Google really, really wants you to use physical security keys to protect yourself from hackers. After announcing that its 85,000 employees have managed to go more than a year without getting phished because of mandated security devices, Google now has its own physical security key to sell you.
On Wednesday, the company announced its new Titan security key, a device that protects your accounts by restricting two-factor authentication to the physical world. It’s available as a USB stick and in a Bluetooth variation, and like similar products by Yubico and Feitian, it uses the protocol approved by the FIDO Alliance. That means it’ll be compatible with pretty much any service that lets users turn on Universal 2nd Factor (U2F) authentication.
At this point, everyone should be familiar with the basic two-factor authentication that adds an extra layer of security on top of the standard password. You can request a text message or use an authenticator app to generate a code that also has to be entered to access your account. This helps mitigate the risk involved with being tricked into handing over your password. But the technique can still be circumvented by a hacker.
U2F goes further by requiring a USB key that’s inserted into your computer, or an NFC key held in close proximity to your device. Google is also spearheading the move to using Bluetooth (BLE) for U2F. Bluetooth aside, however, it’s unclear what exactly sets Google’s product apart from its competitors.
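To show why a relayed one-time code gets through but a U2F assertion does not, here is an added simulation of the U2F login exchange (example code written for this article, not Google’s or Yubico’s). It assumes a relying party at the constructed origin https://accounts.example and uses an HMAC over a device secret as a stand-in for the ECDSA signature a real key produces; the signed message layout (appId hash, counter, clientData hash) and the origin check are the ones the protocol relies on.

```python
import hashlib, hmac, json, os, struct

# Constructed example: an HMAC keyed by the device secret stands in for the
# ECDSA P-256 signature a real U2F token produces. The message layout
# (sha256(appId) || counter || sha256(clientData)) follows the U2F spec.
DEVICE_SECRET = os.urandom(32)
counter = 0  # the token's monotonic use counter

def device_key_for(app_id):
    """Per-origin key a real token derives from its key handle."""
    return hmac.new(DEVICE_SECRET, app_id.encode(), hashlib.sha256).digest()

def device_sign(app_id, client_data):
    """The token signs over the origin it was actually used at (the browser
    enforces app_id == page origin), plus an incremented counter."""
    global counter
    counter += 1
    msg = (hashlib.sha256(app_id.encode()).digest() + struct.pack(">I", counter)
           + hashlib.sha256(client_data).digest())
    return counter, hmac.new(device_key_for(app_id), msg, hashlib.sha256).digest()

def browser_client_data(origin, challenge):
    """What the browser hands the token: the server challenge and the page origin."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()

def server_verify(rp_origin, registered_key, challenge, client_data, ctr, sig, last_ctr):
    """Relying party checks: challenge echo, origin binding, counter, signature."""
    cd = json.loads(client_data)
    if cd.get("challenge") != challenge or cd.get("origin") != rp_origin:
        return False  # assertion was produced on some other site
    if ctr <= last_ctr:
        return False  # replay or cloned token
    msg = (hashlib.sha256(rp_origin.encode()).digest() + struct.pack(">I", ctr)
           + hashlib.sha256(client_data).digest())
    expected = hmac.new(registered_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

RP = "https://accounts.example"  # assumed relying-party origin (constructed)
REG_KEY = device_key_for(RP)     # what the server stored at registration

def login_attempt(page_origin, last_ctr=0):
    """Run one login: the user touches the key on page_origin, the assertion
    is forwarded to RP. Returns True only if RP accepts it."""
    challenge = os.urandom(16).hex()
    cd = browser_client_data(page_origin, challenge)
    ctr, sig = device_sign(page_origin, cd)
    return server_verify(RP, REG_KEY, challenge, cd, ctr, sig, last_ctr)
```

A genuine login succeeds, while the same assertion collected on a look-alike origin is rejected because the origin is baked into what the key signed; a texted code carries no such binding, which is the gap the article refers to.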
In an email to Gizmodo, the company said, “Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key.” So it appears that above all, Google is simply betting on brand recognition—and it’s true that you don’t want to buy this kind of gear from an unknown source.
Yubico pioneered this technology and is the dominant force in manufacturing U2F devices as well as further refining its protocols. It counts major companies like Facebook among its business clients. Google has also been a Yubico client and the two companies have worked together on the development of the FIDO standards over the years.
Following today’s announcement of the Titan key, Yubico CEO Stina Ehrensvard wrote a blog post that was slightly critical of Google’s new product. Ehrensvard insisted that everyone at Yubico “are true supporters of open standards” and all new competitors in the field are welcome. But she singled out a couple of points for users to keep in mind if they’re trying to decide if they want to go with Titan. From her post:
Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.
Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.
When we asked Google if it would like to respond to the concerns Ehrensvard raised, a spokesperson declined. Her point about the country in which Titan is being manufactured is a bit confusing. It appears she’s trying to say that Google’s device is being manufactured in a country that could leave it open to being compromised. When we asked Yubico what this meant and where Titan is being produced, a spokesperson referred us back to Google.
Yubico’s spokesperson did point us to a recent warning from the U.S. Computer Emergency Response Team that Bluetooth devices potentially contain a vulnerability that would allow an attacker to access your data. Yubico says it’s focused on near-field communication (NFC) instead of Bluetooth and it plans to “announce another secure and user-friendly solution for iOS” soon.
Speaking of user-friendly solutions, U2F, in general, is a bit of a pain in the ass. CNET got a hands-on preview of the Titan key and found themselves locked out of their accounts when they forgot the device at the office. They recommend setting up a backup verification with Google that sends a notification to a trusted device to get you back into your accounts. But I’m sure most people are pretty good about remembering the keys to their house or car, and carrying this could become second nature after a while.
As far as why Google is doing this at the moment, it seems reasonable that it’s genuinely trying to ingrain that kind of second nature into the public. Yubico makes plenty of money, but not the kind of fuck-you money that fuels Google. Titan appears to be mostly about spreading public awareness and doing some brand building around security. Earlier this year, Google lamented that only 10 percent of Gmail users have enabled two-factor authentication. Encouraging users to get into security keys widens the Overton window on what people are willing to tolerate as a necessary annoyance.
Google Cloud customers can already order Titan keys through their Google rep and the company says they’ll be available to everyone soon for $20 to $25, which is a fairly standard price. If you don’t want to wait, Yubico and Feitian have respected keys that are ready to ship out now.