Sure, you can get a one-time code sent to your mobile phone and use that code, with your password, to try to fend off takeovers of Google, Yahoo or iCloud accounts, among others.
But can you be assured that a sophisticated phisher hasn’t spoofed a site to trick you into handing over your one-off code?
No, you can’t, and that’s why Google’s decided to ratchet up the security of two-step verification (2SV) even tighter.
On Tuesday, it announced that it’s adding support for a physical USB second factor that first verifies the login site is a genuine Google website, not a fake site pretending to be Google, before it hands over a cryptographic signature.
What this means is that instead of typing in a code from their mobile phones, users who opt for the USB approach will simply insert a USB device supporting the FIDO Universal 2nd Factor (U2F) standard – or what Google’s calling a Security Key – into their computer’s USB port, then tap a button on the device when Chrome prompts for it.
That should block sites trying to phish your credentials away, says Nishit Shah, Product Manager at Google Security:
Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google.
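To show what "verifying the login site" means in practice, here is a simplified model of the U2F authentication exchange written for this article; it is added example code, not Google's or the FIDO Alliance's implementation. It keeps the real layout of the signed message (SHA-256 of the application id, a user-presence byte, a counter, and SHA-256 of the browser-assembled client data, signed with P-256 ECDSA) but simplifies everything else: the application id is assumed to be the site's origin, challenges are plain strings rather than base64url, and the origins `https://accounts.example` and `https://accounts-example.phish` are constructed for the demonstration. The point it makes is that the key only holds a credential for the origin it was registered with, the browser only lets a page use its own origin, and the site only accepts an assertion whose client data names the site's own origin, so a look-alike page relaying a genuine challenge gets nothing the real site will accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the Security Key: one P-256 key pair per application id
// (assumed here to be the relying party's origin) and a counter that only grows.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// clientData is what the browser assembles for the key to sign: the server's
// challenge plus the origin the browser itself observed for the page.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a key pair bound to appID and returns the public key the site stores.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Sign is the authentication step. The key has no credential for an origin it was
// never registered with, so a look-alike site gets nothing back.
func (a *Authenticator) Sign(appID string, cdJSON []byte) (uint32, []byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return 0, nil, errors.New("security key: no credential registered for " + appID)
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(appID, a.counter, cdJSON))
	return a.counter, sig, err
}

// signedMessage follows the U2F authentication layout:
// sha256(appID) || userPresence || counter || sha256(clientData), hashed once more for ECDSA.
func signedMessage(appID string, counter uint32, cdJSON []byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	cdHash := sha256.Sum256(cdJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(appParam[:], 0x01) // 0x01: the user tapped the button
	msg = append(msg, ctr[:]...)
	msg = append(msg, cdHash[:]...)
	digest := sha256.Sum256(msg)
	return digest[:]
}

// RelyingParty is the genuine site: the registered public key and the last counter accepted.
type RelyingParty struct {
	Origin  string
	pub     *ecdsa.PublicKey
	lastCtr uint32
}

// Verify accepts an assertion only if the browser-reported origin is the site's own,
// the challenge matches, the counter advanced, and the signature covers the site's appID.
func (rp *RelyingParty) Verify(challenge string, cdJSON []byte, counter uint32, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return false
	}
	if cd.Typ != "navigator.id.getAssertion" || cd.Origin != rp.Origin || cd.Challenge != challenge {
		return false
	}
	if counter <= rp.lastCtr { // a replayed (or cloned-key) assertion never moves forward
		return false
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.Origin, counter, cdJSON), sig) {
		return false
	}
	rp.lastCtr = counter
	return true
}

// Login plays the browser's part. pageOrigin is what the browser actually loaded;
// requestedAppID is what the page's script asked the key to sign for. The browser
// refuses an appID that does not belong to the page's own origin.
func Login(auth *Authenticator, rp *RelyingParty, challenge, pageOrigin, requestedAppID string) (bool, error) {
	if requestedAppID != pageOrigin {
		return false, fmt.Errorf("browser: page at %s may not use appID %s", pageOrigin, requestedAppID)
	}
	cdJSON, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: pageOrigin})
	counter, sig, err := auth.Sign(requestedAppID, cdJSON)
	if err != nil {
		return false, err
	}
	return rp.Verify(challenge, cdJSON, counter, sig), nil
}

func main() {
	auth := &Authenticator{}
	rp := &RelyingParty{Origin: "https://accounts.example"} // constructed origin
	rp.pub, _ = auth.Register(rp.Origin)
	fmt.Println(Login(auth, rp, "challenge-001", rp.Origin, rp.Origin))                                                 // true
	fmt.Println(Login(auth, rp, "challenge-002", "https://accounts-example.phish", rp.Origin))                         // browser refuses
	fmt.Println(Login(auth, rp, "challenge-002", "https://accounts-example.phish", "https://accounts-example.phish")) // key refuses
}
```

The counter check is the part a site operator most often forgets: besides blocking a replayed assertion, a counter that goes backwards is the signal that the same credential now lives on two devices.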
We write about two-step verification often. We urge companies to offer it, and we advise users to take advantage of it whenever possible.
That’s because we think it’s the easiest and most effective way for web properties and other internet services to raise the bar against stolen passwords.
Google’s offering Security Key free on its end, but given that the USB drives themselves will be coming from third parties, yes, it does mean that you’ll have to buy yet another drive to add to your collection.
Google’s Security Key is actually the first deployment of FIDO. Google says it’s hoping that other browsers besides Chrome get on board, but for now, that means that your new stick will only work with Chrome.
Hopefully, Google says, at some point, that one Security Key USB drive will unlock your online self all over the place, as opposed to having your pockets bulge with a key ring bogged down with a clanking collection of drives:
Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.
A few other good things about a USB 2SV device: unlike your phone, neither a dead battery nor lack of a data connection will thwart it.
Heck, one of the third-party USB drives is also apparently rugged enough to go through the spin-cycle when caught up in one Amazon reviewer’s laundry:
Great hardware! (My little token has survived an accidental run through the washer & dryer!)
Is there anything potentially bad about this? Well, as commenter Chris Drake noted on Google’s post, some of us might be constrained, in security-sensitive workplaces, not to plug arbitrary USB keys into workstations.
Interesting point, particularly given that it was just a few months ago that BadUSB had us wondering if we could ever trust a USB device again, what with their newfound ability to be turned into covert keyloggers, malware spreaders or boobytrappers of backup files.
Hopefully, the third-party USB drive makers using FIDO are on top of that, but we’ll let you know if we learn otherwise.
As for plugging drives in at your workstation, please do check with your IT department first.
I have been using the FIDO U2F YubiKey since it was launched. So far no issues with the key. However, unfortunately Google is currently the only service provider that supports FIDO U2F based login. There is a plugin available for WordPress, but wordpress.com hasn’t installed it. 🙁
I believe FIDO U2F is now supported by other browsers (I heard about Firefox a while ago and believe one or both of the Microsoft browsers).