Security Advisor

Google Adding Physical USB Key to Authentication Process

The new process looks to verify the authenticity of a Google site before users provide their login details.

Google has launched a new way to verify users in its two-step verification process. The company announced today that Google Chrome is the first Web browser to use a physical USB key to verify a user's identity using FIDO Alliance's Universal 2nd Factor (U2F) technology.

According to a company blog post that announced the new security procedure, plugging the specially crafted security device into a USB port will verify a Google login page is legitimate, curbing the threats associated with spoofed, malicious Web sites aiming to steal user credentials.

"Rather than typing a code, just insert Security Key into your computer's USB port and tap it when prompted in Chrome," said Nishit Shah, product manager for Google Security. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished."

Typically, two-step authentication includes first inputting your password and then providing a custom code generated and sent to the user's phone at a login screen. However, if an attacker tricks you into thinking that their spoofed site is actually Google, handing over both your password and authentication key will grant them full access. Another advantage of using a physical key is that it allows those that may not have a mobile data connection or their smartphone handy to log into their account.

The FIDO (Fast IDentity Online) Alliance, which was founded in 2012 with the support of major tech firms including PayPal and Lenovo, is a nonprofit organization that looks for ways to strengthen online authentication and provide alternatives for users to verify the legitimacy of Web sites that may contain sensitive data. Google's inclusion of the group's security tech continues the trend of major sites moving away from the widely used (but majorly flawed) two-factor authentication model.

"With large scale deployments of FIDO UAF in payments applications from PayPal, Samsung, AliPay, Nok Nok Labs, and Synaptics, and today's announcement of FIDO U2F authentication by Google, there is no doubt that a new era has arrived," said Michael Barrett, president of the FIDO Alliance. "We are starting to move users and providers alike beyond single-factor passwords to more secure, private, easy-to-use FIDO authentication."

Those wanting to use the new security protocol can purchase the small USB device from U2F vendors, and the feature is automatically enabled for all Chrome users.

What do you think of this approach? Will the use of a physical key help to protect against site spoofing? Spot any major holes in this modified two-factor authentication process? Share your thoughts below.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube