With all the talk about security breaches and people being able to hack systems, it’s no wonder that Google is trying to give us options to protect ourselves. Google recently announced that its 85,000 employees had managed to go more than a year without getting phished because of mandated security devices, and now Google is attempting to sell those devices to you. It’s not a bad idea, but will it work? And will it be helpful? On Wednesday, Google announced its new Titan security key. It’s a device that protects your accounts by restricting two-factor authentication to the physical world.
The device is available as a USB stick and in a Bluetooth variation, similar to products from Yubico and Feitian. All of these devices use the protocol approved by the FIDO Alliance, which means the key will be compatible with almost any service that enables users to turn on Universal 2nd Factor Authentication (U2F).
Everyone knows what two-factor authentication is, right? If you aren’t familiar with it, it’s the ability to add an extra layer of security on top of the standard password. That means you can request a text message or use an authenticator app to generate a code that also has to be entered in order to access your account. It’s kind of a basic security feature at this point. It helps users mitigate the risk of being tricked into handing over their password.
Here’s a good example of how someone can be duped. Once I complete my taxes, and they’ve been assessed by the government, they send me an email notification that says you need to log into your account because there’s information in there for you to see. There is no link to their website. It’s a straight message that says, log into your account. Sure, it’s a little scary, but at the same time, I’m not clicking from that email and going to the site, which is how phishing can occur.
But a security key goes further by requiring a USB device to be inserted into your computer or an NFC device to be in close proximity to your device. Google is also taking the lead on moving to Bluetooth for U2F. All of that aside, we don’t necessarily know how this particular product is better than anyone else’s.
In fact, following the news of the product release, Yubico’s CEO penned the following in a blog post:
Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden. Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability, and durability. BLE does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience.
Does that mean that Google’s product is inferior? It’s hard to know at this point. Unfortunately, the only way to know is by purchasing the product and then using it or, in the worst-case scenario, using it and getting hacked. Regardless, this product indicates that security is becoming a bigger concern, and we’re going to have more choices to make in the coming months and years.