October 22, 2014

People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site.

A $17 U2F device made by Yubikey.

A $17 U2F device made by Yubico.

The U2F standard (PDF) is a product of the FIDO (Fast IDentity Online) Alliance, an industry consortium that’s been working to come up with specifications that support a range of more robust authentication technologies, including biometric identifiers and USB security tokens.

The approach announced by Google today essentially offers a more secure way of using the company’s 2-step authentication process. For several years, Google has offered an approach that it calls “2-step verification,” which sends a one-time pass code to the user’s mobile or land line phone.

2-step verification makes it so that even if thieves manage to steal your password, they still need access to your mobile or land line phone if they’re trying to log in with your credentials from a device that Google has not previously seen associated with your account. As Google notes in a support document, security key “offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.”

Unlike a one-time token approach, the security key does not rely on mobile phones (so no batteries needed), but the downside is that it doesn’t work for mobile-only users because it requires a USB port. Also, the security key doesn’t work for Google properties on anything other than Chrome.

The move comes a day after Apple launched its Apple Pay platform, a wireless payment system that takes advantage of the near-field communication (NFC) technology built into the new iPhone 6, which allows users to pay for stuff at participating merchants merely by tapping the phone on the store’s payment terminal.

I find it remarkable that Google, Apple and other major tech companies continue to offer more secure and robust authentication options than are currently available to consumers by their financial institutions. I, for one, will be glad to see Apple, Google or any other legitimate player give the entire mag-stripe based payment infrastructure a run for its money. They could hardly do worse.

Soon enough, government Web sites may also offer consumers more authentication options than many financial sites.  An Executive Order announced last Friday by The White House requires the National Security Council Staff, the Office of Science and Technology Policy and the Office of Management and Budget (OMB) to submit a plan to ensure that all agencies making personal data accessible to citizens through digital applications implement multiple layers of identity assurance, including multi-factor authentication. Verizon Enterprise has a good post with additional details of this announcement.

100 thoughts on “Google Accounts Now Support Security Keys

  1. Mark in CA

    The Canadian government has already put a system in place to provide strong authentication for citizens accessing government sites. The infrastructure is provided by SecureKey Concierge. Provincial governments are now getting on board with it. http://goo.gl/SAjLqB

    In the U.S., the Postal Service has also contracted with SecureKey to provide the cloud-based authentication infrastructure for the new Federal Cloud Credential Exchange (FCCX). http://goo.gl/iLNnhH

    1. Phil Cooper

      Please explain “USB is fundamentally broken”

      I’ve had a Yubikey for about 6 years now. It’s very secure, and I have never run into a problem using it- even in situations where USBStore is locked down by GPO.

      Sure, I haven’t used it on high-security systems (because they typically have no USB ports, or the USB ports are epoxy-potted to guard against use), but it’s working very well for my uses.

      It’s also been dropped, walked on, driven over, underwater, washed, etc, and has no issues at all.

      1. bob

        I think Wired had a few articles about it not too long ago. And Bruce Schneier also had a few words to say about it.

  2. Jessica Luemen

    Thank you for this article. I have been looking for a 2 factor encryption method for some time now and this really helped. I am just starting up my blog and website, so it isn’t completely ready yet.

  3. Steve Wilson

    I could not get my Yubikey to work correctly in my Gmail account. Is it possible to use the Yubikey for two different online websites?

  4. Kelly Goldberg

    Dear Mr. Krebs,

    Our school district wishes to pilot GAFE, Google Apps for Education. Any thoughts on safeguards for our teens participating? I found this article in Ed Weekly detailing a law suit earlier this year.


    The issue was that Google was freely mining the data to build profiles. I don’t know what if anything can be done to prevent that. I have the option to opt out and refuse to let my kid participate.

    Thank you!


    Kelly G.

Comments are closed.