A Physical Key to Your Google Account
Google says using a small USB stick to vouch for your identity is more secure than either a password or conventional two-factor authentication.
The technical shortcomings of passwords, and the way people use them, are at the root of many computer security incidents.
Opting in to Google’s latest security upgrade requires a spot on your keychain for a device known as a security key.
The small USB stick provides added protection for a Google account. Once a key is associated with your account, you’ll be prompted to insert the device into a computer each time you enter a password to log in—or, if you prefer, once a month on computers you use frequently. Touching a button on the security key triggers a cryptographic exchange with Google’s login systems that verifies the key’s identity. Security keys can be bought from several security hardware companies partnered with Google, for a little less than $20.
The new approach is primarily aimed at the security-conscious. But the technology involved lays the groundwork for physical devices that displace passwords altogether, says Mayank Upadhyay, a security engineer at Google. Google has been working on ways to replace passwords for some time, because stolen or guessed passwords are often used to take over accounts.
“This is a great first step that solves a problem today but also helps move the ecosystem toward that Holy Grail,” says Upadhyay. He has led work at Google to test whether other physical devices, like smartphones or even a piece of jewelry, could replace passwords (see “Google Experiments with Ring as Password”). This summer, Google announced that it will make it possible to have a Chromebook automatically unlock and log you in to a Google account when your Android smartphone is nearby.
A security key provides a more secure version of two-factor authentication, an approach already offered by some Web companies and many banks that involves logging in with both a password and a temporary code tied to something physically in your possession. Usually a two-factor code comes via a phone app, a text message, or a key fob.
That approach is designed to prevent an attacker from logging into your account remotely. If Apple had offered two-factor authentication for its iCloud backup service, for example, people using it would have been protected against the methods used by hackers to steal the celebrity photos leaked this summer. (Apple has since rolled out the technology.)
However, sophisticated attackers are capable of breaking two-factor authentication. They can steal or spoof codes by intercepting text messages, hacking a person’s smartphone, or breaking into the centralized database used to generate the codes. There is evidence that an attack of that kind on RSA’s SecurID authentication system in 2011 enabled security breaches at defense contractor Lockheed Martin. Google has highly targeted users who may not be safe using existing two-factor authentication systems, says Upadhyay. “We’ve seen all kinds of attacks,” he says.
A security key, such as Google’s, is resistant to remote attacks, because the information needed to copy a key can be obtained only by physically attacking a security chip inside that key. Two-factor authentication is already widely used on corporate networks. Starting early next year, companies that pay Google for e-mail and office software will be able to have their employees use security keys to access these services.
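The cryptographic exchange described above, modelled as an added example (not Google’s or the FIDO Alliance’s code, and a simplification of the U2F protocol): the key generates a key pair per origin and never exports the private half, the server keeps only the public key, and each login is a signature over a fresh challenge bound to the site the browser reports. The origins and the “origin|challenge” framing are assumptions chosen for the demo; the output shows why a relayed response or a replayed signature fails where an intercepted one-time code would not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Key models a U2F-style security key: one key pair per origin, never exported.
type Key struct{ keys map[string]*ecdsa.PrivateKey }

// Register makes a key pair for an origin; the server keeps only the public half.
func (k *Key) Register(origin string) *ecdsa.PublicKey {
	k.keys[origin], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &k.keys[origin].PublicKey
}

// Sign is the button touch: sign the challenge bound to the browser-reported origin.
func (k *Key) Sign(origin string, challenge []byte) []byte {
	if priv := k.keys[origin]; priv != nil {
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
		return sig
	}
	return nil // the key was never registered for this origin
}

func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Verify is the server side: fresh random challenge, public key from registration.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(origin, challenge), sig)
}

// Demo: a genuine login, a lookalike origin relaying the real challenge, a replay.
func Demo() (genuine, phished, replayed bool) {
	key := Key{keys: map[string]*ecdsa.PrivateKey{}}
	const real, fake = "https://accounts.example", "https://accounts-example.test" // assumed origins
	pub := key.Register(real)
	key.Register(fake) // the same key may legitimately be enrolled elsewhere
	challenge := func() []byte { b := make([]byte, 32); rand.Read(b); return b }
	c1, c2 := challenge(), challenge()
	sig := key.Sign(real, c1)
	return Verify(pub, real, c1, sig), Verify(pub, real, c1, key.Sign(fake, c1)), Verify(pub, real, c2, sig)
}
func main() { fmt.Println(Demo()) }
```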
Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University (see “Why Privacy Is Hard to Get”), says that a security key is unlikely to broaden the appeal of two-factor authentication beyond those who already use it. But the technology might gain wider use if promoted and packaged in the right way, she says. “Maybe it will make sense to some people who don’t know much about computer security but can relate to the idea of using a physical key to lock their account,” she says.
A security key bought today could be used with services other than Google’s, if other companies choose to adopt the technology. The device is built on an open standard called U2F, being developed by the FIDO Alliance, a consortium established to reduce reliance on passwords (see “PayPal, Lenovo Launch New Campaign to Kill the Password”).
Stina Ehrensvärd, CEO of Yubico, a startup that sells security keys, says the consortium’s technology creates the right incentives for widespread adoption. “It’s great for Google to go out and show that this works, and I expect many to follow because it’s easy and FIDO allows competition,” she says.
Future versions of the security key will also work with mobile devices, says Ehrensvärd, because the final U2F standard will specify that a key can include a contactless near-field communications chip that most new smartphones can read wirelessly.