The idea of the password as the “key” to your account just became a little less metaphorical with Google’s announcement that it’s supporting the Security Key open standard. The physical USB dongle takes the place of the code in the second step of two-step verification, the system of protecting an account with not only a password but also a second form of authentication, usually a code sent to a phone. Where you’d normally enter your password and then verify with the numeric code, with the Security Key you enter your password, plug the key into a USB port, and press a button, and Google authenticates your identity.
Like standard two-step authentication, use of the Security Key is based on the premise that the second step of logging in, after entering a password, requires a physical thing. But with the key, the second step is that physical thing itself, rather than a code generated by it (i.e. the code generated by a smartphone). This makes for a more secure two-factor system, since hackers can’t intercept the code as it’s being sent to the code-requester, nor can they hack into the code-generating database or create fake codes. To get info from the key, a hacker would need to physically break into it.
The Security Key is based on U2F (Universal 2nd Factor) specifications, a standard developed by the FIDO Alliance, a group that’s working to minimize our use of passwords in favor of physical objects. Because U2F is an open standard, the keys can be used for more than just Google’s services; eventually, the standard may work via NFC for use with smartphones. Right now, though, it’s limited to USB dongles made by a handful of manufacturers, namely Yubico, whose key is available for $18.
The Security Key reflects the notion that the virtual world is better off—more secure, more convenient, and more useful—when it’s intertwined with the physical world, not set apart completely.