October 21, 2014

Strengthening 2-Step Verification with Security Key


2-Step Verification offers a strong extra layer of protection for Google Accounts. Once enabled, you’re asked for a verification code from your phone in addition to your password, to prove that it’s really you signing in from an unfamiliar device. Hackers usually work from afar, so this second factor makes it much harder for a hacker who has your password to access your account, since they don’t have your phone.

Today we’re adding even stronger protection for particularly security-sensitive individuals. Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.

Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.

Security Key works with Google Accounts at no charge, but you’ll need to buy a compatible USB device directly from a U2F participating vendor. If you think Security Key may be right for you, we invite you to learn more.

Posted by Nishit Shah, Product Manager, Google Security

13 comments:

  1. As a Yubico user I welcome this step. But can we use it to get access to Google accounts with other browsers too?

  2. Is this to help the people or a new spy mechanism from Google/NSA?

  3. Good luck plugging a USB key into your iPad, or letting your security-sensitive workplace let you plug arbitrary USB keys into your workstation, or convincing your bank that you really did not send your entire balance to Nigeria, even though you signed that transaction with a tap, etc etc...

    Remember Mt.Gox? That's Yubico's most public failure so far :-)

    Strong authentication needs to be out-of-band, and support transaction signing, and work everywhere, or there's no point using it. You can't get "out of band" with anything that you "plug in" - that's simply connecting it directly to the same threats.

    By the way - for everyone reading this comment - please know that, if you are reading this, Google had the grace to allow this to be published here ("all comments published must be approved by the blog author") - and if you are reading this, that I'm grateful that they allowed my opinions to be aired, despite me being critical - thanks!

    Chris.

  4. I wish there were a possible way to use USB flash disks with the U2F protocol.

  5. Hiya, is this functionality in the UK also? I have had a look on Amazon.co.uk & they sell

    http://www.amazon.co.uk/Plug-up-FIDO-U2F-U2F-SK-01-Security/dp/B00OGPO3ZS/ref=sr_1_1?ie=UTF8&qid=1413905127&sr=8-1&keywords=FIDO+Security+Key

    I would be keen to add this to my accounts going forward.

  6. I have a drawer full of USB drives, why should I have to purchase another one?

    This would be much better, if users could use drives they already have.

  7. Will the U2F compatible USB device need to be connected to the computer at all times, or once login is complete can the USB device be disconnected?

  8. How about selling these in the Play Store?! :D

  9. This is a great new offering to help boost adoption of 2-step authentication. There are many scenarios where having a physical USB key is preferred to a mobile device. Looking forward to trying this out!

  10. Will an additional factor be permitted to be used in conjunction with the physical device? I think this is important in the same way as a PIN is required for a debit card.

  11. Will there be/is there a JS API that can be used by other users, or is this strictly a Google thing?

    If so, do you have a link to the documentation?

  12. This is very cool. I use Google 2-factor all the time for work and personal use. I've looked at some Yubi keys in the past. Maybe I'll order a Yubi Key Neo and play around with it.

  13. Can you have more than one key assigned to your Google account? So I could carry one with me, and leave another at home in a safe just in case I lose it?

