Google has today announced it’s started supporting a new type of two-factor authentication for its websites, as long as you use its Chrome desktop browser. The existing 2-step verification system is based on you entering your password followed by a six-digit code that you either receive via SMS or get from a special mobile app.
The new system replaces the code-entering with inserting a physical USB device into your computer, then tapping its sole button when prompted to do so.
Obviously then, this is a simpler way to perform two-factor authentication, from the user experience perspective. It relies on a specific physical object (the required USB device), which you can carry with you on your keychain, for example. On the other hand, that device seems easier to lose than a phone, so understandably the new system will be opt-in. And you’ll still be able to use the old code-based one if you so choose.
The Security Key USB device only works after it has verified that the login site truly is operated by Google, which protects against phishing attacks. All of this works because Security Key and Chrome (since version 38) incorporate the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance. This means other websites with login systems will also be able to use the same system if they want to.
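The site check described above can be sketched as a short simulation. This is an added example, not code from Google or the FIDO Alliance. It follows the U2F login message layout but leaves out enrollment, key handles and the browser's own appId check, and the origins, challenge, counter and key pair are constructed for illustration.

```javascript
// Added illustration: simplified simulation of U2F origin binding. Origins,
// challenge, counter and key are constructed; enrollment and key handles are omitted.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Bytes a U2F token signs at login:
// SHA-256(appId) | user-presence byte | 4-byte counter | SHA-256(clientData)
function signedBytes(appId, clientData, counter) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(clientData)]);
}

// Browser: it, not the page's script, records the origin it is really on.
function browserClientData(origin, challenge) {
  return JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin });
}

// Token: signs after the button tap (modelled by the 0x01 presence byte).
function tokenSign(privateKey, appId, clientData, counter) {
  return crypto.sign('sha256', signedBytes(appId, clientData, counter), privateKey);
}

// Relying party: checks type, challenge and origin, then the signature.
function verifyAssertion(rp, { clientData, counter, signature }) {
  const cd = JSON.parse(clientData);
  if (cd.typ !== 'navigator.id.getAssertion') return 'bad-type';
  if (cd.challenge !== rp.challenge) return 'bad-challenge';
  if (cd.origin !== rp.origin) return 'bad-origin';
  const ok = crypto.verify('sha256', signedBytes(rp.appId, clientData, counter), rp.publicKey, signature);
  return ok ? 'ok' : 'bad-signature';
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const rp = { origin: 'https://login.rp.example', appId: 'https://login.rp.example',
               challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl', publicKey };
  const login = (origin) => {
    const clientData = browserClientData(origin, rp.challenge);
    return { clientData, counter: 7, signature: tokenSign(privateKey, rp.appId, clientData, 7) };
  };
  const genuine = login(rp.origin);
  const relayed = login('https://login.rp-secure.example'); // look-alike site relays the real challenge
  // The look-alike rewrites the origin field after the token has signed.
  const forged = { ...relayed, clientData: browserClientData(rp.origin, rp.challenge) };
  return [genuine, relayed, forged].map((a) => verifyAssertion(rp, a));
}
console.log(demo()); // [ 'ok', 'bad-origin', 'bad-signature' ]
```

A response produced on the look-alike origin fails the origin check, and editing the origin afterwards breaks the signature, because the token signed a hash of the data the browser actually recorded.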
The new Security Key will be free to use for Google accounts, but you have to purchase a special USB authenticator device – your existing USB sticks won’t work for this purpose. Google helpfully recommends a couple of Amazon-listed products, the cheapest currently going for $5.99.