Google's $50 Titan Security Keys Are Now Available in the US

Last month, Google introduced its Titan Key -- a physical security key used for two-factor authentication -- and now it's widely available for purchase in the US through company's Google Store. Almost any modern browser and mobile device, as well as services such as Dropbox, Twitter, Facebook, Salesforce, Stripe support the Titan Key. It's Google's take on a Fast Identity Online key, a physical device used to authenticate logins over Bluetooth. From a report: For $50, you'll get a USB security key and a Bluetooth security key as well as a USB-C to USB-A adapter and a USB-C to USB-A connecting cable. What happens if you lose them? From a report: A downside of physical keys is that if lose them, you're toast. That's why you have two keys -- one is meant to be a backup. Google says it can help you gain access to your account again but the recovery process can take days. VentureBeat adds: It's not meant to compete with other FIDO keys on the market, stressed Sam Srinivas, product management director for information security at Google, during a press pre-briefing. Rather, it's "for customers who want security keys and trust Google," he said. Further reading: None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA.

Curious

[the_skywise]

None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA

How many of them using 2FA and NOT using physical keys got phished?
Getting phished for the password sure - but who gives out the 2FA code? Even presuming a hacked website I would think the key would just hand over the data to the fake website?

Re:Curious

[olsmeister]

I was closing an account at Capital One a couple of weeks ago, and as a security precaution they asked me for my phone #, sent me a code via text message, and had me repeat that code back to them. I was like, I don't understand what the hell that just accomplished but whatever, I just want to close the damn account. Maybe that's their idea of 2FA.

Re:Google Authenticator

[AmiMoJo]

There are a few benefits to using these kinds of keys. I don't know about the Google one specifically but others have features like being able to act as a USB keyboard and enter very long, complex passwords for you when you press the button. There is also the speed factor, no opening an app and copying a code manually.

The down side is that these keys have no physical security. Your phone is at least lockable, but if someone takes your key there is nothing to stop them using it. Mainly a concern for people who might get targeted specifically or people at risk from law enforcement in bad countries.

Who cares?

[jittles]

Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

Two Things:

[Cornwallis]

1) "A downside of physical keys is that if lose them, you're toast." Bullshit. I use Yubikey and if I lose it I simply use the backup alpanumeric codes I created when I established the 2FA account on the site.

2) You're gonna trust Google?

IT'S BULLSHIT

[the_B0fh]

To use a hardware token as 2FA on FaceBook, Twitter, DropBox and so on, YOU FIRST HAVE TO ENABLE 2FA VIA SMS.

AFTER THEY HAVE FUCKING COLLECTED YOUR PHONE NUMBER, THEN AND ONLY THEN WILL HARDWARE TOKEN 2FA BE AVAILABLE AS AN OPTION.

WHAT THE FUCK?