The company details that the physical USB second factor only
works after it verifies the site the user is attempting to log in to is a
Google website and not a fake site attempting a phishing attack.
Google in a blog post titled "Strengthening 2-Step
Verification with Security Key" announced the new Security Key support,
saying, "Today we're adding even stronger protection for particularly
security-sensitive individuals. Security Key is a physical USB second factor
that only works after verifying the login site is truly a Google website, not a
fake site pretending to be Google."
The company details that the Security Key and Chrome
incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO
Alliance. This means websites that use the same U2F protocol can access
Security Key's features in Chrome.
Google reveals that the Security Key works with Google
Accounts at no charge, but users are required to buy a compatible USB device
directly from a U2F participating vendor. The Mountain View giant also provided
a link to online retail giant Amazon that lists FIDO U2F Security Key USB
devices, with prices starting as low as $5.99 (roughly Rs. 370), and warned
users to look for the 'FIDO U2F Ready' logo.
The search giant says users will be able to log in safely by
just inserting the Security Key into the computer's USB port as a second factor
for verification when prompted in Chrome, rather than by typing a code.
"When you sign into your Google Account using Chrome and Security Key, you
can be sure that the cryptography signature cannot be phished," it added.
Google claims that the Security Key offers "protection
even beyond what using verification codes sent to your phone gives" and
details a few examples of phishing attacks. It notes, "With 2-Step
Verification, Google requires something you know (your password) and something
you have (like your phone) to sign in. Google sends a verification code to your
phone when you try to sign in to confirm it's you. However, sophisticated
attackers could set up lookalike sites that ask you to provide your
verification codes to them, instead of Google. Security Key offers better
protection against this kind of attack, because it uses cryptography instead of
verification codes and automatically works only with the website it's supposed
to work with."
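The origin binding described in the quote above can be modelled in a few lines of Node.js. This is an added example, not code from Google, the FIDO Alliance or the original article; it simplifies U2F (the appId is assumed equal to the page origin, and the user-presence and counter fields are omitted), and the class, function names and `.test` origins are hypothetical.

```javascript
// Added example: simplified model of U2F origin binding, not Google's or FIDO's code.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest();
// Bytes the key signs. Real U2F also includes a user-presence byte and a counter.
const signedBytes = (appId, clientData) => Buffer.concat([sha256(appId), sha256(clientData)]);

// The Security Key holds a separate key pair for every site it was registered with.
class SecurityKey {
  constructor() { this.keys = new Map(); }
  register(appId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(appId, privateKey);
    return publicKey; // the site stores this
  }
  authenticate(appId, clientData) {
    const key = this.keys.get(appId);
    return key ? sign('sha256', signedBytes(appId, clientData), key) : null;
  }
}

// The browser, not the page, fills in the origin. Assumption: appId equals the origin.
function browserSign(token, pageOrigin, challenge) {
  const clientData = JSON.stringify({ challenge, origin: pageOrigin });
  return { clientData, signature: token.authenticate(pageOrigin, clientData) };
}

// The site checks the signature, its own challenge, and the origin the browser reported.
function serverVerify(publicKey, origin, challenge, resp) {
  if (!resp.signature) return false;
  if (!verify('sha256', signedBytes(origin, resp.clientData), publicKey, resp.signature)) return false;
  const cd = JSON.parse(resp.clientData);
  return cd.challenge === challenge && cd.origin === origin;
}

// Constructed scenario: REAL is the genuine site, FAKE a lookalike relaying REAL's challenge.
const REAL = 'https://accounts.example.test';
const FAKE = 'https://accounts-example.test';

function demo() {
  const token = new SecurityKey();
  const pub = token.register(REAL);
  const challenge = 'constructed-challenge-1';
  const genuine = serverVerify(pub, REAL, challenge, browserSign(token, REAL, challenge));
  const noKey = browserSign(token, FAKE, challenge); // key has no entry for FAKE
  token.register(FAKE); // even a key enrolled on the lookalike signs with a different key
  const otherKey = browserSign(token, FAKE, challenge);
  return { genuine, unregistered: serverVerify(pub, REAL, challenge, noKey),
           enrolledOnFake: serverVerify(pub, REAL, challenge, otherKey) };
}
```

Only the response produced on the genuine origin verifies; a typed verification code, by contrast, is the same string wherever the user enters it.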
The search engine giant also lists some limitations of the
Security Key in 2-step Verification, such as the requirement of a USB port to
use the Security Key, and that the feature does not work on browsers other than
Chrome.
Last month, a stash of roughly 5 million usernames and
passwords of Google accounts (including Gmail, Google+) was reported to have
been found on a Russian forum for Bitcoin security. The company responded to
the claims and said, "We found that less than 2 percent of the username
and password combinations might have worked, and our automated anti-hijacking
systems would have blocked many of those login attempts. We've protected the
affected accounts and have required those users to reset their passwords."
GOOGLE HAS BEEFED UP ITS 2-STEP VERIFICATION PROCESS.
Reviewed by kreative Station on Thursday, October 23, 2014