Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Launches Its Own Physical Security Key (cyberscoop.com)

Posted by msmash on from the how-about-that dept.

An anonymous reader writes: Google launched its own Titan Security Key on Wednesday, a small USB device which includes firmware developed by the omnipresent tech giant itself. This comes days after Google said its workforce has been phish-proof for more than a year thanks to security keys distributed to its 85,000 employees. The new key means new competition for Yubikey manufacturer Yubico which confirmed it is not involved with Google's new key. The product is available now to Google Cloud customers and will eventually be available to general customers, the company announced Wednesday at its Google Cloud Next conference in San Francisco. CNET, which tested the device, adds: It'll come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each, Brand said. The set of security keys should work on any device with a USB port or a Bluetooth connection.

32 of 100 comments (clear)

  1. And will it still work by Oswald+McWeany · · Score: 5, Insightful

    And will it still work when Google abandon the project. Google are probably the most famous company on earth for abandoning projects that don't take off right away.

    --
    "That's the way to do it" - Punch
    1. Re: And will it still work by greenfruitsalad · · Score: 5, Insightful

      I bet they had to make the bluetooth version because of their employees with macbooks.

    2. Re:And will it still work by bickerdyke · · Score: 4, Interesting

      As they were involved in developing the U2F standard, it shouldn't depend on any Google servers. It's more about how long Chrome will support U2F, but that would effect not only Google security keys.

      --
      bickerdyke
    3. Re:And will it still work by DontBeAMoran · · Score: 5, Funny

      "Announcing the new Google T... - this project is now discontinued."

      --
      #DeleteFacebook
    4. Re: And will it still work by DontBeAMoran · · Score: 3, Informative

      Why? They could have made USB-C versions.

      --
      #DeleteFacebook
    5. Re: And will it still work by greenfruitsalad · · Score: 2

      And how would that employee then charge their laptop? Or connect a screen or charge their phone or connect to a wired network? It's a harsh life for fruit aficionados. #lovemahdongle

    6. Re:And will it still work by Anonymous Coward · · Score: 3, Informative


      And will it still work when Google abandon the project.

      Yes it will. The key is based off an open technology standard called U2F, which is becoming increasingly common, and supported by many security key makers. With luck, it'll become as ubiquitous as http(s). As long as Google keeps supporting U2F, they key will still work.

    7. Re: And will it still work by networkBoy · · Score: 2

      W.T.(actual)F?!?!
      While I am not an apple fan, my current employer provided me a Macbook Pro for my worstation, and I have 4 USBc ports available. We use Yubikey C's for our 2fa and that still leaves me two open ports after using one for power for a docking station and monitor or wired ethernet and monitor if on the road...

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    8. Re: And will it still work by tepples · · Score: 2

      And how would that employee then charge their laptop?

      Hub.

      Or connect a screen

      Hub. One is already required in order to connect a screen while charging the laptop.

      or charge their phone

      Hub. One is already required in order to charge the phone while charging the laptop or connecting a screen.

      or connect to a wired network?

      Hub. One is already required in order to connect to a wired network while charging the laptop, connecting a screen, or charging a phone.

    9. Re:And will it still work by networkBoy · · Score: 2

      I was at intel when they released the Edison...
      Even internally there was lots of sideways glances of "this is cool, but how long is it going to be around?"

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    10. Re: And will it still work by DontBeAMoran · · Score: 4, Informative

      Your MacBook Pro has four USB-C ports.
      A MacBook only has one USB-C port.

      --
      #DeleteFacebook
    11. Re: And will it still work by r1348 · · Score: 2

      And to add to this, the Pixelbook, which has only 2 ports and is extensively used internally in Google, has a hardware security key built in the power button.
      It makes sense that soon we'll see that in smartphones too.

    12. Re:And will it still work by r1348 · · Score: 2

      Probably forever, considering every single Google employee and a sizable part of TVC users has at least one device using it. Don't expect U2F support to disappear from Chrome in the next two decades.

    13. Re: And will it still work by bondsbw · · Score: 2

      If you need a hub, then you've already failed.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    14. Re: And will it still work by Jane+Q.+Public · · Score: 3, Interesting

      And this is why NFC is a terrible technology to use for making payments.

      It doesn't have to be "very close by" if you have a big enough antenna. That's the thing about RF. Make an antenna big enough, and you can send and receive at a distance, even with a device that is extremely low-powered.

      In general, people should not use anything that operates over radio frequencies to access their bank account. It's a fool's errand. Christopher Soghoian, the same guy who read RFID chips from passports outside an airport from 30 feet away, also cracked NFC before it ever became common in consumer products. With a portable device that cost only $200 to build.

      Put your NFC-capable cards in a foil sleeve (they're cheap), or snip the coil antenna. Instructions for the latter are all over the internet.

  2. 0wned by Google by DogDude · · Score: 3, Interesting

    I imagine this thing will make sure to slurp up every last piece of data that the good little Google drones aren't already giving the Mothership.

    --
    I don't respond to AC's.
    1. Re:0wned by Google by r1348 · · Score: 2

      Whatever, they don't have to. They provide a U2F-compatile chip, they're not the only actor in the market, and they don't manage your certs. And the fact that someone alleges that this could be somehow used to steal data is ludicrous, and really don't understand what U2F is for and how it works.

    2. Re:0wned by Google by flink · · Score: 2

      In all seriousness, though, why should we trust Yubikey, Google, or any security key that doesn't publicly post its design and firmware for independent external audit? FST-01 or bust.

      The USB flavor of the Yubi key is FIPS-140 certified, so it has been independently audited, albeit not in a public manner.

  3. Bluetooth? Secure? Hahahaha that's hilarious by Rick+Schumann · · Score: 2, Interesting

    According to this story just posted yesterday, Bluetooth security is far from absolute.

    1. Re:Bluetooth? Secure? Hahahaha that's hilarious by darkain · · Score: 3, Insightful

      As the other reply mentioned, yeah, its a ONE-TIME password. In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security. The catch? You need physical access to the device either way. And once the time-based OTP is used, its gone forever. Someone would literally have to be at the login prompt at the same exact time you are, in physical proximity to you to intercept the OTP communication wirelessly, and input it into the web site before you did. On top of that, most of these systems nowadays send out push notifications of new device logins, so while the OTP would fail for you (because someone just highjacked it), their device information will be pushed to your notifications on your cell phone or similar device.

      In other words, bashing someone upside the head with a brick would be far more convenient.

  4. Re:Phish-Proof? by chubs · · Score: 5, Insightful

    Yes, but what if I social engineer your password and it's still useless because all your accounts use 2FA and I don't have your key?

  5. Re:Phish-Proof? by zlives · · Score: 2

    what happens when you lose your key... fall back is always some info

  6. Re:Phish-Proof? by Ichijo · · Score: 2

    When you register your key, you print out some temporary codes and keep that paper in a safe place. Then if you lose your key, you would use one of the temporary codes to log in.

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
  7. Find your phone by null+etc. · · Score: 2

    Hopefully it will be better than Google's "Find your phone" feature.

    "Lost your phone? Finding it is simple! To start, sign in by typing the six-digit code we've just sent to your lost phone."

    1. Re:Find your phone by linuxguy · · Score: 2

      > "Lost your phone? Finding it is simple! To start, sign in by typing the six-digit code we've just sent to your lost phone."

      I use the Google find your phone feature often. I have never seen the process you describe above.

  8. Re:Phish-Proof? by neurojab · · Score: 3, Informative

    A phishing attack generally takes the form of a web form that looks like a legitimate site, the idea that the victim will enter their user and password into the form and the attacker will then be able to steal the credentials. 2FA is not always immune to this sort of attack since the second factor could be stolen and passed along immediately to the target site. In the U2F protocol implemented by these security keys, there is a public/private key pair generated for each site (which is in turn tied to the TLS certificate of that site). Proof of possession of the key by means of a signature is the second factor. This makes it pretty difficult to phish since the fake server owned by the phisher would not be able to stand up the same domain and TLS cert in order to get U2F on the client to generate a challenge that would be accepted by the attacked site.

    Maybe I didn't explain it that well.. but the point is that the key becomes cryptographically tied to the target site in a way that cannot be replayed by a standard phishing attack.

  9. Re:Phish-Proof? by Ichijo · · Score: 3

    The 3-2-1 backup strategy says you should have 3 copies of important information, 2 copies onsite but on separate drives or mediums and 1 copy offsite in case of malware or the kind of disaster you're describing.

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
  10. Re:Phish-Proof? by neurojab · · Score: 3, Informative

    >In this case, it doesn't matter what 2-factor authentication method you use. I don't think this proves Google's device is any better or worse than any other 2FA mechanism, merely proving "requiring 2FA makes phishing less effective".

    Actually the U2F protocol (yubikey and google's new key) is more phish-proof than TOTP or SMS based 2FA. In TOTP, it would be possible to for a phishing attacker to set up a fake website which passes credentials directly to the real website, thus owning the account. In SMS, it would be possible for an attacker to trigger the SMS authentication through the same means (passing the first factor to the real website, then presenting a form for the second factor). 2FA outside of U2F makes phishing more difficult, but still is possible, and these kinds of attacks do happen. U2F is "practically unphishable" because it doesn't allow a user to type in a OTP on a fake website.

  11. Re:Phish-Proof? by Areyoukiddingme · · Score: 2

    And if my house burns down with my key and my paper and I can no longer access a machine that, for whatever reason, is not consumed in the inferno?

    Generally speaking the keys are designed to be connected to your machine and left there permanently. I have the Yubikey Nano, because my employer requires two factor authentication to Github, and I leave it in the machine. So if the key was destroyed in a fire, so was the machine I use to connect.

    I used to carry the Yubikey on my key ring, but its own lanyard cut right through the metal loop on the back of it. Not well designed at all as a removable device.

  12. Re:Chrome only by Average · · Score: 3, Informative

    U2F is perfectly functional in Firefox 60+ as downloaded. But, for reasons I honestly can't get, it's not turned on by default. It worked before FF 60 with plugins.

    about:config -> security.webauth.u2f true

  13. Re:Cloning device instead of token.. by itsme1234 · · Score: 2

    I seems like if you had some window of time and access to a physical key, you could probably clone it... after all it holds everything needed to generate a OTP.

    Cloning is easy only for things that were designed to be read easily, from mag-stripes to normal flash memory (for example) that is specifically designed to give you the data you're asking for. Otherwise in real world it is really, really, really hard to clone things. If you don't believe me go and clone a kidney, heck even a tooth; your body has all the needed information isn't it?

    Even the SIM cards from 20+ years ago are pretty resistant to attempts to extract the keys from them, and even if there are a few vulnerabilities and the designs were in infancy. Still even for those it's a pretty complicated affair to get the keys out.
    Now it's a different story, any such devices are much more tamper-proof. Unless there's a backdoor (which is really a vulnerability of any such system) I think even three letter agencies will have a very hard time to get into those. Especially that there won't be any push to get them cracked, it requires too much effort as opposed to just getting the data from the provider (from what I understand these are for 2FA not to hold arbitrary encryption keys).

  14. Re:Phish-Proof? by arth1 · · Score: 2

    So someone just needs to use social engineering to get you to provide one of those codes.

    Not even. It's likely even easier to use social engineering to get a user to run a program that opens a tunnel.