Google has launched a USB security key as a simpler, stronger alternative to the six-digit,one-time passcodes (OTPs) used by its 2-Step Verification facility.
Until now, second-factor authentication has relied on OTPs by text message, but this approach has several challenges, such as when users lose their mobile phone.
Google’s Security Key is the first deployment of the universal second factor authentication (U2F) standard published by the Fast Identity Online (FIDO) Alliance.
The alliance is a consortium of IT companies – including PayPal, Lenovo and Google – that hopes to revolutionise online authentication with an industry-supported standards-based open protocol.
The protocol is designed to address the lack of interoperability among strong authentication technologies, and remedy the problems users face when creating and remembering multiple usernames and passwords.
Previous attempts at introducing password alternatives have failed because of the need for all web services to adopt the same standard, but pundits say FIDO members may be big enough to make it happen.
FIDO standards support a full range of authentication technologies, including biometrics, as well as further enabling existing technologies such as Trusted Platform Modules (TPMs), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards and Near Field Communication (NFC).
The open standards specifications are being designed to be extensible and accommodate future innovation, as well as protect existing investments.
Google’s new Security Key offers greater protection for security-sensitive users.
Rather than typing a code, the user just inserts the security key into their computer’s USB port and taps it when prompted in the Google Chrome browser.
When signing into a Google Account this way, users can be assured that their second factor cannot be phished, because the security key does not provide its cryptographic signature when a fake site is attempting to impersonate a Google sign-in page in Chrome.
Google Chrome has also become the first web browser to implement support for FIDO Alliance authentication standards.
According to FIDO, this opens the door for any website to deploy simpler, stronger FIDO U2F authentication to users of Google Chrome.
Chrome now incorporates the open FIDO U2F protocol, so other websites with account login systems can build support for FIDO U2F into their web applications.
“It’s our hope that other browsers will add FIDO U2F support, too,” Nishit Shah Google security product manager wrote in ablog post.
“As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported,” he said.
Security Key works with Google Accounts at no charge, and users can buy a compatible USB device directly from any tested and approved “FIDO Ready” U2F supplier.
“We are glad to participate in the FIDO Alliance, and bring FIDO U2F support to Google and to Chrome,” said Sampath Srinivas, product management director at Google and FIDO Alliance board member.
FIDO Alliance president Michael Barrett welcomed the move by Google.
“With large-scale deployments of FIDO authentication standards in payments applications from PayPal, Samsung, AliPay, Nok Nok Labs, and Synaptics, and today’s announcement of FIDO U2F authentication by Google, there is no doubt that a new era has arrived,” he said.
“We are starting to move users and providers alike beyond single-factor passwords to more secure, private, easy-to-use FIDO authentication,” said Barrett.
Browser support for FIDO U2F has been heralded as a major step toward scaling high security public key authentication to the mass market.
“With a U2F enabled device, users can now login to Google Accounts and any number of services with FIDO U2F support – with no drivers, client software or middleware needed,” said Stina Ehrensvard, CEO and founder of USB security key maker Yubico.
According to the FIDO Alliance, several members are announcing their product lines of FIDO-compliant devices that work with Google’s Security Key feature and any future deployments of FIDO U2F.
These FIDO-compliant devices enable online service providers, enterprises, and users to take advantage of FIDO U2F authentication.
“Empowering users and enterprises by enabling choice from a range of interoperable strong authentication products is a hallmark of the FIDO Alliance,” the consortium said in a statement.
In addition to Google, the FIDO Alliance said there are FIDO-compliant devices, authenticators, open source solutions, and servers available from suppliers like: Duo Security, Entersekt, Infineon, NXP, Nok Nok Labs, Plug-up International, ST Microelectronics, Sonavation, StrongAuth, SurePassID and Yubico.