Opting in to Google’s latest security upgrade requires a spot on your key chain for a device known as a security key.
A security key provides a more secure version of two-factor authentication, an approach already offered by some Web companies and many banks that involves logging in with both a password and a temporary code tied to something physically in your possession. Usually a two-factor code comes via a phone app, a text message, or a key fob.
The new feature works with a special kind of USB key. You can’t just use anything you’ve got lying around; you need something that’s FIDO Universal 2nd Factor (U2F) compliant. Instead of typing in a code from your phone, you just plug in one of these bad boys and press the button, which prompts a cryptographic back-and-forth with Google’s servers. That means you get not only the security of a physical second factor (like your phone) but also confirmation that the site you’re logging into is actually Google. There’s no way for hackers to fake this.
The small USB stick provides added protection for a Google account. Once a key is associated with your account, you’ll be prompted to insert the device into a computer each time you enter a password to log in—or, if you prefer, once a month on computers you use frequently. Touching a button on the security key triggers a cryptographic exchange with Google’s login systems that verifies the key’s identity. Security keys can be bought from several security hardware companies partnered with Google, for a little less than $20.
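The exchange described above (a touch-triggered cryptographic back-and-forth that also confirms which site you are on), as an added example that is not from the original article or from Google: a simplified Node.js model of a U2F-style challenge-response. The origins, function names and message layout are assumptions for illustration, and the per-site key handles and counter checks of real keys are omitted.

```javascript
// Added illustration: simplified model of a U2F-style sign-in (not Google's code).
const nodeCrypto = require("crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();
// Security key: holds the private key and signs only after the button is touched.
function makeSecurityKey() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  let counter = 0;
  const sign = (appParam, challengeParam, touched) => {
    if (!touched) return null; // no button press, no signature
    const head = Buffer.alloc(5);
    head.writeUInt8(1, 0); // user-presence flag
    head.writeUInt32BE(++counter, 1); // signature counter
    const msg = Buffer.concat([appParam, head, challengeParam]);
    return { head, signature: nodeCrypto.sign("sha256", msg, privateKey) };
  };
  return { publicKey, sign };
}

// Browser: reports the origin the user is really on; the page cannot override it.
function browserSign(key, actualOrigin, challenge, touched = true) {
  const clientData = JSON.stringify({ challenge, origin: actualOrigin });
  const out = key.sign(sha256(actualOrigin), sha256(clientData), touched);
  return out && { clientData, ...out };
}

// Server: checks the challenge, the origin, and the signature over both.
function serverVerify(publicKey, expectedOrigin, issuedChallenge, resp) {
  if (!resp) return "no-response";
  const data = JSON.parse(resp.clientData);
  if (data.challenge !== issuedChallenge) return "stale-challenge";
  if (data.origin !== expectedOrigin) return "wrong-origin";
  const msg = Buffer.concat([sha256(expectedOrigin), resp.head, sha256(resp.clientData)]);
  const ok = nodeCrypto.verify("sha256", msg, publicKey, resp.signature);
  return ok ? "ok" : "bad-signature";
}

// Constructed scenario with placeholder origins (assumptions, not real sites).
function demo() {
  const real = "https://accounts.example", fake = "https://accounts.example.test";
  const key = makeSecurityKey();
  const challenge = nodeCrypto.randomBytes(32).toString("base64");
  const check = (resp) => serverVerify(key.publicKey, real, challenge, resp);
  const relayed = browserSign(key, fake, challenge); // produced on the lookalike origin
  const edited = { ...relayed, clientData: JSON.stringify({ challenge, origin: real }) };
  return { genuine: check(browserSign(key, real, challenge)), relayed: check(relayed),
    edited: check(edited), untouched: check(browserSign(key, real, challenge, false)) };
}
console.log(demo());
```

A response produced on the lookalike origin is rejected even if its client data is edited afterwards, because the signature covers the hash of the origin the browser actually saw.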