Google is introducing an improved two-factor authentication system for Gmail and its other services that uses a tiny hardware token that will only work on legitimate Google sites.
The new Security Key system is meant to help defeat attacks that rely on highly plausible fake sites designed to capture users’ credentials. Attackers often go to great lengths to create fake Gmail or Google Accounts sites that look exactly like the real ones. They then lure or direct users to those sites through phishing emails or other tactics to get them to enter their Google account credentials, and use those credentials to take over the accounts.
The hardware Security Key is a small USB token that implements the FIDO Alliance’s Universal 2nd Factor specification. It’s meant for users who require a higher level of security on their accounts and users can buy them from Amazon or other retailers now.
“Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished,” Nishit Shah, security product manager at Google, said in a blog post.
Google has offered two-step verification for Gmail users for nearly four years now. The basic system relies on a short verification code, delivered to or generated on the user's phone, that she must enter along with her username and password when she logs in from a new device. The system is designed to protect users against account takeovers by requiring physical access to the mobile device. But it doesn’t protect against all kinds of attacks, including the use of sophisticated phishing sites: a code is just another secret the user types, so a fake login page that collects it and relays it to Google in real time, before the code expires, gets in with it.
“With 2-Step Verification, Google requires something you know (your password) and something you have (like your phone) to sign in. Google sends a verification code to your phone when you try to sign in to confirm it’s you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with,” Google’s description of the new system says.
The Google Security Key system only works in Chrome right now, but if other browsers and additional sites implement the U2F protocol, the same Security Key will work with them, too.