Slashdot Mirror
Google Launches Its Own Physical Security Key (cyberscoop.com)
An anonymous reader writes: Google launched its own Titan Security Key on Wednesday, a small USB device which includes firmware developed by the omnipresent tech giant itself. This comes days after Google said its workforce has been phish-proof for more than a year thanks to security keys distributed to its 85,000 employees. The new key means new competition for Yubikey manufacturer Yubico which confirmed it is not involved with Google's new key. The product is available now to Google Cloud customers and will eventually be available to general customers, the company announced Wednesday at its Google Cloud Next conference in San Francisco. CNET, which tested the device, adds: It'll come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each, Brand said. The set of security keys should work on any device with a USB port or a Bluetooth connection.
Why? They could have made USB-C versions.
#DeleteFacebook
A phishing attack generally takes the form of a web form that looks like a legitimate site, the idea that the victim will enter their user and password into the form and the attacker will then be able to steal the credentials. 2FA is not always immune to this sort of attack since the second factor could be stolen and passed along immediately to the target site. In the U2F protocol implemented by these security keys, there is a public/private key pair generated for each site (which is in turn tied to the TLS certificate of that site). Proof of possession of the key by means of a signature is the second factor. This makes it pretty difficult to phish since the fake server owned by the phisher would not be able to stand up the same domain and TLS cert in order to get U2F on the client to generate a challenge that would be accepted by the attacked site.
Maybe I didn't explain it that well.. but the point is that the key becomes cryptographically tied to the target site in a way that cannot be replayed by a standard phishing attack.
And will it still work when Google abandon the project.
Yes it will. The key is based off an open technology standard called U2F, which is becoming increasingly common, and supported by many security key makers. With luck, it'll become as ubiquitous as http(s). As long as Google keeps supporting U2F, they key will still work.
>In this case, it doesn't matter what 2-factor authentication method you use. I don't think this proves Google's device is any better or worse than any other 2FA mechanism, merely proving "requiring 2FA makes phishing less effective".
Actually the U2F protocol (yubikey and google's new key) is more phish-proof than TOTP or SMS based 2FA. In TOTP, it would be possible to for a phishing attacker to set up a fake website which passes credentials directly to the real website, thus owning the account. In SMS, it would be possible for an attacker to trigger the SMS authentication through the same means (passing the first factor to the real website, then presenting a form for the second factor). 2FA outside of U2F makes phishing more difficult, but still is possible, and these kinds of attacks do happen. U2F is "practically unphishable" because it doesn't allow a user to type in a OTP on a fake website.
Your MacBook Pro has four USB-C ports.
A MacBook only has one USB-C port.
#DeleteFacebook
U2F is perfectly functional in Firefox 60+ as downloaded. But, for reasons I honestly can't get, it's not turned on by default. It worked before FF 60 with plugins.
about:config -> security.webauth.u2f true