This story is over 5 years old.

Google unveils Security Key

Google just introduced a physical device to complement the password

Today Google announced Security Key, a two-step verification method in the form of a USB key that users will need to plug into their computer before they can log in, if they opt in to the service. It promises to make Google accounts even more secure, but will people actually use it?

Until now, Google users with two-step verification enabled were asked to enter a code sent to their cell phones when logging in. With Security Key, which can be bought from third-party retailers, users will have to plug a USB key into their computer in addition to entering a password.

Security Key is more secure than previous methods, according to Google, because the key only works after verifying that the login site is a real Google page.

There is the question of what happens if you lose the USB key. A security protocol that relies on keeping track of a tiny little thing that jangles around your pocket might not be a great idea for people like me, who lose their keys on a daily basis. Besides the cost of replacing a Security Key, which can be bought for less than $10, however, there's little security risk or hassle involved in losing it. You can still access your Google accounts with a verification code sent to your phone, and the key itself doesn't contain any information about you or your accounts; it's useless without a password.

Security Key uses technology developed by the FIDO Alliance, a tech consortium that includes Google, PayPal and Lenovo. The Alliance has the explicit goal of moving the world away from passwords and towards device-focused authentication. They also say they want to "[operate] industry programs to help ensure successful worldwide adoption." With Google now on board, it certainly appears as though they're doing pretty well on that front.

Of course, the success of Security Key depends on whether people will actually use it. Right now, Google is targeting "particularly security-sensitive individuals"—people who read every article on cryptography they can find and worship Glenn Greenwald—with the product, but long-standing pushes for two-step verification and membership in the FIDO Alliance point to hopes of wider adoption.

Even in our post-Snowden, post-"Fappening," post-"Snappening" culture of ramped-up security concern, can the average person be bothered to carry around a USB key to log in to their email? Arkadiusz Stopczynski, a postdoctoral fellow in the Department of Applied Mathematics and Computer Science at the Technical University of Denmark and co-creator of a security protocol for brain wave data, thinks so.

"Whether the exact form-factor will be a standalone USB key, or secure chip in your phone accessible via USB, or a part of wearable is to be seen, but the basic idea of at least two factors—what you know and what you have—will be universally required very soon," Stopczynski told me. "Google's vision is to move away from logging in and towards linking devices to your account."

It does seem as though the big market players—Google and Apple alike—are moving towards stronger two-step verification, and Security Key is just the latest in a long line of pushes. With the right packaging (Security Key does look kind of cool in a Silicon Valley chic kind of way) and marketing, two-step verification could take off, if it's not defeated by sheer laziness on the part of users.