Google extends two-factor authentication with physical USB keys

Google Chrome gets support for new authentication protocol called Universal 2nd Factor

Google is letting users protect their accounts against password compromises by adding support for two-factor authentication based on physical USB keys.

The new feature expands the company's 2-Step Verification mechanism, which is already available for Google accounts and requires users to input one-time-use codes received via text message or generated with a mobile app when they log in from a new device.

"Today we're adding even stronger protection for particularly security-sensitive individuals," said Nishit Shah, a Google Security product manager, in a blog post. "Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google."

The Security Key, as the special USB devices are called, works only with Chrome version 38 or newer for now. Starting with this version, the browser has built-in support for an open protocol called Universal 2nd Factor (U2F) that was developed by the FIDO Alliance, a multivendor association focused on developing authentication protocols that reduce reliance on passwords.

The good news is that since the protocol is supported by Chrome, other websites besides Google can use it to provide stronger authentication options to their users.

"As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported," Shah said.

The Security Key does more than authenticate the user; it also uses cryptography to ensure that the site a person is trying to use it on is actually the real website and not a phishing page.

Two-factor authentication based on one-time-use codes is stronger than simple password-based authentication, but is still susceptible to phishing attacks. Users can be tricked into inputting both their passwords and their temporary second factor codes on a fake site, allowing attackers to bypass this protection.
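A sketch of that origin binding from the relying party's side, added here as an illustration and not code from Google or the FIDO Alliance. It follows the U2F signature layout, but as assumptions it uses HMAC in place of the key's ECDSA P-256 signature, treats the page origin as the application ID, and uses constructed origins, keys and function names.

```python
import hashlib, hmac, json, os, struct

APP_ID = "https://accounts.example"  # constructed relying-party origin (assumption)

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def signature_base(app_id: str, counter: int, client_data: bytes) -> bytes:
    # U2F layout: application parameter || user-presence byte || 4-byte
    # big-endian counter || challenge parameter (hash of the client data)
    return sha256(app_id.encode()) + b"\x01" + struct.pack(">I", counter) + sha256(client_data)

def browser_sign(token_key: bytes, page_origin: str, challenge: str, counter: int):
    """Browser plus key. The origin is the one the browser loaded, not one the page picks."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    # Stand-in (assumption): HMAC replaces the key's ECDSA P-256 signature.
    sig = hmac.new(token_key, signature_base(page_origin, counter, client_data),
                   hashlib.sha256).digest()
    return client_data, sig

def server_verify(token_key, issued_challenge, last_counter, client_data, counter, sig) -> bool:
    """Relying-party checks; every one must pass."""
    fields = json.loads(client_data)
    if fields.get("typ") != "navigator.id.getAssertion":
        return False
    if fields.get("origin") != APP_ID:               # assertion was made on another site
        return False
    if fields.get("challenge") != issued_challenge:  # stale or replayed challenge
        return False
    if counter <= last_counter:                      # counter went backwards: possible clone
        return False
    expected = hmac.new(token_key, signature_base(APP_ID, counter, client_data),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def demo() -> dict:
    key, challenge = os.urandom(32), os.urandom(16).hex()
    good = browser_sign(key, APP_ID, challenge, 1)
    # Same challenge answered on a look-alike origin (constructed).
    relayed = browser_sign(key, "https://accounts.example.login.test", challenge, 1)
    # The relayed response with its origin field rewritten after signing.
    edited = (relayed[0].replace(b"accounts.example.login.test", b"accounts.example"), relayed[1])
    return {"genuine": server_verify(key, challenge, 0, good[0], 1, good[1]),
            "relayed": server_verify(key, challenge, 0, relayed[0], 1, relayed[1]),
            "edited": server_verify(key, challenge, 0, edited[0], 1, edited[1])}

if __name__ == "__main__":
    print(demo())
```

The "edited" case fails even though its origin field looks right, because the signature was computed over the hash of the other origin; a relayed one-time code carries no such binding.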

Users who want to start using the new authentication method will need to buy a Security Key device from one of the vendors producing them. They're available to order from and possibly other shopping sites and they should have a "FIDO U2F Ready" logo on them.


Lucian Constantin

IDG News Service