Google launches FIDO-compliant 2FA USB key for Chrome and Gmail

Google has souped up its two-factor authentication (2FA) login process with the launch of Security Key, a physical USB device that only works after verifying the login site is truly a Google website.

Google selects hardware security

The feature is integral to the company's Chrome browser, meaning that instead of typing in a mobile phone authentication code, users insert the Security Key into the computer's USB port, tapping it when prompted by Google's browser.

According to Google, Security Key has two key advantages over a mobile phone-based authentication system: enhanced protection against phishing, and no need for batteries or a cellular connection.

SCMagazineUK.com notes that, whilst Security Key works with Google accounts, users will need to buy a compatible USB device directly from a Universal 2nd Factor (U2F) participating vendor.

This is an important feature, as Google has been talking openly about using a federated approach to authentication for several years now, centering on the concept of being able to use the same login authenticator on multiple websites and services.

Since Security Key in Chrome incorporates the open U2F protocol from the FIDO Alliance, other sites with account login systems can use the feature as well. For its part, Google says it hopes other web browsers will add FIDO U2F support soon.
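The phishing protection described above comes from U2F tying each credential to the site it was registered with. The following is an added example, not code from Google or the FIDO Alliance: a simplified Node.js model of that binding, in which the class and function names, the in-memory key store and the two origins are constructed for illustration.

```javascript
// Simplified model of U2F origin binding; all names and origins are constructed.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Signed payload layout in U2F: appParam(32) | presence(1) | counter(4) | challengeParam(32).
function signedBytes(appId, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(clientData)]);
}

// Simulated token. A real key wraps or derives the private key from the key
// handle; a Map stands in for that here (assumption for the example).
class SimulatedKey {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const keyHandle = randomBytes(16).toString('hex');
    this.keys.set(keyHandle, { privateKey, appId });
    return { keyHandle, publicKey };
  }
  authenticate(appId, keyHandle, clientData) {
    const entry = this.keys.get(keyHandle);
    if (!entry || entry.appId !== appId) return null; // handle was not issued for this site
    this.counter += 1;
    const signature = sign('sha256', signedBytes(appId, this.counter, clientData), entry.privateKey);
    return { counter: this.counter, signature };
  }
}

// Browser role: it fills in the origin itself, so a page cannot claim another site's.
function browserGetAssertion(key, pageOrigin, keyHandle, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  const assertion = key.authenticate(pageOrigin, keyHandle, clientData);
  return assertion && { clientData, ...assertion };
}

// Relying-party role: check origin and challenge first, then the signature.
function verifyAssertion(publicKey, expectedOrigin, challenge, resp) {
  if (!resp) return false;
  const cd = JSON.parse(resp.clientData);
  if (cd.origin !== expectedOrigin || cd.challenge !== challenge) return false;
  return verify('sha256', signedBytes(expectedOrigin, resp.counter, resp.clientData), publicKey, resp.signature);
}

// Constructed origins: the real login site and a look-alike.
const REAL_ORIGIN = 'https://accounts.example.com';
const LOOKALIKE_ORIGIN = 'https://accounts.examp1e.test';
```

Registering on `REAL_ORIGIN` and then calling `browserGetAssertion` from `LOOKALIKE_ORIGIN` with the same key handle returns `null`, so a look-alike page obtains nothing it could forward to the real site.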

Get safe online

Andrew Mason, co-founder and technical director with Randomstorm, the IT security consultancy, said that he welcomes the announcement of Security Key, which he notes is perfectly timed ahead of Get Safe Online Week.

"However, Secure Key could well be a side project, developed as part of Google's 80/20 policy to foster employee innovation. There is no support offered and if insufficient organisations adopt Secure Key, it could be dropped without warning. This would create a window of vulnerability while organisations replaced it with another commercial 2FA USB technology such as Yubico, or Swivel Secure," he said.

Mason added that he would sound a note of caution for any corporation considering adopting Security Key to add a layer of defence to cloud-based applications that store sensitive data, and would advise them to consider selecting commercial second-factor technology first.

"Apple iPad and iPad Minis don't have USB ports, so Apple fans will need to carry on using Google Authenticator to enjoy 2FA on their Google Apps. It would be great to see Google Secure Key integrated with Touch ID on the latest Apple devices. We've been using Google Authenticator 2FA to secure access to our applications for some time because it supports users that want to access their Gmail from their iOS devices. However, we are aware that it's not supported and could be dropped at any time," he explained.

Bob Tarzey, an analyst and director with Quocirca, was also welcoming about Security Key, which he said is a lot less complex to use than the existing Google 2FA technology.

"A single hardware token should be more straightforward. The support for FIDO is important; this will enable the Google strong authentication to be used for other services that choose to accept it. The endorsement is great news for the FIDO Alliance that promotes the standard. The announcement brings the future reality of social login one step closer - if Google users opt to use the new tokens, then this will increase their confidence to use their Google credentials more broadly," he said.

"The future where we choose one social identity, with strong authentication, for many services will increase security not just because it is more secure, but because overall we will have fewer passwords etc., to manage," he added.

Question mark

Sarb Sembhi, a director with STORM Guidance, also welcomed the move to hardware-based 2FA technology by Google, but cautioned that there is still a question mark over the security of email and other data flowing between Google's servers and those of third-party companies.

"Overall, I think it's excellent news, as a major company like Google getting behind hardware 2FA logins is bound to have a positive effect on authentication adoption across the entire industry," he said, adding that, whilst most people are not that worried about privacy issues relating to Google's many services, the security aspect is always uppermost in many people's thoughts.

Sembhi, who is a leading light in ISACA, the not-for-profit IT security association, said that he expects to see the Security Key technology being supported by a number of other websites and services, eventually allowing users to carry around a single authenticator that gives secure access to a wide range of online facilities and services.