Google’s New 2-Factor Authentication Approach

The day after Apple rolled out its Apple Pay payments system with fingerprint authentication, Google announced that it is adopting a different sort of hardware to replace passwords: an industry-standard USB key, according to Secure ID News.

The Security Key is a standardized hardware token for two-factor authentication that can now be used for Google websites when accessing them through its Chrome browser, Google’s security team said in a blog post. Google’s previous two-factor system sent a one-time passcode to a user’s smartphone, which the user then had to type into a website. With the Security Key, the user instead taps a button on the device to authenticate.

Google’s older two-factor system will continue to work for users whose devices have no USB ports, such as iPads, or who are restricted from plugging USB devices into their computers. But the new hardware plug-in has the advantage that it uses cryptographic standards from the Fast Identity Online (FIDO) Alliance to communicate directly with a target website. One-time passcodes, by contrast, might be captured by lookalike sites, Google said.
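The difference between a typed passcode and a key that answers the target website directly can be shown with a small simulation. This is an added example, not code from Google or the FIDO Alliance: the origins, class names and `login_via` are assumptions, and an HMAC stands in for the per-site public/private key pair that real FIDO keys use.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example.com"        # constructed sample origin
LOOKALIKE_ORIGIN = "https://accounts-example.test"  # constructed lookalike


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


class SecurityKey:
    """Toy token. HMAC stands in for the per-site key pair real FIDO keys use."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def register(self, origin):
        return _mac(self._secret, origin.encode())  # credential the site stores

    def sign(self, browser_origin, challenge):
        # The browser supplies the origin it is really on; the page cannot set it.
        client_data = json.dumps({"origin": browser_origin, "challenge": challenge.hex()}).encode()
        return client_data, _mac(self.register(browser_origin), client_data)


class Site:
    def __init__(self, origin, credential):
        self.origin, self.credential = origin, credential
        self.otp = f"{secrets.randbelow(10**6):06d}"  # code sent to the user's phone
        self.challenge = secrets.token_bytes(16)

    def verify_otp(self, code):
        return hmac.compare_digest(code, self.otp)  # no notion of where it was typed

    def verify_key(self, client_data, tag):
        data = json.loads(client_data)
        return (hmac.compare_digest(tag, _mac(self.credential, client_data))
                and data["origin"] == self.origin
                and data["challenge"] == self.challenge.hex())


def login_via(browser_origin):
    """Return (otp_accepted, key_accepted) by the real site when the user is on browser_origin."""
    key = SecurityKey()
    site = Site(REAL_ORIGIN, key.register(REAL_ORIGIN))
    otp_ok = site.verify_otp(site.otp)  # user retypes the code on whatever page is open
    return otp_ok, site.verify_key(*key.sign(browser_origin, site.challenge))
```

When the user is on the real origin both factors verify. When the page is the lookalike, the passcode is still accepted by the real site, but the key's response is bound to the wrong origin and is rejected.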

FIDO-standard Security Key devices are available from at least 11 vendors (including Duo Security, Entersekt, Infineon, NXP, Nok Nok Labs, Plug-up International, ST Microelectronics, Sonavation, StrongAuth, SurePassID and Yubico) at prices ranging from $6 to $50.

However, the USB devices can only be used when both a browser and website meet the FIDO standards. Right now, most major browsers don’t support the standards — and neither do most retailers’ e-commerce sites, or banking websites for most major banks.