Google takes 2FA a touch further with Security Key

Two-factor authentication within Google Chrome has been extended to support USB keys instead of one-time codes.

Google has announced that it now supports what the company claims is a more secure form of two-factor authentication (2FA), dubbed Security Key, by adding support for FIDO Universal 2nd Factor (U2F) devices to Google Chrome.

Rather than sending a verification code to a phone, or using a time-based one-time password, users insert a U2F USB device into their computer and tap on the device when prompted by Chrome. It's a process that Google says provides better protection against phishing.

"With two-step verification ... sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google," the company said on its Security Key FAQ. "Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes, and automatically works only with the website it's supposed to work with."
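The origin binding the FAQ describes can be sketched in a few lines of Node.js. This is an added example, not code from Google or the FIDO Alliance: it is a simplified model of a U2F sign-in (ECDSA P-256 over the hashed origin, a presence byte, a counter and the hashed client data), and the function names and the two origins are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Data covered by the signature: origin hash | presence | counter | client-data hash.
function signedBytes(origin, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(origin), Buffer.from([0x01]), ctr, sha256(clientData)]);
}

// Hypothetical token: holds a P-256 key pair and signs when "tapped".
function makeToken() {
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  let counter = 0;
  const sign = (origin, clientData) => {
    counter += 1;
    const signature = crypto.sign('sha256', signedBytes(origin, counter, clientData), privateKey);
    return { counter, signature };
  };
  return { publicKey, sign };
}

// The browser, not the page, records which origin asked for the signature.
function browserSign(token, pageOrigin, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  return { clientData, ...token.sign(pageOrigin, clientData) };
}

// The real site checks the challenge, the origin and the signature.
function serverVerify(publicKey, expectedOrigin, issuedChallenge, resp) {
  const cd = JSON.parse(resp.clientData);
  if (cd.challenge !== issuedChallenge || cd.origin !== expectedOrigin) return false;
  const data = signedBytes(expectedOrigin, resp.counter, resp.clientData);
  return crypto.verify('sha256', data, publicKey, resp.signature);
}

function demo() {
  const token = makeToken();
  const site = 'https://accounts.example';            // constructed origin
  const lookalike = 'https://accounts-example.test';  // constructed lookalike
  const challenge = crypto.randomBytes(16).toString('hex');
  const genuine = browserSign(token, site, challenge);
  const relayed = browserSign(token, lookalike, challenge); // same challenge, wrong page
  const forged = { ...relayed, clientData: relayed.clientData.replace(lookalike, site) };
  const check = (r) => serverVerify(token.publicKey, site, challenge, r);
  return { genuine: check(genuine), relayed: check(relayed), forged: check(forged) };
}

console.log(demo()); // { genuine: true, relayed: false, forged: false }
```

A response produced on the lookalike page fails the origin check, and rewriting the origin field afterwards invalidates the signature, so there is nothing reusable for the user to hand over, unlike a typed verification code.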

To use the new feature, users will need to purchase a FIDO U2F-capable device and register it with their Google account. Google said that the same Security Key can be used across multiple Google accounts.

Should the device ever be lost, or should users need to sign in to Google on a phone or tablet, they can fall back to any of the other methods of two-factor authentication that Google offers.

Users should not worry about someone else being able to sign into accounts with a lost key, the search giant said, equating a lost device with losing a house key on the street.

"Somebody who finds the Security Key cannot query it for the accounts it contains, because it doesn't store this information. All the Security Key can do is to answer a challenge from an account that it has been previously registered to," it said.

"A lost Security Key is useful to the finder if only he/she also knows the username and the password for the Google accounts where the Security Key has been registered."

Security Key is currently supported in Chrome version 38 and greater on Windows, OS X, Linux, and Chrome OS.

Authentication service provider Duo Security also announced support for U2F on Wednesday.