In Google’s latest move to improve two-factor authentication for Gmail and other services, the tech giant now offers a small USB-based hardware token that can only be used on legitimate Google sites.
Google's new Security Key system is meant to deter attacks that rely on realistic-looking fake websites built to capture users' credentials, commonly known as phishing sites. Attackers often go to great lengths to create fake Gmail or Google Account pages that look identical to the real ones. They then lure victims through phishing emails or other means into entering their Google account credentials. The attackers then take over the account and can do as they please.
The Security Key Google now offers is a small USB-based token that implements the FIDO Alliance's Universal 2nd Factor (U2F) specification. It is intended for users who want a higher level of security on their accounts, and it can be bought from Amazon and other retailers.
“Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished,” Nishit Shah, security product manager at Google, wrote in a blog post.
Google has offered two-factor authentication for Gmail and other Google services for nearly four years. The current system relies on a simple process: after entering the correct username and password combination, the user must also enter a short verification code delivered to their phone by a mobile app. The system is designed to protect users against attacks and unauthorized logins by requiring the end user to have physical access to the mobile device. That system does not prevent all attacks, though: sophisticated phishing sites can capture credentials, two-factor authentication codes and much more.
“With 2-Step Verification, Google requires something you know (your password) and something you have (like your phone) to sign in. Google sends a verification code to your phone when you try to sign in to confirm it’s you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with,” the company wrote about Google’s new system.
Google's Security Key technology only works in the Chrome browser right now, but if other browsers and more sites adopt the U2F protocol, the same Security Key will work with them as well.
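To make concrete why a U2F signature "cannot be phished", here is a toy model of the origin binding described above. It is an added example, not Google's or the FIDO Alliance's code: real U2F signs with a per-registration ECDSA P-256 key pair, whereas this model stands in an HMAC over the same message layout (hash of appId, counter, hash of clientData) so it runs with the standard library alone; the appId and origin values are assumed.

```python
import hashlib, hmac, json, os
from urllib.parse import urlsplit

APP_ID = "https://accounts.google.com"  # relying-party appId (assumed value)

def _message(app_id, counter, client_data):
    # U2F signs over hash(appId) || counter || hash(clientData)
    return (hashlib.sha256(app_id.encode()).digest()
            + counter.to_bytes(4, "big")
            + hashlib.sha256(client_data).digest())

class SecurityKey:
    """Token side: one secret per registration plus a signature counter."""
    def __init__(self):
        self.registrations, self.counter = {}, 0
    def register(self):
        handle, secret = os.urandom(8).hex(), os.urandom(32)
        self.registrations[handle] = secret
        return handle, secret  # real U2F hands the server a public key instead
    def sign(self, app_id, handle, client_data):
        self.counter += 1
        mac = hmac.new(self.registrations[handle],
                       _message(app_id, self.counter, client_data), "sha256")
        return self.counter, mac.digest()

def browser_sign(key, handle, app_id, challenge, page_origin):
    """Browser side: the U2F facet check refuses an appId whose origin differs
    from the page, and the origin the browser actually saw goes into clientData."""
    if urlsplit(page_origin)[:2] != urlsplit(app_id)[:2]:
        raise ValueError("origin %s may not use appId %s" % (page_origin, app_id))
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    return (client_data,) + key.sign(app_id, handle, client_data)

def server_verify(secret, app_id, challenge, client_data, counter, sig, last_counter):
    """Relying party: the challenge and origin inside clientData must be its own,
    the counter must advance (replay/clone detection), and the MAC must match."""
    cd = json.loads(client_data)
    if cd.get("challenge") != challenge or cd.get("origin") != app_id:
        return False
    if counter <= last_counter:
        return False
    expected = hmac.new(secret, _message(app_id, counter, client_data), "sha256").digest()
    return hmac.compare_digest(expected, sig)
```

A lookalike page that relays Google's real challenge is stopped twice: the browser refuses to use the Google appId from a foreign origin, and even a clientData blob naming the foreign origin fails `server_verify` because the origin is part of what was signed.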