Google Adds Hardware Security Key For Account Protection

  • 21 October 2014

by Dennis Fisher October 21, 2014
 
Google is introducing an improved two-factor authentication system for Gmail and its other services that uses a tiny hardware token that will only work on legitimate Google sites.
 
The new Security Key system is meant to help defeat attacks that rely on highly plausible fake sites that are designed to capture users’ credentials. Attackers often go to great lengths to create fake Gmail or Google Accounts sites that look exactly like the real ones. They then try to lure or direct users to those sites through phishing emails or other tactics in order to get them to enter their Google account credentials. The attackers then will take over the accounts.
 
The hardware Security Key is a small USB token that implements the FIDO Alliance’s Universal 2nd Factor specification. It’s meant for users who require a higher level of security on their accounts and users can buy them from Amazon or other retailers now.
 
Full Article

1 reply

22nd October,
 
People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site.
 
 
http://krebsonsecurity.com/wp-content/uploads/2014/10/yubikey-285x346.png
A $17 U2F device made by Yubico.
 
The U2F standard (PDF) is a product of the FIDO (Fast IDentity Online) Alliance, an industry consortium that’s been working to come up with specifications that support a range of more robust authentication technologies, including biometric identifiers and USB security tokens.
The approach announced by Google today essentially offers a more secure way of using the company’s 2-step authentication process. For several years, Google has offered an approach that it calls “2-step verification,” which sends a one-time pass code to the user’s mobile or land line phone.
 
Full Article
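
The origin check that both excerpts describe, as an added example that is not part of the posts above or of either article: a simplified Python model of why a response produced on a look-alike site is rejected by the real one. It assumes HMAC-SHA256 in place of the ECDSA signature real U2F tokens produce and treats the app ID as the site origin; the class, function names and the look-alike origin are hypothetical.

```python
import hashlib, hmac, json, os

# Simplified model of U2F origin binding (added example, not Google's or FIDO's code).
# Assumptions: HMAC-SHA256 stands in for the token's ECDSA signature, and the
# app ID is taken to be the site origin. All names here are hypothetical.

def _digest(app_id, client_data):
    return hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()

class Token:
    def __init__(self):
        self._secret = os.urandom(32)

    def key_for(self, app_id):
        # One key per site: a key registered for one origin never signs for another.
        return hmac.new(self._secret, app_id.encode(), hashlib.sha256).digest()

    def sign(self, app_id, client_data):
        return hmac.new(self.key_for(app_id), _digest(app_id, client_data), hashlib.sha256).digest()

def browser_sign(token, origin, challenge):
    # The browser, not the page, records the origin the user is really on.
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return client_data, token.sign(origin, client_data)

def server_verify(registered_key, app_id, challenge, client_data, signature):
    expected = hmac.new(registered_key, _digest(app_id, client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False  # signed with a key bound to some other origin
    data = json.loads(client_data)
    return data["origin"] == app_id and data["challenge"] == challenge

def demo():
    site = "https://accounts.google.com"
    lookalike = "https://accounts.google.com.example"  # constructed phishing origin
    token = Token()
    registered = token.key_for(site)  # stored by the site at enrollment
    challenge = os.urandom(16).hex()
    genuine = server_verify(registered, site, challenge, *browser_sign(token, site, challenge))
    # The look-alike relays the real challenge, but the browser reports its own origin.
    relayed = server_verify(registered, site, challenge, *browser_sign(token, lookalike, challenge))
    # A captured response is also useless against a fresh challenge.
    old = browser_sign(token, site, challenge)
    replayed = server_verify(registered, site, os.urandom(16).hex(), *old)
    return genuine, relayed, replayed

if __name__ == "__main__":
    print(demo())
```

Unlike a one-time pass code, which a user can be tricked into typing into any page, the response here is tied to the origin the browser reports, so the relayed and replayed cases both fail verification.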
