Sure, you can get a one-time code sent to your mobile phone and use that code, with your password, to try to fend off takeovers of Google, Yahoo or iCloud accounts, among others.
But can you be assured that a sophisticated phisher hasn’t spoofed a site to trick you into handing over your one-off code?
No, you can’t, and that’s why Google’s decided to ratchet up the security of two-step verification (2SV) even tighter.
On Tuesday, it announced that it’s adding support for a physical USB second factor that will first verify the login site as being a true Google website, not a fake site pretending to be Google, before it hands over a cryptographic signature.
What this means is that instead of typing in a code from their mobile phones, users who opt for the USB approach will just insert a USB device built to the FIDO Universal 2nd Factor (U2F) standard – or what Google’s calling a Security Key – into their computers’ USB port, then tap a button on the device at Chrome’s prompt.
That should block sites trying to phish your credentials away, says Nishit Shah, Product Manager at Google Security:
Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google.
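To make the “verifies the login site first” point concrete, here is an added illustration (not code from Google, Sophos or the FIDO Alliance) of how U2F binds an assertion to the site that asked for it. The browser, not the web page, writes the origin into the client data that the token signs, and the token also signs a hash of the site’s appId; the real site then rejects any response whose origin or appId is not its own. The appId and the lookalike origin are constructed values, and an HMAC with a shared secret stands in for the token’s per-site ECDSA key so the script runs offline with the standard library only; a real relying party would check the signature with the public key it stored at registration.

```python
import hashlib
import hmac
import json
import os
import struct

# CONSTRUCTED stand-in for the token's per-registration private key.
# A real U2F token uses an ECDSA P-256 key; HMAC keeps this dependency-free.
DEVICE_KEY = b"constructed-device-secret-for-this-registration"

GOOGLE_APP_ID = "https://accounts.google.com"      # assumed relying-party appId
PHISH_ORIGIN = "https://accounts-google.example"   # constructed lookalike origin


def client_data(challenge, origin):
    """Built by the browser: the page cannot choose the origin field."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin},
                      sort_keys=True, separators=(",", ":")).encode()


def signed_message(app_id, user_presence, counter, cd_bytes):
    """U2F authentication response layout: appIdHash || UP || counter || clientDataHash."""
    return (hashlib.sha256(app_id.encode()).digest()
            + bytes([user_presence])
            + struct.pack(">I", counter)
            + hashlib.sha256(cd_bytes).digest())


def device_sign(app_id, counter, cd_bytes):
    """Model of the token: the button press sets user presence to 1 and signs."""
    sig = hmac.new(DEVICE_KEY, signed_message(app_id, 1, counter, cd_bytes),
                   hashlib.sha256).digest()
    return {"counter": counter, "user_presence": 1, "signature": sig}


def browser_get_assertion(page_origin, app_id, challenge, counter):
    """Chrome's facet rule (simplified): a page may only use an appId it owns."""
    if page_origin != app_id:
        raise PermissionError("appId not permitted for origin " + page_origin)
    cd = client_data(challenge, page_origin)
    return cd, device_sign(app_id, counter, cd)


class RelyingParty:
    """The genuine site: issues challenges and verifies responses."""

    def __init__(self, app_id):
        self.app_id = app_id
        self.last_counter = 0          # replay / cloned-token detection
        self.outstanding = set()       # challenges issued but not yet answered

    def new_challenge(self):
        ch = os.urandom(16).hex()
        self.outstanding.add(ch)
        return ch

    def verify(self, cd_bytes, resp):
        cd = json.loads(cd_bytes)
        if cd.get("challenge") not in self.outstanding:
            return False, "unknown or reused challenge"
        if cd.get("origin") != self.app_id:
            return False, "origin mismatch: " + str(cd.get("origin"))
        if resp["counter"] <= self.last_counter:
            return False, "counter did not increase"
        expected = hmac.new(DEVICE_KEY,
                            signed_message(self.app_id, resp["user_presence"],
                                           resp["counter"], cd_bytes),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["signature"]):
            return False, "bad signature"
        self.outstanding.discard(cd["challenge"])
        self.last_counter = resp["counter"]
        return True, "ok"


def legitimate_login(rp):
    ch = rp.new_challenge()
    cd, resp = browser_get_assertion(GOOGLE_APP_ID, GOOGLE_APP_ID, ch, rp.last_counter + 1)
    return rp.verify(cd, resp)


def relay_with_real_appid(rp):
    """Lookalike page asks the browser to sign for Google's appId: the browser refuses."""
    ch = rp.new_challenge()
    try:
        cd, resp = browser_get_assertion(PHISH_ORIGIN, GOOGLE_APP_ID, ch, rp.last_counter + 1)
    except PermissionError as e:
        return False, "browser refused: " + str(e)
    return rp.verify(cd, resp)


def relay_with_own_appid(rp):
    """Lookalike page uses its own appId and forwards the answer: Google rejects it."""
    ch = rp.new_challenge()
    cd, resp = browser_get_assertion(PHISH_ORIGIN, PHISH_ORIGIN, ch, rp.last_counter + 1)
    return rp.verify(cd, resp)


if __name__ == "__main__":
    rp = RelyingParty(GOOGLE_APP_ID)
    print(legitimate_login(rp))        # (True, 'ok')
    print(relay_with_real_appid(rp))   # browser refuses before the token signs
    print(relay_with_own_appid(rp))    # origin mismatch at the genuine site
```

The two failure paths are the point: a lookalike site either cannot get the browser to sign for Google’s appId at all, or gets a signature whose client data names the lookalike origin, which the genuine site refuses. The counter check is the extra benefit the article does not mention: a response that arrives with a stale counter is a sign the token, or its key, has been duplicated.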
We write about two-step verification often. We urge companies to offer it, and we advise users to take advantage of it whenever possible.
That’s because we think it’s the easiest and most effective way for web properties and other internet services to raise the bar against stolen passwords.
Google’s offering Security Key free on its end, but given that the USB drives themselves will be coming from third parties, yes, it does mean that you’ll have to buy yet another drive to add to your collection.
Google’s Security Key is actually the first deployment of FIDO. Google says it’s hoping that other browsers besides Chrome get on board, but for now, that means that your new stick will only work with Chrome.
Hopefully, Google says, at some point, that one Security Key USB drive will unlock your online self all over the place, as opposed to having your pockets bulge with a key ring bogged down with a clanking collection of drives:
Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.
A few other good things about a USB 2SV device: unlike your phone, neither a dead battery nor lack of a data connection will thwart it.
Heck, one of the third-party USB drives is also apparently rugged enough to go through the spin-cycle when caught up in one Amazon reviewer’s laundry:
Great hardware! (My little token has survived an accidental run through the washer & dryer!)
Is there anything potentially bad about this? Well, as commenter Chris Drake noted on Google’s post, some of us might be constrained, in security-sensitive workplaces, not to plug arbitrary USB keys into workstations.
Interesting point, particularly given that it was just a few months ago that BadUSB had us wondering if we could ever trust a USB device again, what with their newfound ability to be turned into covert keyloggers, malware spreaders or boobytrappers of backup files.
Hopefully, the third-party USB drive makers using FIDO are on top of that, but we’ll let you know if we learn otherwise.
As for plugging drives in at your workstation, please do check with your IT department first.
I like the idea of a USB key, it’s something that cannot be spoofed directly – reminds me of the key device some applications had years back that had to be plugged into the computer for them to work. As for the ability to hack the device, a legitimate concern, but, couldn’t the device be locked with say a read-only switch, like the SD Cards? Again a physical hardware piece that no matter what, cannot be routed. Then we push the onus back to the one area we will always have a problem with, that of social engineering.
I’m curious: Will FIDO supplement or replace Google Authenticator?
If I were to use Chrome on an office network that restricts USB devices (like the one I am at presently), will my Authenticator app on my smartphone be still available for use?
Using SMS verification it will only send me a text if I activate the Google site – a fake site wouldn’t know my phone number I assume? I can see that using the token app would be different. And yes, we can’t plug in USBs at work.
If you have given your password away and someone tries to login using your correct email and password you get a SMS code right away (works out very well as it lets you know right away someone has your Google password if you get a SMS code out of the blue, which is why I do not recommend the Google code generator auth app).
Will the USB key firmware be protected from tampering via the latest discovered USB design flaw?
Never mind… should learn to read the WHOLE article before posting….
Seems like a good start, but I have one big question: What happens if you lose your device, or if it becomes corrupt?
A smaller question is related to sites where two people use the same credentials, like banking sites. Will it work to have 2 USB devices that both work to get into such sites (possibly at the same time)?
So no 2-step security key for mobile, I love a new standard that relies on USB!!! I think the U2F standard is a joke designed by Google and Yubikey to sell more hardware. As a reminder, today in 2014 we the people access Google accounts on our phones or tablets which (as a reminder) don’t have a USB port.
They don’t? No USB-On-The-Go on your phone?
USB On the Go is a trade name for a USB port which can act as a slave (when your phone looks like a memory device to your computer) and as a master (when your phone controls a slave device like a keyboard, mouse, or memory key).
Even the Android tablet I bought for $29.00 supports USB On the Go, Windows phones don’t support it as of October 3, 2014. iPhones support it provided you have the right adapters to go from USB to Apple’s proprietary connectors.
Crypto key + password (in case the key gets into wrong hands) is used on some high end government crypto systems and is a good scheme.
I’d like this for my own more sensitive logins.
Unfortunately this is from google so not much use. Limited value in ultra-security when the only people actually snooping on most google accounts is google.
When google comes up with something which keeps google out of our private data then that will be worth having – other than privacy concerns they offer some good services.
(Go on google … let us pay $25 a year – via google gift voucher bought for cash – for snooping free/proof systems. I’ll join.)
Google is the big gorilla in starting to support it, but the FIDO standard they are using is an open industry standard that anyone can program to. Now that Chrome is on board it makes me interested in developing a plug-in solution for other systems.
Google and Security in the same sentence, lol. Get ready to have 20 USB drives on a key chain to access junk like this, one more thing to get exploited and generate a false sense of security.
I keep seeing the word “drive” here. Although they use USB, they are not storage devices, they are – as far as operating systems are concerned – keyboards. Yubico have been making these for a few years now.