How to Lock Down Your Google Account with Google's New Physical Key
While most of us don't think twice about dragging a pattern or using Touch ID to open our phones, or entering a password in for our email and bank accounts, these features are there to protect some of our most private information. Only problem is, they don't do a good job of it.
Passwords and PINs can easily be hacked, and if your password were ever leaked onto the web, or your bank PIN discovered, there would be no other security barrier to prevent a hacker or thief from accessing your account besides maybe some "strong" authentication challenge questions.
That's why some companies have implemented two-step verification (and even the more secure multi-factor authentication) for their websites. Apple currently offers two-step verification for Apple IDs, and Google also offers it for Google Accounts.
First, a user logs into their device using their regular password. Once that password is confirmed, a code will be sent to your mobile device (one previously set up with the two-step verification process). Next, the user enters in the verification code that they received on their device in order to finally log in.
Google states: "2-Step Verification adds an extra layer of security to your Google Account, drastically reducing the chances of having the personal information in your account stolen. To break into an account with 2-Step Verification, bad guys would not only have to know your username and password, they'd also have to get a hold of your phone."
To make things even more secure, Google is providing another option for the two-step verification process, strengthening it and perhaps even simplifying it. Where users had to login with their password and then type in the security code sent to their phone, this new method requires a password and physical key to be connected to a USB port on your PC, Mac, or Chromebook.
As Google states on their blog, this new Security Key feature makes it even harder for a security lapse to occur.
"Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer's USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished."
While someone could technically find your phone number and hack your password or setup a fake Google page (to phish) for your password, even if they get it, it'd be physically impossible for them to login without also getting their hands on your Security Key. On the flip side, if someone stole your Security Key, they would need your password for it to be of any use.
What does that mean? Since these keys are being built using the open-source FIDO standard, other sites could incorporate the same security measures, meaning you could log into Facebook or Outlook with your password and that same USB Security Key. This also mean that flash drive in your drawer probably isn't up to protocol.
You can find compatible USB keys on Amazon or from other retailers for anywhere from $6 to $60, depending on the supported protocols and form factor. Here are the compatible keys Google recommends that support FIDO U2F Authentication:
This process also does not have to be limited to USB. In the future, expect to see Bluetooth, NFC, and other methods creep into this arena. Here are some more things you should know.
Using the Security Key with Gmail only works on Chrome. If you use another browser to log into your Gmail account, you will have to use the regular login or the classic two-step verification method.
To use a Security Key, you'll need a computer running Google Chrome version 38 or newer on Chrome OS, Windows, Mac OS X, or Linux.
You cannot use the Security Key on a device without a USB port. Now this may seem obvious, but for people that use their phone or tablet, you will not be able to log in this way. There are some Security Keys, like the Yubico NEO, that support NFC, but U2F does not by default just yet. So, you will need to use the standard two-step verification with your cell phone number.
If you lose your security key, you will have to buy another one, and that sucks.
Unlike the mobile phone method, you will never be stuck unable to login because your phone is dead and cannot receive the code. Your Security Key will work whenever, wherever (unless, of course, your laptop is dead and you forgot your cord). You just need to have it on hand. A keychain isn't a bad place to put it.
If you want to have one key to use at work and another key to use at home, you can do that. The key is just one step of the process and isn't coded to your particular account. Your password and login information is your identifier; the key just confirms that you are on a safe-to-use Google site.
Again, here are the keys Google recommends:
Learn more about using a Security Key here.
There are many businesses that use a similar process, but this is one of the few times it's being made for a giant consumer population like Google's. Single-step verification is what many people are used to, as it's easy to do.
For those looking for more security on their Gmail and all the other sensitive information Google has on you, the two-step process is a safer route to take. Especially considering the fact that your email account is the key to all of your other accounts, since most websites allow you to reset your password via email.
"There is no doubt that a new era has arrived," said FIDO Alliance President Michael Barrett in an official statement. "We are starting to move users and providers alike beyond single-factor passwords."
Once you've purchased your key, get started with the new two-step verification process here.