Skip to Content

A Physical Key to Your Google Account

Google says using a small USB stick to vouch for your identity is more secure than either a password or conventional two-factor authentication.
October 21, 2014

Opting in to Google’s latest security upgrade requires a spot on your keychain for a device known as a security key.

Google says using a security key like this one in addition to a password provides a better way to secure an online account.

The small USB stick provides added protection for a Google account. Once a key is associated with your account, you’ll be prompted to insert the device into a computer each time you enter a password to log in—or, if you prefer, once a month on computers you use frequently. Touching a button on the security key triggers a cryptographic exchange with Google’s login systems that verifies the key’s identity. Security keys can be bought from several security hardware companies partnered with Google, for a little less than $20.

The new approach is primarily aimed at the security-conscious. But the technology involved lays the groundwork for physical devices that displace passwords altogether, says Mayank Upadhyay, a security engineer at Google. Google has been working on ways to replace passwords for some time, because stolen or guessed passwords are often used to take over accounts.

“This is a great first step that solves a problem today but also helps move the ecosystem toward that Holy Grail,” says Upadhyay. He has led work at Google to test whether other physical devices, like smartphones or even a piece of jewelry, could replace passwords (see “Google Experiments with Ring as Password”). This summer, Google announced that it will make it possible to have a Chromebook automatically unlock and log you in to a Google account when your Android smartphone is nearby.

A security key provides a more secure version of two-factor authentication, an approach already offered by some Web companies and many banks that involves logging in with both a password and a temporary code tied to something physically in your possession. Usually a two-factor code comes via a phone app, a text message, or a key fob.

That approach is designed to prevent an attacker from logging into your account remotely. If Apple had offered two-factor authentication for its iCloud backup service, for example, people using it would have been protected against the methods used by hackers to steal the celebrity photos leaked this summer. (Apple has since rolled out the technology.)

However, sophisticated attackers are capable of breaking two-factor authentication. They can steal or spoof codes by intercepting text messages, hacking a person’s smartphone, or breaking into the centralized database used to generate the codes. There is evidence an attack like that on RSA’s SecureID authentication system in 2011 enabled security breaches at defense contractor Lockheed Martin. Google has highly targeted users who may not be safe using existing two-factor authentication systems, says Upadhyay. “We’ve seen all kinds of attacks,” he says.

A security key, such as Google’s, is resistant to remote attacks, because the information needed to copy a key can be obtained only by physically attacking a security chip inside that key. Two-factor authentication is already widely used on corporate networks. Starting early next year, companies that pay Google for e-mail and office software will be able to have their employees use security keys to access these services.

Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University (see “Why Privacy Is Hard to Get”), says that a security key is unlikely to broaden the appeal of two-factor authentication beyond those who already use it. But the technology might gain wider use if promoted and packaged in the right way, she says. “Maybe it will make sense to some people who don’t know much about computer security but can relate to the idea of using a physical key to lock their account,” she says.

A security key bought today could be used with services other than Google’s, if other companies choose to adopt the technology. The device is built on an open standard called U2F, being developed by the FIDO Alliance, a consortium established to reduce reliance on passwords (see “PayPal, Lenovo Launch New Campaign to Kill the Password”).

Stina Ehrensvärd, CEO of Yubico, a startup that sells security keys, says the consortium’s technology creates the right incentives for widespread adoption. “It’s great for Google to go out and show that this works, and I expect many to follow because it’s easy and FIDO allows competition,” she says.

Future versions of the security key will also work with mobile devices, says Ehrensvärd, because the final U2F standard will specify that a key can include a contactless near-field communications chip that most new smartphones can read wirelessly. 

Keep Reading

Most Popular

Scientists are finding signals of long covid in blood. They could lead to new treatments.

Faults in a certain part of the immune system might be at the root of some long covid cases, new research suggests.

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.