Slashdot Mirror


Google's $50 Titan Security Keys Are Now Available in the US (engadget.com)

Last month, Google introduced its Titan Key -- a physical security key used for two-factor authentication -- and now it's widely available for purchase in the US through the company's Google Store. Almost any modern browser and mobile device, as well as services such as Dropbox, Twitter, Facebook, Salesforce, and Stripe, support the Titan Key. It's Google's take on a Fast Identity Online key, a physical device used to authenticate logins over Bluetooth. From a report: For $50, you'll get a USB security key and a Bluetooth security key as well as a USB-C to USB-A adapter and a USB-C to USB-A connecting cable. What happens if you lose them? From a report: A downside of physical keys is that if you lose them, you're toast. That's why you have two keys -- one is meant to be a backup. Google says it can help you gain access to your account again but the recovery process can take days. VentureBeat adds: It's not meant to compete with other FIDO keys on the market, stressed Sam Srinivas, product management director for information security at Google, during a press pre-briefing. Rather, it's "for customers who want security keys and trust Google," he said. Further reading: None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA.

15 of 127 comments

  1. Curious by the_skywise · · Score: 3, Interesting

    None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA

    How many of them using 2FA and NOT using physical keys got phished?
    Getting phished for the password sure - but who gives out the 2FA code? Even presuming a hacked website I would think the key would just hand over the data to the fake website?

    1. Re:Curious by olsmeister · · Score: 4, Interesting

      I was closing an account at Capital One a couple of weeks ago, and as a security precaution they asked me for my phone #, sent me a code via text message, and had me repeat that code back to them. I was like, I don't understand what the hell that just accomplished but whatever, I just want to close the damn account. Maybe that's their idea of 2FA.

    2. Re: Curious by Anonymous Coward · · Score: 2, Insightful

      Well they just proved that whoever was closing the account had a phone number. Can never be too sure these days. It's not like just anyone can have a phone number.

    3. Re:Curious by fibonacci8 · · Score: 2, Insightful

      It sounds like you got phished by Capital One for your phone number, have you taken any steps in case they misuse it?

      --
      Inheritance is the sincerest form of nepotism.
  2. Trust Google? by Anonymous Coward · · Score: 2, Insightful

    Would you trust Google to make you secure when Google mines details about as many people as it can?

    1. Re: Trust Google? by dbialac · · Score: 2, Insightful

      Yep. Don't think for a second that this isn't another way to track you online.

  3. Re:Google Authenticator by AmiMoJo · · Score: 4, Interesting

    There are a few benefits to using these kinds of keys. I don't know about the Google one specifically but others have features like being able to act as a USB keyboard and enter very long, complex passwords for you when you press the button. There is also the speed factor, no opening an app and copying a code manually.

    The down side is that these keys have no physical security. Your phone is at least lockable, but if someone takes your key there is nothing to stop them using it. Mainly a concern for people who might get targeted specifically or people at risk from law enforcement in bad countries.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Who cares? by jittles · · Score: 5, Interesting

    Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

  5. Curious to have a product with no customers by SuperKendall · · Score: 4, Funny

    it's "for customers who want security keys and trust Google"

    It doesn't seem like anyone there ran through the Venn diagram on that one, because I come up with approximately zero customers...

    And that includes Google employees.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Curious to have a product with no customers by fibonacci8 · · Score: 2

      I suspect you mistakenly substituted "should trust Google" in your own diagram, when the customers are those who "do trust Google".

      --
      Inheritance is the sincerest form of nepotism.
  6. Two Things: by Cornwallis · · Score: 4, Interesting

    1) "A downside of physical keys is that if you lose them, you're toast." Bullshit. I use Yubikey and if I lose it I simply use the backup alphanumeric codes I created when I established the 2FA account on the site.

    2) You're gonna trust Google?

  7. This device is for whom exactly? by AnthonywC · · Score: 2

    If you actually want a 2FA you would probably have enabled it with your phone or possibly a physical key device (similar to this one). However this is a Bluetooth device and we all know how secure that is.

  8. IT'S BULLSHIT by the_B0fh · · Score: 4, Interesting

    To use a hardware token as 2FA on FaceBook, Twitter, DropBox and so on, YOU FIRST HAVE TO ENABLE 2FA VIA SMS.

    AFTER THEY HAVE FUCKING COLLECTED YOUR PHONE NUMBER, THEN AND ONLY THEN WILL HARDWARE TOKEN 2FA BE AVAILABLE AS AN OPTION.

    WHAT THE FUCK?

    1. Re:IT'S BULLSHIT by jittles · · Score: 2

      Most likely, they are using SMS as a backup recovery mechanism - so that you are not "toast" when you lose your security key. If you lose the physical key, you will still be able to recover your account via SMS.

      Well then I will save my $50 and not buy a security key if they’re going to insecure it in that manner. It just takes a few minutes of social engineering to hijack someone’s number and therefore their SMS.

    2. Re:IT'S BULLSHIT by tlhIngan · · Score: 2

      If you lose the physical key, you will still be able to recover your account via SMS.

      Have we not learned? A phone number is not something you have. NIST discovered this a few years ago and updated their guidelines - no SMS, phone call, or other thing can be valid for identification at all.

      Hell, this existed even before cellphones were popular - phone phreaking was a thing and it was possible to reprogram a switch to temporarily redirect a phone call to another phone. Many used it to bypass "phone verification" systems that banks and such implemented where they would call you back at your home or something. And this was done in the late 80s.

      2FA is only as strong as the weakest mechanism. The fact you can "recover" by SMS means it doesn't matter how strong your 2FA mechanism is, you're bound by the weakest link, in this case, SMS. (Think about it - why have the most secure key in the world, if anyone else can claim to "lose" it and thus revert to SMS?)