Be Like Google: Get A U2F Security Key


Last year, Google introduced physical security keys to its 85,000 staff members. The search giant hasn't suffered a single successful phishing attack since. Here's how to get your own version for around $20.

The Google security key is a USB device that uses a type of multi-factor authentication called Universal 2nd Factor (U2F). This allows the user to complete the login process simply by inserting the USB device and pressing a button on it. There's no need to type in an authorisation code or a password; just insert and click.

The key acts as an additional buffer between the user and attempted phishing attacks - by requiring both the physical key and an action by the user, attackers are unable to steal user credentials and use them remotely. As Google explains on its blog:

Phishing — when an attacker tries to trick you into giving them your credentials — is a common threat to all online users. Google's automated defenses securely block the overwhelming majority of sign-in attempts even if an attacker has your username or password, but we always recommend you enable two-step verification (2SV) to further protect your online accounts.

While any second factor will greatly improve the security of your account, for those who want the strongest account protection, we’ve long advocated the use of security keys for 2SV.

U2F support is already baked into a number of security products including the LastPass, Dashlane and KeePass password managers. It's also supported in Firefox and many Google services, including Chrome. Support is also coming to Microsoft Edge. U2F-equipped security keys simply provide an added layer of protection.

So how do you get your hands on one? Unfortunately, Google's online store appears to have run out of the device - clicking on the 'Buy Now' button takes you back to the front page.

However, as the product is essentially no different to other U2F keys on the market, it's easy to snap one up elsewhere. One brand that has a solid reputation is YubiKey - it sells a range of physical U2F solutions with prices starting at $20.

The entry-level Security Key by Yubico combines hardware-based authentication, public key cryptography, and the U2F and FIDO2 protocols to eliminate account takeovers. Just like the Google version, it's compatible with hundreds of popular applications including Twitter, Facebook, Gmail, GitHub, Dropbox, Dashlane, Salesforce, Duo and Centrify.


Comments

    "This allows the user to complete the login process simply by inserting the USB device and pressing a button on it. There's no need to type in an authorisation code or a password; just insert and click."
    When I enabled a Yubikey - I still need to enter my Gmail password and the Yubikey is used as the 2FA. Did I miss something in the setup or might this sentence be a bit misleading?

    They need to integrate this into Windows 10.

    Muggers won't just want your wallet and phone - now they want your keychain, too.
    Pickpockets will have a new target, and the better ones will replace your device with a "dummy" so you won't notice anything - giving them more time to access your accounts.

      Which is why it's a second factor, not the only thing required to log in. You still need the password - "something you know" - so they can't physically take it.

      The attacker will still need the account name and password.

        Which is why he / she will stand over me, breaking my fingers until I give him / her the correct details.

        What you NEED is - a "Mayday Alert" login. Entering these details SEEMS to give access, but actually triggers an alarm that your details are stolen, or you are under duress.
