Skip to main content

Google launches support for Security Key, a simpler kind of two-factor authentication

Google launches support for Security Key, a simpler kind of two-factor authentication

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

It just got a little easier to log into Gmail. Today, Google launched support for Security Key, an open standard that lets you log in to an account with a physical device, usually in the form of a USB. The device takes the place of the six-digit confirmation codes currently used by Google's two-factor authentication. Instead of typing in the code, you'll simply insert your USB key before logging in. A password is still required, so a thief wouldn't be able to log into your account just by stealing your security key. On the other hand, if your account password ended up leaking onto the web, it would be useless without the corresponding security key.

"We are starting to move...beyond single-factor passwords."

Many businesses already use similar devices for security, most notably the RSA SecureID, but this is the first time you'll be able to use them to log in to a consumer service as popular as Gmail. Various manufacturers are already producing compatible keys, ranging from $6 to $50. Because the keys are built on top of the open FIDO standard, any manufacturer can try its hand at making a compatible key, and any service can use them as authenticators. PayPal, Samsung and Alibaba already have similar programs in the works.

Because the Security Key is built on an open standard, there's also no reason to think it will be limited to USB — which is particularly important given the recent bugs discovered in USB hardware. (Specific tokens can also be protected against the bug in the manufacturing process.) The same architecture could be used over Bluetooth or NFC tokens, or triggered by biometric scans of a users fingerprint or iris. It could also be used to move beyond simple two-factor security, requiring three or four different authentications before particularly sensitive information could be accessed, although those features aren't present in Google's current implementation.

However the standard develops, it's clear that Google and others are already moving away from a single password as the standard for consumer security. "There is no doubt that a new era has arrived," said FIDO Alliance President Michael Barrett in an official statement. "We are starting to move users and providers alike beyond single-factor passwords."