Google Monday added controls for two-step verification to a pair of its Google Apps services, giving enterprise and education administrators tools to deploy, monitor and manage physical hardware-based tokens for strong authentication.

Google said the Security Key tokens offer a layer of protection that can't be phished. On top of hardened security, Google's big-time addition to the game is in the introduction of management tools, which are a requirement of any viable enterprise security system or service.

The two Google services supported are Google Apps Unlimited, the premium business version of Google Apps, and Google Apps for Education, a suite of productivity tools for classroom collaboration. In April, Google rolled out Security Key support for Google at Work. In October, Google introduced Security Key for Gmail to any user of the service.

In a blog post released this afternoon, Google said the new management controls are now available in the Admin Console for Apps Unlimited and Apps for Education.

Once users activate their Security Keys within a domain, admins will have tools to revoke access to lost Security Keys and to provide backup codes for account recovery so users can still sign-in. In addition, admins will have tracking and reporting tools to pinpoint where and when people last used their keys.

The Security Key hardware token uses a public key cryptography specification called Universal 2nd Factor (U2F) developed by the FIDO Alliance rather than sending a code that has to be re-typed like popular SMS and other two-step verification tools, including Google Authenticator.

A video on Google's Web site shows how the 2-step verification is activated by touching the Security Key. Google is a member of the FIDO Alliance.

The company said the Security Key will provide two-step verification for other editions of Google Apps, but for now users in those domains will have to revoke their own keys without administrative help.

The on-going rash of password hacks, phishing scams and data breaches are catching the attention of service providers large and small.

In April, Salesforce.com added mobile-based two-factor authentication to its stable of identity and access control technologies with the acquisition of Toopher for an undisclosed sum. At the time, Mark Diodati, research vice president at Gartner, referred to two-factor capabilities as table stakes that improve competitive capabilities for service providers.

Disclosure: My employer is a FIDO Alliance member, and sells and develops a Security Key.