The tech giant has finally announced a physical USB Security Key for two-factor authentication. The key is expected to ensure that users keep their accounts safe from intruders, but it has its own limitations. Users can buy a compatible USB device from a third-party supplier and add the Security Key functionality. After doing so, they can start using it when logging in to Google’s services, including Gmail and Google Drive. The key will contain the code required for two-factor authentication, if the latter has been switched on.
Two-factor authentication is a popular method of security protection. It requires both a password and an additional piece of data that can verify the identity of the person logging in. Before, Google provided users with the second piece of authentication data by sending the code via text message or the Authenticator app. Now the USB key can be used without any input required from the keyboard.
The company promises that accounts with Security Key enabled will remain secure from hacking (unless hackers manage to steal the plastic key). This method is presented as more secure than using a smartphone, because hackers have infected mobile devices in the past to steal security codes.
The USB key will also make sure that the website the user is on is owned by Google and not by a third party who uses it for a “man-in-the-middle” attack. The Security Key will not transmit its cryptographic signature if some phishing service is trying to pretend to be a Google login page.
Google explains that instead of typing a code, you can now insert the Security Key into the USB port of your machine and tap it when prompted in Chrome. The company guarantees that the cryptographic signature can’t be phished when you sign into your Google Account using the Chrome browser and the Security Key.
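The origin check described above can be sketched as follows; this is an added example, not code from Google or the FIDO Alliance. It assumes a simplified token in which HMAC-SHA256 stands in for the ECDSA signature U2F uses, the page origin serves as the application identity, and the key-handle construction, class and function names are all hypothetical.

```python
import hashlib
import hmac
import os

def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def app_param(origin):
    # U2F names the site to the token by a SHA-256 hash of its application
    # identity; this sketch uses the origin for that (assumption).
    return hashlib.sha256(origin.encode()).digest()

class ToySecurityKey:
    def __init__(self):
        self._master = os.urandom(32)  # device secret; never leaves the token

    def register(self, origin):
        nonce, ap = os.urandom(16), app_param(origin)
        handle = nonce + _mac(self._master, b"handle", ap, nonce)
        # Toy only: a real token hands the site a public key, not a shared secret.
        return handle, _mac(self._master, b"key", ap, nonce)

    def sign(self, browser_origin, handle, challenge):
        # browser_origin is what the browser reports, not what the page claims.
        ap = app_param(browser_origin)
        nonce, tag = handle[:16], handle[16:]
        if not hmac.compare_digest(tag, _mac(self._master, b"handle", ap, nonce)):
            return None  # handle was issued for another origin: release nothing
        return _mac(_mac(self._master, b"key", ap, nonce), ap, challenge)

def server_verify(origin, verify_key, challenge, response):
    if response is None:
        return False
    expected = _mac(verify_key, app_param(origin), challenge)
    return hmac.compare_digest(response, expected)

def demo():
    real = "https://accounts.google.com"                      # sample origin
    lookalike = "https://accounts.google.com.signin.example"  # constructed
    key = ToySecurityKey()
    handle, verify_key = key.register(real)
    challenge = os.urandom(32)
    genuine = server_verify(real, verify_key, challenge,
                            key.sign(real, handle, challenge))
    # A look-alike page relays the real challenge and key handle, but the
    # browser still reports the page's own origin to the token.
    relayed = key.sign(lookalike, handle, challenge)
    return genuine, relayed

if __name__ == "__main__":
    print(demo())
```

Because the key handle is tied to the origin it was registered for, the token returns nothing to the look-alike page, so there is no response for that page to forward to the real site.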
As you might have noticed, there is one significant limitation: the USB key only works via the Chrome browser, and people who use other Internet browsers won’t like it. In addition, there’s the need for added hardware – this can also put some people off.
Apparently, this innovation has its own disadvantages: it is another thing to carry around and keep track of, it requires the Chrome browser to work, and it can’t be used on mobile devices as it needs a USB port to work. Perhaps, the target audience for this innovation is non-technical people who don’t use smartphones and apps. Anyway, if this increases the number of people using two-factor authentication, it is a useful thing.
Besides that, Google is also joining and championing a movement called the FIDO (Fast IDentity Online) Alliance. The goal of the latter is to spread the open Universal 2nd Factor (U2F) protocol used by the Security Key across various websites, so people will only require one USB key for all of them.
FIDO Universal Authentication Framework is widely used in payment apps from PayPal, Samsung, AliPay, and others, and with Google now using FIDO U2F, it is clear that a new era has arrived, where users and providers are urged to move beyond single-factor passwords to more secure authentication.
Sources: Google Support & Amazon (Key #1 & Key #2)