Who are you? As far as most secure websites are concerned, you are your email account. Forgot your password? No problem—we’ll send a reset code by email! If your email account falls into the wrong hands, you’re screwed good and proper. Hackers who crack your PayPal account get access to just that account; hackers who crack your email account get everything.
That’s where two-factor authentication comes in. Just about every email provider offers some type of authentication beyond simple-minded username and password. Some will send a text to your smartphone. Others let you link the account to an app like Google Authenticator or Twilio Authy. Without much fanfare, Google has slipped in another option for protecting your Gmail account—the security key. Now you can unlock your email with a key, just the way you unlock your car, or your front door. And if the backers of this new-style authentication have their way, that key will soon unlock many more sites and applications.
Fast Identity Online
Each security key implements a standard called U2F, for “Universal Two-Factor.” This open standard was published by the FIDO (Fast IDentity Online) Alliance, of which Google is a prominent member. Yubico, purveyor of the Yubikey authentication device, is another prominent member, and in fact most of the design of the Security Key comes from Yubico. However, the standard is wide open and the code is available, so a number of other vendors already sell their own model of the security key.
The original Yubikey worked by sending a one-time password to supporting applications like LastPass. You can still use the updated Yubikey for that purpose, but in order to implement FIDO U2F it now contains a built-in smart card that interacts with supporting applications. Both old and new device types are extremely durable; I’ve had a Yubikey rattling around in my pocket with my keys since 2009.
As for the alliance itself, its membership list reads like a who’s who of finance and security. Among the board-level members are Google and Yubico, of course, but you’ll also find Samsung, Bank of America, Microsoft, Mastercard, and Visa. The more numerous sponsor-level members include Costco, Dell, ING, Netflix, and Wells Fargo. This is a heavyweight alliance!
Using a Security Key with Gmail
You can buy a FIDO U2F Security Key from Yubico for $18, or scan the Web for deals from other manufacturers. I’ve seen them for as little as $5. Before you can register your security key, you must set up traditional two-factor authentication, either using Google Authenticator or having Gmail send an authentication code to your smartphone when you try to log in. Once you’ve completed this configuration, you’ll find a tab labeled Security Key. Do note that only Chrome is supported at present, so if you log in with a different browser you’ll have to use the smartphone-based authentication.
Registering a security key is simple. Click Register to ready the system, insert your security key, and touch the gold button on the key. Done! You can register multiple keys on the chance you might lose one. Just don’t keep them all in the same place!
When nothing but a password protects your email, anybody who learns that password can open your account. With security key protection, nothing will unlock your account except the handshake between the security key’s smartcard and the secure application. Remote access just isn’t possible, as initiating that handshake requires that you touch the key’s button.
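To make that handshake concrete, here is an added example (not code from the article, Google or Yubico) that simulates the U2F authentication exchange in Go: the key generates a key pair per registered app ID, signs the server's challenge together with the app ID only after the button is "touched", and the server verifies against its own app ID and a monotonically increasing counter. The app IDs, the challenge and the clientData strings are constructed for illustration; the real protocol also carries a key handle and an attestation certificate, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token models the key's smart card: one key pair per registered app ID
// (the site's origin) plus a signature counter. Constructed for illustration.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // app ID -> private key
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh key pair bound to appID and returns the public key
// the server stores for this user.
func (t *Token) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedMessage is what U2F signs on authentication:
// sha256(appID) || user-presence byte || 4-byte counter || sha256(clientData).
func signedMessage(appID string, userPresent bool, counter uint32, clientData []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	cdHash := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	up := byte(0)
	if userPresent {
		up = 1
	}
	msg := append([]byte{}, appHash[:]...)
	msg = append(msg, up)
	msg = append(msg, ctr[:]...)
	return append(msg, cdHash[:]...)
}

// Authenticate: the browser passes the app ID of the page it is on and the
// clientData (server challenge plus origin). The token signs only if it holds
// a key for that app ID and the button was touched.
func (t *Token) Authenticate(appID string, clientData []byte, userPresent bool) (uint32, []byte, error) {
	priv, ok := t.keys[appID]
	if !ok {
		return 0, nil, errors.New("token has no key for this app ID")
	}
	if !userPresent {
		return 0, nil, errors.New("user presence required: button not touched")
	}
	t.counter++
	digest := sha256.Sum256(signedMessage(appID, true, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return 0, nil, err
	}
	return t.counter, sig, nil
}

// RelyingParty is the server: it checks the signature against ITS OWN app ID
// and requires the counter to increase, so a look-alike site cannot relay a
// usable assertion and a captured assertion cannot be replayed.
type RelyingParty struct {
	appID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

func (rp *RelyingParty) Verify(clientData []byte, counter uint32, sig []byte) error {
	if counter <= rp.lastCounter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	digest := sha256.Sum256(signedMessage(rp.appID, true, counter, clientData))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("signature does not verify for this app ID")
	}
	rp.lastCounter = counter
	return nil
}

// Demo runs one legitimate login, then the three cases the text implies must
// fail: replaying the assertion, signing without a touch, and a look-alike
// site relaying the real challenge from its own origin.
func Demo() (legitOK, replayRejected, noTouchRejected, phishRejected bool) {
	token := NewToken()
	const site = "https://accounts.example" // constructed app ID
	pub, err := token.Register(site)
	if err != nil {
		return
	}
	rp := &RelyingParty{appID: site, pub: pub}

	clientData := []byte(`{"challenge":"c1-constructed","origin":"https://accounts.example"}`)
	ctr, sig, err := token.Authenticate(site, clientData, true)
	legitOK = err == nil && rp.Verify(clientData, ctr, sig) == nil
	replayRejected = rp.Verify(clientData, ctr, sig) != nil

	_, _, err = token.Authenticate(site, clientData, false)
	noTouchRejected = err != nil

	const lookalike = "https://accounts-example.test" // constructed phishing origin
	if _, err = token.Register(lookalike); err != nil {
		return
	}
	phishData := []byte(`{"challenge":"c1-constructed","origin":"https://accounts-example.test"}`)
	ctr, sig, err = token.Authenticate(lookalike, phishData, true)
	phishRejected = err != nil || rp.Verify(phishData, ctr, sig) != nil
	return
}

func main() {
	a, b, c, d := Demo()
	fmt.Println("legitimate login accepted:", a)
	fmt.Println("replay rejected:", b, "| no-touch rejected:", c, "| look-alike origin rejected:", d)
}
```

The origin binding is the part worth noticing: the browser, not the user, decides which app ID the key signs for, so a relayed challenge signed from the wrong origin is simply an invalid signature at the real server.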
The Future of U2F
At the recent RSA Conference in San Francisco, I caught up with Stina Ehrensvärd, CEO and Founder of Yubico and unabashed evangelist for U2F. Indeed, she sees U2F as the key not just to the Internet, but to the future.
“I’m excited about U2F because my vision is that this will be everywhere,” said Ehrensvärd. “Eventually it can scale to encryption, payments, it can allow users to take control of their own identity. You don’t get your identity from the bank, or the government; you buy your key and it’s your own ID.” Ehrensvärd pointed out that U2F can take multiple forms, not just a USB key. It can be built into phones or computers, for example. She mentioned that two combined biometric-U2F devices are already out. Going forward, Yubico plans to add U2F capability to its Bluetooth and NFC-based devices.