


Google Opens Path To Password-Free Future


Breaking into email and social media accounts has become so common that the hacks now only make big headlines when the victims are celebrities. Today Google is deploying a new security option that not only makes your Gmail account much harder to break into, but potentially removes the burden of choosing long, complex passwords. It's based on a set of security standards developed by the FIDO Alliance (which counts Google, Microsoft, Samsung, and Alibaba as members) and currently requires Google's Chrome browser (version 38 or later) and the purchase of a small USB Security Key.

Armed with the latest version of the Google Chrome browser and an $18 keychain-compatible USB dongle from Yubico, you can make your Google account considerably harder to hijack than anything Google has offered before. The protocol, dubbed FIDO U2F authentication, is a form of 2-step verification, something Google has been pushing for years, but this implementation offers stronger security than previous methods while requiring less user effort.

Here's how it works. In the Chrome browser you enter your Gmail username and password as normal. You're then prompted to insert the Yubico Security Key in your computer's USB port. Press the button on the Security Key and the device signs a one-time challenge from Google with a private key that never leaves the device; Google checks that signature against the public key registered to your account, and you're logged in.

If that sounds too easy, that's the whole point of U2F (a one-time step of pairing the Security Key with your Google account is required). You don't have to retrieve or type a code from your mobile device. And even if someone got hold of your username and password, that information would be useless without physical possession of the Security Key. Should your Security Key go missing, you can still log into your account by entering a verification code from one of your backup methods and then disassociate the lost or stolen Security Key from your Google account. Keep in mind that this fallback path is only as strong as the backup method it relies on, so it deserves the same care as the key itself. Google has posted an FAQ page specifically for the Security Key with more details about its use.

If you want to geek out on the details behind this technology you can read an in-depth look I wrote earlier about the U2F standard. But here's why today's news is important, going far beyond more secure access to your Gmail account.

Account security today is fundamentally fragile because it rests on the password alone to keep hackers out. Mainstream users are never going to commit to hard-to-guess passwords that are not shared among sites. It's too difficult and time consuming. Time and again we've learned that most will choose convenience over security on a regular basis. Now imagine a future in which your password isn't the top level of defense, but merely a secondary one. In Google's approach, your password isn't being used as proof of your identity. That job falls to the Security Key. So even if someone knows your username and steals your password, they would need to possess your individual Security Key in order to log in. Because passwords are no longer the last line of defense, they can be much simpler, like the four-digit PIN you use at the ATM (which is safe only because the bank locks the card after a few wrong guesses; a web site accepting a PIN would need the same kind of lockout).

Now imagine that every site you visit, from Facebook to your bank, allowed you to use your Security Key to verify your identity. You could reuse the same PIN among all of your sites, since logging in would require you to physically insert the Security Key in your USB slot (provided every one of those sites actually enforces the key; a site that lets the PIN stand alone is back to password-only security). Again, your username and password/PIN simply point to the account you've requested. The Security Key is what proves you are its holder: it keeps a separate key pair for every site it has been paired with, so a single Security Key can be used with any number of logins and the sites can't use it to link your accounts to one another. You'd only need one. (Several companies are working on U2F-compliant options that can work with phones and other devices that don't have USB ports.)

The fact that you're no longer typing in the second factor means that a keystroke logger can capture your password but not the thing that actually unlocks the account. And because the Security Key was paired with the web site beforehand, the browser folds the site's real address into what the key signs: a signature produced on a look-alike page won't verify at the genuine site, so a fake page set up to harvest customer logins gains nothing from the exchange.
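Here is the round trip just described (password first, then a challenge signed by the key, then the site's check), worked through as an added example; it is not part of the article and not Google's or Yubico's code. It is a deliberately simplified model in Go: Token, BrowserLogin and Site are hypothetical names, key handles, attestation certificates and Chrome's facet check are left out, and the look-alike domain accounts-google.example is constructed for the demonstration. Beyond the happy path it shows the two checks a relying party must make: that the origin the browser stamped into the signed data is its own, and that the key's counter moved forward, which rejects a replayed assertion or one from a cloned key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Token models the Security Key in a simplified U2F round trip written for
// this article (not Google's or Yubico's code; key handles, attestation and
// the browser facet check are omitted). One P-256 key pair per paired site,
// indexed by SHA-256(appID), plus a signature counter shared by all of them.
type Token struct {
	keys    map[[32]byte]*ecdsa.PrivateKey // private keys never leave the token
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[[32]byte]*ecdsa.PrivateKey{}} }

// Register is the one-time pairing step; the site stores the public key.
func (t *Token) Register(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t.keys[sha256.Sum256([]byte(appID))] = priv
	return &priv.PublicKey
}

// Assertion is what the token returns after the button press.
type Assertion struct {
	Counter    uint32
	ClientData []byte // JSON built by the browser; carries the page origin
	Signature  []byte // ASN.1 ECDSA over signedBytes(...)
}

// signedBytes is the U2F payload: appParam || 0x01 (button pressed) || counter || SHA-256(clientData).
func signedBytes(appParam [32]byte, counter uint32, cd []byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	cdHash := sha256.Sum256(cd)
	b := append(append(appParam[:], 0x01), ctr[:]...)
	return append(b, cdHash[:]...)
}

// Sign answers a challenge with the key paired with appID, if there is one.
func (t *Token) Sign(appID string, cd []byte) (*Assertion, error) {
	appParam := sha256.Sum256([]byte(appID))
	priv, ok := t.keys[appParam]
	if !ok {
		return nil, fmt.Errorf("token: not paired with %s", appID)
	}
	t.counter++
	digest := sha256.Sum256(signedBytes(appParam, t.counter, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: t.counter, ClientData: cd, Signature: sig}, nil
}

// BrowserLogin models Chrome: the origin comes from the URL bar, not the page,
// and doubles as the appID (the U2F default), so a look-alike page is answered
// for its own origin or not at all.
func BrowserLogin(t *Token, pageOrigin, challenge string) (*Assertion, error) {
	cd, _ := json.Marshal(map[string]string{"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": pageOrigin})
	return t.Sign(pageOrigin, cd)
}

// Site is the relying party: it keeps the user's public key and last counter
// and checks each assertion against the challenge it issued.
type Site struct {
	Origin      string
	PubKey      *ecdsa.PublicKey
	LastCounter uint32
}

func (s *Site) Verify(challenge string, a *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	if cd["origin"] != s.Origin || cd["challenge"] != challenge {
		return fmt.Errorf("client data is for %q, not this site's challenge", cd["origin"])
	}
	if a.Counter <= s.LastCounter {
		return fmt.Errorf("counter did not advance: replay or cloned key")
	}
	digest := sha256.Sum256(signedBytes(sha256.Sum256([]byte(s.Origin)), a.Counter, a.ClientData))
	if !ecdsa.VerifyASN1(s.PubKey, digest[:], a.Signature) {
		return fmt.Errorf("bad signature")
	}
	s.LastCounter = a.Counter
	return nil
}

func main() {
	tok, origin := NewToken(), "https://accounts.google.com"
	google := &Site{Origin: origin, PubKey: tok.Register(origin)} // one-time pairing
	a, _ := BrowserLogin(tok, origin, "challenge-1")
	fmt.Println("genuine:", google.Verify("challenge-1", a), "| replay:", google.Verify("challenge-1", a))
	_, err := BrowserLogin(tok, "https://accounts-google.example", "x") // constructed look-alike domain
	fmt.Println("look-alike page:", err)
}
```

Run it with `go run`: the genuine login verifies, the replay of the same assertion fails on the counter, and the look-alike domain never obtains a signature at all because the token was paired with the real origin, not the fake one. The design point is that the browser, not the page, decides which origin goes into the signed data; that single fact is what makes the key resistant to phishing pages that look identical to the real login form.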

If buying and keeping track of an additional piece of hardware like a USB dongle seems inconvenient, there are other solutions under the FIDO umbrella. A separate UAF protocol allows for the use of biometric data – a thumbprint, vocal phrase or iris scan – to verify your identity. Apple's Touch ID is an obvious example of biometric verification built into a device. It's worth noting that AuthenTec, the company that developed the technology behind Touch ID, had early ties to the FIDO Alliance before the firm was bought by Apple in 2012.

The FIDO Alliance has been steadily gaining momentum behind its U2F approach since the group's inception in 2012. As with any technology that seeks to become a standard, its success depends on widespread adoption by high profile players. Today's announcement by Google is a big and very necessary milestone on that path. If other sites in the social media and financial space follow suit, we may finally be able to get rid of those pesky passwords.
