Two-factor authentication (2FA) adds an extra layer of security to your account by combining two different kinds of login factor, but that alone is not enough. 2FA is stronger than password-based authentication, yet it is still prone to phishing attacks. An account that has a very strong password and is secured with a 2FA service that sends an OTP every time you try to log in may not be completely hack-proof. The OTP generated through various random algorithms can also be defeated. Phishing sites can trick users into entering both their password and their temporary code, and the attacker can then easily bypass the security.
Dropbox, a cloud-based storage service, has done some research in this respect and has concluded that complete reliance on one-time passwords can sometimes be dangerous. So it has started a new feature that requires a FIDO U2F security key. The key is used together with your password as a second factor, and unless you lose it, it can’t be tricked.
The Security Key only works on Google Chrome for now. Starting with this version, the browser has built-in support for an open protocol called Universal 2nd Factor (U2F) that was developed by the FIDO Alliance. FIDO is a multi-vendor alliance that aims to develop hack-proof second-factor authentication tools. Other websites can also use this protocol, as it is supported by Chrome. The physical key is not just a tool for 2FA: it also uses cryptography to make sure that the site is not a phishing site.
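The origin check described above can be modelled in a few lines. This is an added example, not code from Dropbox, Chrome or the FIDO Alliance: a simplified sketch of U2F signing that leaves out the key handle, user-presence byte and counter, with constructed origins and function names.

```javascript
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Bytes the key signs: hash of the origin plus hash of the browser's client data.
function signedBytes(origin, challenge) {
  const clientData = JSON.stringify({ challenge, origin });
  return Buffer.concat([sha256(origin), sha256(clientData)]);
}

// Security key: the private key never leaves it. The origin is supplied by the
// browser, not by the page, so a phishing page cannot claim to be another site.
function makeSecurityKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const sign = (browserOrigin, challenge) =>
    crypto.sign("sha256", signedBytes(browserOrigin, challenge), privateKey);
  return { publicKey, sign };
}

// Server: verifies against its OWN origin and a challenge it issued itself.
function makeServer(origin, publicKey) {
  const issued = new Set();
  return {
    newChallenge() {
      const c = crypto.randomBytes(32).toString("hex");
      issued.add(c);
      return c;
    },
    verify(challenge, signature) {
      if (!issued.delete(challenge)) return false; // unknown or replayed challenge
      return crypto.verify("sha256", signedBytes(origin, challenge), publicKey, signature);
    },
  };
}

// One login attempt made from the origin the browser is actually on.
function login(server, key, browserOrigin) {
  const challenge = server.newChallenge(); // a look-alike page can relay this value
  return server.verify(challenge, key.sign(browserOrigin, challenge));
}

const REAL = "https://storage.example"; // constructed origins, not real sites
const FAKE = "https://storage-login.example";
function demo() {
  const key = makeSecurityKey();
  const server = makeServer(REAL, key.publicKey);
  return { genuine: login(server, key, REAL), phished: login(server, key, FAKE) };
}
console.log(demo());
```

Unlike an OTP, which is the same string whichever page it is typed into, the signature covers the origin the browser was really on, so a relayed response does not verify at the genuine site.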
If you want to buy this authentication tool, you’ll have to buy a FIDO-certified device from a vendor that sells it. Currently, it is available only on Amazon’s international site for around $18, but it can also be bought in India from local vendors for a little less. Just make sure the device has the “FIDO U2F Ready” logo on it.
Apart from this USB key, various other devices are being developed for this purpose, such as audio jack authenticators and USB touch authenticators.