Is it great news or what that Google is looking into USB security keys for its 2-step verification process? Google recently announced that it wants to move to Security Key technology for 2-step verification. Google is the first to adopt the Fast Identity Online (FIDO) Alliance's second-factor authentication, or U2F. The FIDO Alliance is a group of nearly 120 companies, including Microsoft and Google but not Apple, that supports better online security through open technologies. The Alliance's support for open technologies, and what it means for letting users securely log in to all of the supported services through this security key, is worth considering.
The way 2-step authentication works now is that the user logs in to the respective service with a username and password, and the service then sends an SMS or e-mail notification containing a code, which the user enters to be allowed in. This is a great security mechanism for the security minded; however, there are occasions where the second step can turn into a pain. For example, if the user receives the code by SMS (data rates apply, of course), the user is relying on the cell-phone service and on strong signal reception. When reception is bad, the code will not reach the user, and in times of urgency that could be costly. To avoid this pain, users download an app for the respective service which has pre-installed codes that allow them to log in to the service. The security of using an app with pre-installed codes for authentication can be debated as well.
That is why the new approach of using a USB security key for 2-step verification can be considered advantageous. Users will have to buy this USB key for about $20, and it will act as the second medium for verification. The USB key will have a built-in chip which supports public-key encryption, only via Google's Chrome browser (at the moment). Chrome will verify the security process for the encryption and decryption, of course. What this means is that users will have to use Chrome in order to use this USB security key for any 2-step verification service. Users of any other browser will not be able to complete the 2-step verification process with the key. The USB security key only supports Chrome at the moment and might be adopted by other browsers in the future. This might make some paranoid types uncomfortable, which is why Google recommends that they not switch to this new means of authentication and stay with the old way. Others who are not concerned about using Chrome and Google's tweaked cryptography algorithms can most certainly take advantage of this new means of 2-step authentication. It will give users more security against attacks like phishing, keylogging, and man-in-the-middle.
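
The following is an added sketch, not code from this post, Google or the FIDO Alliance, of why a response signed by the key holds up against phishing where a typed SMS code does not. It is a simplified model rather than the actual U2F message format, and the origins, the code value and every function name are made up for illustration.

```javascript
// Added illustration: simplified origin-bound challenge-response.
// Not the real U2F message format; all names and values are constructed.
const crypto = require('node:crypto');

// Registration: the key makes a P-256 key pair; the service keeps only the public half.
function registerKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, publicKey };
}

// Login, browser side: the browser (not the page) supplies the origin that gets signed.
function signWithKey(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Login, service side: signature first, then challenge freshness, then origin.
function verifyAssertion(publicKey, expectedChallenge, expectedOrigin, assertion) {
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', data, publicKey, assertion.signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return 'wrong-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'accepted';
}

// SMS-style check: the service sees only the digits, not where the user typed them.
function verifySmsCode(expectedCode, submittedCode) {
  const a = Buffer.from(expectedCode), b = Buffer.from(submittedCode);
  return a.length === b.length && crypto.timingSafeEqual(a, b) ? 'accepted' : 'rejected';
}

function demo() {
  const REAL = 'https://accounts.example';            // constructed origins
  const LOOKALIKE = 'https://accounts-example.test';
  const { device, publicKey } = registerKey();
  const challenge = crypto.randomBytes(32).toString('hex');
  const genuine = signWithKey(device, challenge, REAL);
  const viaLookalike = signWithKey(device, challenge, LOOKALIKE); // user is on the wrong site
  const rewritten = { ...viaLookalike, clientData: genuine.clientData }; // origin edited after signing
  return {
    smsViaLookalike: verifySmsCode('492817', '492817'), // same digits, wherever they were typed
    keyGenuine: verifyAssertion(publicKey, challenge, REAL, genuine),
    keyViaLookalike: verifyAssertion(publicKey, challenge, REAL, viaLookalike),
    keyRewritten: verifyAssertion(publicKey, challenge, REAL, rewritten),
  };
}

console.log(demo());
```

The typed code is accepted no matter which site collected it, while the signed response is accepted only when the origin recorded by the browser matches the service and the signed data is unmodified.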
http://arstechnica.com/security/2014/10/google-offers-usb-security-key-to-make-bad-passwords-moot/