Due to the increasing prevalence of cyber-attacks resulting in massive data leaks, it is of utmost importance that we keep our profiles under lock and key so as to avoid becoming another victim.
We have already commented on this on more than one occasion – enabling two-step verification for all the services that we use (Gmail, Facebook, etc.) is a basic security measure that we should not overlook. It requires a bit more effort than simply entering a password, yes, but the protection it offers you is worth it.
The confirmation might be a code that arrives by SMS to your mobile phone, an automatic call in which a robot reads the code, an email that you receive within the associated service, or a notification in the app. The bottom line is that it makes it harder for the attacker to access your account as they won’t have the code available.
However, the techniques thought up to circumvent the two-step verification have become more sophisticated. Cybercriminals can create webpages almost identical to the official pages of Google or Facebook, for example, which will demand the verification code sent to your mobile phone. This way, if they manage to fool you, they can access your account without needing to have the device which contains the code.
The answer to all this has arrived in the form of a pen drive. Led by Google, the FIDO Alliance is developing a technology (U2F Security Key) that makes it imperative that you have the gadget in order to access the account.
This gadget is a USB device that can be purchased for under 6 euros through Amazon. Google accounts are also now supported if you access them through the Chrome browser. It’s simple – you enter your username and password in Gmail, as usual, but instead of entering a code that’s sent to your phone, you need to insert the pen drive into the port on your computer – and click on the button which says add – to complete the second step of the identification process.
A would-be attacker who isn’t in possession of the device will be denied access. It won’t be of any use to them to try to trick you, because there isn’t any code that you need to enter. The key, which works on the basis of cryptography, takes care of it all.
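Why a lookalike page gains nothing from the key, shown as an added example that is not code from the article, Google or the FIDO Alliance: the browser records which site asked for the signature, and the service rejects anything signed for a different site. The origins, the SMS code and all function names are constructed for illustration, and HMAC stands in for the ECDSA signature a real key produces, so the server here holds the key's secret where a real service would hold only its public key.

```python
import hashlib, hmac, json, os

REAL = "https://accounts.example.com"       # constructed origin of the real service
FAKE = "https://accounts-example.invalid"   # constructed lookalike origin

def _msg(origin: str, counter: int, client_data: bytes) -> bytes:
    # Layout of a U2F authentication signature input:
    # SHA-256(app id) || user-presence byte || counter || SHA-256(client data)
    return (hashlib.sha256(origin.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + hashlib.sha256(client_data).digest())

class SecurityKey:
    """Toy token. HMAC stands in for the ECDSA signature a real key makes."""
    def __init__(self):
        self.secret, self.counter = os.urandom(32), 0

    def sign(self, origin: str, client_data: bytes) -> dict:
        self.counter += 1  # a real key also waits for the button press
        sig = hmac.new(self.secret, _msg(origin, self.counter, client_data), "sha256").digest()
        return {"client_data": client_data, "counter": self.counter, "sig": sig}

def browser_sign(key: SecurityKey, challenge: str, page_origin: str) -> dict:
    # The browser, not the page, fills in the origin that asked for the signature.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return key.sign(page_origin, client_data)

def server_verify(secret: bytes, challenge: str, resp: dict, last_counter: int = 0) -> bool:
    data = json.loads(resp["client_data"])
    if data.get("origin") != REAL or data.get("challenge") != challenge:
        return False  # signed for another site or for another login attempt
    if resp["counter"] <= last_counter:
        return False  # replayed or cloned response
    expected = hmac.new(secret, _msg(REAL, resp["counter"], resp["client_data"]), "sha256").digest()
    return hmac.compare_digest(expected, resp["sig"])

def run_scenarios() -> dict:
    key, challenge, sms_code = SecurityKey(), os.urandom(16).hex(), "492817"  # constructed
    legit = browser_sign(key, challenge, REAL)
    phished = browser_sign(key, challenge, FAKE)  # victim is on the lookalike page
    forged = dict(phished, client_data=legit["client_data"])  # origin swapped after signing
    return {
        # A typed code carries no record of where it was typed, so it still matches.
        "code_typed_into_lookalike": hmac.compare_digest(sms_code, "492817"),
        "key_on_real_site": server_verify(key.secret, challenge, legit),
        "key_on_lookalike": server_verify(key.secret, challenge, phished, legit["counter"]),
        "key_origin_rewritten": server_verify(key.secret, challenge, forged, legit["counter"]),
    }

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```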
Although it’s not the first time that a USB device has been suggested as a second verification mechanism, the U2F technology is the only one so far that has the backing of an internet giant like Google. The seal of approval from the search engine set the ball rolling for this tool, which is now an open standard controlled by the FIDO Alliance, a working group which also includes multinationals like Microsoft and Samsung.
In fact, it’s not only your Google account which can benefit from this security measure. Using the Chrome browser, any company can adopt this key to protect its intranet, email manager or any other corporate application.
The main drawback of the U2F protocol is that by relying on a USB port and the Chrome browser, it is unsuitable for use on mobile devices – the solution, however, is on the way. Yubico has produced similar devices which offer the same service without the need to insert a pen drive, but rather by NFC (near field communication), which is the same technology used by major mobile payment platforms (Apple Pay, Android Pay, and Samsung Pay).