Google’s Physical Keys: Your Password’s Extra Security Layer


Passwords were invented in the 1960s. Although they have proven useful through decades of digital technology, it turns out the password has serious problems. Ironically, the inventor of the password, Fernando Corbato, agrees.

In an interview with the Wall Street Journal, he said the password has become a nightmare of sorts on the internet. He mentions that because people cannot possibly remember all of their passwords, they resort to third-party programs or keep a crib sheet, which is a nuisance.

Data breach numbers from the Breach Level Index have reached 9 billion since 2013. If you’re a high-value target, you may want to use Google’s new Gmail security – the Google Physical Keys.

Considered the newest breach prevention service, it is aimed primarily at people in high-ranking positions or in vulnerable fields. If you’re no stranger to data breaches or resetting passwords, you can purchase two keys that cost about $20 each.

The service offers the USB Security Key, which is said to be twice as secure as the two-factor authentication service (2FA). Plug it into your laptop or computer and you’re good to go.

USB Security Key Benefits:

More security

Hackers need to physically obtain the key to access your records or account; hence, you don’t have to worry about online breaches.

Mobile device compatibility

“But how will the key work with my phone?” you may ask. Worry not, as the final U2F standard will ensure that future key versions will include contactless near-field communication chips that most smartphones can already read. (The U2F standard is an open authentication standard that simplifies 2FA).

The Advanced Protection Program

Google recognizes the vulnerability of the password. However, the company encourages users to embrace the password, now with its extra physical security backed by its new and sophisticated program. The Advanced Protection Program is meant to render stolen passwords useless. If hackers actually get into your online records, they wouldn’t be able to do anything.

Setting Up the Advanced Protection Program

Make use of Google’s advanced protection program. (Image source: Google)

The program basically requires you to use two inexpensive keys to log into your Google account. It does away with the text messaging part of 2FA, which has recently been identified as a vulnerability.

Google’s new program aims to provide users with a physical device that is harder to steal than a text message. You can get two keys from either Feitian or Yubico, as endorsed by Google.

The keys look like thumb drives, and they will contain “digital signatures” to prove your identity. Setting one up is easy. Plug the key into your USB port and name it. If you purchased the Feitian key, it will wirelessly connect to your phone for login authentication. You only need to log in once using the keys, as Google remembers all of your devices for future logins.
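The "digital signatures" idea above, shown as an added example that is not Google's, Feitian's or Yubico's code: a simplified model in which the key signs a fresh server challenge, so a stolen password alone, or a signature from an earlier login, does not get in. It assumes an ECDSA P-256 key pair; the function names, account layout and password are constructed, and this is not the real U2F message format.

```javascript
const crypto = require('crypto');

// Simplified model of a security-key login (NOT the real U2F message format).
// Function names, the account layout and the password are constructed here.

// Registration: the key creates a key pair; only the public half leaves it.
function registerKey() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, publicKey };
}

// What the plugged-in key does at login: sign the server's fresh challenge.
function signChallenge(device, challenge) {
  return crypto.sign('sha256', challenge, device.privateKey);
}

function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Server-side record: salted password hash plus the key's public key.
function createAccount(password, publicKey) {
  const salt = crypto.randomBytes(16);
  return { salt, passwordHash: hashPassword(password, salt), publicKey };
}

// Both factors must pass: the password, then a signature over this challenge.
function login(account, password, challenge, signature) {
  const candidate = hashPassword(password, account.salt);
  if (!crypto.timingSafeEqual(candidate, account.passwordHash)) return 'bad password';
  if (!signature) return 'security key required';
  return crypto.verify('sha256', challenge, account.publicKey, signature)
    ? 'logged in' : 'bad signature';
}

function demo() {
  const pw = 'correct horse (constructed)';
  const { device, publicKey } = registerKey();
  const account = createAccount(pw, publicKey);
  const c1 = crypto.randomBytes(32); // the server issues a new challenge per login
  const sig1 = signChallenge(device, c1);
  const c2 = crypto.randomBytes(32);
  return {
    owner: login(account, pw, c1, sig1),          // password + key present
    passwordOnly: login(account, pw, c2, null),   // password known, no key
    staleSignature: login(account, pw, c2, sig1), // old signature, new challenge
  };
}
console.log(demo());
```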

Challenges to Having a Physical Key

According to security researchers, the program is deemed relatively painless for everyday use, but it has its drawbacks:

Limited access to third-party apps

By default, the program only allows applications that support the security keys. This means you can only use Chrome, Gmail, and Google’s Backup and Sync app. This is meant to prevent the most sensitive data from accidental sharing. It’s not ideal for those who rely heavily on Apple Mail or Microsoft Outlook. However, Google says it will eventually allow third-party apps in the program.

Longer recovery if keys get lost

A challenge of possessing a physical security device is the possibility of losing it. If you lose one without a spare, it will take you a long time to regain account access. Google has put in place stricter, more elaborate recovery steps. It could take days for a submitted recovery request to get a response. This is why Google advises purchasing two keys.

Considering the drawbacks, here is the bottom line: the keys and the program work quite well with users who only use a computer and a phone. Productivity may be stifled for users or companies who rely heavily on third-party apps. Experts advise users to wait for companies to update their apps and for Google’s program to mature. The program is currently only available to Google accounts.