Securing your Account with Security Keys

To help protect your Google account and to lock down your digital assets, you can enable security keys, a type of 2-step verification that provides additional protection against phishing, as your sign-in method. Protecting your digital assets is important, because if a hacker acquires your cloud credentials, they could lock you out of your app, gain access to your data, or spin up a bot farm with the largest available machine types, leaving you to pay the bill.

Setting up security keys on Cloud Platform adds a secondary security layer to accounts that access and manipulate your resources, and if you manage users through a hosted G Suite domain, you can require that users use security keys.

The following steps describe the 2-step verification process with security keys:

  1. A user acquires a security key that implements the FIDO U2F protocol.

  2. The user signs in using their username and password.

  3. The server authenticates the user based on their login credentials, and prompts them for their security key as a second factor identifier.

  4. The user taps the device to generate a cryptographic signature that's sent to the server.

  5. The server validates the signature and completes authentication.

2-step verification methods

Google provides several methods for 2-step verification:

Verification method   Software or hardware   Requirements
Text message          Software               Cellular service and a powered mobile device
Google Authenticator  Software               Powered mobile device
Security keys         Hardware               Google Chrome desktop browser (version 40+), iOS, Android

Both text messages and Google Authenticator verification require having your mobile device with you when logging in. For text message verification, a one-time password (OTP) token is sent through a text message. Google Authenticator is a downloadable app that you can use to generate OTP tokens on your mobile device. Both methods add an extra layer of security to your account, but security keys offer the strongest security. A security key isn't susceptible to a phishing attack, which is a common technique hackers use to steal your password and OTP token.

Security keys are powered by the FIDO U2F (Universal 2nd Factor) open authentication standard. U2F enables strong, easy-to-use and interoperable 2-step verification. Instead of entering numeric codes or passphrases, you touch your security key to generate a cryptographic signature.

Security keys are a better verification method to use for the following reasons:

  • Security keys are more user-friendly. You tap the key instead of having to switch between your mobile device and computer to enter OTP tokens.

  • Phishing attacks are less effective because security keys send Google cryptographic proof that a user is on a legitimate Google site and the user possesses a security key.

  • You don't need cellular service to authenticate.

However, security keys require that you use Google Chrome version 40+ as your desktop browser, and that you have access to a machine with a USB port.

Set up security keys

You can leverage security keys on Cloud Platform to add a secondary security layer to accounts that access and manipulate your resources. Customers that manage users through a hosted G Suite domain can require that accounts use security keys by configuring Security Key Enforcement.

Set up security keys on your Google account

  1. Install the Google Chrome desktop browser (version 40 or higher).

  2. Order a U2F-compatible security key.

  3. Go to the Google Cloud Platform Console.

  4. Enable U2F authentication by clicking your user icon in the top-right corner of the screen, then click Account.

    [Screenshot: Access account settings]

  5. Click Signing in to Google.

    [Screenshot: Signing in to Google]

  6. Click 2-Step Verification. The page that follows explains how 2-step verification works.

    [Screenshot: 2-step verification]

  7. Depending on how your account was configured by your administrator, you might need to configure 2-step mobile verification through either an SMS message or phone call.

    1. Click the Get started button.

    2. Input your mobile phone number and select the verification type you'd like to use, then click Send code. Google sends the verification code immediately, so have your phone nearby.

    3. Input the verification code, then click the Verify button. Then click the Turn on link on the success page.

  8. Next, enable security keys for your account. Click the Add security key link in the Set up alternative second step section.

    [Screenshot: 2-step verification]

  9. Follow the on-screen instructions to register your security key.

    [Screenshot: 2-step verification]

Test your Google account

  1. From a different computer or from an incognito window, go to the Google Cloud Platform Console.

  2. Enter your email address and password when prompted.

  3. If you've set up security keys correctly, you'll then be prompted to insert and tap your security key. If you don't touch the key you'll see the following failure message.

    [Screenshot: Access account settings]

  4. Click Retry, and tap the security key when prompted.

You've now proven that without your security key, a user on a new machine can't authenticate using your Google account. Next, you'll test authenticating using the Google Cloud SDK from the command line.

  1. Install the Google Cloud SDK if you haven't already.

  2. From the command line, type gcloud auth login <your-email-account>. If you run this command from a system with a graphical interface, a browser window will appear with a login screen. If you run this command from a headless server, the command window prints a URL that you must visit to complete authentication.

  3. Enter your email and password at the browser login page. Then, tap your security key when prompted. A verification code displays.

  4. Copy the verification code and input it on the command line.

Next steps

Try out other Google Cloud Platform features for yourself. Have a look at our tutorials.
