Slashdot Mirror


Google Launches Its Own Physical Security Key (cyberscoop.com)

An anonymous reader writes: Google launched its own Titan Security Key on Wednesday, a small USB device which includes firmware developed by the omnipresent tech giant itself. This comes days after Google said its workforce has been phish-proof for more than a year thanks to security keys distributed to its 85,000 employees. The new key means new competition for Yubikey manufacturer Yubico which confirmed it is not involved with Google's new key. The product is available now to Google Cloud customers and will eventually be available to general customers, the company announced Wednesday at its Google Cloud Next conference in San Francisco. CNET, which tested the device, adds: It'll come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each, Brand said. The set of security keys should work on any device with a USB port or a Bluetooth connection.

15 of 100 comments

  1. And will it still work by Oswald+McWeany · · Score: 5, Insightful

    And will it still work when Google abandon the project. Google are probably the most famous company on earth for abandoning projects that don't take off right away.

    --
    "That's the way to do it" - Punch
    1. Re: And will it still work by greenfruitsalad · · Score: 5, Insightful

      I bet they had to make the bluetooth version because of their employees with macbooks.

    2. Re:And will it still work by bickerdyke · · Score: 4, Interesting

      As they were involved in developing the U2F standard, it shouldn't depend on any Google servers. It's more about how long Chrome will support U2F, but that would affect not only Google security keys.

      --
      bickerdyke
    3. Re:And will it still work by DontBeAMoran · · Score: 5, Funny

      "Announcing the new Google T... - this project is now discontinued."

      --
      #DeleteFacebook
    4. Re: And will it still work by DontBeAMoran · · Score: 3, Informative

      Why? They could have made USB-C versions.

      --
      #DeleteFacebook
    5. Re:And will it still work by Anonymous Coward · · Score: 3, Informative

      > And will it still work when Google abandon the project.

      Yes it will. The key is based off an open technology standard called U2F, which is becoming increasingly common, and supported by many security key makers. With luck, it'll become as ubiquitous as http(s). As long as Google keeps supporting U2F, the key will still work.

    6. Re: And will it still work by DontBeAMoran · · Score: 4, Informative

      Your MacBook Pro has four USB-C ports.
      A MacBook only has one USB-C port.

      --
      #DeleteFacebook
    7. Re: And will it still work by Jane+Q.+Public · · Score: 3, Interesting

      And this is why NFC is a terrible technology to use for making payments.

      It doesn't have to be "very close by" if you have a big enough antenna. That's the thing about RF. Make an antenna big enough, and you can send and receive at a distance, even with a device that is extremely low-powered.

      In general, people should not use anything that operates over radio frequencies to access their bank account. It's a fool's errand. Christopher Soghoian, the same guy who read RFID chips from passports outside an airport from 30 feet away, also cracked NFC before it ever became common in consumer products. With a portable device that cost only $200 to build.

      Put your NFC-capable cards in a foil sleeve (they're cheap), or snip the coil antenna. Instructions for the latter are all over the internet.

  2. 0wned by Google by DogDude · · Score: 3, Interesting

    I imagine this thing will make sure to slurp up every last piece of data that the good little Google drones aren't already giving the Mothership.

    --
    I don't respond to AC's.
  3. Re:Phish-Proof? by chubs · · Score: 5, Insightful

    Yes, but what if I social engineer your password and it's still useless because all your accounts use 2FA and I don't have your key?

  4. Re:Bluetooth? Secure? Hahahaha that's hilarious by darkain · · Score: 3, Insightful

    As the other reply mentioned, yeah, it's a ONE-TIME password. In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security. The catch? You need physical access to the device either way. And once the time-based OTP is used, it's gone forever. Someone would literally have to be at the login prompt at the same exact time you are, in physical proximity to you to intercept the OTP communication wirelessly, and input it into the web site before you did. On top of that, most of these systems nowadays send out push notifications of new device logins, so while the OTP would fail for you (because someone just hijacked it), their device information will be pushed to your notifications on your cell phone or similar device.

    In other words, bashing someone upside the head with a brick would be far more convenient.

  5. Re:Phish-Proof? by neurojab · · Score: 3, Informative

    A phishing attack generally takes the form of a web form that looks like a legitimate site, the idea being that the victim will enter their user and password into the form and the attacker will then be able to steal the credentials. 2FA is not always immune to this sort of attack since the second factor could be stolen and passed along immediately to the target site. In the U2F protocol implemented by these security keys, there is a public/private key pair generated for each site (which is in turn tied to the TLS certificate of that site). Proof of possession of the key by means of a signature is the second factor. This makes it pretty difficult to phish since the fake server owned by the phisher would not be able to stand up the same domain and TLS cert in order to get U2F on the client to generate a challenge that would be accepted by the attacked site.

    Maybe I didn't explain it that well... but the point is that the key becomes cryptographically tied to the target site in a way that cannot be replayed by a standard phishing attack.

  6. Re:Phish-Proof? by Ichijo · · Score: 3

    The 3-2-1 backup strategy says you should have 3 copies of important information, 2 copies onsite but on separate drives or mediums and 1 copy offsite in case of malware or the kind of disaster you're describing.

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
  7. Re:Phish-Proof? by neurojab · · Score: 3, Informative

    >In this case, it doesn't matter what 2-factor authentication method you use. I don't think this proves Google's device is any better or worse than any other 2FA mechanism, merely proving "requiring 2FA makes phishing less effective".

    Actually the U2F protocol (yubikey and google's new key) is more phish-proof than TOTP or SMS based 2FA. In TOTP, it would be possible for a phishing attacker to set up a fake website which passes credentials directly to the real website, thus owning the account. In SMS, it would be possible for an attacker to trigger the SMS authentication through the same means (passing the first factor to the real website, then presenting a form for the second factor). 2FA outside of U2F makes phishing more difficult, but still is possible, and these kinds of attacks do happen. U2F is "practically unphishable" because it doesn't allow a user to type in an OTP on a fake website.
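As an added illustration of the origin binding neurojab describes in this comment and in the earlier "Re:Phish-Proof?" reply: the Go program below is not from the page, from Google or from Yubico; it is a simulation written for this article. It models the three parties with standard-library ECDSA: a key that holds one P-256 key pair per site and never exports it, a browser that writes the origin of the page it is actually on into the client data before the key signs it, and a relying party that checks challenge, origin and signature. The hostnames bank.example and evil.example, the key-handle derivation, and the omission of the use counter from the signed message are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is the JSON the browser hands to the key; the browser, not the page's script, fills in Origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the key's signed login response (the real format also carries a use counter; omitted here).
type Assertion struct {
	Handle                string
	ClientData, Signature []byte
}

// Key models a U2F token: one P-256 key pair per site, and private keys never leave it.
type Key struct{ keys map[string]*ecdsa.PrivateKey }

// Register mints a key pair for appID. The handle derivation is illustrative only (assumption).
func (k *Key) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return "", nil, err }
	handle := hex.EncodeToString(priv.PublicKey.X.Bytes())[:16]
	k.keys[handle] = priv
	return handle, &priv.PublicKey, nil
}

// signedDigest is what the key signs: SHA256(SHA256(appID) || user-presence byte || SHA256(clientData)).
func signedDigest(appID string, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	h := sha256.New()
	h.Write(app[:])
	h.Write([]byte{1}) // user presence: the button was touched
	h.Write(cd[:])
	return h.Sum(nil)
}

// Sign answers a challenge for appID with the key registered under handle.
func (k *Key) Sign(handle, appID string, clientData []byte) (Assertion, error) {
	priv, ok := k.keys[handle]
	if !ok { return Assertion{}, errors.New("unknown key handle") }
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, clientData))
	return Assertion{handle, clientData, sig}, err
}

// Browser models the user agent on a page at origin. (A real browser also refuses an appID whose
// origin does not match the page; the signed origin alone is enough to show the point here.)
func Browser(origin string, key *Key, handle, appID, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{challenge, origin})
	return key.Sign(handle, appID, cd)
}

// RelyingParty is the site; its appID is its origin. One pending challenge, for brevity.
type RelyingParty struct {
	Origin, pending string
	pubs            map[string]*ecdsa.PublicKey
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	rp.pending = hex.EncodeToString(b)
	return rp.pending
}

// Verify checks challenge, origin and signature, in that order.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil { return err }
	if rp.pending == "" || cd.Challenge != rp.pending { return errors.New("stale or unknown challenge") }
	if cd.Origin != rp.Origin { return fmt.Errorf("signed for %s, not %s: phished", cd.Origin, rp.Origin) }
	pub, ok := rp.pubs[a.Handle]
	if !ok || !ecdsa.VerifyASN1(pub, signedDigest(rp.Origin, a.ClientData), a.Signature) {
		return errors.New("bad signature")
	}
	rp.pending = "" // challenge consumed: the same assertion cannot be replayed
	return nil
}

// Demo runs a genuine login and a relayed one; returns whether each behaved as expected.
func Demo() (legitOK, phishBlocked bool) {
	key := &Key{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{Origin: "https://bank.example", pubs: map[string]*ecdsa.PublicKey{}}
	handle, pub, err := key.Register(bank.Origin)
	if err != nil { return false, false }
	bank.pubs[handle] = pub
	a, err := Browser(bank.Origin, key, handle, bank.Origin, bank.Challenge())
	legitOK = err == nil && bank.Verify(a) == nil
	// evil.example relays the bank's real challenge; the victim touches the key while on the
	// phishing page, so the browser signs origin=evil.example and the bank rejects it.
	a, err = Browser("https://evil.example", key, handle, bank.Origin, bank.Challenge())
	phishBlocked = err == nil && bank.Verify(a) != nil
	return legitOK, phishBlocked
}
```

Demo() returns (true, true): the genuine login verifies and the relayed one is rejected with the origin error. Note that the relayed assertion carries a perfectly valid signature from the victim's key; what the phisher cannot obtain is a signature over client data naming the bank, because the browser, not the attacker's page, decides what goes in the origin field. A TOTP code has no origin field at all, which is why the same relay succeeds against it.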

  8. Re:Chrome only by Average · · Score: 3, Informative

    U2F is perfectly functional in Firefox 60+ as downloaded. But, for reasons I honestly can't get, it's not turned on by default. It worked before FF 60 with plugins.

    about:config -> security.webauth.u2f true