Google announced it is stepping up its two-step verification feature with Security Key, an open standard that lets you log in to an account with a physical device, usually in the form of a USB key. The feature is available in Chrome: instead of typing in a code, you simply insert the Security Key into your computer’s USB port and tap it when prompted by Google’s browser. A password is still required, so a thief wouldn’t be able to log in to your account just by stealing your security key. Conversely, if your account password ended up leaking onto the web, it would be useless without the corresponding security key.
While Security Key works with Google Accounts at no charge, you’ll need to go out and buy a compatible USB device directly from a Universal 2nd Factor (U2F) participating vendor.
Many businesses already use similar devices for security, most notably the RSA SecurID, but this is the first time you’ll be able to use them to log in to a consumer service as popular as Gmail.
In addition to providing a second factor on top of traditional password protection, Google said that the Security Key platform will also seek to foil phishing attacks by withholding its cryptographic signature from a spoof site, preventing such sites from collecting credentials for man-in-the-middle attacks.
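To make the origin-binding point concrete, here is an added sketch (not Google's or the U2F specification's code) of why a spoof site gets no usable signature: the key holds one key pair per origin, the browser passes in the origin it actually loaded, and the origin is hashed into the signed message. The message format is a simplified stand-in for the real U2F authentication message, and the origins and challenges are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a U2F security key: one P-256 key pair per origin, and the private half never leaves the device.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // origin -> key pair minted at registration
}

// Register creates a key pair bound to origin and returns the public key the site stores with the account.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign gets the origin the browser actually loaded the page from, so a spoof site is refused a signature under the real key.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no key registered for " + origin + ": refusing to sign")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// signedData = SHA-256(SHA-256(origin) || SHA-256(challenge)): a simplified U2F authentication message with the origin baked in.
func signedData(origin string, challenge []byte) []byte {
	appID := sha256.Sum256([]byte(origin))
	chal := sha256.Sum256(challenge)
	h := sha256.Sum256(append(appID[:], chal[:]...))
	return h[:]
}

// Verify is the relying party's check: only a signature under the key enrolled for this origin passes, a password alone never does.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(origin, challenge), sig)
}
```

A lookalike origin such as a constructed `https://accounts-example.net` is refused outright, and a signature captured for the genuine origin fails verification if replayed against a different challenge or origin.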
Obviously then, this is a simpler way to perform two-factor authentication, from the user experience perspective. It relies on a specific physical object (the required USB device), which you can carry with you on your keychain, for example. On the other hand, that device seems easier to lose than a phone, so understandably the new system will be opt-in. And you’ll still be able to use the old code-based one if you so choose.