Google Launches Its Own Physical Security Key (cyberscoop.com)
An anonymous reader writes: Google launched its own Titan Security Key on Wednesday, a small USB device which includes firmware developed by the omnipresent tech giant itself. This comes days after Google said its workforce has been phish-proof for more than a year thanks to security keys distributed to its 85,000 employees. The new key means new competition for Yubikey manufacturer Yubico, which confirmed it is not involved with Google's new key. The product is available now to Google Cloud customers and will eventually be available to general customers, the company announced Wednesday at its Google Cloud Next conference in San Francisco. CNET, which tested the device, adds: It'll come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each, Brand said. The set of security keys should work on any device with a USB port or a Bluetooth connection.
And will it still work when Google abandon the project? Google are probably the most famous company on earth for abandoning projects that don't take off right away.
"That's the way to do it" - Punch
Yes, but what if I social engineer your password and it's still useless because all your accounts use 2FA and I don't have your key?
As the other reply mentioned, yeah, it's a ONE-TIME password. In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security. The catch? You need physical access to the device either way. And once the time-based OTP is used, it's gone forever. Someone would literally have to be at the login prompt at the same exact time you are, in physical proximity to you to intercept the OTP communication wirelessly, and input it into the web site before you did. On top of that, most of these systems nowadays send out push notifications of new device logins, so while the OTP would fail for you (because someone just hijacked it), their device information will be pushed to your notifications on your cell phone or similar device.
In other words, bashing someone upside the head with a brick would be far more convenient.