Google Adds Physical Security Key Support to 2-Step Verification

The company details that the physical USB second factor only works after it verifies the site the user is attempting to log in to is a Google website and not a fake site attempting a phishing attack.

(Also see: How to Enable Two-Factor Authentication For Gmail, Facebook, Apple, Twitter, Outlook, Yahoo Accounts)

Google in a blog post titled "Strengthening 2-Step Verification with Security Key" announced the new Security Key support, saying, "Today we're adding even stronger protection for particularly security-sensitive individuals. Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google."

The company details that the Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance. This means websites that use the same U2F protocol can access Security Key's features in Chrome.

Google reveals that the Security Key works with Google Accounts at no charge, but users are required to buy a compatible USB device directly from a U2F participating vendor. The Mountain View giant also provided a link to online retail giant Amazon that lists FIDO U2F Security Key USB devices, with prices starting as low as $5.99 (roughly Rs. 370), and warned users to look for the 'FIDO U2F Ready' logo.

The search giant says users will be able to log in safely by just inserting the Security Key into the computer's USB port as a second factor for verification when prompted in Chrome; rather than by typing a code. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished," it added.

Google claims that the Security Key offers "protection even beyond what using verification codes sent to your phone gives" and details few examples of phishing attacks. It notes, "With 2-Step Verification, Google requires something you know (your password) and something you have (like your phone) to sign in. Google sends a verification code to your phone when you try to sign in to confirm it's you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it's supposed to work with."

The search engine giant also lists some limitations of the Security Key in 2-step Verification, such as the requirement of a USB port to use the Security Key, and that the feature does not work on browsers other than Chrome.

Last month, a stash of roughly 5 million usernames and passwords of Google accounts (including Gmail, Google+) was reported to have been found on a Russian forum for Bitcoin security. The company responded on the claims and said, "We found that less than 2 percent of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We've protected the affected accounts and have required those users to reset their passwords."