Logethica

Level 12
Source: Adding a USB Security Key to your Google account is a good idea — and here's how to do it

Two-factor authentication can protect your account, and a USB Security Key makes for a great backup if you lose your phone.

What are you talking about? Why do I want one of these things?
A USB Security Key is a small plastic key-shaped device you can plug into a USB port on a computer. Some of them light up, some have a small touch-sensitive button, and some have both. But they don't really do anything, you just plug them in. At least it looks like they don't do anything.

What you can see is the tiny chip inside the plastic. It's connected to the gold-colored contacts on the pluggy-inny side, and when two of those contacts are powered up by your computer through the USB port, a secure token can be read. Software on a computer can get this token and compare it against what it expects to see, and see if the two match. That software can use this result to do "stuff." When you go to log onto your Google account from a computer, the web page code can read one of these keys. If everything matches, you get a green light and can get into your account. If things don't match, you get an error. Everything is encrypted, everything is safe, and no two keys are the same.

A USB key is like plug-and-play account recovery.

It's a "thing you have" that can be used to authenticate who you are. When used in tandem with your username and password, it makes things very difficult for someone pretending to be you on the internet. It makes for a great piece of a 2FA scheme, but it's best to add it as a third authentication method along with the authenticator app on your phone. It's even a good idea to use more than one of them.

Let's say you get on a plane and head out somewhere nice for a week or so. During the commotion at the baggage carousel or the rental car desk, you lose (or someone steals) your carry-on. Inside was your smartphone and your laptop. If you have 2FA set up on your Google account and don't have another computer or phone that's already logged in, you have three options.

  • Find those backup codes Google told you were important to print out and keep safe.
  • Call Google and work your way through their account recovery process and hope for the best. Also, hope that the information you have on file with Google is correct and you can remember it.
  • Scream and shout because you now need to make a new account and will lose everything you had before.

The first option is the best one. Those recovery codes are an easy way in, and Google even tells you how important it is to keep track of them. Mine are ... somewhere. The second option can be a crapshoot, and frankly, shouldn't even exist. Google should never ever give you access to a 2FA protected account if you can't provide both methods of authentication. Knowing your mother's maiden name or the name of your first pet is a ridiculous security challenge, and if I had my phone to take a call and get a code I wouldn't be asking in the first place. And the third option, well, that would suck. None of us want to think about the third option.

If you had a USB Security Key (or two) set up on your account you would have a fourth — log in at any computer, and plug your key in when asked. I have two of them — one on my keychain, and one at my house that I won't lose...


DracusNarcrym

Level 19
Verified
Truly, the future here, at least for extremely sensitive accounts/data, is multi-factor authentication.
E-mail code, device authenticator code (e.g. Google Authenticator), USB security key, facial recognition, eye recognition, ear structure recognition, fingerprint recognition, voice recognition...
Imagine how mad hackers would be. :D

And what if you lose your USB? Go back to square one and reroll :p
Indeed. Same with most two-factor authorization methods:
E-mail - What if you can't access your e-mail? (double hijack lol)
Device authenticator (code generator) - What if you lose the device? Or what if you accidentally do a factory reset, and your authenticator configuration is erased in the process?

Two-factor might be secure, but it also needs... responsible users...

But wait, if users need to be responsible in order for their account to be more secure, then why do they actually need more security measures? (since they already need to be, and are, responsible, they will already know how to take care of their account)

Did we just find a security paradox? :D:p

Nah...