In an age where sophisticated hackers and cyberespionage groups are aggressively going after specific targets, stealing credentials and sensitive data, passwords may no longer be an effective defence against potential cyberthreats.
Now, Google has come up with an innovative approach to deal with such threats. The tech giant says that it can protect its high-risk users, who are likely to be targeted by cybercriminals, with a physical key that locks down their accounts like never before.
Google's recently-launched Advanced Protection Program requires Google account holders to use security keys – small USB or wireless devices – to log in to their accounts. The keys function as a more secure version of two-factor authentication and make use of "public-key cryptography and digital signatures" to authenticate the legitimacy of the account holder.
The additional layer of security provided by the physical keys ensures that malicious hackers are blocked from accessing vulnerable users' accounts, even if they possess the users' passwords.
"This is basically an extremely heavy-duty way of locking down an account," Joseph Lorenzo Hall, the chief technologist for the Center for Democracy and Technology, told Wired. "Even for people with very limited technology chops, this is a way for them to have an extremely protected profile."
How is the physical key different from two-factor authentication?
Although traditional two-factor authentication measures are generally considered to provide enough protection against most attacks, in some cases, they may not be enough. For instance, determined hackers going after specific targets may launch specialised phishing attacks, meant to intercept two-factor codes. Users' phones may also be infected with spy malware, capable of taking screenshots of two-factor codes displayed on the users' screens, ZDNet reported.
In the event of such attacks, generally considered to be orchestrated by state-sponsored hackers, Google's physical key could play a significant role. The keys are also designed to block phishing attacks: they only work on Google's own pages, and protected accounts can only be accessed via Gmail.com.
In other words, if users are tricked into divulging their account credentials by entering them on a fake phishing site, the keys would ensure that the account is not accessible to anybody else. Attackers would not be able to get into the account, despite having access to the users' credentials.
However, the downside of using the key is that users will no longer be able to access their accounts via third-party platforms. For instance, those using Apple's email apps on iPhone or Microsoft Outlook will no longer be able to log in through those services. Of course, the other aspect of using the physical keys is that users will always have to remember to have them on their person in order to log in.
Google rolled out Advanced Protection in the wake of a series of attacks against some of Google's users, including journalists, dissidents and political opponents of the Russian government.
Users interested in beefing up their security can register for Google's Advanced Protection Program. The physical keys – one USB key for desktop that costs $20 and another wireless key for mobile priced at around $25 – have to be purchased by those interested.