September 4, 2018
At its Cloud Next 2018 conference, Google debuted the Titan Security Key, its version of a FIDO (Fast Identity Online) physical device to authenticate logins over Bluetooth. Now, only a few weeks after the announcement, Google has made it available for purchase at $50 in its Google Play Store. Google Cloud enterprise customers have been able to access the Titan Security Key for the past two months. The product comes with a USB key, a Bluetooth Low Energy key, and an adapter for devices with USB Type-C ports.
VentureBeat reports that the Titan Security Key’s price is “roughly equivalent to the price of a Yubikey, the current FIDO standard-bearer.” But Google product management director for information security Sam Srinivas emphasized, “it’s not meant to compete with other FIDO keys on the market … [but] rather is for customers who want security keys and trust Google.”
Google has been working with Yubico, NXP, Dropbox, Facebook, GitHub, Salesforce, Stripe and Twitter among others since 2014 to develop the nonprofit FIDO Alliance standards and protocols, “including the new Worldwide Web Consortium’s Web Authentication API.” When a user registers a FIDO device “with an online service, it creates a key pair: an on-device, offline private key, and an online public key.” The device prompts the user for a PIN code, password, fingerprint or voice to “prove possession” of the private key.
The FIDO Alliance mission is to make it easier to “log into apps, websites, and services securely, and to reduce the amount of work required for developers,” and Google reports that FIDO keys have prevented phishing attempts on its 100,000+ employees. Google product manager Christiaan Brand noted that the FIDO keys are an improvement over SMS-based systems because the latter are “too confusing.”
“[And for that reason,] even if they wildly improve security above baseline, they can be phished,” he added. He’s right, since “it’s relatively trivial for hackers to impersonate someone and convince a cell phone provider to redirect their text messages to another number … [and] fooling someone into giving up their password isn’t much harder.”
Google Prompt sends two-factor login prompts to Android phones or, on iOS, to the Google Search app, and Google is also “one of several that offers token-based authentication (via the Google Authenticator app), which generates unique, offline passcodes — hashes — every few seconds.” But Srinivas stressed that “there’s no substitute for a physical key,” which would stop even a hacker who has stolen the password and two-factor code.
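The mechanism the article describes (a per-site key pair created at registration, possession proven with a user gesture, and a response that a phishing page cannot reuse) can be sketched in a few dozen lines. The following is an added toy model, not code from Google, Yubico or the FIDO Alliance; all names (`accounts.example`, `accounts-example.evil`, the class and function names) are constructed for the example, and an HMAC with a per-credential secret stands in for the key's private-key signature, so unlike a real FIDO server this relying party holds the same secret rather than only a public key. What it does model faithfully is why a physical key resists the phishing that defeats SMS codes and TOTP: the browser binds the request to the page's own origin, the signed data covers that origin plus a one-time server challenge, and a signature counter exposes cloned keys.

```python
import hashlib
import hmac
import json
import secrets


class SecurityKey:
    """Stand-in for the hardware key: credential secrets never leave it."""

    def __init__(self):
        self._creds = {}   # credential id -> (rp_id, secret)
        self.counter = 0   # monotonic signature counter reported to the server

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # toy: the server stores 'secret' as its verifier

    def get_assertion(self, cred_id, rp_id, client_data, user_present=True):
        stored_rp, secret = self._creds[cred_id]
        if stored_rp != rp_id:          # credential was enrolled for another site
            raise KeyError("no credential for rp_id %r" % rp_id)
        if not user_present:            # touching the key proves possession
            raise PermissionError("touch required to prove possession")
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(secret, signed, "sha256").digest()


def browser_get_assertion(key, cred_id, page_origin, challenge):
    """Browser side: rp_id is fixed to the page's own origin (toy version of
    the WebAuthn rule), so a page cannot ask the key for another site's credential."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin},
                             sort_keys=True).encode()
    auth_data, sig = key.get_assertion(cred_id, page_origin, client_data)
    return client_data, auth_data, sig


class RelyingParty:
    """Server side: issues one-time challenges and verifies assertions."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._verifiers = {}   # cred_id -> (verifier secret, last counter seen)
        self._pending = set()  # challenges issued and not yet consumed

    def enroll(self, cred_id, verifier):
        self._verifiers[cred_id] = (verifier, 0)

    def challenge(self):
        c = secrets.token_hex(16)
        self._pending.add(c)
        return c

    def verify(self, cred_id, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd["challenge"] not in self._pending:
            return False, "unknown or replayed challenge"
        if cd["origin"] != self.rp_id:
            return False, "origin mismatch: %s" % cd["origin"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rp_id hash mismatch"
        verifier, last = self._verifiers[cred_id]
        expected = hmac.new(verifier, auth_data + hashlib.sha256(client_data).digest(),
                            "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        counter = int.from_bytes(auth_data[32:], "big")
        if counter <= last:
            return False, "counter did not increase (cloned key?)"
        self._verifiers[cred_id] = (verifier, counter)
        self._pending.discard(cd["challenge"])
        return True, "ok"


def demo():
    """Three constructed scenarios: real login, replay, and a phishing relay."""
    key, site = SecurityKey(), RelyingParty("accounts.example")
    cred_id, verifier = key.register(site.rp_id)
    site.enroll(cred_id, verifier)
    results = {}
    # 1. Legitimate login from the real origin.
    resp = browser_get_assertion(key, cred_id, "accounts.example", site.challenge())
    results["legit"] = site.verify(cred_id, *resp)
    # 2. Replaying the captured assertion: its challenge is already consumed.
    results["replay"] = site.verify(cred_id, *resp)
    # 3. A look-alike page relays a fresh real challenge, but the browser binds
    #    the request to its origin and the key holds no credential for it.
    try:
        browser_get_assertion(key, cred_id, "accounts-example.evil", site.challenge())
        results["phish"] = (True, "assertion obtained")
    except KeyError as err:
        results["phish"] = (False, str(err))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Contrast this with an SMS or TOTP code: the six digits are valid regardless of which page the user typed them into, so a relay site that forwards them wins; here the phishing scenario never yields an assertion, and even a forged one would fail the server's origin and challenge checks.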
Google’s Advanced Protection Program, which is aimed at protecting “high-profile targets against hacking,” requires a physical key. Srinivas said that, with regard to the Titan Security Key, the company will “run awareness campaigns targeted at politicians, business executives, and other people who it thinks need security the most.”