Google has been offering support for two-step verification for years, but now there's another option for proving you are who you say you are. You can now use a physical USB device plugged into your computer to access your Google account via Chrome, in addition to your password. Google calls this Security Key. Using Security Key means your physical presence (or at least the presence of your keychain) is needed to log into Google, making it all but impossible for a remote attacker to get into your account with a stolen or phished password, which is how most of the account takeovers you hear about actually happen.
The goal of two-step verification in general is to make account access more secure by requiring a password plus something else. The characters that make up your password, even a very complex one, can be typed into any keyboard anywhere in the world. Whoever has them doesn't need to be anywhere near you, and you may never notice that someone is accessing your account. Google and other companies include tools that can help you remain aware of when and from where your online profile has been accessed (hey, that random login from Prague looks suspicious), but the only way to be sure is to add a second layer of security on top of the password. In this case, that means a USB key that plugs into your computer, but other methods include temporary codes sent via SMS and authenticator apps that generate one-time codes on your phone.
Don't dust off that USB thumb drive in your drawer just yet, though. You can't use any old USB device you have sitting around: Google's Security Key implementation uses the open Universal 2nd Factor (U2F) protocol, which is maintained by the FIDO Alliance. It uses public key cryptography. When you register the device with a service, it generates a fresh key pair for that site and hands over only the public key; at each login, the service sends a random challenge and the device signs it with the private key, which never leaves the hardware. Because the signed data also covers the web origin the browser was actually talking to, a look-alike phishing site cannot obtain a signature the real site will accept. A remote attacker won't have your U2F USB device, so any attempt to gain access with just your password is doomed.
This is important because U2F isn’t only for Google. While it’s true that Google is adding support for U2F in its two-step account verification, the support is baked into Chrome. Any company that wants to take advantage of this highly secure access method can do so right now. All you need is a computer running Chrome v38 or higher, which is the current stable channel release.
One notable downside is that you really need Chrome. Other browsers lack support for a U2F security dongle, meaning you'll have to fall back to SMS or app verification to get the one-time code for two-step verification when Chrome isn't available. Security Key also isn't supported on mobile devices, whether Android or iOS. Google notes that it hopes more desktop browser makers will at least add support for FIDO U2F so users can rely on the hardware verification method more often.
Google is including Security Key support on all accounts free of charge, and it's not even selling the USB devices directly. It's actually nice to know that Google doesn't have a financial stake in this move; it's about making your data more secure. A compatible U2F USB device can be purchased from any vendor that implements the standard, but most of the current options you'll find come from Yubico and cost $15-50. As they say, that's a small price to pay for peace of mind.
As far as we're aware, you can't yet make your own U2F USB key. The standard is open, however, so an open-source implementation might appear at some point in the future. The catch is that a U2F token isn't just storage: it has to generate keys and perform the signatures itself while keeping the private key from ever being read out, which is why the commercial tokens use a dedicated microcontroller or secure element rather than plain flash memory. A stock thumb drive has none of that.