Google has beefed up its two-factor authentication by offering a physical key in the form of a USB stick. It’s designed to close off some of the loopholes exploited by phishing scams.
To date, the “something you know” (login details) in Google’s two-factor authentication has been accompanied by the “something you have” of a cellphone, on which you receive a security code when the process is triggered, for example when trying to access your account from a new location.
That setup brings a couple of potential flaws, even if they may largely be theoretical. It’s possible your phone may have been compromised such that somebody else is able to intercept the security code. It’s also possible that if you are using a compromised computer, you could be tricked into entering the security code into a bogus site posing as Google. To say the least, both of these possibilities involve a string of “if”s.
With the new alternative, users who try to log in on a computer running Chrome (on virtually any operating system) will have the option to insert the USB key into the computer, rather than receive and enter the code.
The key is set up so that it only responds to genuine Google account pages; it won’t send its cryptographic signature to any other site. Unlike a phone, the key doesn’t require batteries or a data connection, so it should work anywhere at any time.
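To make that origin-binding property concrete, here is an added illustration (not Google’s or the FIDO Alliance’s code) of why a relayed phishing page gets nothing useful from the key. A real U2F key holds a per-site ECDSA key pair and refuses to use it for a different site; this simplified model uses an HMAC secret shared at enrollment so it runs on the Python standard library alone, and it isolates the one property at issue: the browser, not the web page, supplies the origin that is mixed into the signed data, so a signature produced on a look-alike page fails verification at the genuine site. The origins, the `SecurityKey` and `RelyingParty` classes and all sample values are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed values for the illustration.
GENUINE_ORIGIN = "https://accounts.google.com"         # origin the key was enrolled at
LOOKALIKE_ORIGIN = "https://accounts-google.example"   # constructed phishing origin


class SecurityKey:
    """Models the USB key: holds the secret created at enrollment and signs
    only data that includes the origin the browser reports."""

    def __init__(self):
        self._secret = None

    def enroll(self) -> bytes:
        """Create the per-registration secret; the site stores a copy to verify with.
        (A real key would hand back a public key and keep the private half.)"""
        self._secret = secrets.token_bytes(32)
        return self._secret

    def sign(self, browser_origin: str, challenge: bytes) -> bytes:
        """Sign origin || challenge. The page cannot choose `browser_origin`;
        the browser fills it in from the address bar."""
        if self._secret is None:
            raise RuntimeError("key has not been enrolled")
        msg = browser_origin.encode() + b"\0" + challenge
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class RelyingParty:
    """Models the genuine login server."""

    def __init__(self, origin: str):
        self.origin = origin
        self._verify_secret = None

    def register(self, key: SecurityKey) -> None:
        self._verify_secret = key.enroll()

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        """Recompute the expected signature over *our own* origin; any other
        origin baked into the signature makes the check fail."""
        msg = self.origin.encode() + b"\0" + challenge
        expected = hmac.new(self._verify_secret, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def legitimate_login(rp: RelyingParty, key: SecurityKey) -> bool:
    """User is on the genuine page, so the browser reports the genuine origin."""
    challenge = rp.new_challenge()
    return rp.verify(challenge, key.sign(rp.origin, challenge))


def relayed_phishing_login(rp: RelyingParty, key: SecurityKey) -> bool:
    """A look-alike site fetches a real challenge, shows it to the victim, and
    forwards whatever the key produces; the browser reports the look-alike origin."""
    challenge = rp.new_challenge()
    forwarded = key.sign(LOOKALIKE_ORIGIN, challenge)
    return rp.verify(challenge, forwarded)


def demo() -> tuple:
    """Returns (genuine login accepted, relayed phishing login accepted)."""
    key = SecurityKey()
    google = RelyingParty(GENUINE_ORIGIN)
    google.register(key)
    return legitimate_login(google, key), relayed_phishing_login(google, key)


if __name__ == "__main__":
    ok, phished = demo()
    print("genuine page accepted:", ok)           # True
    print("relayed from look-alike accepted:", phished)  # False
```

The relayed attempt fails even though the attacker holds a perfectly fresh, genuine challenge and a signature freshly produced by the real key: the signed bytes name the wrong origin. Compare this with a numeric code typed by the user, which carries no notion of which page it was entered into.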
It’s entirely up to users whether or not to take advantage of the USB key option. Even then, they’ll still need to use the phone code option if they’re using a browser other than Chrome or a device without a USB port.
The authentication system is based on the FIDO Alliance standard, so it’s possible other browser developers could choose to support it.
The USB keys will be available from a range of manufacturers, who can indicate compliance with a FIDO Universal 2nd Factor logo. Models currently available start at $5.99.