This week Krebs on Security reported that none of Google’s more than 85 thousand employees had fallen prey to phishing attacks since early 2017. That’s when the company issued physical security keys for 2-factor authentication (2FA) to all of its employees.

Now Google plans to begin selling its own security keys to businesses and individuals.

According to CNET, the new Titan Security Keys will sell for around $20 to $25 and they’ll provide an extra form of protection when logging into websites or apps. If your security key isn’t connected to your device, then no login for you.

Multi-factor authentication has been around for a while. The idea is that even if someone manages to steal your password, they won’t be able to log in to your accounts if they don’t have access to that secondary factor.

For example, you can use your phone for multi-factor authentication by having your bank or other services send a one-time code via SMS. Or you can install an authenticator app on your phone to skip the SMS (Google, Microsoft, LastPass, and Yubico all offer free apps, and if you prefer an open source option, there’s andOTP).

The Titan Security Key, on the other hand, is a physical device that you connect to a computer or mobile device. It will come in two forms: a USB key and a Bluetooth fob.

You can plug the USB key into a computer to easily log in to apps, services, and sites. Remove it and you won’t be able to log in. The Bluetooth version is a wireless option that should work with a smartphone or other device that may not have a full-sized USB port.

Since there’s no code sent to your phone, there’s no chance of someone peeking over your shoulder and spying the code. And it also makes it harder for a website to phish you to gain access to your accounts.

Google is hardly the first company to offer a hardware-based 2FA solution.

In fact, as pointed out by 9to5Google, the new Google Titan Security keys bear an uncanny resemblance to Feitian’s existing USB/NFC and Bluetooth security keys.

It’s unclear if Feitian (or the manufacturer used by Feitian) is building the hardware for Google, but CNET says the software on the keys was developed by Google and it’s expected to be compatible with the FIDO U2F (Universal 2nd Factor) standard.

Up until now Google has been recommending keys from Yubico, one of the early pioneers in this space.

Yubico doesn’t seem entirely thrilled at the new competition: the company published a blog post today pointing out, among other things, that the reason it doesn’t offer a Bluetooth security key is that Bluetooth “does not provide the security assurance levels of NFC and USB.” It’s hard not to see that as a dig at Google’s decision to offer a Bluetooth option, while Yubico’s YubiKey devices are only available in USB and NFC versions.

As for Google’s Titan keys, the company says they offer phishing control, work with G Suite and Google Cloud, and are compatible with many websites including Facebook, Dropbox, and GitHub.

Overall, hardware-based security keys should offer a nice balance between ease-of-use and additional security… assuming you’re not the sort of person who’s constantly losing your keys.

7 replies on “Google to sell Titan Security key hardware for 2-factor authentication on computers and mobile devices”

  1. If Google could first fix the mess that is Authenticator, that would be great. I mean, no backup for when you lose your phone? In 2018 that is silly and rather dangerous than helpful from a security point of view.

    1. Don’t they force you to have a second form of authentication when you select 2FA?

      1. They force you to set up broken (insecure) txt first.
        I think you do get the option of writing down one-time keys though.

  2. I wonder how long until after these go on sale that they’ll be cracked.
