This week Krebs on Security reported that none of Google's more than 85,000 employees had fallen prey to phishing attacks since early 2017. That's when the company issued physical security keys for 2-factor authentication (2FA) to all of its employees.
Now Google plans to begin selling its own security keys to businesses and individuals.
According to CNET, the new Titan Security Keys will sell for around $20 to $25 and they’ll provide an extra form of protection when logging into websites or apps. If your security key isn’t connected to your device, then no login for you.
Multi-factor authentication has been around for a while. The idea is that even if someone manages to steal your password, they still can't log in to your accounts without that second factor.
For example, you can use your phone for multi-factor authentication by having your bank or other services send a one-time code via SMS. Or you can install an authenticator app on your phone to skip the SMS (Google, Microsoft, LastPass, and Yubico all offer free apps, and if you prefer an open source option, there's andOTP). The catch with both is that a code is still something you type: a convincing fake login page can ask for it and relay it to the real site before it expires.
The Titan Security Key, on the other hand, is a physical device that you connect to a computer or mobile device. It will come in two forms: a USB key and a Bluetooth fob.
You can plug the USB key into a computer to easily log in to apps, services, and sites. Without it, you can't complete a new login. The Bluetooth version is a wireless option that should work with a smartphone or other device that may not have a full-sized USB port.
Since no code is sent to your phone, there's nothing for someone to spy on over your shoulder, and nothing for you to type into a fake site. More importantly, a security key doesn't just prove you have the key: it signs the site's challenge together with the web origin that asked for it, as recorded by the browser rather than by the page. A look-alike phishing site therefore gets a response bound to its own domain, which the real site will refuse, and it can't edit the origin without breaking the signature.
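To make that origin binding concrete, here is a small constructed model of a U2F login, added for this article and not code from Google, Yubico, or any FIDO implementation. It assumes a relying party at https://login.example and a look-alike phishing site at https://login-example.com (both example names), and it replaces the per-registration ECDSA P-256 key a real token uses with an HMAC secret shared at registration, so that it runs with the Python standard library alone; the layout of what gets signed and what the server checks follows U2F.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example"         # assumed relying-party origin and appId (example only)
PHISH_ORIGIN = "https://login-example.com"  # assumed look-alike phishing origin (example only)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Stand-in for the USB token. It never sees the origin as text; it only signs
    the two 32-byte parameters the browser hands it. An HMAC with a per-registration
    secret replaces the per-registration ECDSA key a real token uses (assumption)."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)
        self.counter = 0

    def authenticate(self, app_param: bytes, challenge_param: bytes) -> tuple:
        self.counter += 1
        signed = app_param + b"\x01" + self.counter.to_bytes(4, "big") + challenge_param
        return self.counter, hmac.new(self.secret, signed, hashlib.sha256).digest()


class Browser:
    """The browser, not the page, writes the origin into clientData, so a page
    cannot claim to be a site it is not."""

    def __init__(self, key: SecurityKey) -> None:
        self.key = key

    def get_assertion(self, page_origin: str, app_id: str, challenge: str) -> dict:
        client_data = json.dumps(
            {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": page_origin},
            sort_keys=True,
        ).encode()
        counter, sig = self.key.authenticate(sha256(app_id.encode()), sha256(client_data))
        return {"clientData": client_data, "counter": counter, "signature": sig}


class RelyingParty:
    """Server side. Holds what it learned at registration (here the shared secret;
    in real U2F only the public key and key handle)."""

    def __init__(self, app_id: str, key: SecurityKey) -> None:
        self.app_id = app_id
        self.secret = key.secret
        self.last_counter = 0
        self.pending = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> bool:
        data = json.loads(assertion["clientData"])
        if data.get("typ") != "navigator.id.getAssertion":
            return False
        if data.get("challenge") not in self.pending:   # unknown or already-used challenge
            return False
        if data.get("origin") != self.app_id:           # origin binding: the anti-phishing check
            return False
        if assertion["counter"] <= self.last_counter:   # replay / cloned-token detection
            return False
        signed = (sha256(self.app_id.encode()) + b"\x01"
                  + assertion["counter"].to_bytes(4, "big") + sha256(assertion["clientData"]))
        expected = hmac.new(self.secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.pending.discard(data["challenge"])
        self.last_counter = assertion["counter"]
        return True


def run_scenarios() -> dict:
    """Returns which of three login attempts the relying party accepts."""
    key = SecurityKey()
    browser = Browser(key)
    rp = RelyingParty(RP_ORIGIN, key)

    # 1. Genuine login: the page origin matches the registered appId.
    legitimate = rp.verify(browser.get_assertion(RP_ORIGIN, RP_ORIGIN, rp.new_challenge()))

    # 2. Real-time phishing relay: the attacker fetches a fresh challenge from the real
    #    site and feeds it to the victim on the look-alike page. The key signs, but the
    #    browser recorded the look-alike origin in clientData.
    relayed = browser.get_assertion(PHISH_ORIGIN, RP_ORIGIN, rp.new_challenge())
    phishing_relay = rp.verify(relayed)

    # 3. The attacker rewrites clientData to claim the real origin. The signature covers
    #    sha256(clientData), so the edited copy no longer verifies.
    data = json.loads(relayed["clientData"])
    data["origin"] = RP_ORIGIN
    forged = dict(relayed, clientData=json.dumps(data, sort_keys=True).encode())
    tampered_origin = rp.verify(forged)

    return {"legitimate": legitimate, "phishing_relay": phishing_relay, "tampered_origin": tampered_origin}


if __name__ == "__main__":
    print(run_scenarios())
```

Only the first scenario is accepted. In practice the relay in scenario 2 usually fails even earlier, because browsers refuse to sign when the appId a page requests doesn't belong to the page's own domain; the server-side origin check modelled here is the backstop that makes the design phishing-resistant rather than merely hard to phish.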
Google is hardly the first company to offer a hardware-based 2FA solution.
It's unclear if Feitian (or the manufacturer used by Feitian) is building the hardware for Google, but CNET says the software on the keys was developed by Google and it's expected to be compatible with the FIDO U2F (Universal 2nd Factor) standard.
Up until now Google has been recommending keys from Yubico, one of the early pioneers in this space.
Yubico doesn’t seem entirely thrilled at the new competition: the company published a blog post today pointing out, among other things, that the reason it doesn’t offer a Bluetooth security key is that Bluetooth “does not provide the security assurance levels of NFC and USB.” It’s hard not to see that as a dig at Google’s decision to offer a Bluetooth option, while Yubico’s YubiKey devices are only available in USB and NFC versions.
As for Google's Titan keys, the company says they offer phishing-resistant authentication, work with G Suite and Google Cloud, and are compatible with many websites including Facebook, Dropbox, and GitHub.
Overall, hardware-based security keys should offer a nice balance between ease-of-use and additional security… assuming you're not the sort of person who's constantly losing your keys. Even if you are, the sensible move is to register a second key with each account and keep the spare somewhere safe, so that a lost key means a quick swap rather than an account-recovery process.