Categories: Hacking, Security

Google improved 2-Step Verification with Security Key

Google has announced the introduction of an improved two-factor authentication mechanism based on a USB token dubbed Security Key.

Google considers cyber security a pillar of its business; the latest initiative announced by the company is an improved two-factor authentication system for its services, including Gmail. The new 2FA process is based on a tiny hardware token that completes the authentication only when users visit legitimate Google sites.

The new hardware, named the Security Key system, is being introduced by the company to prevent attacks based on cloned websites designed to steal users’ credentials. These attacks are becoming ever more sophisticated: security experts at Symantec recently discovered a phishing campaign that abuses the SSL connections used by Dropbox, and in recent months a similar technique was used to host malicious content on the Google Drive storage service.

Phishing is a very common and dangerous practice in the criminal ecosystem: as reported in the latest APWG report, new techniques exploit paradigms such as mobile, cloud computing and social networking.

As explained on the official Security Key page, the hardware used by Google is a small USB token that implements the FIDO Alliance’s Universal 2nd Factor (U2F) specification.

“Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished,” Nishit Shah, security product manager at Google, said in a blog post.

The Security Key is an excellent solution for customers who need strong security for their accounts, typically people who manage sensitive data, but I strongly recommend its adoption on a large scale. Users can buy it from popular retailers, including Amazon.

“If you use 2-Step Verification, you can choose Security Key as your primary method, instead of having verification codes sent to your phone. With Security Key, there’s no looking at codes and re-typing―you simply insert your Security Key into your computer’s USB port when asked.” states Google.

The basic two-factor authentication system implemented by Gmail uses the mobile device as an authentication token. Although this process protects users against account takeover by requiring physical access to the phone, it does not protect them against other types of attack, such as phishing: a one-time code typed into a lookalike site can be relayed to Google by the attacker within its validity window, exactly like the password.

“With 2-Step Verification, Google requires something you know (your password) and something you have (like your phone) to sign in. Google sends a verification code to your phone when you try to sign in to confirm it’s you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with,” Google’s description of the new system says.

The Security Key system will initially work only in Chrome, but according to Google it will soon be available for other browsers and for all websites implementing the U2F protocol.

Google lists the following cases in which users will want to use verification codes instead of a Security Key:

  • You use your account only on a mobile device. Security Key requires a USB port to work, so it’s not recommended for mobile-only users.
  • You don’t use Chrome. Security Key does not work on browsers other than Chrome.

Pierluigi Paganini

(Security Affairs – Security Key, Google)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
