Google took its efforts to protect online accounts up a notch this week, announcing its own hardware-based security key.
Announced at Google’s Cloud Next conference, the Titan keys are a two-factor authentication (2FA) solution, designed to combat one of the most prevalent forms of online attack: account hijacking. Without 2FA, attackers who guess or steal a person’s password can use it to log in and impersonate them.
With 2FA, people accessing an account must prove that they are legitimate by using a device that they physically own (or a physical feature like a fingerprint) to log in.
Google had announced earlier this week that it had prevented attackers from gaining access to any of its 85,050 employees’ accounts since it began using hardware-based security keys internally in 2017. Now it seems that it wants to extend these benefits to its users.
There will be two versions of Google’s key: a USB one that plugs into your computer, and a Bluetooth one that must be paired with a device before use, aimed at users of mobile devices. They will both meet the Fast IDentity Online (FIDO) authentication standard, making them compatible with a range of other sites beyond Google’s own.
Google has been protecting people with 2FA access for years via its Authenticator app, launched in 2010. These new security keys will provide people with an easier way to secure their accounts because they won’t have to type in any codes.
Will Titan be enough to bolster the relatively poor adoption of 2FA, though? A 2016 University of Maryland and Johns Hopkins study of just over 500 users found that only one in four used 2FA on all of their devices, while 45% used it on some services, but not others. Of the latter, 68% said that they used it mainly when they had no choice, indicating that many users still aren’t taking responsibility for their own security, or don’t understand the risks and benefits.
On that basis, while this key will be available to everyone, don’t expect users to flock to it in droves. It will be of most use to those with the most to lose. Google acknowledges this on the Security Key product page, where it says:
While security keys are recommended for all users for stronger protection against phishing, enforcing security keys for admins and other high-value users should be the first step.
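The phishing resistance Google refers to, and the cross-site compatibility that the FIDO standard gives the keys, both come from one mechanism: the key signs a challenge together with the origin that the browser (not the web page) reports, and the site only accepts signatures over its own origin. The Go program below is an added example written for this article, not code from Google, Yubico or the FIDO Alliance; it is a deliberately simplified model of that challenge-response flow, and the two origins, the `SecurityKey`/`Scenario` names and the separator-based message layout are constructed assumptions rather than the real U2F or WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SecurityKey is a simplified model of a FIDO-style authenticator, constructed
// for this article rather than taken from Google's or Yubico's firmware: one
// private key per origin, signing only data that embeds the browser-reported origin.
type SecurityKey struct {
	creds map[string]*ecdsa.PrivateKey // origin -> credential private key
}

// Register mints a credential for origin and returns the public key the site stores.
func (k *SecurityKey) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[origin] = priv
	return &priv.PublicKey, nil
}

// signedMessage is what both sides hash: origin, separator, server challenge.
// Binding the origin into the signature is what makes the scheme phishing
// resistant, unlike a typed-in code that works wherever it is entered.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // origins are URLs and never contain NUL
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticate is the assertion step. The browser, not the web page, supplies
// browserOrigin, so a look-alike page cannot claim to be the real site.
func (k *SecurityKey) Authenticate(browserOrigin string, challenge []byte) ([]byte, error) {
	priv, ok := k.creds[browserOrigin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %s", browserOrigin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(browserOrigin, challenge))
}

// Outcome records the three checks Scenario makes; expected true, true, false.
type Outcome struct {
	LegitimateLogin bool // real origin, real credential
	PhishRefused    bool // key holds no credential for the look-alike origin
	RelayedSigValid bool // assertion made on the look-alike origin accepted by the real site
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Scenario registers at the real site, logs in, then plays a phishing page that
// relays the real challenge in real time. Both origins are constructed examples.
// The site verifies against its own origin and stored key, never the client's claims.
func Scenario() Outcome {
	var out Outcome
	key := &SecurityKey{creds: map[string]*ecdsa.PrivateKey{}}
	site := "https://accounts.example.com"
	pub, err := key.Register(site)
	must(err)
	challenge := make([]byte, 32) // fresh server nonce for this login attempt
	_, err = rand.Read(challenge)
	must(err)

	// Legitimate login: the browser is on the real origin.
	sig, err := key.Authenticate(site, challenge)
	must(err)
	out.LegitimateLogin = ecdsa.VerifyASN1(pub, signedMessage(site, challenge), sig)

	// Phishing: a look-alike origin forwards the real challenge. The key refuses
	// outright because it holds no credential for that origin.
	phish := "https://accounts-example.com"
	_, err = key.Authenticate(phish, challenge)
	out.PhishRefused = err != nil

	// Even if the user had enrolled the key on the look-alike site, its assertion
	// is bound to that origin and credential, so the real site rejects it.
	_, err = key.Register(phish)
	must(err)
	relayed, err := key.Authenticate(phish, challenge)
	must(err)
	out.RelayedSigValid = ecdsa.VerifyASN1(pub, signedMessage(site, challenge), relayed)
	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario()) // {LegitimateLogin:true PhishRefused:true RelayedSigValid:false}
}
```

The contrast with a typed-in code is the point: a six-digit code from an authenticator app is valid wherever the user enters it, so a look-alike page that relays it within the time window gets in, whereas the signature above is worthless to the real site because the origin baked into it does not match.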
Google has gradually been tightening the security measures around account logins. In 2017, it replaced SMS codes with smartphone prompts as part of its two-step verification process, after the National Institute of Standards and Technology (NIST) deprecated SMS-based 2FA.
The Titan keys will compete directly with those produced by Yubico, which was also a participant in the Cloud Next conference. Yubico, which confirmed that it isn’t making the Titan keys for Google, said that it had considered a Bluetooth version but decided against it.
While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.
Coincidentally, the security of the Bluetooth protocol came under fire this week. A bug in the protocol potentially enables attackers who are in range of a Bluetooth communication to snoop on communications, although many vendors have already fixed the issue.
Laurence Marks
> “relatively poor adoption of 2FA”
Sure! In Israel for the first half of July. Using Google Hangouts for US calls. Wanted to order from Amazon (which is set for SMS 2FA). Couldn’t.
Who wants nuisances like that? Internet is supposed to make life easier, not harder.
maggotification
Sure, and why not leave your house door unlocked. Who wants the hassle of locking and unlocking every time you go out/in, right?
mike@gmail.com
Using SMS as your source for MFA was your mistake, not Amazon’s or anyone else’s. They have the ability to use an authenticator app, which would have worked for you in IL. On top of that, if you’re insistent on using SMS as a second factor, don’t use a carrier-backed number; use a Google Voice or similar number that is behind an account that itself has MFA. This would have worked anywhere as well, and been a lot better than what you’re doing now.