Key to Your Google Account

Key to Your Google Account

Google says using a small USB stick to vouch for your identity is more secure than either a password or conventional two-factor authentication.

Opting in to Google’s latest security upgrade requires a spot on your keychain for a device known as a security key.

The small USB stick provides added protection for a Google account. Once a key is associated with your account, you’ll be prompted to insert the device into a computer each time you enter a password to log in—or, if you prefer, once a month on computers you use frequently. Touching a button on the security key triggers a cryptography exchange with Google’s log in systems that verifies the key’s identity. Security keys can be bought from several security hardware companies partnered with Google, for a little less than $20.

The new approach is primarily aimed at the security-conscious. But the technology involved lays the groundwork for physical devices that displace passwords altogether, says Mayank Upadhyay, a security engineer at Google. Google has been working on ways to replace passwords for some time, because stolen or guessed passwords are often used to take over accounts.

A security key provides a more secure version of two-factor authentication, an approach already offered by some Web companies and many banks that involves logging in with both a password and a temporary code tied to something physically in your possession. Usually a two-factor code comes via a phone app, a text message, or a key fob.

hat approach is designed to prevent an attacker from logging into your account remotely. If Apple had offered two-factor authentication for its iCloud backup service, for example, people using it would have been protected against the methods used by hackers to steal the celebrity photos leaked this summer. (Apple has since rolled out the technology.)

However, sophisticated attackers are capable of breaking two-factor authentication. They can steal or spoof codes by intercepting text messages, hacking a person’s smartphone, or breaking into the centralized database used to generate the codes. There is evidence an attack like that on RSA’s SecureID authentication system in 2011 enabled security breaches at defense contractor Lockheed Martin. Google has highly targeted users who may not be safe using existing two-factor authentication systems, says Upadhyay. “We’ve seen all kinds of attacks,” he says.

A security key, such as Google’s, is resistant to remote attacks, because the information needed to copy a key can be obtained only by physically attacking a security chip inside that key. Two-factor authentication is already widely used on corporate networks. Starting early next year, companies that pay Google for e-mail and office software will be able to have their employees use security keys to access these services.

Future versions of the security key will also work with mobile devices, says Ehrensvärd, because the final U2F standard will specify that a key can include a contactless near-field communications chip that most new smartphones can read wirelessly. 

For More Visit Here