October 22, 2014

People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site.

A $17 U2F device made by Yubikey.

A $17 U2F device made by Yubico.

The U2F standard (PDF) is a product of the FIDO (Fast IDentity Online) Alliance, an industry consortium that’s been working to come up with specifications that support a range of more robust authentication technologies, including biometric identifiers and USB security tokens.

The approach announced by Google today essentially offers a more secure way of using the company’s 2-step authentication process. For several years, Google has offered an approach that it calls “2-step verification,” which sends a one-time pass code to the user’s mobile or land line phone.

2-step verification makes it so that even if thieves manage to steal your password, they still need access to your mobile or land line phone if they’re trying to log in with your credentials from a device that Google has not previously seen associated with your account. As Google notes in a support document, security key “offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.”

Unlike a one-time token approach, the security key does not rely on mobile phones (so no batteries needed), but the downside is that it doesn’t work for mobile-only users because it requires a USB port. Also, the security key doesn’t work for Google properties on anything other than Chrome.

The move comes a day after Apple launched its Apple Pay platform, a wireless payment system that takes advantage of the near-field communication (NFC) technology built into the new iPhone 6, which allows users to pay for stuff at participating merchants merely by tapping the phone on the store’s payment terminal.

I find it remarkable that Google, Apple and other major tech companies continue to offer more secure and robust authentication options than are currently available to consumers by their financial institutions. I, for one, will be glad to see Apple, Google or any other legitimate player give the entire mag-stripe based payment infrastructure a run for its money. They could hardly do worse.

Soon enough, government Web sites may also offer consumers more authentication options than many financial sites.  An Executive Order announced last Friday by The White House requires the National Security Council Staff, the Office of Science and Technology Policy and the Office of Management and Budget (OMB) to submit a plan to ensure that all agencies making personal data accessible to citizens through digital applications implement multiple layers of identity assurance, including multi-factor authentication. Verizon Enterprise has a good post with additional details of this announcement.

100 thoughts on “Google Accounts Now Support Security Keys

  1. David T

    ‘…[M]ore secure and robust authentication options than are currently available to consumers by their financial institutions. ‘

    Right. It dismays be that my bank (Chase) doesn’t offer any 2-factor ID. But I can’t find one that does, so I’m stuck with them.

        1. jason

          and…so? Site has to have a valid cert to have valid info? /logicfail

          1. Matthew

            No, not a logic fail.

            While the info may or may not be accurate, a site that is supposedly providing info on security might be expected to meet minimum best practices itself. Not having a valid certificate makes me question everything else they tell me.

            It’s like a Doctor with a cigarette in his hand telling you to stop smoking.

            1. Tont

              The certificate presented isn’t “invalid”. It’s a cloudflare cert. They’re free (and on by default now I think) for cloudflare hosted sites but they don’t include custom hostnames.

              A few hosting companies are doing this now – and it’s good in one sense, but they really should be adding the custom hostnames as SANs.

    1. Dennis A

      My credit union does, in the form of a code called back to my cell phone.

      1. Anthony

        Dennis, if you don’t mind me asking, which CU? I knew CUs were better than banks but not from the technical aspect. Nice!

        1. DennisA

          Sorry to be so late responding (my first trip back here since I posted this AM). Mine is the University of Iowa Community Credit Union. The code call-back is an option one can choose.

    2. Allan Miller

      Bank of America offers two-factor authentication using RSA SecureID. They seem to implement it correctly, asking for a new ID just ahead of any important transaction, heading off a man-in-the-middle attack that scrapes an ID and then dumps the user with an error message.

      1. Bart

        Allan, can this feature be found on the B of A website, or do I have to call and ask for it as was the case with getting a chip and signature credit card?

        1. Allan Miller

          Yes, this is the right link, but be aware that B of A uses the term “SafePass” to refer to both the RSA SecureID and the (relatively insecure) SMS-based one-time codes. So, you have to get the “card”. There is a $20 one-time fee. I’m not sure if you can request it online, I think so. (I did this a long time ago, so I forget the details.)

        1. Allan Miller

          Hmm . . . I’ve always had pretty good luck with B of A customer service. I usually use the “secure mail” option rather than trying to call on the phone, so maybe that has something to do with it.

        2. Bret

          Interesting website link. While I’m sure the comments could be helpful, the overall ranking does not help in bank comparison. I put in the names of 6 different banks, and they all had horrible ratings!

          1. 1776

            Yes, all big banks have terrible customer service. So do telephone land-line and cell, and Internet providers. However, BoA in my personal experience is top-tier losers with customer service.

    3. Matt

      @David Chase does have 2FA … at least the Credit Card site does. If I login from a different PC, it sends me a text. You might have to do some more research.

    4. MFactor

      Bank of the West

      They’re all over personal security!

      1. NotMe

        I use BOTW and have found no offers for better security, in fact they just removed the image verification step from their logon process. In addition they appear to have a slapped together internet services offering that looks like someone took a mainframe and attempted to “weberize” it.

        Please post a link to the BOTW 2fa information, I’d love to see some improvements in their services.

          1. NotMe

            Plus he is “blogging” about 2fa for email, personal email at that. nothing to do with the bank in question

    5. Mark Wolfgang

      My bank doesn’t even allow complex passwords…no special characters and can’t be longer than 8 chars. I think it’s time to find another bank!

    6. Mark Wolfgang

      My bank doesn’t even allow complex passwords…no special characters and can’t be longer than 8 chars. I think it’s time to find another bank!

    7. timeless

      http://twofactorauth.org/ indicates that Chase does have 2fa:

      What you should be dismayed by is that they (Chase) didn’t tell you.

      It actually came up recently, when Chase was breached (at least a database with accounts and passwords was exfiltrated), they said that some customers wouldn’t be impacted because they have two factor authentication enabled. — Unfortunately, I can’t find a citation for that right now.

    8. William Hugh Murray

      Actually Chase does offer strong authentication to some customers. I am not sure how one qualifies but I suspect a business account is one of the hurdles.

  2. Eric

    I saw a story about this yesterday – the details about the underlying technology are very sparse at the moment.

    And to test this, one needs to purchase a physical key (which one can purchase from Amazon – search for U2F). Price starts at 6$ and goes up to 50$. The 50$ key includes other capabilities – the cheaper ones can only be used for U2F.

    I will probably order one just to play with. I have experimented with earlier versions of such keys from a company called Yubico, but those worked differently and were never integrated into a browser (they were integrated with the PasswordSafe that I use to store the plethora of passwords that I have).

  3. Wesley Kerfoot

    “because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with”
    Slight correction here: the current system is a form of cryptography, it relies on a shared secret between you and google (assuming you are using the authenticator app) which it derives nonces from. There is nothing less “cryptographic” about this than this new device :/. Sending random codes over SMS (which is easy to intercept) is criminally stupid of course and people need to stop doing it.

    1. Nicholas Weaver

      It is NOT a shared secret, but a public key setup, with a different public key for every site, with a “Leap of Faith” style initial key exchange.

      The authenticator device supports two operations: “Register” and “Authenticate”

      Register has the device given a 32 byte challenge (nonce) and a 32 byte application parameter. It generates a new public/private key pair (ECC with P-256 as the curve).

      It returns the new public key, a “key handle”, an X509 attestation certificate, and a signature over the public key, application parameter, challenge parameter, key handle, and public key.

      This is then returned to the site, so the site knows the user’s public key with the given key handle. This is a “Leap of Faith” key exchange, that you basically trust in setting up/registering a new token.

      Authenticate takes a 32 byte challenge, 32 byte application parameter, and the key handle, and returns “was a user there”, a 4 byte counter of the # of signatures this device has done in its lifetime, and a signature over the app parameter, user presence, counter, and challenge.

      This is then returned to the server, which can now verify that the signature was created by the private key associated with that user.

      1. Wesley Kerfoot

        Thanks for the explanation. I was under the impression that it was using the standard TOTP protcol but I guess they developed their own protocol, fair enough!

        1. Nicholas Weaver

          Overall, the protocol is very cute and well done: Its designed to not just say “the device is in the computer” but “a human is at the computer” because at least some devices like the YubiKey device have a push-button that must be pressed.

          It is also, blessedly, a very dumb crypto protocol: it doesn’t try to be fancy, it doesn’t support lots of variant curves or anything else.

          It does need the addition of “User consent for transaction”, basically a “display string/audio string” pair that is also included in the signing and needs to be played before the user presses the button in order to enable authenticating transactions rather than just devices, but that would be easy to extend into the protocol.

          The only distant worry I have is P-256 itself: it has NIST-defined magic numbers which make people worry. I’d be more comfortable with good, ol 4096b RSA for the public key operations, but I’m paranoid on math I do not understand, and really paranoid on crypto with such opaque magic constants as the NIST curves use: dual-EC was a wake-up call.

  4. GuitarBob

    I do not need/use a mobile phone, so the current 2FA leaves me out. I guess there are a few of us, so I hope more consideration is given to us.

    1. BrianKrebs Post author

      Bob, why do you say the current 2FA leaves you out if you don’t have a mobile phone? That’s exactly what this approach was designed for.

    2. Liquidretro

      Google also offers to call you (Landline) to give you a code if you want.

  5. george

    Interesting development .. But need to use Chrome (ie no FF, IE, Opera, or Safari), and need to BYOD.. Prices $6-$60, but only 3 choices, who knows what’s the right thing to buy for this, etc.

  6. Jeff

    I applaud the intent, and agree that banks do seem to be hugely behind on this technology.

    That said, I do hope they’ve checked that these keys aren’t vulnerable to Bad USB variants. I wouldn’t want to engage in two-factor authentication & discover malware has just gone a further step to infecting my USB token and harvesting its data (either in advance or in real time)

      1. Stephen H

        Peter, is that just Yubico or is it part of the standard? If the standard permits firmware-upgradeable USB then it is not secure.

        1. bob

          @Stephen H

          USB spec requires firmware to be updatable by anyone. They might be re-thinking this…

          Yubikey breaks the spec.

          1. Phil Cooper

            So what?
            They break the spec- there’s a damn USB spec for the side of the connector the USB symbol is to be printed on. I have a few devices which are therefore “out of spec” and have been working just fine for 10+ years.

            “Out of spec” does not mean it’s broken or useless. In the case of a security dongle that needs to be hardened against attack, I WANT the “firmware upgradeable” business to be disabled. The device is cheap, if it goes bad in the future (and again, these things are extremely durable, I’ve been using yubico products for over 6 years), I will buy another one.

        2. Peter in LA

          Stephen H,

          To the best of my knowledge it’s just Yubico, and it does seem to be a sensible approach IMHO.

  7. TheOregnoRouter.onion.it

    Note here that I read that these Gmail and Google security tokens ( Example Yubikey) log-in’s , only work with Chrome and not with Firefox and Internet Explorer

  8. nullsteph

    Last I checked, this didn’t work with Google Voice numbers!

    1. Koob

      I use google 2fa with Google Voice every day. It will text or call me my verification code. I also use it with Microsoft 2fa.

  9. Peter in LA

    I’m interested in this because I don’t have a mobile phone, and the landline I do have has no display so 2FA using texts can’t work for me.

    So I’ve ordered the cheapest unit I could find ($5.99+shipping that claims to be $2 – from Plug-up Intl in France) as a test.

    The amazing thing is the stark contrast in pricing: the most expensive unit (from a different provider) costs $60 + shipping.

    There are also two forms of dongle available: one is U2F, the other UAF.

    I have a 2FA fob from PayPal that’s worked well for me for some years now, and only cost $5. Bank of America briefly offered a similar unit but for $35, and they don’t seem to have kept it going (probably because at that price they had few takers).

    Since I’m stuck with Windoze XP SP3 (my hardware can’t support later MS OS and I have $0 available for a new machine) I need something other than the flakey EMET, the free version of ZoneAlarm, and various on-demand antivirus scanners such as ClamWin, to try and help keep me as secure as I can be.

    (And yes, I have explored Linux, but for now I’m stuck with Windoze because almost all of my development is for that environment; I will be (slowly) making the transition, though.)

    1. William Hugh Murray

      Googlee’s landline option “speaks” the OTP to you. It uses spoken language. Requires no display. Will work with an iron phone.

      The Google implementation is very well thought out. Please do not over complicate this. The number of applications and environments in which none of the options work is vanishingly small.

      Please do not make the perfect the enemy of the good. That is a large part of the resistance to strong authentication. It is an argument that we apply only to the technology we are not using. If you want to use it, try it on passwords first.

      1. Peter in LA


        What you say is only partially true. However, Google cannot handle landline numbers that have extensions, which is my situation (my home number requires navigation through a PBX; it used to be possible to handle such situations by incorporating commas (as pauses) to allow such navigation – usually for fax numbers – but Google does not allow non-numeric characters in the phone number).

        I checked to see whether I could be sent a spoken token through Google Voice (linked to a cellphone that is no longer functional) but it fails; the connection is made but the call is dropped before the voicemail message completes.

        I have written to Google in the past to suggest that they consider including a provision to allow the use of extensions for home numbers but never received a response.

    2. Cavoyo

      First of all, use a browser other that IE. XP is stuck with the outdated IE8, while Chrome and Firefox will be updated on XP for the foreseeable future.

      Disable browser plugins you don’t use, and consider setting the plugins you do use to click to play.

      Use the noscript addon. Noscript can be a little difficult to configure (a lot of sites need JavaScript enabled) but it makes many exploits, from JS interpreter vulnerabilities to XSS, very difficult if not impossible.

      Use Sandboxie. It keeps the new and modified files that a program makes in their own sandbox, and you can delete the changes when you close the program. This makes it hard for a virus to stay on your system. It also makes it difficult for ransomware like Cryptolocker to encrypt all your files. Just empty your sandbox and your hard drive’s back to normal.

      Use HTTPS Everywhere, especially if you use WiFi. This plugin makes it harder for your traffic to be snooped on by opting to encrypt traffic with sites that support it.

  10. Ross

    It’s ironic that Google is trying to secure it’s user’s information between the browser and company servers while many, if not most, financial institutions with far more dangerous personal information rely on antiquated measures. For a long time at least one bank I know of required IE 6 till it was EOL because it was “more secure than it’s alternatives” Said so right on it’s website.

    What’s even more ironic, is that the information on Google’s servers is not safe even then. Google markets, uses internally and sells services based on that data to ‘partners’ harvested from all Google services. It also is required by law to share all pertinent information to law enforcement or the various spy agencies of at the very least the US and UK governments. So even if the middle man snooper is cut out, that information is still not safe.

    1. NotMe

      It’s not ironic it is simply greed.
      It costs the bank money so they don’t invest in it unless they can bilk the consumer for “service fees”.

      At least with Google you knew when you signed up what the cost was. Your information would be used to market to you.

      When I use the bank I expect to pay for service and get that service, but instead I get service fee’d to death and receive crappy security.

  11. Paul Barwick

    I ordered the middle priced key ($20) yesterday to try out. As far as the problem of using the key with a mobile phone, I noticed that one of the more expensive keys has NFC capabilities. That would seem to take care of that problem, as long as it works with the Google implementation. That particular model key sold out quickly.

    These keys appear to be a brand new product on the market, and I would expect many more to show up and the price to drop quickly, probably down toward the $6 that the one shipping from France costs. I almost bought that one, but the delivery was estimated to be the end of November to the middle of December.

    I would love to see my credit union adopt something like this.

    1. confused

      I’m confused, I saw some youtube videos on how crooks can clone your information using nfc scanners… so how is nfc technology an advancement in security?

      1. David Fetrow

        I was referring to Google Authenticator, which generates a 6 digit code that must be entered in addition to password in a shortish time window. Google can send that code via SMS or you can run an app to generate the code. Having accuratish clocks is a requirement for the latter.

        The NFC stuff used in Google Wallet is a different beast.

        So Many Standard to Choose From!

      2. William Hugh Murray

        NFC offers no security. The security must be in the application. For example, if one uses it to pass a one-time digital token, it matters not if it is intercepted.

        For example, Apple Pay passes an EMV token. It is orders of magnitude safer than an RFID credit card, which uses the same contactless reader as Apple Pay but which passes the credit card number and the owners name.

        (While it is true that an RFID card can be read in your pocket, the reader must be within inches. if one gets that close to where I carry my credit cards, one is likely to get an elbow to one’s nose.)

        1. Tony Smit

          Another reason I should stop carrying my wallet in my back pockets.

  12. Jeff Hall

    So where does this leave Google Authenticator?

    On the subject of why banks don’t offer 2FA to their consumer customers, it comes down to a support issue. Those banks that experimented with 2FA back more than a decade ago, found that too many people lost/misplaced their fobs. In addition, the 2FA process apparently was more than a lot of people could handle. The bottom line was it was a customer support nightmare. People blamed the bank for their own stupidity/incompetence. Rather than educate, the banks bailed.

    1. Jason

      GAuth isn’t going away. This is just one more option. I personally prefer GAuth. It’s not really something you have, but rather something you know (a long pre-shared secret) which is used to generate TOTP. The nice thing is that I can have it on my Android device, or anything that can a GAuth app(let). I just need to have my pre-shared secret (of which I have a copy printed out in my safe) and I’m able to use it again. Downside is that if my phone were to be hacked, potentially this pre-shared secret would also be compromised (along with my stored Google password).

      1. Philip Ngai

        “I just need to have my pre-shared secret (of which I have a copy printed out in my safe)”

        What do you think of taking a picture of the QR code displayed during setup and storing those pictures on a SD card in a safe deposit box? You would use the picture to setup Google Authenticator instead of directly from your computer monitor to be sure the picture was readable.

    2. William Hugh Murray

      Google’s strong authentication offers options to minimize the support cost. The user even has backup options that can be invoked on a per use basis.

      By the way, if my little three branch bank can offer strong authentication as an option, any bank can. For most banks it is an option in the software or service that they are already paying for. All they have to do is turn it on and let the customer choose.

    3. Phil Cooper

      Security ALWAYS has one major problem:

      the meatsack using it. People are the weakest link. Anyone that works in security knows this, and I can’t imagine anyone making an effective argument against it.

  13. BobbyB

    I’ve been quite happy with Google Authenticator on two Android phones for 2FA with critical Google, Amazon AWS and LastPass credentials… the printed ‘one-time use’ codes are a great failsafe. No SMS involved.

    1. David Fetrow

      Google Authenticator is also more general than this is (yet). One can have authenticator (program on iphone, android, whatever) do 2nd factor authentication against, for instance, a Linux workstation.

      You can have multiple keys running at once so the Google account authentication code can have nothing to do with the code for the workstation (except of course they are running the same algorithm).

      ..and, as you said, no SMS involved.

      Happy to have the option of a hardware token though.

  14. Gyre

    I am currently using Symantec Vip access app for my iPhone.
    I started using it after my paypal token died.

    Seems to be a reasonable alternative.

    When are companies like Amazon going to offer 2FA for their users?
    I’d sure feel a lot better knowing that there’s something there in adddtion to my crappy password.

    1. William Hugh Murray

      I have the same question. However, I remain comfortable using Amazon because they confirm every transaction out of band.

      I am much more concerned that they use strong authentication for insiders. eBay did not. After their breach, I closed my account and sold my stock. As of June, Facebook did not. They are a breach we have not heard about yet.

  15. IA Eng

    So its Google proprietary….

    What if there is an unknown/undiscovered bot or malware on that device that now has authentication rights? Will it be able to authenticate as well? Probably.

    So, in other words, it may knock out hijacking and MItM attacks, but thats about it.

  16. TheOregnoRouter.onion.it

    A bigger problem is with smart phones and tablets, which typically don’t have full-sized USB ports Furthermore, this type of token log-in could be enabled by way of a newly developed Bluetooth enabled device :–)

  17. Oliver

    I already use Google’s Authenticator application on my smartphone for 2FA, will that continue to work even if I get a U2F key (i.e. so I can authenticate with the app if I don’t have the key available and vice-versa)?

  18. Elaine

    I recently applied for Medicare using the government’s online website.

    There was no request to provide proof of who I am. All I needed was my name, SSN, date of birth and place of birth. Anyone who had the correct information could have applied and been approved.

    Clearly, the federal government is lax in any type of identity security at least in this case.

    1. Tony Smit

      Brian has written articles about the Social Security Administration website and Medicare fraud. I don’t know if any of the information would be helpful to you. You might have to go personally going to the local Social Security offices to ask for information about securing your identity.

      Crooks Hijack Retirement Funds Via SSA Portal

      “Meanwhile, some banks with customers that have been burned by fraudulently diverted SSA payments are beginning to back away from managing SSA account payment changes for customers, Maher said. Increasingly, those banks are directing customers to make such changes at their local SSA office or at the SSA’s new portal. Maher said that’s because the government recently instituted a process for reclaiming funds that are fraudulently transferred to accounts that were not authorized by the beneficiary.”


      You can search for more articles in search engines with these phrases :

      Social Security site:krebsonsecurity.com
      Medicare site:krebsonsecurity.com

  19. Gerhard Oosthuizen

    There are a number of U2F and UAF certified providers. The tech provides certificate based second factor authentication.
    OTP’s, either via SMS, voice call or authenticators are not Out of Band, which means that they can still be harvested during Man in the middle attack. And of ofcourse we know they are also subject to various standard malware kits.

    So U2F is a definate step forward. It’s still not the end game yet. Would be even better if you could confirm the details of the transaction on the second factor /something you have device’s display. A number of providers offer such MFA solutions on your mobile phone (so not another device to carry around).

    [Disclosure: I work for one of those mobile MFA security providers that are on the certified list, called Entersekt.. Even if you don’t use our stuff, plesse just switch on MFA for al your cloud providers.]

  20. Hollywood Bob

    I called Wells Fargo to see if they have 2-factor login options. The person on the line assured me of all the safeguards their website offers. But, I said, all that’s required is username and password.

    I was then directed to an “expert” who wanted me to pay $12.99/month for ID protection.

  21. 2FA

    I use an iPod Touch to run Google Authenticator and Authy and it works well. So you do not need a smartphone to do 2FA with Google if you do not want to use this new U2F.

  22. Berend de Boer

    Krebs: I find it remarkable that Google, Apple and other major tech companies continue to offer more secure and robust authentication options than are currently available to consumers by their financial institutions.

    You need to insert the word US here, people in other countries have been using two factor authentication for almost two decades.

    1. timeless

      I’ve seen some countries deployed 2fa, and I wasn’t impressed.

      Finland especially mostly relied on a printed card.
      If you took the card out in public, you basically gave away all of your secrets to anyone in the room (including all cameras).

      There are only a few kinds of 2fa out there:
      1. pre shared values (Google issues these as backup numbers, the paper/plastic cards from banks fall in this category)
      2. token generators (the subject of this article)
      3. out-of-band notices (SMS, voice calls)
      4. PKI certificate devices

      The first kind is subject to the flaw I describe. The version Google uses is a text file, and you can safely split its 10 numbers into individual strips — which means it shouldn’t be at risk. The bank version because of jumping “security” behaviors means that you will almost certainly be searching the whole card for the answer — while someone else is capturing the contents of the entire card.

      The second is what is described in this article. There might be some countries which use this model. I’m not aware of any.

      The third is used in some European countries and is vulnerable to MITM and Malory-at-the-endpoint. http://www.scmagazineuk.com/34-european-banks-hit-by-android-app-security-attacks/article/362424/

      The fourth is used by some countries (a number in Europe, as well as South Korea). Current news on this: http://www.theregister.co.uk/2014/10/14/south_korea_national_identity_system_hacked/

      I have instances of 1 (from Google) and from a European bank.
      I have instances of 2 (from RSA via various employers).
      I have instances of 3 (from Twitter, Facebook, Google, and a number of other providers).
      I have an instance of 4 from a European country.

      On that last one, it involves you setting a password and carrying around an ID which is the PKI card. I lost the password shortly after applying for the card (actually, I had the same problem w/ items from 2 which required passwords to supplement their tokens). This is more or less the problem that the US banks encountered when they tried to deploy 2fa: If a user doesn’t use something regularly, the user will lose it. It doesn’t matter if it’s physical, virtual, or memetic — anything you have and don’t use, you will lose. And if you don’t lose it, 9 out of 10 people who are more average than you are will.

      1. William Hugh Murray

        We MUST NOT allow the perfect to be the enemy of the good. Please apply all your arguments to UID and passwords before you apply them to stronger solutions. Strong Authentication does not provide perfect security. One still needs out of band transaction confirmation, usage based controls, and multi-party controls. Even these are not perfect but they are efficient.

  23. spacewalker

    When is someone out there going to re-do USB from the ground up so it’s secure?
    And I agree that if P-256 is in use, it’s been said the gov’t purposefully picks things it knows the math backdoors to breaking, so between the gov’t and google I would trust this one either if trust needed to include no gov’t snooping.
    And I agree and am aggravated with banks and bill pay sites that don’t even use basic 2fA of any sort, and some sadly still have a max password length of 8!

    1. William Hugh Murray

      That is an over-constrained problem. USB stands for UNIVERSAL serial BUS. When one understands that, one understands why security must be supplied by higher layers.

  24. Peter in LA

    Only after I placed my order for a U2F device did I see a page from Google that restricts the use of such a device to Chrome v38 or later. I have v31, and when I check for updates, I’m told I have the latest version.


  25. Oneula

    There’s allot of options out there. But most large retail systems have been trending toward using something like Trusteer in the background with in the online app to monitor for and possible clean malware from customer’s PCs. I think most of the large retail FI’s are using Trusteer in their consumer online apps. 2factor is great as are tokens, digital certs etc etc. But they are a PIA to manage and maintain across the entire user base. Some of the most harden stuff goes toward large commercial and business systems where the dollar losses have been and continue to be significant. The CFPB guards consumer accounts with avengence ask any banker. So taking a financial loss as a consumer is much less a possibility than a business of any size. Multifactor, Biometrics, Hardware Tokens, Secure Browsers/USB Sticks and Live CD are all yesterday’s technology in the commercial space. Nothing beats a live call back to a predesignated number and talking to live “previously authorized”person for confirmation. That’s why the card networks still do it with all the neural network horse power they have..

  26. Eric

    What I find interesting is the total silence coming from Mozilla. Google and Microsoft are already involved. And if you look at the organizations that are members of the FIDO Alliance, there is an impressive list of banks and technology companies. But no word from Mozilla..

  27. Antoine

    So no 2-step security key for Mobile, I love new standard that relies on USB !!! I think the U2F standard is a joke designed by Google and Yubikey to sell more hardware. As a reminder, Today in 2014 access google accounts on their phone or tablet which (as a reminder) don’t have USB port.

  28. HackerHurricane

    Being a Lastpass fanatic, I would recommend NOT getting this model of FIDO YubiKey.

    The one you should get needs to support LastPass AND Google, so look at the NEO and NEO-N for more $$ but save you the hassle of having 2 fobs.

  29. Robert.Walter

    How vulnerable is this USB key to the recently announced USB hack?

    1. Tony Smit

      I don’t know, but I would not plug it into any USB daisy chains or USB hubs. Only into a socket soldered to the motherboard.

  30. mbi

    Some banks do offer 2-factor authentication, but only for their business customers. At Citibank I was given a token to generates a different encrypted number I enter along with my ID and password to get access to my online account.

Comments are closed.