Security Advisor

Google Adding Physical USB Key to Authentication Process

The new process looks to verify the authenticity of a Google site before users provide their login details.

Google has launched a new way to verify users in its two-step verification process. The company announced today that Google Chrome is the first Web browser to use a physical USB key to verify a user's identity using FIDO Alliance's Universal 2nd Factor (U2F) technology.

According to a company blog post that announced the new security procedure, plugging the specially crafted security device into a USB port will verify a Google login page is legitimate, curbing the threats associated with spoofed, malicious Web sites aiming to steal user credentials.

"Rather than typing a code, just insert Security Key into your computer's USB port and tap it when prompted in Chrome," said Nishit Shah, product manager for Google Security. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished."

Typically, two-step authentication includes first inputting your password and then providing a custom code generated and sent to the user's phone at a login screen. However, if an attacker tricks you into thinking that their spoofed site is actually Google, handing over both your password and authentication key will grant them full access. Another advantage of using a physical key is that it allows those that may not have a mobile data connection or their smartphone handy to log into their account.

The FIDO (Fast IDentity Online) Alliance, which was founded in 2012 with the support of major tech firms including PayPal and Lenovo, is a nonprofit organization that looks for ways to strengthen online authentication and provide alternatives for users to verify the legitimacy of Web sites that may contain sensitive data. Google's inclusion of the group's security tech continues the trend of major sites moving away from the widely used (but majorly flawed) two-factor authentication model.

"With large scale deployments of FIDO UAF in payments applications from PayPal, Samsung, AliPay, Nok Nok Labs, and Synaptics, and today's announcement of FIDO U2F authentication by Google, there is no doubt that a new era has arrived," said Michael Barrett, president of the FIDO Alliance. "We are starting to move users and providers alike beyond single-factor passwords to more secure, private, easy-to-use FIDO authentication."

Those wanting to use the new security protocol can purchase the small USB device from U2F vendors, and the feature is automatically enabled for all Chrome users.

What do you think of this approach? Will the use of a physical key help to protect against site spoofing? Spot any major holes in this modified two-factor authentication process? Share your thoughts below.

About the Author

Chris Paoli is the site producer for and


  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

  • Microsoft Open License To End Next Year for Government and Education Groups

    Microsoft's "Open License program" will end on Jan. 1, 2022, and not just for commercial customers, but also for government, education and nonprofit organizations.

comments powered by Disqus