The Google Pixelbook power button is now a 2FA token

If you own a Google Pixelbook, intriguing news –  it appears the power button can now double as an alternative to using U2F (Universal 2nd Factor) tokens for two-factor authentication (2FA).
As the name implies, U2F tokens such as the YubiKey are hardware tokens that plug into a USB port to authenticate users who enter a username and password on supported websites.
The U2F protocol (co-developed by Google and others) improves security because an attacker has to have the token in their possession to access an account. Just having the password and username aren’t enough.
It resists phishing too because the token’s private key is cryptographically tied to the website(s) it will be used on, e.g. Gmail. Anyone tricked into visiting the wrong site will find that the token won’t work.
Now, it seems the same – or something approximating it – can be achieved simply with a short press of the power button on a Pixelbook.
Given that the Pixelbook only has two USB-C ports, it’s not hard to see why Google might want to enable the feature for users who begrudge having to use one for a token.
It sounds alien but it seems the feature has been in the works since around the time of the Pixelbook’s launch last September but nobody beyond the developer community noticed.
Enabling the feature involves loading May’s Chrome OS 66.0.3359.203 or later from the stable channel, putting it into developer mode, opening the Chrome OS developer shell and executing the correct command.
The feature must also be enabled as an additional security key via the Google 2-step verification (2SV) account settings, repeating this process for third-party sites that support U2F authentication.
Before we move on to the caveats, this remains an experimental feature, and we don’t recommend enabling it if you’re not experienced at using developer mode and its shell.

How does it work and is it a secure alternative to using a U2F key?
The ‘how it works’ bit isn’t yet clear, which leaves us having to overlay the general workings of the U2F protocol over whatever Google has cooked up on its Pixelbooks. (Notice we’re assuming this is U2F and not the less secure Time-based One-Time Password or TOTP.)
In principle (and we’re guessing here), the private key that would normally be stored on the U2F token must be squirrelled away somewhere such as the Trusted Platform Module (TPM), which every Chromebook has.
That implies the need for firmware support, which is probably why people who have tried have found that it doesn’t work on any Chromebook other than the Pixelbook.
Or perhaps this is a completely different authentication initiative connected to the development of new technologies such as WebAuthn.
Interestingly, not everyone is enamoured with the idea of blurring the physical separation between token and device, starting with Kevin C. Tofel, a security writer who covers Chromebooks and has worked for Google in the past:

To me, this is like having your personal PIN code printed on your ATM card. There’s no way I’d enable 2FA with this particular method because it essentially eliminates the strength of a second authentication factor.

This is a valid point which could partly be overcome by making it harder to access the Pixelbook itself, for example by adding an equivalent to Apple’s Face ID or Microsoft’s Hello authentication (although that would still leave open the small possibility of a security vulnerability on the device through which the private key might be remotely compromised).
Still, the idea of turning devices such as smartphones or computers into tokens is a trend that appears to be here to stay. It now looks as if Chromebooks will soon be joining the party.