2-Step Verification offers a strong extra layer of protection for Google Accounts. Once enabled, you’re asked for a verification code from your phone in addition to your password, to prove that it’s really you signing in from an unfamiliar device. Hackers usually work from afar, so this second factor makes it much harder for a hacker who has your password to access your account, since they don’t have your phone.
The hardware Security Key is a small USB token that implements the FIDO Alliance’s Universal 2nd Factor specification. It’s meant for users who require a higher level of security on their accounts and users can buy them from Amazon or other retailers now.
The new feature works with a special kind of USB key. You can't just use anything you've got lying around; you need something that's FIDO Universal 2nd Factor (U2F) compliant. Instead of typing in a code from your phone, you just plug in one of these bad boys and press the button, which prompts a cryptographic back-and-forth with Google's servers. That means you not only get the security of a physical second factor (like your phone) but also assurance that the site you're logging into is actually Google, because the key's response is bound to the site it was made for. A lookalike site has no way to fake this.
The Google Security Key system only works in Chrome right now, but if other browsers and additional sites implement the U2F protocol, the same Security Key will work with them, too.

Is Security Key right for me?
Security Key is right for you if you want protection even beyond what using verification codes sent to your phone already gives you. Advantages include:
- Better protection against phishing. With 2-Step Verification, Google requires something you know (your password) and something you have (like your phone) to sign in. Google sends a verification code to your phone when you try to sign in to confirm it's you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it's supposed to work with.
- No mobile connection or batteries needed. Security Key works without a data connection, and you can carry it wherever you go on a keychain or in your wallet.
Here are a couple of cases where you will want to use verification codes instead of a Security Key:
- You use your account only on a mobile device. Security Key requires a USB port to work, so it’s not recommended for mobile-only users.
- You don’t use Chrome. Security Key does not work on browsers other than Chrome.
Google is including Security Key support on all accounts free of charge and it’s not even selling the USB devices directly. It’s actually nice to know that Google doesn’t have a financial stake in this move — it’s about making your data more secure. A compatible U2F USB device can be purchased from any vendor that uses the standard, but most of the current options you’ll find come from Yubico and cost $15-50. As they say, that’s a small price to pay for peace of mind.
As far as we’re aware, you can’t yet make your own U2F USB key. The standard is open, however, so an open-source implementation might appear at some point in the future — assuming it doesn’t require a special hardware feature to be present on the USB stick, that is.