Google offers USB security key to make bad passwords moot

Google logoA new security feature for Googles services will help users better protect their data by requiring that they insert a USB security key to log in to their account.

Announced on Tuesday, the optional Security Key technology requires that a Chrome user take two additional steps to sign in to their Google account: plug a small key into the USB port on their computer and tap a button. The process is a simpler and more secure version of the 2-Step Verification process that Google offers to security-conscious users. With 2-Step Verification, users receive a code from Google on their phone or in e-mail that they must enter into Googles site to complete the login process.

Google offers USB security key to make bad passwords moot

Users that opt for the Security Key technology will have to purchase a special USB key, which typically costs less than $20.

Rather than typing a code, just insert Security Key into your computers USB port and tap it when prompted in Chrome, Nishit Shah, product manager for Google Security, wrote in a blog post on the new technology. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.

Googles Security Key is one of the first public applications of the Fast Identity Online (FIDO) Alliances universal second-factor experience, or U2F. The FIDO Alliance is a group of nearly 120 companies, including Microsoft and Google but not Apple, that supports better online security through open technologies. A user of the technology can use the same key to help secure the login process with any supporting service provider.

The FIDO Alliance cheered Googles announcement on Tuesday. There is no doubt that a new era has arrived, Michael Barrett, president of the FIDO Alliance, said in a statement. We are starting to move users and providers alike beyond single-factor passwords to more secure, private, easy-to-use FIDO authentication.

The hardware keya thin slice of plastic containing a chip for handling encryption keys and contacts to slide into a computers USB slotcosts less than $20 and can be used in other applications that support U2F security, according to the FIDO Alliance. The key contains a chip known as the secure elementa hardware component commonly used in smart-card applications and designed to securely hold and process encryption keys. During the initial registration of the key to the service provider, a pair of encryption keys are created: a public key sent to the provider and a private key held by the Security Key. When using a supporting browser, the website sends an encrypted challenge, which the key decrypts and then responds with an encrypted reply.

In many ways, the key is similar to the chip-and-PIN technology that is starting to be adopted by banks and merchants to defeat credit card fraud.

By using the key along with a supporting browser and service, phishing attacks, keylogging, and man-in-the-middle attacks become nearly impossible, Jerrod Chong, vice president of solutions engineering for access-technology provider Yubico, told Ars.

Any attacker will not be able to get information useful for logging into an account, Chong said.

If the system is compromised, this will not protect against (data leakage), he added. Instead, what it is designed to prevent is the most widely seen attack against users: phishingtricking the users into doing something that they do not want to do.

The Security Key works with Google Chrome and Googles service to verify the identity of the website, which sends an encrypted challenge. After receiving and decrypting the challenge, it responds with a signed authentication token.

Google acknowledged that until there is wider support for U2F, users may want to stick with Googles 2-Step Verification, especially if they typically use Web services from their mobile devices or use a browser other than Chrome.

Source: Ars Technica

Tags: Google, security

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Galaxy Note10 really is built around a 6.7-inch display
You may still be able to download your content
Facebook, Messenger and Instagram are all going away
Minimize apps to a floating, always-on-top bubble
Japan Display has been providing LCDs for the iPhone XR, the only LCD model in Apples 2018 line-up
The 2001 operating system has reached its lowest share level
The entire TSMC 5nm design infrastructure is available now from TSMC
The smartphone uses a Snapdragon 660 processor running Android 9 Pie
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 / 2
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (16)