Google is improving its two-step verification feature with what the company is calling Security Key, which is essentially a physical USB device that can replace passwords. All a user has to do is tap the key when prompted by Google Chrome.
Two-step verification means two methods are used to access an account. Often these are a password and possession of a mobile device. In the case of the Security Key, users will be able to use it in conjunction with a password or something similar.
"The Security Key is the next level of security," said Sam Srinivas, vice president of the FIDO Alliance and director of product management at Google. "The browser tells the Security Key device as part of the protocol what site it's looking at, providing an additional layer of authentication."
According to Google, Security Key has two advantages over a mobile device for two-step verification. The first is better protection against phishing. Some hackers are able to set up lookalike websites that ask users to provide verification codes. Security Key uses cryptography instead of verification codes and only works with the websites that it's supposed to work with. The second is that Security Key does not require a mobile connection, as a mobile device would.
"When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished," said Google in a statement.
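The origin binding described above can be modelled in a few lines. This is an added example, not Google's or the FIDO Alliance's code: it simplifies U2F by treating the appId as the site's origin and omitting key handles, and the class and function names, the `.test` hostnames and the challenge are constructed for illustration.

```javascript
// Added example: simplified model of a U2F sign operation, not Google's code.
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Bytes covered by the signature: SHA-256(appId) | presence | counter | SHA-256(clientData)
const signedBytes = (appId, counter, clientData) =>
  Buffer.concat([sha256(appId), Buffer.from([0x01]), counter, sha256(clientData)]);

// Security Key model: one P-256 key pair per appId (key handles omitted).
class SecurityKey {
  constructor() { this.keys = new Map(); this.count = 0; }
  register(appId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(appId, privateKey);
    return publicKey; // stored by the website at enrolment
  }
  sign(appId, clientData) {
    const key = this.keys.get(appId);
    if (!key) return null; // no credential exists for this site
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++this.count);
    return { counter, signature: crypto.sign('sha256', signedBytes(appId, counter, clientData), key) };
  }
}

// Browser model: the browser, not the page, writes the origin into clientData.
function browserSign(key, pageOrigin, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  const result = key.sign(pageOrigin, clientData);
  return result && { clientData, ...result };
}

// Website (relying party) check of a login response.
function verifyLogin(publicKey, appId, challenge, response) {
  if (!response) return 'no-response';
  const clientData = JSON.parse(response.clientData);
  if (clientData.challenge !== challenge) return 'bad-challenge';
  if (clientData.origin !== appId) return 'wrong-origin';
  const data = signedBytes(appId, response.counter, response.clientData);
  return crypto.verify('sha256', data, publicKey, response.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario: the real site, and a lookalike that relays the real site's challenge.
function demo() {
  const REAL = 'https://accounts.example.test', FAKE = 'https://accounts.example-login.test';
  const key = new SecurityKey();
  const publicKey = key.register(REAL);
  const challenge = crypto.randomBytes(16).toString('base64');
  return {
    genuine: verifyLogin(publicKey, REAL, challenge, browserSign(key, REAL, challenge)),
    lookalike: verifyLogin(publicKey, REAL, challenge, browserSign(key, FAKE, challenge)),
  };
}
```

Unlike a typed verification code, the response on the lookalike origin never exists: the key holds no credential for that origin, and the website would also reject any response whose browser-written origin differs from its own.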
Users will be able to use Security Key for free, but they will have to purchase a compatible USB device from a Universal 2nd Factor (U2F) vendor.
Security Key incorporates the open U2F protocol from the FIDO Alliance, so other websites that use the same technology will be able to use Security Key. Users of both Chrome and other Google services should definitely consider Security Key. Those who don't use other Google services may find it worthwhile to check which of the websites they regularly visit are compatible with the service.
Currently, Chrome 38 and above are the only browsers to support the FIDO U2F standard, but Google says it hopes other browsers will add support.
"We congratulate Google for making FIDO U2F authentication an option for their users," said Michael Barrett, president of the FIDO Alliance. "With large-scale deployments of FIDO UAF in payments applications from PayPal, Samsung, AliPay, Nok Nok Labs, and Synaptics, and today's announcement of FIDO U2F authentication by Google, there is no doubt that a new era has arrived."