Google Locks Down Passwords With Security Key Technology

By Sean Michael Kerner  |  Posted 2014-10-21 Print this article Print
USB security

The technology uses the FIDO Alliance's Universal 2nd Factor protocol to enable highly secured access.

In the race to secure user accounts against compromise, two-factor verification technologies are often recommended as a way to protect users. Today Google announced its embrace of a new form of two-factor authentication by supporting the FIDO Alliance's Universal 2nd Factor (U2F) technology. With U2F, Google's Chrome users will now be able to secure access to Google accounts by way of a physical USB security key device.

Fast IDentity Online Alliance (FIDO) Alliance officially got its start in February of 2013 with the goal of enabling more advanced forms of user authentication to secure user access. Google has offered its users two-step verification for several years by way of its Google Authenticator technology. Google Authenticator is a mobile app that provides users with a one-time password that is used as the second password for access.

Sam Srinivas, vice president of the FIDO Alliance and director of product management at Google, explained to eWEEK that the new security key option is even more secure than existing two-step approaches. According to Srinivas, the security key is a USB device that can be registered with a Google account to generate a cryptographic key. Multiple vendors, including Yubico and Duo Security, now have secure key USB products that are compliant with the FIDO U2F in the market.

"When you need to have a second factor for authentication, now you just insert the security key into your computer and press a button and you get signed in," Srinivas said.

The security key adds an important new layer of security, Srinivas said. The key is not "phishable"—that is to say, it cannot be stolen by an attacker who tricks a user into disclosing a code generated from Google Authenticator or an SMS (Short Messaging Service), he added.

"The security key is the next level of security," Srinivas said. "The browser tells the security key device as part of the protocol what site it's looking at, providing an additional layer of authentication."

The security key technology leverages the U2F protocol, which was developed by the FIDO Alliance. At this point, Google's Chrome is the only Web browser that supports U2F. Srinivas said that as an open protocol, other browser vendors, including Apple, Microsoft and Mozilla, are free to implement the feature as well.

"We can look to a future where this kind of stronger security will enable users with a single device to be able to log in online," he said. "The device registers with each site, and the protocol guarantees a very high degree of security for the user."

While the new security key option provides users with a more secure choice for two-step verification, the existing Google Authenticator method can still also be used. Srinivas said that the security key is an additional option, and users can still fall back to using the Google Authenticator if the security key is not present.

The USB secure key itself can be plugged into any USB port the user has available, including an extension hub. Even if there is an attempt on the user device to intercept the secure key data, an attacker would not be able to access the user's credentials, he said.

"If an attacker taps in, all they'd really see is a cryptographic signature request coming from the Web browser going to the key and then the key signing and sending the request back," Srinivas said. "The signature request is tied to the specific session on a specific browser."

As such, an attacker would not have the ability to intercept a transmission from the secure key and then replay it on another machine to gain access to a user's account.

Michael Barrett, president of the FIDO Alliance, told eWEEK that he is very optimistic about the new U2F secure key support by Google and expects that it will lead to broader adoption.

"This is the first major deployment of U2F at scale," Barrett said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel