Skip to main content

Google’s 2-Step Verification Now Supports FIDO “Universal 2nd Factor” Open Standard

Today, Google announced that the 2-Step Verification security for its Google accounts will get even stronger thanks to new support for the Universal 2nd Factor (U2F, for short) open standard created by the FIDO Alliance.

The FIDO Alliance is a non-profit organization, founded in 2012, working on interoperable open standards protocols for secure authentication. Companies such as Google, Microsoft, Samsung, ARM, Qualcomm and others have already joined this group. The FIDO Alliance aims to make it easy to securely authenticate to devices whether it's through USB keys (such as Yubikey NEO), fingerprint or face scanning, voice recognition, or other methods.

The main advantage of using a USB "Security Key" (as Google calls it) over typing a verification code that you may have gotten from the SMS-based 2-step verification or the Google Authenticator app is that it can protect you against phishing. The USB Security Key will only work with Google's websites if it recognizes them.

Right now, though, Google's websites will only accept this login method within the Chrome browser (version 38 or later), but Google hopes other browsers will adopt it soon, too. Mozilla is usually on the same page with Google when it comes to security and open standards, and Microsoft has already joined the group as well, so we can probably expect support for the FIDO U2F in the next version of Internet Explorer.

Apple could be the last one to hold out on adopting any of the standards from the FIDO Alliance, considering the company now has its own protocol for fingerprint scanning. Apple has recently started allowing iPhone users to pay for online purchases by using Touch ID, and in the future it may also add Touch ID to its Macbooks.

USB keys are probably not going to become mainstream, which is why this functionality should probably be built into smartwatches, which can then connect through NFC and authenticate laptops or mobile devices. Google's Android 5.0 operating system already allows something similar, but it only works to unlock the devices, not log in to any websites. Another disadvantage of USB keys is that they can't work with mobile devices, unlike the NFC-based smartwatch solution.

Still, for people who want to be extra-secure and don't want to risk having their smartwatches compromised by malware, the USB keys are a good solution, especially if most browsers are going to adopt an interoperable standard in the near future.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.