Securing your Cloud Platform account with U2F

To help protect your Google account and lock down your digital assets, you can enable U2F, a type of 2-step verification, as your sign-in method. Protecting your digital assets is important: if an attacker acquires your cloud credentials, they could lock you out of your app or spin up a bot farm with the largest available machine types, leaving you to pay the bill.

Setting up U2F on Cloud Platform adds a second security layer to accounts that access and manipulate your resources, and if you manage users through a hosted G Suite domain, you can require that accounts enable U2F.

The following steps describe the 2-step verification process:

  1. A user acquires a device that can generate a security token.

  2. The user signs in using their username and password.

  3. The server authenticates the user based on their login credentials, and prompts them for a security token as a second form of identification.

  4. The user uses the device to generate a security token, and inputs the token into a web form.

  5. The server validates the security token and completes authentication.

2-step verification methods

Google provides several methods for 2-step verification:

Verification method    Software or hardware    Requirements
Text message           Software                Cellular service and a powered mobile device
Google Authenticator   Software                Powered mobile device
Security Key           Hardware                USB port and Google Chrome browser (version 40+)

Both text message and Google Authenticator verification require having your mobile device with you when logging in. For text message verification, a one-time password (OTP) token is sent through a text message. Google Authenticator is a downloadable app that you can use to emit OTP tokens from your mobile device. Both methods add an extra layer of security to your account, but the Security Key method offers the strongest security. A Security Key isn't susceptible to man-in-the-middle attacks, where hackers use phishing techniques to steal your password and security token.

The Security Key method is powered by the U2F (Universal 2nd Factor) open authentication standard. U2F enables strong, easy-to-use and interoperable 2-step verification. Instead of inputting numeric codes or passphrases, you touch your security key to generate a token.

U2F is a better verification method to use for the following reasons:

  • Security keys are more user-friendly. You tap the key instead of having to switch between your mobile device and computer.

  • Phishing attacks are less effective because you don't input your token into a web form.

  • You don't need cellular service to authenticate.

However, U2F requires that you use Google Chrome version 40+ as your browser, and that you have access to a machine with a USB port.
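Why a security key resists the phishing scenario described above, shown as an added example (not Google's code and not part of the original page): a simplified simulation of a key and a relying-party check that follows the U2F authentication signature layout, where the origin reported by the browser is part of the signed data. The appId, the look-alike origin and all function names are constructed for illustration.

```javascript
// Added example: simulated U2F sign/verify. All names and values are constructed.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

const APP_ID = 'https://accounts.example.com';           // relying party (assumed)
const LOOKALIKE = 'https://accounts-example.test';       // phishing origin (assumed)

// Simulated security key: a P-256 key pair registered with the relying party.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
let keyCounter = 0;

// Browser + key: the browser records the origin it is really on in clientData;
// the key signs appId hash || presence byte || counter || clientData hash.
function keySign(challenge, browserOrigin) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: browserOrigin });
  const head = Buffer.alloc(5);
  head.writeUInt8(0x01, 0);               // user touched the key
  head.writeUInt32BE(++keyCounter, 1);    // signature counter
  const signed = Buffer.concat([sha256(APP_ID), head, sha256(clientData)]);
  return { clientData, head, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying party: check the signed client data before trusting the signature.
function verifyAssertion(resp, expectedChallenge, lastCounter) {
  const cd = JSON.parse(resp.clientData);
  if (cd.typ !== 'navigator.id.getAssertion') return 'wrong type';
  if (cd.challenge !== expectedChallenge) return 'challenge mismatch';
  if (cd.origin !== APP_ID) return 'origin mismatch';
  if ((resp.head.readUInt8(0) & 0x01) === 0) return 'no user presence';
  if (resp.head.readUInt32BE(1) <= lastCounter) return 'counter did not advance';
  const signed = Buffer.concat([sha256(APP_ID), resp.head, sha256(resp.clientData)]);
  return crypto.verify('sha256', signed, publicKey, resp.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const challenge = crypto.randomBytes(32).toString('base64url');
  const legit = keySign(challenge, APP_ID);
  // Same challenge relayed through a look-alike site: the browser reports that origin.
  const relayed = keySign(challenge, LOOKALIKE);
  // Rewriting the origin afterwards changes the clientData hash, so the signature breaks.
  const edited = { ...relayed, clientData: relayed.clientData.replace(LOOKALIKE, APP_ID) };
  return {
    legit: verifyAssertion(legit, challenge, 0),
    relayed: verifyAssertion(relayed, challenge, 0),
    edited: verifyAssertion(edited, challenge, 0),
  };
}

console.log(demo());
```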

Set up U2F

You can leverage U2F on Cloud Platform to add a second security layer to accounts that access and manipulate your resources. Customers that manage users through a hosted G Suite domain can require that accounts enable U2F.

Set up U2F on your Google account

  1. Install the Google Chrome browser (version 40 or higher).

  2. Order a security key. Use the YubiKey compatibility matrix to ensure that the key is compatible with Google accounts.

  3. Go to the Google Cloud Platform Console.

  4. To enable U2F authentication, click your user icon in the top-right corner of the screen, then click Account.


  5. Click Signing in to Google.


  6. Click 2-Step Verification. The page that follows explains how 2-step verification works.


  7. Click the Start setup button.

  8. Next, you'll need to configure 2-step mobile verification through either an SMS message or phone call. Input your mobile phone number and select the verification type you'd like to use, then click Send code. Google sends the verification code immediately, so have your phone nearby.

  9. Input the verification code, then click the Verify button.

  10. At the next step, you'll be asked if the computer you're working on is a trusted computer for your Google account. If you're running these steps from a public computer, clear the Trust this computer checkbox. Click Next to continue.

  11. Click the Confirm button to enable U2F for your Google account.

Register your security key

  1. Click the Security Keys tab.

  2. Click Add security key to register your security key with your Google account.


  3. Follow the on-screen instructions to register your security key. After you've completed the steps, you'll see a checked Registered checkbox.


Test your Google account

  1. From a different computer or from an incognito window, go to the Google Cloud Platform Console.

  2. If you've set up U2F correctly, you'll be prompted to insert and touch your security key. If you don't touch the key, you'll see a failure message.

  3. Click Retry, and tap the security key when prompted.

You've now proven that without your security key, a user on a new machine can't authenticate to your Google account. Next, you'll test authenticating using the Google Cloud SDK from the command line.

  1. Install the Google Cloud SDK if you haven't already.

  2. From the command line, type gcloud auth login <your-email-account>. If you run this command from a system with a graphical interface, a browser window will appear with a login screen. If you run this command from a headless server, the command window prints a URL that you must visit to complete authentication.

  3. Enter your email and password at the browser login page. Then, tap the security key when prompted. A verification code is displayed.

  4. Copy the verification code and input it on the command line.

Next steps

Try out other Google Cloud Platform features for yourself. Have a look at our tutorials.
