Google enhances, simplifies two-step authentication with physical USB Security Key

Shawn Knight



Google has simplified and beefed up its two-factor authentication implementation by adding support for Security Key. With it, security-conscious users can purchase a physical USB key from a third party and use it to verify their identity when logging into Gmail, Chrome or any other Google account.

Users with two-factor authentication enabled can purchase the aforementioned USB key from the provider of their choice. Once it comes in the mail, said user can simply plug it into their computer and press the built-in button on the dongle when prompted. It doesn’t get much easier than that.


The USB key only works after the browser has verified that the site you're attempting to log into is truly a Google site (in other words, not a phishing attempt). And because the device uses the FIDO Universal 2nd Factor (U2F) protocol, it can also be used with any other website whose login system supports the protocol, so long as you're using Chrome.
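The origin check described above is the property that makes a U2F key resistant to phishing: the browser, not the page, records which origin it is on, and the key's signature covers both the application ID and that client data, so an assertion produced for a look-alike site is useless to the genuine one. The following is an added illustration, not Google's or the FIDO Alliance's code. It models the three parties (key, browser, relying party) with the standard library only: a per-app HMAC-SHA256 key stands in for the per-registration ECDSA P-256 key pair that real U2F devices use, and the origins are constructed for the walkthrough. The signed layout (appIdHash, user-presence byte, counter, clientDataHash) mirrors the real authentication response.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

# Constructed origins for the walkthrough; no real site is referenced.
GENUINE_APP_ID = "https://login.relying-party.test"
PHISH_ORIGIN = "https://login.relying-party-secure.test"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Authenticator:
    """Toy USB security key: one master secret, per-app keys derived from it."""
    master: bytes = field(default_factory=lambda: os.urandom(32))
    counter: int = 0
    button_pressed: bool = False

    def app_key(self, app_id: str) -> bytes:
        # Symmetric stand-in for the per-app key pair a real device generates.
        return hmac.new(self.master, sha256(app_id.encode()), hashlib.sha256).digest()

    def register(self, app_id: str) -> tuple[bytes, bytes]:
        # The relying party stores the key handle and the key (a public key in
        # real U2F); the handle here is simply the app-id hash.
        return sha256(app_id.encode()), self.app_key(app_id)

    def authenticate(self, app_id: str, key_handle: bytes, client_data: bytes) -> tuple[int, bytes]:
        if not self.button_pressed:
            raise RuntimeError("user presence required: press the button")
        if key_handle != sha256(app_id.encode()):
            raise ValueError("key handle was not issued for this app id")
        self.button_pressed = False
        self.counter += 1
        # Same layout as a U2F authentication signature:
        # appIdHash || userPresence || counter || clientDataHash
        signed = sha256(app_id.encode()) + b"\x01" + self.counter.to_bytes(4, "big") + sha256(client_data)
        return self.counter, hmac.new(self.app_key(app_id), signed, hashlib.sha256).digest()


def browser_sign(device, app_id, page_origin, key_handle, challenge):
    """Browser's role: it records the origin the page is on and refuses app ids
    that origin is not allowed to use (simplified facet rule: exact match)."""
    if page_origin != app_id:
        raise PermissionError(f"{page_origin} may not use app id {app_id}")
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    counter, sig = device.authenticate(app_id, key_handle, client_data)
    return client_data, counter, sig


def verify_assertion(app_id, app_key, challenge, last_counter, client_data, counter, sig):
    """Relying-party check: origin and challenge in the client data, counter, MAC."""
    data = json.loads(client_data)
    if data.get("origin") != app_id or data.get("challenge") != challenge:
        return False
    if counter <= last_counter:
        return False  # replayed, or a cloned device
    signed = sha256(app_id.encode()) + b"\x01" + counter.to_bytes(4, "big") + sha256(client_data)
    return hmac.compare_digest(hmac.new(app_key, signed, hashlib.sha256).digest(), sig)


def run_scenarios():
    device = Authenticator()
    key_handle, app_key = device.register(GENUINE_APP_ID)
    challenge = os.urandom(16).hex()
    results = {}

    # 1. Genuine login: the browser is on the genuine origin.
    device.button_pressed = True
    cd, ctr, sig = browser_sign(device, GENUINE_APP_ID, GENUINE_APP_ID, key_handle, challenge)
    results["genuine"] = verify_assertion(GENUINE_APP_ID, app_key, challenge, 0, cd, ctr, sig)

    # 2. Replaying the same assertion fails the counter check.
    results["replay"] = verify_assertion(GENUINE_APP_ID, app_key, challenge, ctr, cd, ctr, sig)

    # 3. A look-alike page relays the genuine challenge; the browser refuses
    #    because the page's origin does not match the genuine app id.
    device.button_pressed = True
    try:
        browser_sign(device, GENUINE_APP_ID, PHISH_ORIGIN, key_handle, challenge)
        results["phish_browser_blocked"] = False
    except PermissionError:
        results["phish_browser_blocked"] = True

    # 4. The look-alike page uses its own app id; the stored key handle is not
    #    valid for it, and any signature it could get would cover the wrong app id hash.
    device.button_pressed = True
    try:
        browser_sign(device, PHISH_ORIGIN, PHISH_ORIGIN, key_handle, challenge)
        results["phish_wrong_handle_blocked"] = False
    except ValueError:
        results["phish_wrong_handle_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The counter check is what a relying party uses to notice a cloned or replayed assertion; the origin check in `browser_sign` is the step that makes a relayed challenge from a look-alike domain worthless, which is the phishing resistance the article refers to.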

The service is free to use although as already mentioned, you’ll need to purchase the USB key from a third-party vendor. A quick check on Amazon reveals a few FIDO U2F keys with prices starting at $5.99 and topping out around $50.

Of course, it won’t work when logging into a Google service from your smartphone but for computer use, it certainly sounds easier than typing in a verification code sent to a trusted phone.


 
The two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

Using a strong password does help a lot even against the attack of cracking the stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
 
I present you a "solution": make a random list of characters in a grid, for example a 10 by 5, then in your head create an "algorithm" that will give you a password based on that grid and the service you use it in. You can use a password manager like KeePass or whatever to easily access them from your computer or pendrive or whatever, and when you don't have that option you can easily check your grid and "decipher" it.

If someone else looks at the grid it will mean nothing, and without your mental process or algorithm it's difficult for someone to crack it.

Then to the words add a couple of randomized characters, so that someone who gets 3-4-5 passwords out of you (For example) AND the grid, won't get to make a pattern either.

I'm not sure if it helps someone, but it's been a good system for me, I have unique passwords for almost all my accounts that I can't remember but can easily come up with without having to worry about someone else looking through my passwords.
 
The only problem with this is that people lose USB drives all the time which will pose a problem the next time they try to login and can't find their device.
 