2FA: Google offers physical alternative to verification codes

Google is offering an alternative second factor for its two-step account verification option, one that has the additional advantage of thwarting phishing attacks.

It’s called Security Key, and it’s a physical USB device that only works when the login site is truly a Google website, and not a spoofed login page aimed at harvesting login credentials. This is possible because Security Key uses cryptography instead of verification codes.

The process of logging into your Google account thus becomes even more simple: you go to the login page, enter your password and insert the device into the computer’s USB port:

The solution has some limitations. At the moment, Security Key works only on Chrome (version 38 or newer).

“Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today,” explained Nishit Shah, Product Manager, Google Security. “It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.”

Secondly, the Security Key can’t be used when you log into your account from a mobile device, as they usually lack a USB port.

“Security Key works with Google Accounts at no charge, but you’ll need to buy a compatible USB device directly from a U2F participating vendor,” Shah noted. Devices compliant with the standard are marked with a logo that says they are FIDO U2F ready.”

This seems like a great solution for inexperienced users who have difficulties with using verification codes sent to their phones or provided via an app, and spotting phishing sites.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss