Millions of us rely on our Google Account for access to Gmail, Google Apps, YouTube, Google+, Blogger, and more. We all want our accounts and data to be safe, but traditional login just isn’t secure enough in today’s world — malware and other attacks steal passwords and hack accounts every day.
Fortunately, you can secure your Google Account easily with Yubico’s U2F-compliant YubiKeys. YubiKeys provide an additional secret beyond your password when you access your Google Account. The extra layer of protection is called a second factor or 2-Step Verification. Even if your username and password (first factor) are stolen, hackers cannot get into your account without having possession of your Security Key (second factor). The only way someone could get into your account would be to have both your password and your physical key — not very likely!
A stolen Security Key is useless without the account username and password. If a key is lost, a new key can be added to a Google Account and the lost key deleted. You can rest assured your account is secure when it’s protected by a YubiKey. YubiKeys are more secure than Google Authenticator, Google Prompt, SMS, and emailed passcodes.
What’s the Secret
The YubiKey 4, YubiKey 4 Nano, U2F Security Key, and YubiKey NEO support the emerging FIDO Alliance standard called U2F (Universal Second Factor). U2F uses something called public key cryptography, which involves using a really hard math problem to create a pair of keys used to verify access to an account. The key pair is one portion of the two-factor strong authentication equation: “something you know” (such as your username/password) and “something you have” (such as a YubiKey).
You just plug your YubiKey into your USB port, enter your existing username and password, then touch the YubiKey button when prompted. There is no installation of software required and there is no battery to charge. Your YubiKey is small and nearly indestructible, and hangs on your keychain or sits inside your USB port.
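The key-pair check described above can be simulated in a few lines. This is an added example, not code from Yubico or Google: the SimulatedKey class, the verifyLogin function and the accounts.example address are constructed for illustration, and it goes slightly beyond the text by including the challenge, origin and counter that the U2F message format signs.

```javascript
// Added illustration: simplified simulation of a U2F login, not vendor code.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Bytes covered by a U2F authentication signature:
// SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(client data)
function signedBytes(appId, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(clientData)]);
}

// The Security Key: the private key never leaves it; only signatures do.
class SimulatedKey {
  constructor() {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    Object.assign(this, { counter: 0 }, pair); // sets publicKey and privateKey
  }
  sign(appId, clientData) { // stands in for "touch the button"
    this.counter += 1;
    const payload = signedBytes(appId, this.counter, clientData);
    return { counter: this.counter, signature: crypto.sign('sha256', payload, this.privateKey) };
  }
}

// The service: stores only the public key and checks every response.
function verifyLogin(record, appId, expected, clientData, response) {
  const seen = JSON.parse(clientData);
  if (seen.challenge !== expected.challenge || seen.origin !== expected.origin) return false;
  if (response.counter <= record.lastCounter) return false; // old response reused
  const payload = signedBytes(appId, response.counter, clientData);
  if (!crypto.verify('sha256', payload, record.publicKey, response.signature)) return false;
  record.lastCounter = response.counter;
  return true;
}

function demo() {
  const appId = 'https://accounts.example'; // constructed placeholder service
  const key = new SimulatedKey();
  const record = { publicKey: key.publicKey, lastCounter: 0 }; // saved at registration
  const challenge = crypto.randomBytes(32).toString('hex');
  const expected = { challenge, origin: appId };
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: appId });
  // A different key (someone with the password but not your key) fails the check.
  const stranger = verifyLogin(record, appId, expected, clientData, new SimulatedKey().sign(appId, clientData));
  const response = key.sign(appId, clientData);
  const genuine = verifyLogin(record, appId, expected, clientData, response);
  const replayed = verifyLogin(record, appId, expected, clientData, response);
  return { stranger, genuine, replayed };
}
console.log(demo());
```

The service never holds anything that can produce a valid signature, which is why a copied password or a copied server record is not enough to sign in.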
How To Use Your YubiKey with Google
Congratulations, you have a U2F YubiKey! So how do you set it up to protect your Google accounts? Follow these easy instructions and you’ll be protected with the simplicity of YubiKey two-factor authentication in no time!
- Latest version of Google Chrome browser (or at least version 38)
- A U2F Security Key, YubiKey 4, YubiKey 4 Nano, YubiKey NEO, or other Yubico U2F-enabled YubiKey
- One finger (the YubiKey button is a capacitive sensor, not a biometric)
- A Google Account (such as Gmail, Google Apps, YouTube, Google Plus, Blogger, Adwords)
Note: If your Google account is a managed account — such as with Google for Business or Google for Education — your administrator must have enabled two-step verification before you can use your YubiKey. If the option to select 2-Step Verification is not available (as described in the steps below), ask your administrator to enable this security option.
Setting Up Your Google Account
- Set up 2-Step Verification for your Google account, if you have not yet done so. This is also where you will set up your mobile device as a backup. (If you already have 2-Step Verification set up, continue to step 8.) To set up 2-Step Verification, in your Chrome browser, click My Account, then click Sign-in & Security.
- In the section under Password & sign-in method, click on 2-Step Verification.
- If it is not already selected, click Verification Codes.
- Under Backup Options, click Add a phone number. This is an important step should you ever need access to your account and find yourself without your YubiKey. Note that we recommend that you have a second YubiKey for backup so that you can always access your accounts – similar to how you have an extra copy of your keys for your house and car.
- In the Add backup phone number dialog box, enter your phone number and specify how you want to receive codes (usually by SMS text message).
- If you want to verify that your backup method works, click Send Code.
- Click Save.
- You also have backup codes that you can use to gain access to your account. This is an additional mechanism to use if you do not have access to your YubiKey or your phone. You might find it useful to copy these backup codes and put them in a safe place. To do this, click Show backup codes. A new browser window is opened so you can manage your backup codes.
- Click Print or Save to text file, to save your codes.
- In the future, if you notice you have used a few of your backup codes and you are worried about running out of them, you can return to this screen and click Generate new codes.
- Now you are ready to register your YubiKey as your 2-Step Verification device. Click Security Keys, and then click Manage.
- This is the really cool part! If your YubiKey is inserted, remove it. Now click Register, insert your U2F YubiKey, wait for it to blink, and tap the YubiKey button. Your YubiKey is now registered to your account as your default Two-Step Verification device!
- The screen now displays all devices that are registered to your account, so you can easily add another Security Key, or remove registered keys. (If you accidentally lose a YubiKey, come here and remove that YubiKey from your account. No one could log on to your account, though, because they would still need to know your password.)
Logging in to Your Google Account
Logging in to your Google account with your YubiKey is refreshingly simple.
- The next time you need to log in to your Google account, enter your user name and password, and click Sign in.
- When prompted for 2-Step Verification, insert your YubiKey, wait for it to blink, and then tap it.
- If you want to trust this computer for a short period of time, so you do not have to insert your YubiKey each time you log in, check the box to Remember this computer for 30 days.
- If you do not have your YubiKey with you, click Use a verification code instead. You can then use either an SMS text message with a backup code, or one of the eight backup codes you previously saved.
Congratulations! Your Google account is now secure with Yubico two-factor authentication!
Even Better for Businesses
Google for Work and Google for Education are ready for YubiKey out-of-the-box. Find out more about YubiKey and Google for Work.
Running Microsoft Internet Explorer or Mozilla Firefox?
Mozilla is currently building support for U2F and Microsoft is working within the FIDO Alliance to bring support to Windows 10. But for now, there are some additional technical steps to take for YubiKey two-factor authentication if your browser isn’t Google Chrome.
Here is a one-time password solution for Gmail that works with YubiKeys that do not currently support U2F. It relies on a free application called the Yubico Authenticator (that works on Windows, Mac OS X, or Linux) to generate time-based authentication codes.
Secure Your Google Account Today
YubiKeys are available worldwide on Amazon and through the Yubico Store.
See Why Google Likes Security Keys
Google recently published a two-year study on the use of FIDO U2F Security Keys. Read our blog discussing the paper and Google’s conclusions (and then download the study).