Security Key offers protection against phishing websites

Oct 21, 2014 15:04 GMT  ·  By

On Tuesday, Google announced support in Chrome for increased authentication protection through USB devices working as a second factor validation for logging into its services.

The move is a more secure form of two-factor authentication (2FA), which requires a supplemental verification code to be entered when accessing an online account. The code is generally sent to a physical device belonging to the owner of the account, but it can also be provided via email to an address controlled by its legitimate user.

New authentication method has limited use at the moment

The new solution is called Security Key and it is a USB device integrating the Universal 2nd Factor (U2F) protocol from the FIDO Alliance. At the moment, it works in Chrome 38 and above for accessing Google services, but other websites and browsers may also adopt it.

“It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported,” said Google Security Product Manager Nishit Shah in a blog post.

Better protection against fraudulent websites

Security Key is intended for security-sensitive individuals, and it checks that the log-in site is legitimate before allowing access.

This check ensures that users do not run the risk of losing their credentials by entering them on a phishing page, even one that has not been uncovered yet.

Phishing websites typically stay online for short periods, until automated systems detect them and the information is passed to web browsers. With Security Key, the risk posed by a fraudulent page is eliminated because the key verifies the legitimacy of the page before the log-in completes.

Security Key uses public key cryptography

“When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished,” said Shah.

The FIDO protocols rely on public key cryptography for more secure authentication. A new key pair is created: the public key is registered with the online service, while the private key is retained by the client. After the username and password are entered, the client proves possession of the private key to the service and authentication is completed; the private key is unlocked locally when the USB device is inserted.

The USB token basically eliminates the need to type in the 2FA code received on the phone, and it works only when the correct website is loaded.
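To show why a challenge signed on the wrong website is useless to an attacker, here is an added example that is not from the article or from the FIDO U2F specification: a simplified Go simulation of the registration and sign-in exchange described above. The token keeps the private key and signs a message that binds together the origin reported by the browser, a signature counter and the service's challenge; the service verifies against its own origin and rejects anything else. The origins, the message layout and the struct names are assumptions for the illustration, and real U2F additionally scopes each key handle to its application so the token would refuse to sign for a foreign site at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token models the USB Security Key. It holds the private key and never
// releases it; it only signs. The origin it signs over comes from the
// browser, not from the page, so a phishing page cannot lie about it.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, lets the service spot clones and replays
}

// Register creates the key pair; only the public half leaves the token.
func (t *Token) Register() (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.priv = priv
	return &priv.PublicKey, nil
}

// signedMessage is the byte string both sides hash (assumed layout):
// SHA-256(origin) || counter (big-endian) || SHA-256(challenge).
func signedMessage(origin string, counter uint32, challenge []byte) []byte {
	o := sha256.Sum256([]byte(origin))
	c := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := make([]byte, 0, len(o)+len(ctr)+len(c))
	msg = append(msg, o[:]...)
	msg = append(msg, ctr[:]...)
	return append(msg, c[:]...)
}

// Sign answers a challenge for the origin the browser observed.
func (t *Token) Sign(browserOrigin string, challenge []byte) (uint32, []byte, error) {
	t.counter++
	h := sha256.Sum256(signedMessage(browserOrigin, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return t.counter, sig, err
}

// Service is the relying party. It verifies against its own origin, so a
// signature produced while the browser was on any other origin fails.
type Service struct {
	origin      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// NewChallenge issues a fresh random challenge for one log-in attempt.
func (s *Service) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify accepts a signature only if it is fresh and bound to this origin.
func (s *Service) Verify(challenge []byte, counter uint32, sig []byte) bool {
	if counter <= s.lastCounter {
		return false // replayed signature or cloned token
	}
	h := sha256.Sum256(signedMessage(s.origin, counter, challenge))
	if !ecdsa.VerifyASN1(s.pub, h[:], sig) {
		return false
	}
	s.lastCounter = counter
	return true
}

// Scenario runs three log-ins against constructed origins and reports which
// the service accepts: the genuine site, a look-alike page relaying the real
// challenge, and a replay of an earlier signature.
func Scenario() (legit, phish, replay bool, err error) {
	tok := &Token{}
	svc := &Service{origin: "https://accounts.example.com"} // constructed origin
	if svc.pub, err = tok.Register(); err != nil {
		return
	}
	// 1. Genuine log-in: the browser is on the real origin.
	ch1, err := svc.NewChallenge()
	if err != nil {
		return
	}
	c1, sig1, err := tok.Sign(svc.origin, ch1)
	if err != nil {
		return
	}
	legit = svc.Verify(ch1, c1, sig1)
	// 2. Phishing: the attacker fetches a real challenge and shows it on a
	//    look-alike page, but the browser reports that page's true origin.
	ch2, err := svc.NewChallenge()
	if err != nil {
		return
	}
	c2, sig2, err := tok.Sign("https://accounts-example.com", ch2) // constructed phishing origin
	if err != nil {
		return
	}
	phish = svc.Verify(ch2, c2, sig2)
	// 3. Replay: resending the genuine signature is stopped by the counter.
	replay = svc.Verify(ch1, c1, sig1)
	return
}

func main() {
	legit, phish, replay, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v, phishing relay: %v, replay: %v\n", legit, phish, replay)
}
```

Running it shows the genuine log-in accepted and both the relayed and replayed signatures rejected. Note that the password is never part of this exchange: even a victim who typed it into the look-alike page has not given the attacker anything the service will accept without a signature bound to the real origin.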

Since it is USB-based, Security Key is not functional on mobile devices, where the regular 2FA code needs to be entered; that fallback remains available to Security Key users. Adopting this authentication method requires a compatible USB device.