It is very possible to be vulnerable and helpless despite having the two-factor authentication security layer set up on your Google account (or precisely because you have it set up) if the unexpected happens and you have no access to your registered phone. 2-Step Verification (also known as 2 Factor Authentication or 2FA) is an optional system in which you add an extra layer of security to your account by taking advantage of components that are unique to you.
Take a look at this scenario. Your phone goes missing, and you rush to your laptop and open Google’s ingenious find-my-phone app. Still, you need to be signed in to your Google account to ring your phone via the app, so you try to log in to Google, only to realise that you need your missing phone to authenticate your access. Then you think of the most basic solution, resetting your Google account password, but the One Time Password (OTP) is sent to your missing phone via your SIM. You try the Google Prompt, but you need to tap YES on your missing phone to sign in. You cannot access the authenticator app code that would be sent to the same missing phone. The only other option left is to use your Security Keys. However, most Google users on the 2FA security layer have never activated this option.
If you’re wondering, “What about retrieving my SIM pack from my network operator and using it on another device to access my Google account?” Well, in Nigeria, this takes a process that will have you visit the offices of your provider to get a SIM swap. The worry, usually, is: what if my Google account is compromised while my phone is in the wrong hands? What if I need to urgently transact some business on my email but I can’t get in? What if you are on a trip to a different country where your provider is not present, and your network provider says you have to physically visit a service centre to get verified on the National Identity Number (NIN) platform before getting your SIM? The implication is that you are locked out… and in the cold!
Now, there are two options provided by Google to activate the Security Key: using your phone’s built-in key or a physical USB/NFC key (a U2F device). The latter is better for the obvious reason: in our scenario you have lost your phone, and using the same phone as the security key won’t help. What this implies is that Google registers your security key on an external device. This is akin to cutting an extra key to your car or your apartment.
A U2F device, short for Universal 2nd Factor, is a type of two-factor authentication (2FA) device that is used to provide an additional layer of security when logging into online accounts or services. It is a small physical device that connects to a computer or mobile device via USB, Bluetooth or NFC, and it uses public-key cryptography to verify the identity of the user.
U2F devices work by generating a unique key pair for each website or service that the user wants to use them with. When the user attempts to log into that website or service, they are prompted to insert the U2F device into their computer or mobile device and then press a button on the device. The device then generates a cryptographic signature, which is verified by the website or service, providing a second form of authentication in addition to the traditional password. The main advantage of U2F devices is that they are easy to use and provide a high level of security. Because the key pair is unique for each website or service, it is much more difficult for hackers to steal the user’s credentials, even if they have already obtained the user’s password.
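To make that flow concrete, here is a simplified Node.js model of registration and login. It is an example added here, not code from Google or from any real device; the names `SecurityKey`, `Website` and `login` and the origin strings used with them are made up for illustration, and real devices also handle things such as attestation that are left out.

```javascript
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Bytes the key signs: site hash | user-presence flag | counter | hash of client data.
function signedBytes(appId, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([1]), ctr, sha256(clientData)]);
}

// Hypothetical model of the device: one key pair per site, private keys stay inside.
class SecurityKey {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(appId, privateKey);
    return publicKey; // only the public half is sent to the site
  }
  sign(appId, clientData) { // runs after the button press
    const privateKey = this.keys.get(appId);
    if (!privateKey) return null; // no key pair exists for this site
    const counter = ++this.counter;
    return { counter, signature: crypto.sign('sha256', signedBytes(appId, counter, clientData), privateKey) };
  }
}

// Hypothetical model of the website: stores the public key, issues one-time challenges.
class Website {
  constructor(appId) { this.appId = appId; this.lastCounter = 0; this.challenge = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() { return (this.challenge = crypto.randomBytes(32).toString('hex')); }
  verify(clientData, response) {
    if (!response || !this.challenge) return false;
    const { challenge, origin } = JSON.parse(clientData);
    if (challenge !== this.challenge || origin !== this.appId) return false;
    if (response.counter <= this.lastCounter) return false; // counter must increase
    const data = signedBytes(this.appId, response.counter, clientData);
    if (!crypto.verify('sha256', data, this.publicKey, response.signature)) return false;
    this.lastCounter = response.counter;
    this.challenge = null; // each challenge is accepted once
    return true;
  }
}

// The browser reports the origin that is really asking; the key looks up a key pair for it.
function login(key, site, browserOrigin) {
  const clientData = JSON.stringify({ challenge: site.newChallenge(), origin: browserOrigin });
  return site.verify(clientData, key.sign(browserOrigin, clientData));
}
```

After `site.enroll(key.register(site.appId))`, `login(key, site, site.appId)` succeeds, while the same call with any other origin fails because the key holds no key pair for that origin.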
U2F devices are supported by many popular online services such as Google, Facebook, Dropbox, GitHub and more, and are becoming more widely adopted as a secure way to authenticate users. It is also important to note that U2F is an open standard, meaning that the devices can be used with any website or service that supports U2F, regardless of the device’s manufacturer. There are several types of these devices available in the market:
- USB U2F Key: This is the most common type of U2F device. It is a small USB key that connects to a computer or mobile device via USB. It is often used as a replacement for traditional security tokens or one-time password generators.
- NFC U2F Key: This type of U2F device uses NFC (near-field communication) to connect to a mobile device. It can be used to authenticate the user by tapping it on the mobile device.
- Bluetooth U2F Key: This type of U2F device uses Bluetooth to connect to a mobile device. It can be used to authenticate the user by pressing a button on the device.
- Smartcard U2F Key: This type of U2F device is a smart card that can be inserted into a smart card reader to authenticate the user.
- Biometric U2F Key: This type of U2F device uses biometric authentication such as fingerprint or facial recognition to authenticate the user.
All of these U2F devices work in a similar way, providing a second form of authentication in addition to a password. The main difference is the way they connect to the device; some of them are more portable than others, and some have additional features such as biometric authentication.
It is important to note that U2F devices are not suitable for everyone, and they may not be practical or cost-effective for some users, especially for those who are not very tech-savvy. In these cases, other forms of two-factor authentication such as SMS or authenticator apps may be more appropriate.
So, where does this take us? Set up 2-factor authentication on your Google account. But if you are the type who wants all the scenarios covered, or if you have millions of followers on Facebook or Instagram or millions of views on YouTube, you don’t want your account hacked: you need to activate the security keys on a secondary device to avoid “the story that touches the heart”.
Have you been in a situation where you felt “locked out” of your Google account? How did you get out of it? Share your experience in the comments.