Slashdot Mirror


Google Launches Its Own Physical Security Key (cyberscoop.com)

An anonymous reader writes: Google launched its own Titan Security Key on Wednesday, a small USB device which includes firmware developed by the omnipresent tech giant itself. This comes days after Google said its workforce has been phish-proof for more than a year thanks to security keys distributed to its 85,000 employees. The new key means new competition for Yubikey manufacturer Yubico which confirmed it is not involved with Google's new key. The product is available now to Google Cloud customers and will eventually be available to general customers, the company announced Wednesday at its Google Cloud Next conference in San Francisco. CNET, which tested the device, adds: It'll come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each, Brand said. The set of security keys should work on any device with a USB port or a Bluetooth connection.

100 comments

  1. And will it still work by Oswald+McWeany · · Score: 5, Insightful

    And will it still work when Google abandon the project. Google are probably the most famous company on earth for abandoning projects that don't take off right away.

    --
    "That's the way to do it" - Punch
    1. Re: And will it still work by greenfruitsalad · · Score: 5, Insightful

      I bet they had to make the bluetooth version because of their employees with macbooks.

    2. Re:And will it still work by bickerdyke · · Score: 4, Interesting

      As they were involved in developing the U2F standard, it shouldn't depend on any Google servers. It's more about how long Chrome will support U2F, but that would affect not only Google security keys.

      --
      bickerdyke
    3. Re:And will it still work by DontBeAMoran · · Score: 5, Funny

      "Announcing the new Google T... - this project is now discontinued."

      --
      #DeleteFacebook
    4. Re: And will it still work by DontBeAMoran · · Score: 3, Informative

      Why? They could have made USB-C versions.

      --
      #DeleteFacebook
    5. Re:And will it still work by DCFusor · · Score: 1

      Intel's attempts at IoT also come to mind. Never design in parts from a company that does this.

      --
      Why guess when you can know? Measure!
    6. Re: And will it still work by greenfruitsalad · · Score: 2

      And how would that employee then charge their laptop? Or connect a screen or charge their phone or connect to a wired network? It's a harsh life for fruit aficionados. #lovemahdongle

    7. Re:And will it still work by Anonymous Coward · · Score: 3, Informative


      > And will it still work when Google abandon the project.

      Yes it will. The key is based off an open technology standard called U2F, which is becoming increasingly common, and supported by many security key makers. With luck, it'll become as ubiquitous as http(s). As long as Google keeps supporting U2F, the key will still work.

    8. Re: And will it still work by networkBoy · · Score: 2

      W.T.(actual)F?!?!
      While I am not an apple fan, my current employer provided me a Macbook Pro for my workstation, and I have 4 USBc ports available. We use Yubikey C's for our 2fa and that still leaves me two open ports after using one for power for a docking station and monitor or wired ethernet and monitor if on the road...

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re: And will it still work by tepples · · Score: 2

      > And how would that employee then charge their laptop?

      Hub.

      > Or connect a screen

      Hub. One is already required in order to connect a screen while charging the laptop.

      > or charge their phone

      Hub. One is already required in order to charge the phone while charging the laptop or connecting a screen.

      > or connect to a wired network?

      Hub. One is already required in order to connect to a wired network while charging the laptop, connecting a screen, or charging a phone.

    10. Re:And will it still work by networkBoy · · Score: 2

      I was at intel when they released the Edison...
      Even internally there was lots of sideways glances of "this is cool, but how long is it going to be around?"

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    11. Re: And will it still work by DontBeAMoran · · Score: 4, Informative

      Your MacBook Pro has four USB-C ports.
      A MacBook only has one USB-C port.

      --
      #DeleteFacebook
    12. Re: And will it still work by bill_mcgonigle · · Score: 1

      > I bet they had to make the bluetooth version because of their employees with macbooks.

      Sure, it was definitely Macbooks and definitely not for phones without NFC (like a Yubikey uses).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    13. Re: And will it still work by Anonymous Coward · · Score: 0

      MacBooks are still better though because less is more!

    14. Re: And will it still work by r1348 · · Score: 1

      Google uses only MacBook Pro internally.

    15. Re: And will it still work by r1348 · · Score: 2

      And to add to this, the Pixelbook, which has only 2 ports and is extensively used internally in Google, has a hardware security key built in the power button.
      It makes sense that soon we'll see that in smartphones too.

    16. Re: And will it still work by r1348 · · Score: 1

      NFC has a small security issue in which it's enough to have a smartphone close by to make it work. This leaves a small corner case where the user is not physically present but an attacker is just swinging by (admittedly, very close by). Bluetooth requires the user to turn on, connect, and press a physical button to authenticate, and is therefore required for higher level access to corp resources from smartphones.

    17. Re:And will it still work by r1348 · · Score: 2

      Probably forever, considering every single Google employee and a sizable part of TVC users has at least one device using it. Don't expect U2F support to disappear from Chrome in the next two decades.

    18. Re: And will it still work by bondsbw · · Score: 2

      If you need a hub, then you've already failed.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    19. Re: And will it still work by Jane+Q.+Public · · Score: 3, Interesting

      And this is why NFC is a terrible technology to use for making payments.

      It doesn't have to be "very close by" if you have a big enough antenna. That's the thing about RF. Make an antenna big enough, and you can send and receive at a distance, even with a device that is extremely low-powered.

      In general, people should not use anything that operates over radio frequencies to access their bank account. It's a fool's errand. Christopher Soghoian, the same guy who read RFID chips from passports outside an airport from 30 feet away, also cracked NFC before it ever became common in consumer products. With a portable device that cost only $200 to build.

      Put your NFC-capable cards in a foil sleeve (they're cheap), or snip the coil antenna. Instructions for the latter are all over the internet.

    20. Re: And will it still work by DontBeAMoran · · Score: 1

      And since they just launched their security key to the public, how is that information helpful in any way?

      --
      #DeleteFacebook
    21. Re: And will it still work by Kjella · · Score: 1

      > If you need a hub, then you've already failed.

      At the office where you're likely to have more displays, keyboard, mouse, wired network, printer and so on? No. On the go you need as many ports as you're likely to actually simultaneously use on the go. Assuming you got a Bluetooth mouse etc. I'd say power and occasionally a USB stick instead. What do you think normal people use 2+ ports for on the go?

      --
      Live today, because you never know what tomorrow brings
    22. Re: And will it still work by r1348 · · Score: 1

      It wasn't, that's why I complemented it with a further comment.

    23. Re: And will it still work by thegarbz · · Score: 1

      > It doesn't have to be "very close by" if you have a big enough antenna. That's the thing about RF. Make an antenna big enough, and you can send and receive at a distance, even with a device that is extremely low-powered.

      Sure, aim your big antenna my direction. When the 4 cards in my wallet respond in unison and you receive nothing but garbage, assuming you don't actually hit anyone else in the queue ... I wish you good luck sir.

      There's a reason why NFC is so short range despite in theory being capable of something longer.

      > Put your NFC-capable cards in a foil sleeve (they're cheap), or snip the coil antenna. Instructions for the latter are all over the internet.

      Given the number of cases of this happening the best instructions are probably: https://www.quirkbooks.com/pos...

    24. Re: And will it still work by mjwx · · Score: 1

      > Your MacBook Pro has four USB-C ports.
      > A MacBook only has one USB-C port.

      My Asus has 4 USB A ports, a headphone jack, and an SD card reader... It also cost 1/3 of the price of a Macbook Pro for the same hardware.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    25. Re: And will it still work by Anonymous Coward · · Score: 0

      Yubikey NFC is perfectly secure. You must authenticate with the card to interact with it. It's not like anybody can glean a one time password or gpg signature just by being nearby. Depending on what you're doing you need the card's password (otp), the device pin (gpg/cert store), or a finger on the capacitive button (u2f).

      Unauthenticated NFC like pin-less tap to pay is moronic. At the very, very least a button push needs to be required.

  2. 0wned by Google by DogDude · · Score: 3, Interesting

    I imagine this thing will make sure to slurp up every last piece of data that the good little Google drones aren't already giving the Mothership.

    --
    I don't respond to AC's.
    1. Re:0wned by Google by r1348 · · Score: 1

      You have no idea on how U2F works, do you?

    2. Re:0wned by Google by admin7087 · · Score: 1

      Google is not trustworthy.

    3. Re:0wned by Google by r1348 · · Score: 2

      Whatever, they don't have to. They provide a U2F-compatible chip, they're not the only actor in the market, and they don't manage your certs. And the fact that someone alleges that this could be somehow used to steal data is ludicrous, and they really don't understand what U2F is for and how it works.

    4. Re:0wned by Google by skids · · Score: 1

      Such negative language. The upload of the private keys to the cloud will be a "backup service" and the usage tracking data collected by the management app and uploaded to google servers will be a "security auditing service."

      In all seriousness, though, why should we trust Yubikey, Google, or any security key that doesn't publicly post its design and firmware for independent external audit? FST-01 or bust.

    5. Re:0wned by Google by flink · · Score: 2

      > In all seriousness, though, why should we trust Yubikey, Google, or any security key that doesn't publicly post its design and firmware for independent external audit? FST-01 or bust.

      The USB flavor of the Yubikey is FIPS-140 certified, so it has been independently audited, albeit not in a public manner.

    6. Re:0wned by Google by DogDude · · Score: 1

      It's a USB storage device. It could do anything. Just because it has a chip, doesn't mean it couldn't have all sorts of other wonderful stuff with it too. Kinda' like all of those simple web pages people visit every day (like this one), that are filled with crap, including Google trackers.

      --
      I don't respond to AC's.
    7. Re:0wned by Google by jareth-0205 · · Score: 1

      > I imagine this thing will make sure to slurp up every last piece of data that the good little Google drones aren't already giving the Mothership.

      Do we actually have any evidence of them doing something clearly bad? Because it would have leaked by now. This trope is getting really tired, back up your claims with some fucking actual data. I would be the first to want to read about it.

      Google push boundaries in some uncomfortable ways, but they have yet to do anything even remotely like you are suggesting they would with this. Grow up.

    8. Re:0wned by Google by fph+il+quozientatore · · Score: 1

      > The USB flavor of the Yubikey is FIPS-140 certified, so it has been independently audited, albeit not in a public manner.

      So Uncle Sam checked that no other country has put backdoors on it?

      --
      My first program:

      Hell Segmentation fault

  3. Bluetooth? Secure? Hahahaha that's hilarious by Rick+Schumann · · Score: 2, Interesting

    According to this story just posted yesterday, Bluetooth security is far from absolute.

    1. Re:Bluetooth? Secure? Hahahaha that's hilarious by Anonymous Coward · · Score: 1

      Oh noes, so you might be able to intercept an OTP that's intended for (...drumroll...) one time use and already used up...

    2. Re:Bluetooth? Secure? Hahahaha that's hilarious by darkain · · Score: 3, Insightful

      As the other reply mentioned, yeah, it's a ONE-TIME password. In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security. The catch? You need physical access to the device either way. And once the time-based OTP is used, it's gone forever. Someone would literally have to be at the login prompt at the same exact time you are, in physical proximity to you to intercept the OTP communication wirelessly, and input it into the web site before you did. On top of that, most of these systems nowadays send out push notifications of new device logins, so while the OTP would fail for you (because someone just hijacked it), their device information will be pushed to your notifications on your cell phone or similar device.

      In other words, bashing someone upside the head with a brick would be far more convenient.

    3. Re:Bluetooth? Secure? Hahahaha that's hilarious by Anonymous Coward · · Score: 0

      With enough OTPs/timestamps and knowledge of the algorithm used, would it be possible to recreate the initial conditions such that you can generate the appropriate OTP whenever? I'm seriously asking here because I don't know.

    4. Re:Bluetooth? Secure? Hahahaha that's hilarious by Anonymous Coward · · Score: 0

      The point of OTPs is that they are entirely random - there is no algorithm used to generate the OTP.

      Also, the interception rate of the second factor should be relatively low given that it's only used during authentication and session-based private keys or tokens are used thereafter.

    5. Re:Bluetooth? Secure? Hahahaha that's hilarious by Anonymous Coward · · Score: 1

      > The point of OTPs is that they are entirely random - there is no algorithm used to generate the OTP

      https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_algorithm
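The link above points at RFC 4226, which also answers the earlier question in this thread about whether enough observed codes let you reconstruct the generator. The Go program below is an added example written for this page; it is not code from the thread, from Google or from any key vendor. It implements HOTP as the RFC specifies (HMAC-SHA1 over the counter, dynamic truncation, six digits) and pairs it with a server-side verifier that accepts each counter value once. Each code exposes only six decimal digits derived from a 160-bit HMAC, so an observer who collects codes still lacks the shared secret and cannot get it without breaking HMAC-SHA1; what an observer could do is resubmit a code they saw, and the counter check is what stops that. The secret is the RFC's own test-vector secret; the look-ahead window of 10 is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation to 31 bits, then reduction to the requested digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)      // 20 bytes
	offset := h[19] & 0x0f // low nibble of the last byte picks the 4-byte window
	code := uint32(h[offset]&0x7f)<<24 | uint32(h[offset+1])<<16 | uint32(h[offset+2])<<8 | uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server side for one enrolled token: the shared secret, the
// next counter it expects, and how far ahead it will search for a token whose
// counter has drifted (codes generated but never submitted).
type Verifier struct {
	secret  []byte
	counter uint64
	window  uint64
}

// Verify accepts a code only for a counter at or after the expected one, then
// moves past it, so a code that was observed and resubmitted is rejected.
func (v *Verifier) Verify(code string) bool {
	for c := v.counter; c < v.counter+v.window; c++ {
		if hmac.Equal([]byte(HOTP(v.secret, c, 6)), []byte(code)) {
			v.counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 4226 test-vector secret
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("counter %d -> %s\n", c, HOTP(secret, c, 6)) // 755224, 287082, 359152
	}
	v := &Verifier{secret: secret, window: 10}
	code := HOTP(secret, 1, 6)
	fmt.Println("first use:", v.Verify(code), "replay:", v.Verify(code)) // true false
}
```

The first three codes printed match the test vectors in RFC 4226. TOTP (RFC 6238) uses the same construction with the counter derived from the current time, which is why a TOTP code observed in transit is useful only within its time step and only if it is submitted before the legitimate user's own attempt.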

    6. Re:Bluetooth? Secure? Hahahaha that's hilarious by Anonymous Coward · · Score: 0

      details on the yubikey "zero security"? or do you mean NFC has zero security? because yeah, that's... why I leave NFC off when not in use.

    7. Re:Bluetooth? Secure? Hahahaha that's hilarious by AHuxley · · Score: 1

      What's the way around that?
      A physical usb port? A really well and totally shielded "small USB device".
      That would stop some of the easy location short range long term wireless collection efforts.
      The bad people would have to enter the site. Have a reason that allowed them to use the computer with a "small USB device" working.
      A wired device offers one less really easy way to collect on.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:Bluetooth? Secure? Hahahaha that's hilarious by AHuxley · · Score: 1

      Think of a NGO, charity worker, guest, new staff member who got into a site. To a trusted internal network behind a firewall.
      That collection of all wireless in real time could be done with collection hardware they placed. Created a new network out of the building in real time. Too many random people wandering around.

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:Bluetooth? Secure? Hahahaha that's hilarious by buchanmilne · · Score: 1

      > In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security.

      > details on the yubikey "zero security"? or do you mean NFC has zero security? because yeah, that's... why I leave NFC off when not in use.

      Obviously NFC security, because there are many alternative U2F devices that don't have wireless (Bluetooth or NFC) support, including a number of open-source (hardware+software) dongles like u2fzero, but very few that have either NFC (mainly Yubikey Neo) or Bluetooth (mainly Feitian, but it seems pretty poor hardware).

  4. Yeah, no, I don't trust you. by Anonymous Coward · · Score: 0

    It's made by me, or at the very least a person I know as an actual person, trust, and can punch if he fucks up, or it's not trustworthy.

    Not a faceless corporation that does not even let you call humans. Let alone one, that makes all its money from snooping on people and whoring that off to everyone who wants to manipulate and lie to us (aka advertisement) to rip off and grab our money.

    (Posting as AC because I deleted my account years ago, and don't care about upmods.)

  5. Phish-Proof? by Marc_Hawke · · Score: 1

    Can someone tell me how a physical key makes you 'phish-proof.' Phishing is primarily social engineering isn't it?

    --
    --Welcome to the Realm of the Hawke--
    1. Re:Phish-Proof? by chubs · · Score: 5, Insightful

      Yes, but what if I social engineer your password and it's still useless because all your accounts use 2FA and I don't have your key?

    2. Re:Phish-Proof? by chubs · · Score: 0

      In this case, it doesn't matter what 2-factor authentication method you use. I don't think this proves Google's device is any better or worse than any other 2FA mechanism, merely proving "requiring 2FA makes phishing less effective".

    3. Re:Phish-Proof? by zlives · · Score: 2

      what happens when you lose your key... fall back is always some info

    4. Re:Phish-Proof? by Ichijo · · Score: 2

      When you register your key, you print out some temporary codes and keep that paper in a safe place. Then if you lose your key, you would use one of the temporary codes to log in.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    5. Re:Phish-Proof? by neurojab · · Score: 3, Informative

      A phishing attack generally takes the form of a web form that looks like a legitimate site, the idea being that the victim will enter their user and password into the form and the attacker will then be able to steal the credentials. 2FA is not always immune to this sort of attack since the second factor could be stolen and passed along immediately to the target site. In the U2F protocol implemented by these security keys, there is a public/private key pair generated for each site (which is in turn tied to the TLS certificate of that site). Proof of possession of the key by means of a signature is the second factor. This makes it pretty difficult to phish since the fake server owned by the phisher would not be able to stand up the same domain and TLS cert in order to get U2F on the client to generate a challenge that would be accepted by the attacked site.

      Maybe I didn't explain it that well... but the point is that the key becomes cryptographically tied to the target site in a way that cannot be replayed by a standard phishing attack.

    6. Re:Phish-Proof? by jittles · · Score: 1

      > When you register your key, you print out some temporary codes and keep that paper in a safe place. Then if you lose your key, you would use one of the temporary codes to log in.

      And if my house burns down with my key and my paper and I can no longer access a machine that, for whatever reason, is not consumed in the inferno?

    7. Re:Phish-Proof? by Anonymous Coward · · Score: 1

      > Can someone tell me how a physical key makes you 'phish-proof.' Phishing is primarily social engineering isn't it?

      Because it's 2 factor authentication. So if an attacker has your password, they still cannot access your account without the token, which is a physical thing that you use to generate a one time string that confirms you have the physical device.

      Of course, it's possible to duplicate a token, but the way they generate the one time strings to verify their presence is usually some one way encrypted hash that changes over time using a private/public key. This means that the end point can verify the string was signed (or encrypted) by a device holding the private key without exposing the private key, so an attacker cannot easily guess the private key, even if they see a large number of encrypted/signed strings.

      I've also seen schemes where the token is designed to respond to a specific query string with some kind of hash based on the private key. In this case the server requesting the second factor must be careful to use a query only once or an attacker would be able to mimic the response, but usually there is a time component, where the token keeps a real time clock and hashes differently at different times.

      All this basically means that without the token or the private key to generate a copy of the token, an attacker won't be able to authenticate as you. The loss of a physical token is easily noticed and if you destroy the private keys after you create the token and make it so you cannot easily retrieve the public key w/o destroying the token, the 2 Factor authentication is pretty secure.

      Of course, this all depends on the Web Site's security too...

    8. Re:Phish-Proof? by tepples · · Score: 1

      Why did you not store a copy of the codes in your safe deposit box at your bank?

    9. Re:Phish-Proof? by Ichijo · · Score: 3

      The 3-2-1 backup strategy says you should have 3 copies of important information, 2 copies onsite but on separate drives or mediums and 1 copy offsite in case of malware or the kind of disaster you're describing.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    10. Re:Phish-Proof? by neurojab · · Score: 3, Informative

      >In this case, it doesn't matter what 2-factor authentication method you use. I don't think this proves Google's device is any better or worse than any other 2FA mechanism, merely proving "requiring 2FA makes phishing less effective".

      Actually the U2F protocol (yubikey and google's new key) is more phish-proof than TOTP or SMS based 2FA. In TOTP, it would be possible for a phishing attacker to set up a fake website which passes credentials directly to the real website, thus owning the account. In SMS, it would be possible for an attacker to trigger the SMS authentication through the same means (passing the first factor to the real website, then presenting a form for the second factor). 2FA outside of U2F makes phishing more difficult, but it is still possible, and these kinds of attacks do happen. U2F is "practically unphishable" because it doesn't allow a user to type in an OTP on a fake website.

    11. Re:Phish-Proof? by Areyoukiddingme · · Score: 2

      > And if my house burns down with my key and my paper and I can no longer access a machine that, for whatever reason, is not consumed in the inferno?

      Generally speaking the keys are designed to be connected to your machine and left there permanently. I have the Yubikey Nano, because my employer requires two factor authentication to GitHub, and I leave it in the machine. So if the key was destroyed in a fire, so was the machine I use to connect.

      I used to carry the Yubikey on my key ring, but its own lanyard cut right through the metal loop on the back of it. Not well designed at all as a removable device.

    12. Re:Phish-Proof? by nine-times · · Score: 1

      So someone just needs to use social engineering to get you to provide one of those codes.

    13. Re:Phish-Proof? by ctilsie242 · · Score: 1

      A Yubikey ensures that there is a live body sitting at the computer/phone/whatever that is requesting access. Yes, malware could put up a fake request, but what the key does is narrow down the attack to just the time it takes to press that button and acknowledge things.

    14. Re:Phish-Proof? by JoePete · · Score: 1

      First, let's qualify the statement. It's that no Google employee has apparently been successfully phished for a work account. It's not that Google employees haven't been phished for any account. Bear in mind this claim is a bit like a company that has switched from using office keys to RFID cards saying that "no one has lost their keys or had them stolen." Of course not; they don't use them any more. However, these tokens are not necessarily two-factor authentication (at least that is not detailed in the reporting). They are still a single factor (a token the user possesses - again like a physical key and lock). Perhaps the USB keys are encrypted, requiring a user to enter a password to decrypt the data on the USB key that is then used to authenticate. However, this is still not two-factor authentication. It is authenticating to two different systems (the USB key and Google corporate system).

    15. Re:Phish-Proof? by iCEBaLM · · Score: 1

      Well, if you forgot your password, lost your security key, and your house burned down, then you have bigger problems.

      But seriously, fireproof lock boxes are a thing, and they're not that expensive.

    16. Re:Phish-Proof? by Locke2005 · · Score: 1

      The server sends a challenge to the device, then the device sends a response back. Without knowing the private key used by the device, the response cannot be calculated by third parties, and recording the response is useless because a different challenge is used every time. Yes, that doesn't fit the definition of "two factor authentication", but I see no reason why it would be less secure. https://www.securenvoy.com/two...

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    17. Re:Phish-Proof? by thsths · · Score: 1

      Indeed. U2F is like an ssh key stored on the server: it is based on a trust relationship between the key and the server. So as far as I understand, only the right website can induce the key to authenticate. A fake website would not have the right credentials.

      Of course there are always forwarding attacks, and if only by forwarding the USB protocol. But that is very hard work, and not nearly as easy as regular phishing attacks.
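The comments from neurojab, Locke2005 and thsths above describe one mechanism from three angles: a key pair per site, a fresh challenge that the token signs, and the origin bound into the signed data so that a challenge relayed through a look-alike site yields nothing the real site accepts. The Go program below is an added example written for this page (it is not Google's, Yubico's or the U2F reference code) that models that exchange with real P-256 ECDSA signatures over the U2F signing layout (application-ID hash, user-presence byte, counter, client-data hash). The origins are constructed, the token keys its credentials by origin for simplicity where real U2F uses opaque key handles, and the browser's job of writing the true origin into the client data is played by the origin argument passed to Authenticate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Token models a U2F authenticator: one key pair per registered origin, plus a signature counter.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key pair for the origin the browser reports.
func (t *Token) Register(origin string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: error ignored
	t.keys[origin] = k
	return &k.PublicKey
}

// clientData is assembled by the browser, not the page: it ties the challenge to the real origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientData []byte
	Counter    uint32
	Sig        []byte
}

// signedBytes is the U2F authentication layout: sha256(appID) || user presence || counter || sha256(clientData).
func signedBytes(origin string, counter uint32, cd []byte) []byte {
	appID, cdHash := sha256.Sum256([]byte(origin)), sha256.Sum256(cd)
	msg := append(appID[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	sum := sha256.Sum256(append(msg, cdHash[:]...)) // ECDSA signs this digest
	return sum[:]
}

// Authenticate signs with the key registered for the reported origin; a site the user never
// registered with gets no response at all, because the token holds no key for it.
func (t *Token) Authenticate(origin, challenge string) (Assertion, bool) {
	k, ok := t.keys[origin]
	if !ok {
		return Assertion{}, false
	}
	t.counter++
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, k, signedBytes(origin, t.counter, cd)) // demo: error ignored
	return Assertion{ClientData: cd, Counter: t.counter, Sig: sig}, true
}

// RelyingParty is the real site: its origin, the registered key, outstanding challenges, last counter.
type RelyingParty struct {
	origin      string
	pub         *ecdsa.PublicKey
	issued      map[string]bool
	lastCounter uint32
}

func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b) // demo: error ignored
	c := fmt.Sprintf("%x", b)
	rp.issued[c] = true
	return c
}

// Verify accepts an assertion only if every binding holds at once.
func (rp *RelyingParty) Verify(a Assertion) bool {
	var cd clientData
	if json.Unmarshal(a.ClientData, &cd) != nil || !rp.issued[cd.Challenge] || // not issued here, or already used
		cd.Origin != rp.origin || a.Counter <= rp.lastCounter || // relayed from another origin, or a cloned token
		!ecdsa.VerifyASN1(rp.pub, signedBytes(rp.origin, a.Counter, a.ClientData), a.Sig) {
		return false
	}
	delete(rp.issued, cd.Challenge) // a challenge is good for exactly one response
	rp.lastCounter = a.Counter
	return true
}

// Demo runs a legitimate login, then relays a real challenge through a look-alike origin.
func Demo() (legit, relayed bool) {
	const real, phish = "https://accounts.example", "https://accounts-exampl3.example" // constructed origins
	tok := NewToken()
	rp := &RelyingParty{origin: real, pub: tok.Register(real), issued: map[string]bool{}}
	a, _ := tok.Authenticate(real, rp.NewChallenge())
	legit = rp.Verify(a)
	ch := rp.NewChallenge()              // the look-alike page fetches this and relays it to the victim
	a, ok := tok.Authenticate(phish, ch) // the browser reports the origin the user is really on
	relayed = ok && rp.Verify(a)
	return
}

func main() { fmt.Println(Demo()) } // true false
```

The relayed login fails for two independent reasons, both of which the comments above touch on: the token holds no credential for the look-alike origin, so it does not sign at all, and a token that had been registered there would still produce client data naming the wrong origin, which Verify rejects before even reaching the signature. A recorded assertion is useless later because its challenge is deleted once consumed, and a cloned token shows up as a counter that fails to move forward. This is the property a relayed TOTP code lacks: the code carries no statement about where it was typed.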

    18. Re:Phish-Proof? by arth1 · · Score: 2

      > So someone just needs to use social engineering to get you to provide one of those codes.

      Not even. It's likely even easier to use social engineering to get a user to run a program that opens a tunnel.

    19. Re:Phish-Proof? by AHuxley · · Score: 1

      Try some penetration test on site https://en.wikipedia.org/wiki/... and some social engineering https://en.wikipedia.org/wiki/...
      Distance to a new network, physical access? A new best friend? Someone new with a charity, NGO, gov, mil wandering around?

      --
      Domestic spying is now "Benign Information Gathering"
    20. Re:Phish-Proof? by Anonymous Coward · · Score: 0

      The key itself is just one of the two factors, the other being a traditional password.

  6. Re:Form Factor by war4peace · · Score: 0

    Do they come in cock ring variants?

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  7. Find your phone by null+etc. · · Score: 2

    Hopefully it will be better than Google's "Find your phone" feature.

    "Lost your phone? Finding it is simple! To start, sign in by typing the six-digit code we've just sent to your lost phone."

    1. Re:Find your phone by DontBeAMoran · · Score: 1

      Keyboard not found. Press F1 to continue.

      --
      #DeleteFacebook
    2. Re:Find your phone by linuxguy · · Score: 2

      > "Lost your phone? Finding it is simple! To start, sign in by typing the six-digit code we've just sent to your lost phone."

      I use the Google find your phone feature often. I have never seen the process you describe above.

    3. Re:Find your phone by thegarbz · · Score: 1

      > Hopefully it will be better than Google's "Find your phone" feature.

      > "Lost your phone? Finding it is simple! To start, sign in by typing the six-digit code we've just sent to your lost phone."

      ??? I have no idea what you're talking about and I use this feature quite often.

    4. Re:Find your phone by null+etc. · · Score: 1

      > I have never seen the process you describe above

      Have you ever tried to find your phone using a phone or device that you've never used to login to Google before? For example, a friend's phone?

  8. Chrome only by sremick · · Score: 1

    Wake me up when these things work with browsers other than Chrome.

    1. Re:Chrome only by Average · · Score: 3, Informative

      U2F is perfectly functional in Firefox 60+ as downloaded. But, for reasons I honestly can't get, it's not turned on by default. It worked before FF 60 with plugins.

      about:config -> security.webauth.u2f true

    2. Re:Chrome only by Anonymous Coward · · Score: 1

      Good morning.

      My Yubikeys work perfectly with Lastpass on Firefox.

      My setup:

      Two Yubikeys. (Lastpass allows you to register more than one key)
      - Yubikey Nano kept in my laptop's USB ports.
      - Yubikey 4 kept on my key chain.

      Several family members also have a copy of my Yubikey Grid Multifactor Authentication paper printout for key backup should I lose both.

  9. Or buy this key with USB Bluetooth and NFC for $25 by Anonymous Coward · · Score: 0

  10. Cloning device instead of token.. by SuperKendall · · Score: 1

    It seems like if you had some window of time and access to a physical key, you could probably clone it... after all it holds everything needed to generate an OTP.

    But probably beyond the skill of almost anyone other than government agencies.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Cloning device instead of token.. by itsme1234 · · Score: 2

      > It seems like if you had some window of time and access to a physical key, you could probably clone it... after all it holds everything needed to generate an OTP.

      Cloning is easy only for things that were designed to be read easily, from mag-stripes to normal flash memory (for example) that is specifically designed to give you the data you're asking for. Otherwise, in the real world, it is really, really, really hard to clone things. If you don't believe me go and clone a kidney, heck even a tooth; your body has all the needed information, doesn't it?

      Even the SIM cards from 20+ years ago are pretty resistant to attempts to extract the keys from them, even if there are a few vulnerabilities and the designs were in their infancy. Still, even for those it's a pretty complicated affair to get the keys out.
      Now it's a different story, any such devices are much more tamper-proof. Unless there's a backdoor (which is really a vulnerability of any such system) I think even three letter agencies will have a very hard time getting into those. Especially since there won't be any push to get them cracked, it requires too much effort as opposed to just getting the data from the provider (from what I understand these are for 2FA, not to hold arbitrary encryption keys).

    2. Re:Cloning device instead of token.. by Anonymous Coward · · Score: 0

      Note that getting physical access to the dongle is beyond 99.9% of phishers, even if it were easy to clone.

  11. Anti trust by Anonymous Coward · · Score: 0

    Who in their right mind would trust Google security and privacy hardware? And they would drop the product after a clue of years. Nope. Nope amd nope.

    1. Re: Anti trust by Anonymous Coward · · Score: 0

      Oh dear - my fat fingers ony Google device. "Two Years".

    2. Re: Anti trust by Anonymous Coward · · Score: 0

      I give up. Oh - I managed to type that right.

  12. N$A KEY by Anonymous Coward · · Score: 0

    NT

  13. Physical keys by Locke2005 · · Score: 1

    "And if our experiments show it works well for securing computers, we're going to try using them on DOORS next!"

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  14. BS Pricing by thsths · · Score: 1

    Individually, they cost $20 to $25, and together, the bundle is $50.

    Why would anybody buy the bundle? Is this marketed at stupid people?

  15. Feitian keys look similar to the Google one... by ctilsie242 · · Score: 1

    Looks like Feitian is the maker that Google chose to OEM. At $16.99 and $24.99, they are fairly reasonably priced, and the Bluetooth one actually supports iOS.

    1. Re:Feitian keys look similar to the Google one... by Anonymous Coward · · Score: 0

      Yeah, I bought several Feitian keys a year or so ago (the NFC-capable ones), and the NFC is pretty lousy vs yubikey neo which "just works".

    2. Re:Feitian keys look similar to the Google one... by c_g_hills · · Score: 1

      Feitian NFC has worked perfectly for me with my Android phone.

  16. Evil by Anonymous Coward · · Score: 0

    "The Titan Key is specifically for customers who want security keys and trust Google."

    In other words, it's for relatively few people.

  17. So is it physical or virtual? by AbRASiON · · Score: 1

    The article last week could be taken both ways, as if a phone with google authenticator was good enough?

    Personally? I'm happy with fairly complicated passwords, a unique email for most sites and 2FA (soft, on phone)

    If it requires a dongle? I'm not in, I'm sorry but I don't care about the security that much. If it can't be done with a soft token on my phone (and ipad, thanks Authy!) then I can't be bothered and the general public will be even worse.

  18. Still pricey by Anonymous Coward · · Score: 0

    Yubikey is $18

    Other competition is $12

    Miss the other players who did it for $6

    Lose one and you're out $25, no thanks.

  19. Too lazy to check by Anonymous Coward · · Score: 0

    Does google have an Authenticator App like all the other good players?

  20. Re:Or buy this key with USB Bluetooth and NFC for by c_g_hills · · Score: 1

    +1 for Feitian. One key for my phone and computer (as well as additional keys in safe places).

  21. Customer base by dromgodis · · Score: 1

    From TFA: "The Titan Key is specifically for customers who want security keys and trust Google."

    I figure that the overlap of those two groups should be rather small.

  22. Will There Be Targeted Ads? by Anonymous Coward · · Score: 0

    Security from Google? How much data will it collect for google to monetize?