Slashdot Mirror


Google's $50 Titan Security Keys Are Now Available in the US (engadget.com)

Last month, Google introduced its Titan Key -- a physical security key used for two-factor authentication -- and now it's widely available for purchase in the US through the company's Google Store. Almost any modern browser and mobile device, as well as services such as Dropbox, Twitter, Facebook, Salesforce and Stripe, support the Titan Key. It's Google's take on a Fast Identity Online key, a physical device used to authenticate logins over Bluetooth. From a report: For $50, you'll get a USB security key and a Bluetooth security key as well as a USB-C to USB-A adapter and a USB-C to USB-A connecting cable. What happens if you lose them? From a report: A downside of physical keys is that if you lose them, you're toast. That's why you have two keys -- one is meant to be a backup. Google says it can help you gain access to your account again but the recovery process can take days. VentureBeat adds: It's not meant to compete with other FIDO keys on the market, stressed Sam Srinivas, product management director for information security at Google, during a press pre-briefing. Rather, it's "for customers who want security keys and trust Google," he said. Further reading: None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA.

127 comments

  1. TFA? by rjune · · Score: 1

    Am I missing something? Is there a full article? Who supports this? Amazon? Shopping Sites? Banking or Investment? It seems that more effort could have been put into this post.

    1. Re:TFA? by Tomahawk · · Score: 1

      Use the 2nd link for a longer article. It lists a few sites that use it (facebook and twitter being in there, along with Google)

    2. Re:TFA? by Fly+Swatter · · Score: 1

      At least mention the ones that matter, this is slashdot after all. It will be supported by the Worldwide Web Consortium’s Web Authentication API, as well as github.

    3. Re:TFA? by Stan92057 · · Score: 1

      who? "Posted by msmash" "Google" does. this story has been re-posted plenty of times here at /. its a slashvertisement. click the related links it goes on and on from their.

      --
      Jack of all trades, master of none
    4. Re:TFA? by Anonymous Coward · · Score: 0

      There*

  2. Curious by the_skywise · · Score: 3, Interesting

    None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA

    How many of them using 2FA and NOT using physical keys got phished?
    Getting phished for the password sure - but who gives out the 2FA code? Even presuming a hacked website I would think the key would just hand over the data to the fake website?

    1. Re:Curious by olsmeister · · Score: 4, Interesting

      I was closing an account at Capital One a couple of weeks ago, and as a security precaution they asked me for my phone #, sent me a code via text message, and had me repeat that code back to them. I was like, I don't understand what the hell that just accomplished but whatever, I just want to close the damn account. Maybe that's their idea of 2FA.

    2. Re: Curious by Anonymous Coward · · Score: 2, Insightful

      Well they just proved that whoever was closing the account had a phone number. Can never be too sure these days. It's not like just anyone can have a phone number.

    3. Re:Curious by Anonymous Coward · · Score: 0

      LOL. Same thing happened when I tried to talk to Chase. They asked me for a phone number that's good to send text.
      I first tried Google Voice number, but that didn't work (although Chase had that number in their record). So I gave them my actual phone number (which Chase didn't have on their record). That worked.

    4. Re:Curious by Anonymous Coward · · Score: 0

      None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA

      How many of them using 2FA and NOT using physical keys got phished?

      The second factor is a physical key. So I would think the answer is zero, as no one tried to use 2FA without a physical key.

      Getting phished for the password sure - but who gives out the 2FA code?

      No one. That's the whole point :)

      Even presuming a hacked website I would think the key would just hand over the data to the fake website?

      No. Read the article.

    5. Re:Curious by fibonacci8 · · Score: 2, Insightful

      It sounds like you got phished by Capital One for your phone number, have you taken any steps in case they misuse it?

      --
      Inheritance is the sincerest form of nepotism.
    6. Re:Curious by darkmeridian · · Score: 1

      Actually, the FIDO U2F standard would not allow man-in-the-middle attacks with a spoofed website. The key will only work with the specific domain that authenticated the key, so a fake domain wouldn't work. If the website itself is hacked on the back end, then all bets are off. Same thing if the user's browser/computer is hacked.

      https://www.yubico.com/2017/10...

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    7. Re:Curious by Anonymous Coward · · Score: 0

      "Company Required Them to Use Physical Security Keys For 2FA"

      You can require accounts to use physical keys and only physical keys for 2FA through the G-Suite admin console, one would assume Google is able to do the same for their internal accounts.

    8. Re:Curious by bogd · · Score: 1

      Getting phished for the password sure - but who gives out the 2FA code?

      Oh, you would be surprised how many people do... There have been plenty of attacks in the wild doing exactly that - persuading people to give out 2FA codes (from Steam Authenticator codes to banking token codes). And it is amazing how many people willingly hand them out.

      Even presuming a hacked website I would think the key would just hand over the data to the fake website?

      That's the beauty of U2F - the generated code depends (among others) on the actual URL. So if you get a phishing link on goog1e.com, that site will receive a totally different 2FA code, one that will NOT work on the original website.

      More details here, for example.

      The downside of this design is that it requires support from the browser (someone has to provide the actual URL when requesting the 2FA code), and major browser manufacturers don't seem that eager to implement it. Maybe the new WebAuthn standard will change this...

    9. Re:Curious by hoggoth · · Score: 1

      That is moronic!

      Also, Vanguard has TOTP 2FA (Authy, Google Authenticator, etc), but on the page that asks you to enter your code there is a button 'I don't have my security device with me, send me an SMS instead'. This cannot be disabled. I am not making this up. I complained but the support rep couldn't understand why this is bad. She just kept asking if I wanted to turn off 2FA altogether.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    10. Re:Curious by Anonymous Coward · · Score: 0

      The downside of this design is that it requires support from the browser

      and the yuge downside of that is that browser support requires enabled javascript

      major browser manufacturers don't seem that eager to implement it

      and when they do, I'm sure they will screw the pooch six ways from sunday; we've had a standard for years that supported software and hardware based tokens and none of the browser vendors could be bothered to implement a reasonable ui for it

    11. Re:Curious by Anonymous Coward · · Score: 0

      Yeah, I've had that happen before. Not when trying to close an account, but just trying to login. "Give us a phone number so we can text you a code in order to prove that you are the account holder" makes no gods damned sense. It doesn't prove that I am the account holder, it just proves that I am a person with a phone.

      Now admittedly I have never tried to enter some random phone number, so I don't know if they are comparing the phone number I enter against a value in their system. But the way the form is presented, it sure doesn't sound like it.

    12. Re: Curious by Anonymous Coward · · Score: 1

      This isn't the worst thing. I mean, it would be (and might be) stupid if they required the ability to text your number, since land lines are still a thing and not everyone has unlimited texting, but it does add *some* level of validation.

      When you call in, they (probably) get your caller ID number, but that can easily be forged (this isn't theory; I've done it, and it's done as a normal course of business on nearly all business and 800 lines). The feedback loop they provided by sending you a code and having you read it back means that you have access to that phone number. That might be small, but it's way more than trusting caller id, and it can provide a means to trace that back to an account holder at that time should some legal issue arise from the cancellation.

      It would have been better if you had some form of 2fa setup with them already, and I hope they asked some other security-ish questions to verify your identity, but it doesn't seem like a bad thing.

    13. Re:Curious by Anonymous Coward · · Score: 0

      +1 to troll post

    14. Re:Curious by Hadlock · · Score: 1

      I would imagine they're in a transitionary stage and/or the project manager in charge of this doesn't trust their implementation enough to switch cold turkey.

      --
      moox. for a new generation.
    15. Re: Curious by Anonymous Coward · · Score: 0

      Could I have changed my account phone number just prior to closing the account if I knew this was part of their scripted conversation? Could I change it to a "burner phone"?

    16. Re:Curious by Anonymous Coward · · Score: 0

      Capital One can use a non-SMS based authentication. I just verified this on my account. (I don't have much in there, but maybe it makes me feel *slightly* safer with them now.) Something I didn't like was: using non-SMS authentication was just an option. There was no option to disallow SMS-based authentication. (I could have also chosen to do this.)

      Apparently, they also don't prompt you for two factor authentication unless you hit their servers from a different IP. (And they're very non-transparent about this.) They don't use cookies as a means to identify, they use your actual IP address. (Which I *guess* is ok since it's only triggering a two factor check, it's just I know that can have problems of its own too... spoofed IP / dynamic IP / etc.)

    17. Re:Curious by Anonymous Coward · · Score: 0

      None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA

      How many of them using 2FA and NOT using physical keys got phished?

      Getting phished for the password sure - but who gives out the 2FA code? Even presuming a hacked website I would think the key would just hand over the data to the fake website?

      likely what happened was the employees that used Authy or Authenticator or other software 2FA were fine but employees who didn't use 2FA couldn't be bothered and they were phished. So by changing the option and requiring everyone to go physical it just completely sealed the door.

      It is an interesting question on whether the employees who were using software 2FA can still use it. I would guess yes and that the titan key was just provided to everyone and 2FA was mandatory in whatever way you used it.

    18. Re:Curious by Anonymous Coward · · Score: 0

      Vanguard is a huge company which still has to respond to snail mail. Mail them a letter requesting that SMS can't be used on your account as an authentication measure. You'll likely get some sort of response and they'll likely notate your account somehow or fix their systems. (Or this is my hope anyway. There have been people complaining about the exact same issue you brought up for at least 5 years on bogleheads.)

    19. Re:Curious by Anonymous Coward · · Score: 0

      While you're at it interacting with Vanguard, you probably want to mail them a letter asking them to turn off voiceprint verification. This is also an easily fake-able thing. If you have a significant chunk of change with Vanguard, you're best off if things move slowly and require snail mail. Of course a snail mail signature can be forged, but I'd say that's a larger problem with the entire legal system itself in not adopting digital signatures.

    20. Re:Curious by Anonymous Coward · · Score: 0

      I was closing an account at Capital One a couple of weeks ago, and as a security precaution they asked me for my phone #, sent me a code via text message, and had me repeat that code back to them. I was like, I don't understand what the hell that just accomplished but whatever, I just want to close the damn account. Maybe that's their idea of 2FA.

      actually they likely verified you know your phone number and that it matches what they have in their records and not only do you know the correct phone number but you also have the phone. All to verify you are the account holder.

      -- Wolfkin

    21. Re:Curious by Anonymous Coward · · Score: 0

      Not only that, my interaction with Vanguard about using hardware security tokens indicated that they require the phone to be set up for account recovery so you can not only skip the token but also use the phone to reset password and register a new token!

      I want to think my current legacy config with them is more secure... a long randomized password which I protect carefully, and no blessing on my part to allow a cheap phone hijack to bypass all this. However, the cynical part in me realizes they probably offer the same social engineering flaw regardless of whether I agree to it or not.

      I really want them to have a *more secure* option than just password. Let me set up one or more tokens and require both password and token. If I need to recover my account, force me to go to some local office in my region and prove my identity to recover the account. They could deputize another bank or law firm if they don't have a retail advisors office within 50 miles.

    22. Re:Curious by thegarbz · · Score: 1

      It sounds like you got phished by Capital One for your phone number, have you taken any steps in case they misuse it?

      Are you implying that there are people out there who have dealings with a financial institution like Capital One who haven't already given them their phone number? To be clear we are talking about a financial services company here. If there's one group of people I want to be able to contact me urgently, it's the damn ones looking after my money.

    23. Re:Curious by Anonymous Coward · · Score: 0

      major browser manufacturers don't seem that eager to implement it

      Chrome, mozilla and opera support it now. Microsoft Edge just added it this month in build 17723.
      What major browser manufacturer doesn't support it?

  3. Trust Google? by Anonymous Coward · · Score: 2, Insightful

    Would you trust Google to make you secure when Google mines details about as many people as it can?

    1. Re: Trust Google? by dbialac · · Score: 2, Insightful

      Yep. Don't think for a second that this isn't another way to track you online.

    2. Re:Trust Google? by Anonymous Coward · · Score: 0

      i wouldn't. But everyone else will, so it will become a de-facto standard, and you will be increasingly locked out of society unless you use it.

    3. Re:Trust Google? by Anonymous Coward · · Score: 0

      It's already a web standard called WebAuthn. You can use any compatible authentication device, this is just one option.

    4. Re: Trust Google? by jareth-0205 · · Score: 1

      Yep. Don't think for a second that this isn't another way to track you online.

      [citation needed]

      Oh no, wait, it's 2018. Spouting unfounded bullshit without having to back it up with anything is just how things are now.

    5. Re:Trust Google? by Anonymous Coward · · Score: 0

      As of last time I checked, Google won't let you use Firefox with FIDO even though Firefox itself has supported it for a bit now. They're doing some 20+ year old style browser sniffing to prevent it.

      I'm curious how this will be any different.

      OTOH, my mom no longer gets all those emails about people trying to break into her gmail account, so at least that's improved.

    6. Re: Trust Google? by Anonymous Coward · · Score: 0

      Oh no, wait, it's 2018. Google's primary method of generating profit hasn't been a secret for over a decade and is now being copied by every major corporation, web-based or not. This is just the way American capitalism works now. But you need direct proof of each, individual violation of your trust and privacy? Just wait 6 months.

    7. Re:Trust Google? by Anonymous Coward · · Score: 0

      They're not sniffing, if they were it wouldn't do the delay before it fails. Firefox's support for U2F is incomplete and lacks AppID and Facet, and they moved their development towards Webauthn. Chrome does support these features and they are not yet using Webauthn for login.

    8. Re: Trust Google? by dissy · · Score: 1

      Yep. Don't think for a second that this isn't another way to track you online.

      Well without a 2FA hardware token, that means you are currently typing in a username and password.

      I don't see how your claim that entering a username and password doesn't let the website you enter it into track the fact you just logged into them.
      By definition you have identified yourself with a username, and proven it really is you with your password.

      As a 2FA hardware device does the same two tasks with one certificate, of course the website you use it to login to can track you equally the same.

      That includes if you sign in to google, google will know you signed into them.

      I would however highly suggest you stop trying to sign into google using your username/password for other websites. It isn't going to actually work, and there is no good reason to give google that info.

    9. Re:Trust Google? by Anonymous Coward · · Score: 0

      Made in China - LOL LOL LOL

      https://www.cnbc.com/2018/08/30/google-titan-made-by-chinese-company-feitian.html

    10. Re:Trust Google? by Anonymous Coward · · Score: 0

      It's made in China, so that's enough reason on its own to avoid it. If you aren't supposed to use Kaspersky Antivirus or buy Huawei phones, you shouldn't use this thing.

    11. Re:Trust Google? by AHuxley · · Score: 1

      All the crypto is then back to one ad company.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:Trust Google? by Anonymous Coward · · Score: 0

      Trusting Google requires having one's brain partly damaged. They have turned from being a search engine company into being the public front for the US intelligence community and a provider of AI and data for them to operate command & control mechanisms over the general population.

    13. Re: Trust Google? by dbialac · · Score: 1

      Because that 2FA token sends info from the website you're logging into to Google. Google knows the ID of your 2FA and now knows you are a user of that website and when you log in.

    14. Re: Trust Google? by dissy · · Score: 1

      Because that 2FA token sends info from the website you're logging into to Google. Google knows the ID of your 2FA and now knows you are a user of that website and when you log in.

      But I use them on internal systems without Internet access at all.
      How exactly are you saying the token keys send anything to google?

      My Yubico key, which uses the exact same protocol and backend PAM modules, I've used for years to login to a machine that not only doesn't have Internet access, but has no network access at all.

      Perhaps you are just confused because for the first couple months google only sold the keys to people with google cloud accounts, not realizing they now sell them to anyone?

      Or perhaps you are mistakenly thinking google invented the fido u2f protocol, and don't understand it's existed for years?

      The PAM module is open source: https://developers.yubico.com/...
      No networking required after you download the GIT tree.

  4. Google Authenticator by Tomahawk · · Score: 1

    I use Google Authenticator on my phone for my MFA needs. I think I'm more likely to notice my phone going missing than I am to notice a small usb key going missing, and I'm also more likely to remember to bring my phone wherever I'm going.

    So I think I'll just stick with using my phone and save the $50.

    1. Re:Google Authenticator by AmiMoJo · · Score: 4, Interesting

      There are a few benefits to using these kinds of keys. I don't know about the Google one specifically but others have features like being able to act as a USB keyboard and enter very long, complex passwords for you when you press the button. There is also the speed factor, no opening an app and copying a code manually.

      The downside is that these keys have no physical security. Your phone is at least lockable, but if someone takes your key there is nothing to stop them using it. Mainly a concern for people who might get targeted specifically or people at risk from law enforcement in bad countries.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Google Authenticator by Frederic54 · · Score: 1

      Same, I don't use SMS anymore for 2FA, I setup my google, FB, reddit, using the Google Authenticator, works well for me.

      --
      "Science will win because it works." - Stephen Hawking
    3. Re:Google Authenticator by Anonymous Coward · · Score: 0

      There's a little slide-switch on the side of the device that locks the key.
      The more you know...

      CAP == 'archival'

    4. Re:Google Authenticator by bogd · · Score: 1
      Google Authenticator is nice, but:

      1) it is vulnerable to man-in-the-middle and phishing attacks. While U2F is designed to resist those (if someone gets a user to generate a code on a phishing website hosted on "goog1e.com", that code will not work on "google.com").

      2) it is impossible to backup the keys. Lost/destroyed/changed your phone? You're going to spend the next two days resetting 2FA on all those accounts... (I know there are workarounds for this second part, but some of them trade convenience for lower security...)

    5. Re:Google Authenticator by Anonymous Coward · · Score: 0

      Wouldn't someone who'd stolen your key just flip that switch to unlock it?

    6. Re:Google Authenticator by Lab+Rat+Jason · · Score: 1

      Does that same switch also unlock the key? I think you missed the point.

      --
      Which has more power: the hammer, or the anvil?
    7. Re:Google Authenticator by Anonymous Coward · · Score: 0

      What do you mean "physical security"? Your phone's screen lock surely isn't physical security?
      At least for the signing/ssh authentication/... usages these keys most definitely have a PIN, so at least as secure as your phone.
      If there's no PIN for the 2FA usage that's purely a design decision without any (good) technical reason.

    8. Re:Google Authenticator by Anonymous Coward · · Score: 0

      Please explain how Google Authenticator is vulnerable to either MITM or phishing attacks?

    9. Re:Google Authenticator by Anonymous Coward · · Score: 0

      You enter your password on a fake page, you enter the current code on the fake page, they can use the code to log in to your account instantly on the backend. Once it changes they couldn't log in again, but as long as they have that session they are fine.

      Once in they can do things like register a new token without providing the current (changed) pin, among other things.

      U2F is not vulnerable to this.
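      The origin binding that bogd describes ("goog1e.com" receives a response that will NOT work on "google.com") and that this comment contrasts with the TOTP relay above, modelled as an added example that is not Titan, Google or Yubico code. It is a simplified U2F-style token: the key handle is bound to the application ID (origin) the browser supplies, the token refuses to sign for any other origin, and the relying party checks that the signed origin hash is its own. The authenticator type, the key-handle storage and the challenge values are hypothetical and constructed for this example.

```go
// Simplified model of U2F origin binding (added example, not vendor code).
// A key pair is created per origin at registration; at authentication the
// token signs H(appID) || counter || H(challenge) only if the key handle was
// registered for the origin the browser reports, and the relying party checks
// the signed origin hash and the signature against its stored public key.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// registration is what the hypothetical token remembers per key handle.
type registration struct {
	appID string            // origin the key pair was registered for
	priv  *ecdsa.PrivateKey // per-origin key (real tokens wrap it into the handle)
}

// Authenticator is a hypothetical U2F-style token.
type Authenticator struct {
	keys    map[string]*registration // key handle (hex) -> registration
	counter uint32                   // signature counter, monotonic
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*registration{}}
}

// Register creates a key pair bound to appID; returns the key handle and the
// public key the relying party stores alongside the user's account.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", raw)
	a.keys[handle] = &registration{appID: appID, priv: priv}
	return handle, &priv.PublicKey, nil
}

// signedData builds the bytes the token signs: H(appID) || counter || H(challenge).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	chHash := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := make([]byte, 0, 32+4+32)
	buf = append(buf, appHash[:]...)
	buf = append(buf, ctr[:]...)
	return append(buf, chHash[:]...)
}

// Assertion is the token's response to an authentication request.
type Assertion struct {
	AppID     string // origin the browser supplied to the token
	Counter   uint32
	Signature []byte // DER-encoded ECDSA signature over signedData
}

// Authenticate is invoked by the browser with the origin the page is really
// on. A handle registered for a different origin is refused outright.
func (a *Authenticator) Authenticate(appID, handle string, challenge []byte) (*Assertion, error) {
	reg, ok := a.keys[handle]
	if !ok || reg.appID != appID {
		return nil, errors.New("key handle not registered for this origin")
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, reg.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AppID: appID, Counter: a.counter, Signature: sig}, nil
}

// Verify is the relying party's check. A real server also requires the
// counter to increase, which is omitted here for brevity.
func Verify(rpAppID string, pub *ecdsa.PublicKey, challenge []byte, as *Assertion) bool {
	if as == nil || as.AppID != rpAppID {
		return false
	}
	digest := sha256.Sum256(signedData(as.AppID, as.Counter, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], as.Signature)
}

// Scenario plays out the thread's example: a genuine login at google.com,
// the same key handle presented from goog1e.com, and an assertion obtained
// for goog1e.com replayed against google.com.
func Scenario() (legitOK, phishRejected, replayRejected bool) {
	tok := NewAuthenticator()
	rp := "https://google.com"
	handle, pub, err := tok.Register(rp)
	if err != nil {
		return false, false, false
	}
	challenge := []byte("constructed-challenge-1") // sample value, constructed
	as, err := tok.Authenticate(rp, handle, challenge)
	legitOK = err == nil && Verify(rp, pub, challenge, as)
	_, err = tok.Authenticate("https://goog1e.com", handle, challenge)
	phishRejected = err != nil
	h2, _, _ := tok.Register("https://goog1e.com") // user also enrolled at the fake site
	as2, _ := tok.Authenticate("https://goog1e.com", h2, challenge)
	replayRejected = !Verify(rp, pub, challenge, as2)
	return legitOK, phishRejected, replayRejected
}

func main() {
	legit, phish, replay := Scenario()
	fmt.Println("genuine login verifies:", legit)
	fmt.Println("phishing origin refused by token:", phish)
	fmt.Println("goog1e.com assertion rejected by google.com:", replay)
}
```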

    10. Re:Google Authenticator by davecb · · Score: 1

      If you don't have to also provide a pin as part of the key response, it's "something you have" without "something you know". I.e., 1FA instead of 2FA.

      --
      davecb@spamcop.net
    11. Re:Google Authenticator by Anonymous Coward · · Score: 0

      Your username and password are one factor, the code from the app is the second factor.

    12. Re:Google Authenticator by davecb · · Score: 1

      Good! Thanks, AC!

      --
      davecb@spamcop.net
    13. Re:Google Authenticator by AmiMoJo · · Score: 1

      Typically you would have a password as well, and then re-authenticate using just the key periodically when you want to perform specific actions.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Google Authenticator by Anonymous Coward · · Score: 0

      I think you don't know how these actually work. At least with the Yubikey, OTP generation can be secured behind a password. Plus it's a genuine smartcard, so RSA tasks are required to be behind a pin with a 3 entry lockout. Static string blurting doesn't require authentication, but that's pretty useless considering the key supports the previous. U2F also doesn't have password protection but I don't use it since it seems like not many platforms support it, and sometimes it just won't work.

  5. why would I trust Uncle sam by Anonymous Coward · · Score: 0

    or his pals at the nsa?

  6. Curious if different from the Feitian model by PhrostyMcByte · · Score: 1

    These Titan keys are the same hardware as the Feitian FIDO keys, but supposedly with a custom firmware so not a simple rebranding.

    I'm curious to know how these compare.

    1. Re:Curious if different from the Feitian model by Wolfrider · · Score: 1

      --Bring the price down to $25 and I might consider it

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    2. Re:Curious if different from the Feitian model by q4Fry · · Score: 1

      Not to be coy: They do give you two keys for the $50.

    3. Re:Curious if different from the Feitian model by tmshort · · Score: 1

      And adapter cables!

    4. Re:Curious if different from the Feitian model by Anonymous Coward · · Score: 0

      but supposedly with a custom firmware so not a simple rebranding.

      But the FIDO U2F stuff relies on being mathematically secure, so what could they possibly be changing in the firmware? It's not like the thing has a tcp session it runs that could possibly be a backdoor. And if there's a flaw in the hardware that allows key extraction... well it's the same damned hardware.

  7. Who cares? by jittles · · Score: 5, Interesting

    Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

    1. Re:Who cares? by Anonymous Coward · · Score: 0

      Who trusts Google

      Literally billions of other people.

      Not you, not I, but don't kid yourself for a moment about how many people "Trust Google".

    2. Re:Who cares? by Anonymous Coward · · Score: 0

      Good news!

    3. Re:Who cares? by jareth-0205 · · Score: 1

      Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

      There is a difference between personal security, web security, which is something that is both in your and Google's interest to secure, and the mining of personal information, which is in their interest, but not yours. This is obviously a product for the first.

      Not everything Google does fits into the hysterical OH MAH GAWD THEYRE TAHKIN ALL MAH DATA narrative.

    4. Re:Who cares? by jittles · · Score: 1

      Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

      There is a difference between personal security, web security, which is something that is both in your and Google's interest to secure, and the mining of personal information, which is in their interest, but not yours. This is obviously a product for the first.

      Not everything Google does fits into the hysterical OH MAH GAWD THEYRE TAHKIN ALL MAH DATA narrative.

      If you’re right then there is still no reason to buy it. Google drops basically every service they offer that does not provide value to their advertising platform. They do it time and time again. So if they aren’t actually harvesting useful metrics through the use of this device then they will just EOL it after 2-3 years.

    5. Re:Who cares? by Anonymous Coward · · Score: 0

      It doesn't matter if they drop it.

      These devices generally do not have updatable firmware because that is an attack vector.

      There is no registration of a website to the token through some online process, but to use it with a website or any other system you do have to register the token with the server, just like RSA or any other second factor.

      These devices do not need to phone home to a server in order to perform the authentication steps. You can do offline authentication using local authentication servers.

      Google could disappear tomorrow and this device would continue working just fine. It is a standalone cryptographic device just like a Yubikey.

    6. Re:Who cares? by jareth-0205 · · Score: 1

      Well that I would agree with...

    7. Re:Who cares? by kosmosik · · Score: 1

      Google customers care. The ones that are actually paying Google for their cloud services. You know that Google is not only web and email right? There is also the Cloud Platform. I personally would like a strong 2FA device to protect my accounts for running my business on GCP.

      Trust is one issue, cost and business is another. Lots of businesses pay Google for services so they also trust Google to run their business. Ones like Snapchat, Airbnb, Costco, Philips, TiVo, Citrix, Ubisoft... etc.

      https://cloud.google.com/custo...

    8. Re:Who cares? by Anonymous Coward · · Score: 0

      Heaps of (your) data is their most valuable asset; they're pretty good at protecting it from others.

    9. Re:Who cares? by thegarbz · · Score: 1

      Me, and here's why:

      Security and a business model of handling your data are not exclusive. In fact one would hope that the people who make a business of handling your data are also some of the best in the aspects of security. Now this isn't applied universally. If you take a company like Verizon who will bulk sell your data to the highest bidder then security (of that data) is a non issue. However if you deal with a company whose sole source of income is selling access to you by way of profiling your data, and while maintaining that your data is effectively their carefully guarded CocaCola recipe, then you should apply a bit more nuanced thought.

      On top of that you should also take care to look at the quality of products and code produced to date, as well as security practices, hiring and staffing practices, and general industry standings.

      With all that in mind I trust Google more on matters of security than a company like Symantec, and a fuck ton more than a company which collects my data as an incidental revenue stream (looking at you Samsung, Verizon etc).

      But then you throw thought out the window when it comes to data as evident that you prefer to trust security to agencies which almost exclusively are out to determine if you are thinking wrong and to punish you for it.

    10. Re:Who cares? by jittles · · Score: 1

      Me, and here's why:

      Security and a business model of handling your data are not exclusive. In fact one would hope that the people who make a business of handling your data are also some of the best in the aspects of security. Now this isn't applied universally. If you take a company like Verizon who will bulk sell your data to the highest bidder then security (of that data) is a non-issue. However if you deal with a company whose sole source of income is selling access to you by way of profiling your data, and while maintaining that your data is effectively their carefully guarded Coca-Cola recipe, then you should apply a bit more nuanced thought.

      On top of that you should also take care to look at the quality of products and code produced to date, as well as security practices, hiring and staffing practices, and general industry standings.

      With all that in mind I trust Google more on matters of security than a company like Semantic, and a fuck ton more than a company which collects my data as an incidental revenue stream (looking at you Samsung, Verizon etc).

      But then you throw thought out the window when it comes to data as evident that you prefer to trust security to agencies which almost exclusively are out to determine if you are thinking wrong and to punish you for it.

      Your problem is that you're misunderstanding whose security Google cares about. They care about their own. Whatever protection they provide to your data is only due to the fact that they make money off of that data. At least I know that the NSA and CIA are going to spy on me and generally do things that aren't in my interest. Google is the kind of company that, with their "Do no evil" mantra claim that they're a great company. And yet they spy on you worse than even Facebook does. There are plenty of companies who make this kind of hardware that do not make their money on spying. Why should you trust Google more than one of them?

    11. Re:Who cares? by AHuxley · · Score: 1

      With PRISM 2.0 a user can get that security service part for free.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:Who cares? by thegarbz · · Score: 1

      Your problem is that you're misunderstanding whose security Google cares about. They care about their own.

      Not at all. Re-read my post. My post talked about caring about their own security for protecting their Coca-Cola recipe: your data. That also means they invest in security. That also means security trickles down to their retail products. Companies don't typically waste time writing lots of new things from the ground up to suit nearly identical needs.

      And yet they spy on you [wsj.com] worse than even Facebook does.

      And they are the one group whose spying I'm not worried about. Google spy on users in order to make money by selling access. That makes them orders of magnitude more trustworthy than those who spy on users in order to sell data wholesale (Verizon), or spy on users to actively attack the users in question (NSA / CIA).

      There are plenty of companies who make this kind of hardware that do not make their money on spying.

      There are. And there are few who are putting as much effort into integration efforts across products as Google. If this form of compatibility didn't matter, Apple wouldn't exist. It was their entire reason for being when they were making their comeback: It Just Works.

  8. I just love it by nospam007 · · Score: 1

    Before, if they didn't get to me by phishing they were bust.
    Now they have to come to my home and hit me over the head with a wrench and take my titan-dongle.

  9. Re: Trump Done Did It! by Anonymous Coward · · Score: 0

    Did what? Learn how to color the flag properly? The suspense is killing me!

  10. Curious to have a product with no customers by SuperKendall · · Score: 4, Funny

    it's "for customers who want security keys and trust Google

    It doesn't seem like anyone there ran through the Venn diagram on that one, because I come up with approximately zero customers...

    And that includes Google employees.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Curious to have a product with no customers by fibonacci8 · · Score: 2

      I suspect you mistakenly substituted "should trust Google" in your own diagram, when the customers are those who "do trust Google".

      --
      Inheritance is the sincerest form of nepotism.
    2. Re:Curious to have a product with no customers by doconnor · · Score: 1

      There are people who manage multi-million dollar adwords/adsense accounts with Google. There are people who make their living from their YouTube videos.

    3. Re:Curious to have a product with no customers by SuperKendall · · Score: 1

      Yep, and you seriously think EITHER of those groups trust Google?

      Just ask any YouTuber about play counts and get a sense of how much "trust" and "love" there is for Google.

      Even on the ad side I don't see much trust that Google is actually accurate with counts. But what else are the advertisers going to do?

      You don't have to trust or even like someone to do business with them you know.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    4. Re:Curious to have a product with no customers by Anonymous Coward · · Score: 0

      Everyone who wants 2FA for their Gmail account?

    5. Re: Curious to have a product with no customers by doconnor · · Score: 1

      Well not trusting Google doesn't mean they want their account hacked by someone else.

  11. RSA keys by Anonymous Coward · · Score: 0

    How is this different from the $5 RSA keys?

  12. Google's new motto by Anonymous Coward · · Score: 0

    Don't allow anyone else to be evil!

  13. Two Things: by Cornwallis · · Score: 4, Interesting

    1) "A downside of physical keys is that if lose them, you're toast." Bullshit. I use Yubikey and if I lose it I simply use the backup alphanumeric codes I created when I established the 2FA account on the site.

    2) You're gonna trust Google?

    1. Re:Two Things: by Anonymous Coward · · Score: 0

      If there is a backup method of accessing the account, then it is a backup methodology, and it is NOT the FIDO U2F protocol.

      The base PKI concept is really simple: The device contains a public and private key. The public key is registered with the website. The private key stays on the device. When the website issues a challenge, the challenge is signed by the device, then it is sent back to the website. The website verifies the challenge using the registered public key. If you lose the USB stick, then you have to register a new stick, i.e., register a new public key.

      An Atmel AT88CK590 development stick can do all of this and more for $25. The PKI keys can be generated internally by the chips themselves. If you're paranoid about the device, you can look at the spec sheets and the controller's code, and make changes yourself.

      What I'm still wondering is what the Google branding gives a person.
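      The challenge-response flow described above, as an added Go example (not code from the original post or from any FIDO implementation): the device generates and keeps the private key, the site stores only the public key and checks the signed challenge, and a lost device is replaced by registering a new key. It also includes the signature counter that real U2F keys carry and binds each signature to the site's app ID, so a replayed or cross-site assertion is rejected; the struct names and the sample site name are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator models the security key: the private key lives only here, and the counter increments on every signature.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty models the website: it stores only the public key and the last counter it accepted.
type RelyingParty struct {
	appID   string
	pub     *ecdsa.PublicKey
	lastCtr uint32
}

// Register models plugging in a new device: a fresh P-256 key pair is generated and the site gets only the public half.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub, rp.lastCtr = &priv.PublicKey, 0 // re-registering replaces the old key; there is no recovery of it
	return &Authenticator{priv: priv}, nil
}

// Challenge is 32 fresh random bytes the site issues for each login attempt.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage is what gets signed: fixed-width hashes of app ID and challenge plus the counter, loosely modelled on U2F.
func signedMessage(appID string, challenge []byte, counter uint32) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	msg := append(append(app[:], ch[:]...), byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Sign answers a challenge: the device returns its advanced counter and an ASN.1 ECDSA signature.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(appID, challenge, a.counter))
	return a.counter, sig, err
}

// Verify checks that the counter advanced and that the signature matches the registered public key.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) error {
	if rp.pub == nil || counter <= rp.lastCtr {
		return errors.New("no key registered, or counter did not advance (replay or cloned key)")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.appID, challenge, counter), sig) {
		return errors.New("signature does not verify against the registered public key")
	}
	rp.lastCtr = counter
	return nil
}
```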

    2. Re:Two Things: by Anonymous Coward · · Score: 0

      What I'm still wondering is what the Google branding gives a person.

      Literally convenience. They made this to solve an internal problem, and they're just releasing it to the public. If you want a physical key and you want to buy it from the Google store then you can do that.

    3. Re:Two Things: by kosmosik · · Score: 1

      2) Lots of serious corporations use commercial Google products, especially G Suite. I worked in two such corporations. Such a 2FA product is mostly targeted at power users (these are few) and corporate users (these are hundreds of thousands, and they are paying). So if they are using it they are probably also trusting Google. If you use G Suite it is a very good idea to protect at least the administrative accounts (e.g. with domain control) with strong 2FA devices.

      1) Take a look at 2 - this is targeted at corporate environments. In a corporate environment, when you lose your 2FA device you usually have a procedure to recover your account and get a new one.

    4. Re:Two Things: by SuperKendall · · Score: 1

      2) You're gonna trust Google?

      I posted a joke response earlier, but I kid you not - I was reading through the summary and thinking about buying one, then I came to the line "and those who trust Google" and I instantly decided not to buy it after all.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    5. Re:Two Things: by thegarbz · · Score: 1

      2) You're gonna trust Google?

      Trust with what? Trust is not a universal concept. It is contextualised. I trust my mother to have my best interests at heart. I don't trust her not to fill my computer with viruses and therefore she doesn't get to touch it.

      I don't trust Google with a lot of things, however they have quite consistently been shown to produce quite good back end code and generally don't appear frequently in the list of companies which have left users to malicious exploits due to poor code, or sold out customers. Mind you I don't trust them to code a functional UI to enter the 2FA codes into, however that doesn't really come into it when talking about security.

  14. This device is for whom exactly? by AnthonywC · · Score: 2

    If you actually want a 2FA you would probably have enabled it with your phone or possibly a physical key device (similar to this one). However this is a Bluetooth device and we all know how secure that is.

    1. Re:This device is for whom exactly? by Anonymous Coward · · Score: 0

      This is one of the main reasons the Yubikey doesn't do bluetooth; also, dealing with batteries is a pain. They do have an NFC one but somebody is going to have to get uncomfortably close to use it.

  15. That explains the shitty support for Yub by Anonymous Coward · · Score: 0

    Why support a superior product when you can just delay them and roll your own shittier version?

  16. Really slashdot? by Anonymous Coward · · Score: 1

    Why does the "and now it's widely available for purchase in the US through company's Google Store" link go to an engadget article instead of the fucking Google Store?

  17. IT'S BULLSHIT by the_B0fh · · Score: 4, Interesting

    To use a hardware token as 2FA on FaceBook, Twitter, DropBox and so on, YOU FIRST HAVE TO ENABLE 2FA VIA SMS.

    AFTER THEY HAVE FUCKING COLLECTED YOUR PHONE NUMBER, THEN AND ONLY THEN WILL HARDWARE TOKEN 2FA BE AVAILABLE AS AN OPTION.

    WHAT THE FUCK?

    1. Re:IT'S BULLSHIT by Anonymous Coward · · Score: 0

      I wonder if the $50 includes the cost for the burner phone

    2. Re:IT'S BULLSHIT by bogd · · Score: 1

      Your shift key seems to be stuck :)

      There is a reason for requiring your phone number - most likely, they are using SMS as a backup recovery mechanism - so that you are not "toast" when you lose your security key. If you lose the physical key, you will still be able to recover your account via SMS.

    3. Re:IT'S BULLSHIT by Anonymous Coward · · Score: 0

      Your shift key seems to be stuck :)

      Not stuck, just cruise control.

    4. Re:IT'S BULLSHIT by jittles · · Score: 2

      most likely, they are using SMS as a backup recovery mechanisms - so that you are not "toast" when you lose your security key. If you lose the physical key, you will still be able to recover your account via SMS.

      Well then I will save my $50 and not buy a security key if they’re going to insecure it in that manner. It just takes a few minutes of social engineering to hijack someone’s number and therefore their SMS.

    5. Re:IT'S BULLSHIT by Anonymous Coward · · Score: 0

      Burner phone. Use it!

    6. Re:IT'S BULLSHIT by nine-times · · Score: 1

      Ok, here's the problem with that:

      If you can use SMS as a recovery path when you lose your 2FA token, that means you don't need the 2FA token. You can just use SMS. Though that might sound handy, SMS is insecure.

      It's the same basic problem with "security questions". A lot of services have the option where, if you forget your password, you can reset it with security questions. And then, they ask you security questions like, "What's your mother's maiden name?" That's information that isn't necessarily hard to find out these days. So now, instead of having to hack the site or guess someone's password, you can get unauthorized access to the account just by knowing the person's mother's maiden name.

      "Security is only as strong as its weakest point." It's a bit of an oversimplification, but accurate enough. If, in the name of security, you make your default method of authentication so onerous that people need an easy and insecure backup method, then you've just undermined your own security.

    7. Re:IT'S BULLSHIT by Anonymous Coward · · Score: 0

      I have to repeat this every once in a while as AC: It is to link advertising information.

      An email address is not necessarily a unique identifier. It could be shared, and a single person could have N email addresses. A cell phone number does tend to be unique. The one you provide to verify your account is unlikely to be shared. The few people who carry multiple cell phones (and never more than 3) are also unlikely to use different ones within the same context where advertising profiles are useful.

      They want to merge the data they have on you with data they can purchase elsewhere.

    8. Re:IT'S BULLSHIT by bogd · · Score: 1

      Well, I won't argue with you there :) . It's one of those cases in which they choose usability over security. :/

    9. Re:IT'S BULLSHIT by tlhIngan · · Score: 2

      If you lose the physical key, you will still be able to recover your account via SMS.

      Have we not learned? A phone number is not something you have. NIST discovered this a few years ago and updated their guidelines - no SMS, phone call, or other thing can be valid for identification at all.

      Hell, this existed even before cellphones were popular - phone phreaking was a thing and it was possible to reprogram a switch to temporarily redirect a phone call to another phone. Many used it to bypass "phone verification" systems that banks and such implemented where they would call you back at your home or something. And this was done in the late 80s.

      2FA is only as strong as the weakest mechanism. The fact you can "recover" by SMS means it doesn't matter how strong your 2FA mechanism is, you're bound by the weakest link, in this case, SMS. (Think about it - why have the most secure key in the world, if anyone else can claim to "lose" it and thus revert to SMS?)

    10. Re:IT'S BULLSHIT by bogd · · Score: 1

      As I answered above, that is true. Unfortunately, this is one of the many cases in which they (the companies implementing the security options) chose usability over security.

      Unfortunately, there is no magic bullet here - very strong security would lead to many users being locked out of their accounts, and many very unhappy customers (who will happily scream at the support people, even when they are themselves to blame for locking themselves out - maybe by losing the security key, or forgetting their passwords, etc).

      Even Google offers alternatives - when logging in these days, you have at least 5 or 6 methods of verifying your identity (approval on an Android device, U2F key, Authenticator, offline codes, SMS codes, pre-generated keys, etc). All of them equivalent - if a single one of those is compromised, so is your account. This is somewhat mitigated by the "new login detected" prompts and emails, but it does remain a valid security concern.

    11. Re:IT'S BULLSHIT by afaiktoit · · Score: 1

      Yes! Exactly what I was thinking when I tried to set up U2F on Facebook. What the hell?

    12. Re:IT'S BULLSHIT by the_B0fh · · Score: 1

      No. You can remove your phone number as a 2FA after you've added physical tokens.

      So it's bullshit.

    13. Re:IT'S BULLSHIT by Anonymous Coward · · Score: 0

      No, they just want to collect your phone number. Google does the same thing with Gmail. Apple does the same thing with iCloud.

      Just because they all do it doesn't make it okay or a good idea.

    14. Re:IT'S BULLSHIT by thegarbz · · Score: 1

      AFTER THEY HAVE FUCKING COLLECTED YOUR PHONE NUMBER

      I take it you've never used Google Maps, or Android, or any services by Google. Here's a hint: They have your phone number. Don't pretend to think that they don't. That would be incredibly foolish.

      Also as an aside, when did you become so petrified that you freak out about giving out something that we used to give out to everyone, and routinely also publish in a big book that was freely delivered to everyone?

      Google has my phone number? Oh the humanity! What will I do!

    15. Re:IT'S BULLSHIT by Anonymous Coward · · Score: 0

      A $50 burner phone is expensive; why not get a SIM?

    16. Re:IT'S BULLSHIT by Anonymous Coward · · Score: 0

      There was that time I got my security answer mailed back (snail) with the answer printed in bold. And it was an offensive answer.

    17. Re:IT'S BULLSHIT by Anonymous Coward · · Score: 0

      Security is only as good as the weakest link. SMS two factor has been proven to be reliably insecure.
      Don't use SMS two factor.

    18. Re:IT'S BULLSHIT by the_B0fh · · Score: 1

      Apparently Android users feel that being abused is the right thing to do, so why worry, be happy.

    19. Re:IT'S BULLSHIT by thegarbz · · Score: 1

      No, Android users don't need to run off to some safe space because someone has their phone number.

  18. Adult Supervision Needed by Anonymous Coward · · Score: 0

    Reading Exhibit 2 of the Damore lawsuit against Google pretty much deflated my assessment of Google's ability to professionally handle sensitive data. Every organization has its politics, but I've never seen anything like that before.

  19. $50 for a U2F key - LOL by Anonymous Coward · · Score: 0

    Overpay for a U2F key, AND lend your trust to Google. Brilliant strategy.

    1. Re:$50 for a U2F key - LOL by Anonymous Coward · · Score: 0

      $50 is for a bundle that actually gets you two keys (one bluetooth, one USB) and the various cables. $25 for just a USB key is competitive, and the Yubikey Neo with NFC is $50.

  20. nope not me by renegade600 · · Score: 1

    as nice as it sounds to be more secure, I would lose it within a week. me iz gettin old and tend to misplace things a lot :-(

  21. Google announces new Micro USB-C connector by Eric+Smith · · Score: 1

    That's the most impressive part of the announcement, if you ask me. Their store page says that they have a "USB-C to USB-A adapter", which is nothing special, but also a "Micro USB-C to USB-A connecting cable".

    I'm eager to hear when this new "Micro USB-C" connector will start appearing on Android phones and tablets.

  22. FSF or GNU should put out a version by Anonymous Coward · · Score: 0

    I would trust them long before I would trust Google. The FSF/GNU would at least make it a specification to be available on multiple platforms.

  23. Security? by Agripa · · Score: 1

    How can they be secure if Google can restore access even if it takes days? Doesn't that mean Google can restore access for someone else?