Last year, Google introduced physical security keys to its 85,000 staff members. The search giant hasn’t suffered a single successful phishing attack since. Here’s how to get your own version for around $20.
The Google security key is a USB device that uses a type of multi-factor authentication called Universal 2nd Factor (U2F). This allows the user to complete the login process simply by inserting the USB device and pressing a button on it. There’s no need to type in an authorisation code or a password; just insert and click.
The key acts as an additional buffer between the user and attempted phishing attacks – by requiring both the physical key and an action by the user, attackers are unable to steal user credentials and use them remotely. As Google explains on its blog:
Phishing — when an attacker tries to trick you into giving them your credentials — is a common threat to all online users. Google’s automated defenses securely block the overwhelming majority of sign-in attempts even if an attacker has your username or password, but we always recommend you enable two-step verification (2SV) to further protect your online accounts.
While any second factor will greatly improve the security of your account, for those who want the strongest account protection, we’ve long advocated the use of security keys for 2SV.
U2F support is already baked into a number of security products including LastPass, Dashlane and Keepass password managers. It’s also supported in Firefox and many Google services, including Chrome. Support is also coming to Microsoft Edge. U2F-equipped security keys simply provide an added layer of protection.
So how do you get your hands on one? Unfortunately, Google’s online store appears to have run out of the device – clicking on the ‘Buy Now’ button takes you back to the front page.
However, as the product is essentially no different to other U2F keys on the market, it’s easy to snap one up elsewhere. One brand that has a solid reputation is YubiKey – it sells a range of physical U2F solutions with prices starting at $20.
The entry-level Security Key by Yubico combines hardware-based authentication, public key cryptography, and the U2F and FIDO2 protocols to eliminate account takeovers. Just like the Google version, it’s compatible with hundreds of popular applications including Twitter, Facebook, Gmail, GitHub, Dropbox, Dashlane, Salesforce, Duo and Centrify. Get it here.