Google made something of an unexpected announcement at its Cloud Next 2018 conference a few weeks back: the Titan Security Key. It’s the internet giant’s take on a FIDO (Fast Identity Online) key, a physical device that authenticates logins over USB or Bluetooth. And after more than a year of dogfooding it to employees on its Mountain View campus, the security key is today available for purchase in the Google Play Store.
Google Cloud enterprise customers have been able to pick up the Titan Security Key for the better part of two months, but now customers in the U.S. can nab one for $50. (That’s roughly equivalent to the price of a Yubikey, the current FIDO standard-bearer.) The bundle comes with a USB key, a Bluetooth Low Energy key, and an adapter for devices with USB Type-C ports.
It’s not meant to compete with other FIDO keys on the market, stressed Sam Srinivas, product management director for information security at Google, during a press pre-briefing. Rather, it’s “for customers who want security keys and trust Google,” he said.
Google provided VentureBeat with a review unit ahead of today’s launch, and I’ve been dutifully carrying it on my person for the past few days. I’ll get to my first impressions in a sec, but first, here’s a bit of background to set the stage.
FIDO: What is it and why should you care?
FIDO is a set of authentication standards certified by the nonprofit FIDO Alliance, built on public key cryptography and multifactor authentication; its protocols are the Universal Authentication Framework (UAF) and Universal Second Factor (U2F). When you register a FIDO device with an online service, a key pair is created: a private key that stays on the device, offline, and a public key that the service stores. During authentication, the device “proves possession” of the private key after you confirm you’re present, whether by entering a PIN code or password, supplying a fingerprint, or speaking into a microphone.
Lest you worry about FIDO’s staying power, it’s got a considerable amount of momentum behind it. Since 2014, Google’s been working with Yubico, NXP, and other collaborators to develop the Alliance’s standards and protocols, including the World Wide Web Consortium’s new Web Authentication API, WebAuthn. (WebAuthn shipped in Chrome 67 and Firefox 60 earlier this year.) Among the heavy hitters involved are Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter.
The FIDO Alliance’s stated mission is to make it easier for folks to log into apps, websites, and services securely, and to reduce the amount of work required for developers. Google credits FIDO keys with preventing phishing attempts on its more than 100,000 employees.
You might be wondering why other forms of multifactor authentication — e.g., SMS-based systems that require you to enter a string of numbers before you’re permitted to log in — don’t measure up in the FIDO Alliance’s eyes. It comes down to usability, basically.
“The challenge with current systems is that … they’re too confusing,” Google product manager Christiaan Brand said during a press briefing. “[And for that reason,] even if they wildly improve security above baseline, they can be phished.”
He’s got a point. It’s relatively trivial for hackers to impersonate someone and convince a cell phone provider to redirect their text messages to another number. (New York State issued an official warning against such “SMS swap” attacks in 2016.) Fooling someone into giving up their password isn’t much harder — hackers with well-designed pages mount successful phishing attempts 43 percent of the time, according to Google.
Google’s alternative — Google Prompt — sends two-factor login prompts directly to Android phones or the Google Search app for iOS. The company’s also one of several that offers token-based authentication (via the Google Authenticator app), which generates unique, offline passcodes — hashes — every few seconds.
But there’s no substitute for a physical key, Srinivas said. Even if a hacker steals your password and two-factor code, they’d need the key to get any further. That’s why keys are a requirement for Google’s Advanced Protection Program, which aims to prevent attacks against business leaders, politicians, and other high-profile targets.
“You can think of [the Titan Security Key] in terms of car keys,” he said. “Years ago, they became harder to clone, but you could still clone them. Now, the industry has moved to a chip, and they’re much more secure.”
Titan Security Key
Full disclosure: I’d never used a FIDO key. And up until last year, when a couple of my accounts were compromised by a smartphone-nabbing pickpocket, I wasn’t much of a two-factor authentication guy, either.
Thankfully, Google designed the onboarding process with newbies like me in mind. The two Titan Security Keys — one USB, the other Bluetooth and NFC — come bundled in a minimalist, surprisingly thick packaging that contains printed setup instructions. The only prerequisites are a PC — specifically one with Chrome installed — and active enrollment in Google’s 2-Step Verification program.
From there, visit Google’s sign-in & security page, click the Add Security Key button, tap the button on the USB key, and you’re off to the races. (Ditto for the Bluetooth key.)
Google’s decision to support Bluetooth hasn’t been without controversy, it’s worth noting. In a statement following the Titan Security Key’s announcement, Yubico CEO Stina Ehrensvard said that it “does not provide the security assurance levels of NFC and USB” and that its battery and pairing requirements offer “a poor user experience.”
That seems a bit overblown to me. The Bluetooth key can last up to six months on a single charge, and it was just as easy to get up and running as its USB counterpart.
Once the keys are registered to a Google account, you’ll need them every time you log into Google services — Gmail, YouTube, Google Calendar, Google Docs, and the like — in addition to third-party apps that rely on Google sign-in. I never forgot mine, thanks to a nifty keychain loop on the Bluetooth key. (Worst-case scenario, you can request a backup verification through Google Prompt.) But it was certainly top of mind.
As for the day-to-day experience, there’s not much to report. When out and about, I mostly stuck to the Bluetooth key for its easy-to-use physical click button. But the USB key worked just as well on my Surface Pro.
They definitely came in handy when traveling. When I stepped off the plane in Berlin this week, my phone — which I normally use to authenticate Google services on my laptop — was nearly out of charge and not yet connected to a domestic carrier. If it weren’t for the Titan Security Key, I would’ve been dead in the water.
The statistics are enough to scare anyone into ordering a Titan Security Key. According to Google, the most popular password in 2018 so far is “123456789,” and the second-most popular is “qwerty.” Moreover, about 3.3 billion credentials have been leaked in password dumps, and as many as 81 percent of account vulnerabilities last year were due to weak or stolen passwords.
From a security standpoint, the advantages of physical keys are readily apparent: They can’t be spoofed or intercepted without a lot more legwork on the hackers’ part. But for me, they’re a bit overkill. Save for those rare instances when I find myself without an internet connection or a charge, Google Prompt has served me well in the two years I’ve been using it. And while I wouldn’t call lugging the Titan Security Key around a burden, I’m all about traveling light.
Google appears to recognize this. When asked whether the company will advertise the Titan Security Key, Srinivas said it’ll run awareness campaigns targeted at politicians, business executives, and other people who it thinks need security the most.
If you’re not in that camp, I’d think long and hard before buying a bundle.