A new security feature for Google’s services will help users better protect their data by requiring that they insert a USB security key to log in to their account.
Announced on Tuesday, the optional Security Key technology requires that a Chrome user take two additional steps to sign in to their Google account: plug a small key into the USB port on their computer and tap a button. The process is a simpler and more secure version of the 2-Step Verification process that Google offers to security-conscious users. With 2-Step Verification, users receive a code from Google on their phone or in e-mail that they must enter into Google’s site to complete the login process.
Users that opt for the Security Key technology will have to purchase a special USB key, which typically costs less than $20.
“Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome,” Nishit Shah, product manager for Google Security, wrote in a blog post on the new technology. “When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.”
Google’s Security Key is one of the first public applications of the Fast Identity Online (FIDO) Alliance’s universal second-factor experience, or U2F. The FIDO Alliance is a group of nearly 120 companies, including Microsoft and Google but not Apple, that supports better online security through open technologies. A user of the technology can use the same key to help secure the login process with any supporting service provider.
The FIDO Alliance cheered Google’s announcement on Tuesday. “There is no doubt that a new era has arrived,” Michael Barrett, president of the FIDO Alliance, said in a statement. “We are starting to move users and providers alike beyond single-factor passwords to more secure, private, easy-to-use FIDO authentication.”
The hardware key—a thin slice of plastic containing a chip for handling encryption keys and contacts to slide into a computer’s USB slot—costs less than $20 and can be used in other applications that support U2F security, according to the FIDO Alliance. The key contains a chip known as the “secure element”—a hardware component commonly used in smart-card applications and designed to securely hold and process encryption keys. During the initial registration of the key to the service provider, a pair of encryption keys are created: a public key sent to the provider and a private key held by the Security Key. When using a supporting browser, the website sends an encrypted challenge, which the key decrypts and then responds with an encrypted reply.
In many ways, the key is similar to the chip-and-PIN technology that is starting to be adopted by banks and merchants to defeat credit card fraud.
By using the key along with a supporting browser and service, phishing attacks, keylogging, and man-in-the-middle attacks become nearly impossible, Jerrod Chong, vice president of solutions engineering for access-technology provider Yubico, told Ars.
“Any attacker will not be able to get information useful for logging into an account,” Chong said.
“If the system is compromised, this will not protect against (data leakage),” he added. “Instead, what it is designed to prevent is the most widely seen attack against users: phishing—tricking the users into doing something that they do not want to do.”
The Security Key works with Google Chrome and Google’s service to verify the identity of the website, which sends an encrypted challenge. After receiving and decrypting the challenge, it responds with a signed authentication token.
Google acknowledged that until there is wider support for U2F, users may want to stick with Google’s 2-Step Verification, especially if they typically use Web services from their mobile devices or use a browser other than Chrome.
