Cache of the Titans: Let's take a closer look at Google's own two-factor security keys

If it's good enough for me...


Analysis Intriguing news for anyone who believes that FIDO two-factor authentication keys are the obvious way to stop phishing attacks, yet that not enough people use them – Google is launching its own authentication token.

Called the Titan Security Key (not to be confused with Google’s Titan security chip), its announcement at Google's Cloud Next 2018 conference in July may explain why the web giant was keen some days ago to boast that its 85,000 employees have not suffered a single successful account takeover since the company mandated the use of these keys in early 2017.

When Google bragged about that factoid, it seemed more likely than not that the keys in question were Yubikeys, simply because the company that makes them, Yubico, has mentioned how many Google has bought from it in recent years. Now it appears as if some or even many of those keys were Google’s Titans, which wouldn’t be entirely surprising given that Google (along with Yubico) was instrumental in pushing the industry FIDO Alliance and co-developing the protocols, such as U2F, that underpin their use.

From the product images, it appears that there are two versions: one designed to plug into a USB port and a second for mobile users which works via Bluetooth.

The Titan can also be used to authenticate on other sites supporting FIDO U2F tokens such as GitHub, Facebook, Dropbox, various password managers, and a selection of others.

Google Cloud customers can get their hands on one now, with everyone else able to buy them for about $20 (£15) from the Google online store in most countries “soon”.

The good bit

FIDO U2F authentication tokens have been around for years and yet from anecdotal evidence (Amazon sales numbers, Google’s own estimate of its users), few beyond a small number of business sectors use them.

They should be an easy sell because they stop attackers from compromising accounts without having physical access to the key, even if they have somehow phished the user’s password.

One reason for the poor uptake is that they are still surprisingly expensive, particularly outside the US. For example, for most of this year on Amazon UK, the Yubikey has been sold as an import for up to £30 ($40), which is a lot to ask someone to pay for something whose benefits they possibly don’t understand.

That’s the other glaring issue – barely anyone has heard of these tokens, a reflection of the fact that nobody with a big enough marketing budget has taken the time to tell them.

If that was ever going to change, it was Google that was going to do it. It helped develop the technology, after all, and has the resources to promote the tokens to a wider audience.

From launch the USB Titan will cost around $20-$25, or both keys for $50. Not terribly enticing perhaps, but with Google in the game sales volumes will rise and unit costs fall.

Yubikey maker Yubico now has competition from one of the biggest companies on Earth, which prompted a blog post that took issue with Google’s decision to base the wireless key on Bluetooth rather than NFC.

“Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” wrote CEO Stina Ehrensvard.

That design decision boosts compatibility with mobile devices, not all of which have NFC, but comes with the disadvantage that, “BLE does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience.”

It’s also true that Yubico’s NFC product, the Neo, is expensive at $50 (or £50), which might be why it’s rarer than a unicorn amongst consumers. ®
