Multiple sites across the internet are reporting on Google's latest effort to increase login security. Google has offered a two-step authentication method for several years. This older method involved sending a code to the user's cellular or land-line phone, allowing the user to complete the second part of the login process by entering this additional bit of information.
This was a better-than-nothing solution, but it had some drawbacks. First and most obvious, you needed to have access to your phone. But that isn't a big issue, right? Except if the battery was down or the phone was misplaced or stolen. An even bigger issue was that while the second step may have helped to better prove who the user was, it did nothing to confirm the site the user was logging into.
The user might be attempting to log into a carefully crafted phishing site designed to look like their trusted Google site. The extra authentication did nothing to validate the site before the login credentials were stolen by the bogus site operator.
Now enter Google's latest effort for additional login security. The new procedure involves a physical device, a USB card called Security Key, which not only adds the extra login data but, when paired with a Chrome browser, also verifies the authenticity of the Google site you are trying to log into.
The Security Key needs to be compliant with an open standard called “FIDO Universal 2nd Factor” (U2F). A chip-like version is available for $5.99 located here and a more substantial version with a push button sells for $17.99 located here. Both of these "keys" resemble those sold by Yubico to be used with LastPass but at a much better price point.
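How a U2F key ties its answer to the site the browser is really showing can be seen in a small simulation. This is an added example, not code from Google or the FIDO specification. It assumes the site's AppID is simply its origin, uses HMAC as a stand-in for the ECDSA signature a real key produces, and uses constructed site names.

```python
import hashlib, hmac, json, os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class ToyKey:
    """Toy model of a U2F token. Assumption: HMAC stands in for the
    per-site ECDSA key pair a real token creates at registration."""
    def __init__(self):
        self._secret = os.urandom(32)
        self.counter = 0

    def site_key(self, app_param: bytes) -> bytes:
        # A different key for every site, derived from the hash of its origin.
        return hmac.new(self._secret, app_param, hashlib.sha256).digest()

    def sign(self, app_param: bytes, challenge_param: bytes):
        self.counter += 1
        msg = app_param + b"\x01" + self.counter.to_bytes(4, "big") + challenge_param
        return self.counter, hmac.new(self.site_key(app_param), msg, hashlib.sha256).digest()

def browser_sign(key, page_origin, challenge):
    # The browser, not the page, writes the origin it is actually showing.
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    counter, sig = key.sign(sha256(page_origin.encode()), sha256(client_data))
    return client_data, counter, sig

def server_verify(origin, registered_key, challenge, client_data, counter, sig):
    seen = json.loads(client_data)
    if seen["origin"] != origin or seen["challenge"] != challenge:
        return False  # the answer was produced on some other site
    msg = sha256(origin.encode()) + b"\x01" + counter.to_bytes(4, "big") + sha256(client_data)
    good = hmac.new(registered_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(good, sig)

REAL = "https://accounts.example.com"             # constructed name
FAKE = "https://accounts.example.com.login.test"  # constructed look-alike

def demo():
    key = ToyKey()
    registered = key.site_key(sha256(REAL.encode()))  # stored by the real site at enrolment
    challenge = "constructed-challenge"
    ok = server_verify(REAL, registered, challenge, *browser_sign(key, REAL, challenge))
    # A look-alike page relays the real challenge and forwards the key's answer.
    data, ctr, sig = browser_sign(key, FAKE, challenge)
    relayed = server_verify(REAL, registered, challenge, data, ctr, sig)
    # Rewriting the origin field afterwards breaks the signature instead.
    forged = server_verify(REAL, registered, challenge, data.replace(FAKE.encode(), REAL.encode()), ctr, sig)
    return ok, relayed, forged
```

Calling `demo()` shows the login on the real origin verifying, while the answer collected on the look-alike origin is rejected both as relayed and with its origin field rewritten. A code sent to a phone has no such binding, which is the gap described above.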
A negative aspect is that phones and most portable devices are excluded from using the Security Key because they have no USB port. There's also the so-called BadUSB to contend with. BadUSB is a recently recognized security hole through which malware can be injected and data can be stolen.
I don't see how this threat could derail the Security Key. The industry has long known that thumb drives have the potential for misuse – but the new exploits greatly bump up the level of destruction possible, meaning we should all be more careful about what we plug into our USB ports.
It's interesting to me that Google has gone to such lengths to protect my Gmail. I wonder when the banking industry will make a similar effort to protect my financial accounts?