Today, Google announced a new G Suite feature that allows admins to lock down accounts so they can only be accessed by users with a physical USB security key. The FIDO U2F Security Keys have been supported on G Suite and regular Google accounts since 2011, but now new security controls allow admins to make the keys mandatory for anyone who tries to log in.

Universal 2nd Factor (U2F)—initially developed by Google and Yubico—is a standard from the FIDO Alliance that allows a physical device to work as a second factor of authentication. After entering your username and password, you'll have to connect your device to your physical authentication key. The keys can support USB, NFC, and/or Bluetooth, allowing them to connect to desktops, laptops, and smartphones. Many services support U2F, like Dropbox, GitHub, Salesforce, Dashlane, and others. The Chrome and Opera browsers support U2F, along with Android and Windows smartphones. Modern iOS devices don't work with the standard, but Google appears to have some kind of workaround

It's a good idea to enable 2FA on any service that supports it. Usually after your username and password you'll get texted or e-mailed a six-digit code to type in, but the security keys are easier and more secure than punching in a rolling code. While anyone in the world could theoretically guess your password and get your code, once you get your key set up, someone would have to physically have the key to access your account.

Google says mandatory key enforcement should hit G Suite admin panels today.