Security Advisor

Google Adding Physical USB Key to Authentication Process

The new process looks to verify the authenticity of a Google site before users provide their login details.

Google has launched a new way to verify users in its two-step verification process. The company announced today that Google Chrome is the first Web browser to use a physical USB key to verify a user's identity using the FIDO Alliance's Universal 2nd Factor (U2F) technology.

According to a company blog post that announced the new security procedure, plugging the specially crafted security device into a USB port will verify a Google login page is legitimate, curbing the threats associated with spoofed, malicious Web sites aiming to steal user credentials.

"Rather than typing a code, just insert Security Key into your computer's USB port and tap it when prompted in Chrome," said Nishit Shah, product manager for Google Security. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished."

Typically, two-step authentication involves first entering your password at a login screen and then entering a custom code that is generated and sent to your phone. However, if an attacker tricks you into thinking that their spoofed site is actually Google, handing over both your password and authentication code will grant them full access. Another advantage of using a physical key is that it allows those who may not have a mobile data connection or their smartphone handy to log into their account.
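The following is an added example, not code from the article, Google or the FIDO Alliance. It sketches why a typed code survives being collected by a spoofed page while a Security Key response does not: the browser writes the origin of the page it is really showing into the data the key signs, and the genuine site checks it. The origins, function names and the use of HMAC in place of the ECDSA signature a real U2F device produces are assumptions, chosen so the sketch runs on the Python standard library alone; real U2F also signs an application ID hash, a user-presence byte and a counter.

```python
import hashlib, hmac, json, secrets

REAL_ORIGIN = "https://accounts.example.com"  # constructed: stands for the genuine login site
FAKE_ORIGIN = "https://accounts.example.net"  # constructed: stands for a spoofed look-alike

def token_sign(device_key, client_data):
    """Security key: sign the hash of the client data the browser hands over.
    Assumption: HMAC stands in for the ECDSA signature of a real U2F device."""
    digest = hashlib.sha256(client_data).digest()
    return hmac.new(device_key, digest, hashlib.sha256).digest()

def browser_assertion(device_key, page_origin, challenge):
    """Browser: record the origin of the page actually displayed, then ask the key to sign.
    The page itself has no way to set this field."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    return client_data, token_sign(device_key, client_data)

def server_verify(device_key, issued_challenge, client_data, signature):
    """Genuine site: accept only a valid signature over its own challenge and its own origin."""
    if not hmac.compare_digest(token_sign(device_key, client_data), signature):
        return "bad signature"
    data = json.loads(client_data)
    if data.get("challenge") != issued_challenge:
        return "foreign challenge"
    if data.get("origin") != REAL_ORIGIN:
        return "origin mismatch"
    return "ok"

def otp_verify(expected_code, submitted_code):
    """Typed code: nothing in it records which site the user typed it into."""
    return "ok" if hmac.compare_digest(expected_code, submitted_code) else "bad code"

def demo():
    key = secrets.token_bytes(32)        # enrolled at registration (real U2F: site keeps a public key)
    challenge = secrets.token_hex(16)    # issued by the genuine site for this login
    direct = server_verify(key, challenge, *browser_assertion(key, REAL_ORIGIN, challenge))
    # The user is on the look-alike page, which passes along the genuine challenge
    # and forwards whatever the browser and key return.
    relayed = server_verify(key, challenge, *browser_assertion(key, FAKE_ORIGIN, challenge))
    code = "%06d" % secrets.randbelow(10**6)
    relayed_otp = otp_verify(code, code)  # the same code verifies whichever page collected it
    return direct, relayed, relayed_otp

if __name__ == "__main__":
    print(demo())
```

Rewriting the origin field after signing does not help a relaying site either, because the signature no longer matches the altered client data.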

The FIDO (Fast IDentity Online) Alliance, which was founded in 2012 with the support of major tech firms including PayPal and Lenovo, is a nonprofit organization that looks for ways to strengthen online authentication and provide alternatives for users to verify the legitimacy of Web sites that may contain sensitive data. Google's inclusion of the group's security tech continues the trend of major sites moving away from the widely used (but majorly flawed) two-factor authentication model.

"With large scale deployments of FIDO UAF in payments applications from PayPal, Samsung, AliPay, Nok Nok Labs, and Synaptics, and today's announcement of FIDO U2F authentication by Google, there is no doubt that a new era has arrived," said Michael Barrett, president of the FIDO Alliance. "We are starting to move users and providers alike beyond single-factor passwords to more secure, private, easy-to-use FIDO authentication."

Those wanting to use the new security protocol can purchase the small USB device from U2F vendors, and the feature is automatically enabled for all Chrome users.

What do you think of this approach? Will the use of a physical key help to protect against site spoofing? Spot any major holes in this modified two-factor authentication process? Share your thoughts below.

About the Author

Chris Paoli is the site producer for and

