With a physical key, Google says it can protect you from nation-state hackers

When two-factor doesn't cut it against the most sophisticated adversary, Google thinks it has an answer.
Written by Zack Whittaker, Contributor

Passwords aren't perfect -- anyone who's had to reset them after a data breach can tell you that. But neither are biometrics, and every other "password killer" has largely fallen flat.

Ask around, and security experts will tell you that passwords aren't going anywhere any time soon.

Google knows this, too. With constant threats from hackers and scammers, and now even nation-state and government-backed attackers, the odds are stacked against Google users. Hackers only have to win once, and tech companies have to win every time.

Now, the search giant thinks it can stop even the most sophisticated of hackers. Instead of doing away with the password for good, the search giant wants to give at-risk accounts a whole new layer of protection.

Enter a physical key, one you can attach to your home and car keys (and another that you keep locked away as a backup). These two keyfob-like devices, about $20 each, are at the heart of Google's so-called Advanced Protection Program, which the company is betting on to keep its email accounts as secure as possible from hackers.

The keyring acts a lot like a physical key to your inbox. Whenever you log-in to your account, Google will prompt you to use the keyfob as a two-factor device. Either plug it in as a USB key or push the Bluetooth button, and you're granted access to your account.

You might think: how is that different from the usual two-factor authentication that Google already offers?

For most people, two-factor authentication will protect against most attacks. But in some rare cases, it's been shown that two-factor codes sent by text message can be intercepted. And, apps that have access to your phone can theoretically take screenshots of your phone while a two-factor code is displayed. These kinds of attacks are usually carried out by sophisticated hackers -- such as those working for a foreign government, with the skills and the resources to target individuals of importance.

These keys will also only work on genuine Google pages, so even if you enter your email address and password on a fake phishing site, your physical key won't work, rendering those siphoned credentials useless to an attacker.

Even the toughest hackers will be powerless to access your account without your physical key, Google contends.


A Feitian-made two-factor physical key. (Image: CNET)

Accounts that are most at-risk of being targeted by sophisticated, state-sponsored hackers like those belonging to politicians and lawmakers, business leaders, activists, and even reporters and journalists who need to protect their sources while embedded in less-than-friendly countries are the ones that Google wants to protect first with this new program.

In all, the program takes just a few minutes to set up. Your two keys will be enrolled -- one Feitian key will wirelessly authenticate with your computer or phone, and another Yubikey can be used in the USB port.

And for the most part, that's it. Log in, plug in, push a button, and you're into your account.

Here's the catch. Many will have to sacrifice some convenience for this protection. The program locks down Google accounts so they can only be accessed through Gmail.com and the company's own apps, effectively locking out third-parties. Anyone who relies on other apps, like Apple's own mail apps for iPhones or Microsoft Outlook, will be out of luck for now. And remember: the key has to be physically with the user whenever they want to log in, including when they travel overseas.

And if a user loses both keys, there's no immediate backup to enable the user to regain access to their account. Google says it'll take a few days to review each recovery request.

As fiddly as physical keys are, and as frustrating as extra hurdles might be -- especially when you're in a rush -- Google says that these keys will give users the strongest possible protection. And for the fraction of accounts that need this extra level of protection, it's a small but necessary hassle compared to the harm that could be done if an account was ransacked.

But there's a long way to go before this reaches the mainstream audience -- if ever. Physical two-factor keys are seen as niche and gimmicky to many who haven't even taken basic two-factor steps yet. While some tech firms like Facebook have offered support for physical keys for months, many tech companies still don't offer two-factor beyond text messages. Until other companies adopt physical keys for additional security, this level of additional security features likely won't ever make it into wide-scale adoption.

It's early days, but it's a promising step from the company, and it can't come a moment too soon for those who need it.

Editorial standards