
Now you can use a key to get into your Google account

Google's new USB Security Key provides a secure and convenient means of two-factor authentication

There's an increasing recognition that passwords alone are not going to be an adequate form of online security in the future. Two-factor authentication can vastly improve security, by simply introducing a second means of verification alongside a password. Google's new USB Security Key does just that.

There are various possible alternatives to using passwords or passwords alone for security. Google already offers a number of different two-step methods. Users can be sent codes via text message or phone call to input in addition to their password, they can generate a code via a mobile app, use back-up one-time-use codes or register a regularly-used computer or device as a second means of verification.

Google says that the Security Key pairs with its Chrome browser to offer even stronger security than its existing methods. It is also more convenient. Users simply insert the key into a USB port on their computer and press a button on it when prompted.

In addition to providing a second means of authentication, the key also verifies that the site requesting the password is actually a Google site and not a fake. As it is a USB key, the device is highly portable and avoids the need to rely on receiving codes or even having mobile connectivity available.

The Security Key uses the FIDO Alliance's open Universal 2nd Factor (U2F) protocol, which utilizes a standard public key cryptography approach. FIDO U2F will work with other websites as well as Google's and the company says that, in the interests of standardization, it hopes other browsers will add FIDO U2F support.
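The origin check and public-key challenge-response described above can be sketched as follows. This is an added example for Node.js, not code from Google or the FIDO Alliance: `SecurityKey`, `verifyAssertion`, `signedBytes`, `demo` and the host names are assumptions made for illustration, and the model leaves out parts of the real U2F message such as the key handle and counter.

```javascript
// Added illustration: simplified model of a U2F-style sign-in, not Google's or FIDO's code.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Bytes that get signed: hash of the origin plus hash of the browser-built client data.
const signedBytes = (origin, clientData) => Buffer.concat([sha256(origin), sha256(clientData)]);

// Hypothetical stand-in for the USB key: one private key per registered origin.
class SecurityKey {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // the site stores only the public key
  }
  // `origin` comes from the browser, not from the page; `pressed` models the button.
  sign(origin, challenge, pressed) {
    const privateKey = this.keys.get(origin);
    if (!privateKey || !pressed) return null; // unknown site, or no button press
    const clientData = JSON.stringify({ challenge, origin });
    const signature = crypto.sign('sha256', signedBytes(origin, clientData), privateKey);
    return { clientData, signature };
  }
}

// Server side: accept only the current challenge, signed for this origin by the stored key.
function verifyAssertion(origin, publicKey, challenge, assertion) {
  if (!assertion) return false;
  const seen = JSON.parse(assertion.clientData);
  if (seen.challenge !== challenge || seen.origin !== origin) return false;
  return crypto.verify('sha256', signedBytes(origin, assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const site = 'https://accounts.example';          // constructed host names
  const lookalike = 'https://accounts-example.test';
  const newChallenge = () => crypto.randomBytes(32).toString('hex');
  const key = new SecurityKey();
  const pub = key.register(site);
  const c1 = newChallenge();
  const good = key.sign(site, c1, true);
  const r = { genuine: verifyAssertion(site, pub, c1, good) };
  r.noPress = verifyAssertion(site, pub, c1, key.sign(site, c1, false));
  // Look-alike page relays the real challenge: the key holds no key pair for that origin...
  r.unknownOrigin = verifyAssertion(site, pub, c1, key.sign(lookalike, c1, true));
  key.register(lookalike); // ...and if one exists, the signed origin does not match.
  r.wrongOrigin = verifyAssertion(site, pub, c1, key.sign(lookalike, c1, true));
  r.replay = verifyAssertion(site, pub, newChallenge(), good); // old answer, new challenge
  return r;
}
```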

Source: Google

6 comments
EddieG
Well, this is certainly a step in some direction or other. Let me see if I've got this straight.
This is going to prove conclusively that I am who I say I am. That way, only *I* have access to my PayPal account, say. It means nobody can spend my money but me. Cool.
The website I'm working with, on the other hand, doesn't need to prove anything to me at all. The site could share my information with anyone it wishes, lie to me about it, and be legally in the clear. Is this right?
I don't see what FIDO is the cure for...except maybe, public distrust of Google.
Bob Flint
Till someone steals the laptop with the dongle in it....or steals the dongle, and hacks it.
Brian M
The people responsible for this idea must be a new set of interns at Google who still need to learn about security and human nature!
You always (Always) need a password or possibly bio-id not just a USB or other token.
Mel Tisdale
So, I lose my USB stick and no one can access my account, not even me. Wow, that really is safe.
Just a little niggling concern; seeing that computers can be hacked to the point where key strokes can be logged, what is to stop them being hacked to log what the USB stick's unlock instruction code is?
It is nice to know that Google are working on the problem, but I don't think this is the solution.
Nick Heidl
The dongle won't make you just metadata, it ties you to the metadata thus making you even more vulnerable to excessive spying by NSA etc. I am more worried about data being given to federal, state and private agencies than a random hacking into my PC.
MarylandUSA
@Brian M, the dongle probably generates a new random encryption code each time it's used. If so, keylogging won't help a thief pretend he's got the dongle.