Google USB Security Key introduced to keep out hackers

show ad

Doctor who treated Ebola patients in Africa rushed to Bellevue Hospital in New York with 103F fever and nausea as test results expected as early as 9pm this evening
Ebola panic in Brooklyn: Doctor who treated patients in West Africa visited hip bowling hotspot ONE DAY before he was rushed to the hospital with 103F fever
New Ebola 'SWAT teams' on standby to rush to wherever new cases are identified, reveals CDC
Could robots be the key to beating EBOLA? US summit to discuss everything from mortuary bots to drones that deliver medicine and food
Girl, 2, is first confirmed Ebola case in Mali despite WHO's confidence that deadly disease would not spread to ANOTHER African state
Girl, 15, slashed her younger brother's throat and planned to kill her parents so she could run away with her 23-year-old boyfriend
A golden Ello: Ad free 'Facebook killer' social network raises $5.5m
Decorated soldier who fought in 'Black Hawk Down' battle in Somalia dies aged 52
Woman who stabbed PENCILS in her eyes in a failed suicide attempt sues over viral photo snapped by hospital staff
'F*** you Chinatown': Guide stuns a bus load of tourists with a racist tirade in San Francisco's famous district
Jurors hear harrowing 911 call of dying mother gasping for breath 'after her husband poisoned her with cyanide because he thought she was having an affair'
Hillary is already using granddaughter Charlotte Clinton Mezvinsky as a campaign tool - and she's not even a month old
Video captures terrifying moment Canadian shooter arrives at Parliament waving a gun while bystanders flee as police reveal he may be a dual citizen with Libya
Outraged Anderson Cooper hits out at a local reporter who wanted a SELFIE at Ottawa shooting scene
Where are gunman's two missing associates? Terrorist taught two men about Islam in homeless shelter and all three were trying to get a car. Now they've disappeared...
Canadian reservist's beloved dogs wait forlornly for him to return home a day after he was shot dead
Man arrested at gunpoint after he came 'just steps' away from Canadian Prime Minister Stephen Harper as he lay a wreath at Ottawa War Memorial
Emotional sergeant-at-arms is greeted back to parliament with a rousing standing ovation a day after he heroically shot dead terrorist - the first time he used weapon in 30 year career
EXCLUSIVE: The truth behind her fairytale romance: Renée Zellweger is caught in the middle of a bitter battle between her ex-heroin addict boyfriend and his former wife
Facebook gets a room: New app allows users to chat without having to give away their identity
White House fence jumper who was caught on video streaking across the lawn and KICKING a Secret Service dog is charged with assault
Crazed ax-wielding man shot dead by police in Queens after slashing one in the head and another in the arm in random attack
World's most indiscreet pot smoker texts his probation officer 'You have some weed?' and is sentenced to prison on drug charges
Brave rape survivors support each other through sobs as neighbor is sentenced for attacking three and killing a fourth in 10-hour torture session when he thought they reported him to child welfare

Security Key only grants access to accounts when plugged into a USB port
Users must then enter their password, and the combination of the two creates a secure connection
It is designed to stop hackers accessing accounts, and the Chrome browser
The key is sold by Yubico and doesn’t need software or drivers to use
It is currently only available in the US and costs $17.99 (£11)
In addition, the key works with any site that uses similar security protocols

Published: 12:04 EST, 22 October 2014 | Updated: 13:56 EST, 22 October 2014

View
comments

Many firms are bolstering their attempts to keep accounts secure using two-step verification, which typically sends an access code to a phone in addition to asking for a password.

But Google is planning to expand this in an attempt to make its accounts, products and even hardware impenetrable from hackers.

When using its Security Key, users can only access their Google account, sign into Chrome or access their Chromebook, by plugging the device into the computer’s USB port and entering their password.

Security Key (pictured) is sold by California-based Yubico. It only lets users access Google accounts by plugging the device into a USB port, after which they must also enter their password. The combination of the two creates a secure connection

The key can only be used with a connected Google account, which is linked during the set-up process.

And it will only grant access when the correct private key, or password, matches the account it's connected to.

The Security Key is sold by Yubico and doesn’t need software or drivers to use, ultimately removing an extra point that the hackers could attempt to infiltrate.

For example, earlier this year, the firmware on typical USB drives was exposed as being vulnerable to attack - a flaw dubbed BadUSB.

The key is designed to stop hackers accessing Google accounts and the Chrome browser and is currently only available in the US for $17.99 (£11)

Berlin-based researchers reverse-engineered the software files that control how the USB drive's software works - and revealed how this so-called firmware can be reprogrammed to take complete control of a PC.

In addition to protecting Google accounts, Yubico’s key works with any website that supports the Universal 2nd Factor specification.

U2F is an authentication standard created by the Fast IDentity Online (FIDO) Alliance, the security industry consortium.

In a blog post, Nishit Shah, product manager at Google Security said: ‘If you use 2-Step Verification, you can choose Security Key as your primary method, instead of having verification codes sent to your phone.

‘With Security Key, there’s no looking at codes and re-typing - you simply insert your Security Key into your computer’s USB port when asked.’

With 2-Step Verification, Google requires something a user knows, such as their password, and something they have, including their phone or the Yubico Security Key.

Mr Shah continued: ‘Sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google.

‘Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it's supposed to work with.

‘No mobile connection or batteries needed.

‘Security Key works without a data connection, and you can carry it wherever you go on a keychain or in your wallet.’

Apple recently ramped up security on its own iCloud service by including backups in its two-step verification process. When the security feature is enabled, users are sent a four-digit code to a trusted device that must be entered in addition to the iCloud account password when accessing the account online

Apple recently ramped up security on its own iCloud service by including backups in its two-step verification process.

When the security feature is enabled, users are sent a four-digit code to a trusted device that must be entered in addition to the iCloud account password when accessing the account online.

WHAT IS TWO-STEP VERIFICATION?

Two-step verification, also called two-factor authentication, requires a user to have two of three things to access an account.

This can include a password, a separate four-digit one-time code, or a long access key given to the user when they signed up for the service.

When a user sets up two-step verification, they register one or more trusted devices.

A trusted device is one that can receive four-digit verification codes using either SMS or Find My iPhone.

Last month,, chief executive Tim Cook promised to strengthen security after hackers stole hundreds of celebrity selfies from the cloud service.

The code isn't needed when a backup takes place, because the information is coming directly from a trusted device - it is only needed when users try to access their iCloud account from a web browser.

Under the security measure, the majority of iCloud features remain locked until the user's identity has been verified.

The only feature that is enabled without verification is the Find My Phone tool, which helps locate devices if they are lost or stolen.

It is assumed that if a user doesn't have their trusted device, they can't receive the four-digit verification code.

Two-step verification is an optional security feature, and settings are managed through the My Apple ID page.