The feature is available in Chrome: Instead of typing in a code, you can simply insert Security Key into your computer’s USB port and tap it when prompted by Google’s browser.
For those who don’t know, two-step verification requires you to use more than one form of verification to access an account. Typically, this information includes “knowing something” such as a password and “having something” such as a mobile device — in the case of Security Key, the latter is an item specifically meant for authentication, rather than a device you carry around with you anyway.
As Google explains, there are two advantages to using Security Key over a mobile device:
- Better protection against phishing. Google sends a verification code to your phone when you try to sign in to confirm it’s you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them instead of Google. Security Key offers better protection against this kind of attack because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.
- No mobile connection or batteries needed. Security Key works without a data connection, and you can carry it wherever you go on a keychain or in your wallet.
“When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished,” Google promises. While Security Key works with Google Accounts at no charge, you’ll need to go out and buy a compatible USB device directly from a Universal 2nd Factor (U2F) participating vendor.
Since Security Key in Chrome incorporates the open U2F protocol from the FIDO Alliance, other websites with account login systems can use the feature as well. If security is your priority and you use both Google services and Chrome, Security Key is probably worth your consideration. If you use Chrome but don’t login via Google Account, you should check whether the sites you rely on support Security Key.
Google says it hopes other browsers will add FIDO U2F support soon (Security Key currently only works with Chrome 38 and above). The end goal is for FIDO U2F support to go mainstream, so security-sensitive users can carry a single Security Key that works everywhere.