As a secure method of two-factor authentication, security keys are physical hardware tokens that plug into a USB port on your laptop.
After typing in their username and password, a user is prompted to complete two factor. By tapping the key, a user can generate a unique passcode that grants them access to Facebook or Google’s suite of cloud-based productivity apps (formerly known as Google Apps).
A More Secure Way to Ensure Trusted Users
Without physical access to the device and security key, a threat actor can’t gain unauthorized access to your accounts. This method also thwarts phishing and other data-stealing attacks that count on usernames and passwords alone to give them easy, unfettered access to your accounts.
Security keys are also more secure than SMS-based two-factor authentication (2FA). This is when a user must verify their identity by typing in a verification code sent via text message to their phone. An attacker can intercept SMS messages and log in as the user.
Back in July of last year, the U.S. National Institute for Standards and Technology (NIST) announced they would be deprecating SMS-based 2FA in their guidelines for digital authentication, deeming it no longer secure enough to recommend to anyone for remote access.
In addition to being more susceptible to phishing attempts, SMS 2FA also relies on the security of the telephony and carrier infrastructure, which is typically not very secure. Plus, many apps on the average phone have access to the SMS inbox, which could lead to easily stolen one-time passcodes.
Security keys send cryptographic proof that users are, in fact, on a legitimate Google site and in physical possession of their security keys, stopping attackers that are remotely attempting to access accounts remotely, according to the Google Account Security team.
Even More Security Precautions Announced By Google
In addition to adding security key support for authentication, Google announced the availability of a hosted S/MIME service that ensures Gmail messages are encrypted, beyond TLS capabilities, to secure every hop an email makes throughout the delivery life cycle before it reaches your inbox.
This adds account-level signature authentication, unlike domain-based authentication. It can allow email receivers to verify that the email is actually coming from the sending account and not just a matching domain, according to Google, as reported by Threatpost.
Here’s hoping it cuts down on phishing email campaigns that leverage similar and matching domain names to lure users and their inboxes into a false sense of security.
Universal 2nd Factor by FIDO Alliance
The Fast IDentity Online (FIDO) Alliance created a strong industry standard for two-factor authentication known as Universal 2nd Factor (U2F).
Google, Facebook, Duo and many others announced support in 2014 for the hardware-based authentication standard that both simplifies the login process while providing stronger security for users. The method only requires a web browser, operating system and U2F device.
Once enrolled with Duo, users can tap the USB device plugged into their laptop to verify their identities and quickly log in. The USB device protects private keys with a tamper-proof component known as a secure element (SE).