Cache of the Titans: Let's take a closer look at Google's own two-factor security keys

If it's good enough for me...

Analysis Intriguing news for anyone who believes that FIDO two-factor authentication keys are the obvious, if under-used, way to stop phishing attacks: Google is launching its own authentication token.

Called the Titan Security Key (not to be confused with Google’s Titan security chip), its announcement at Google's Cloud Next 2018 conference in July may explain why the web giant was keen some days ago to boast that its 85,000 employees have not suffered a single successful account takeover since the company mandated the use of these keys in early 2017.

When Google bragged that factoid, it seemed more likely than not that the keys in question were Yubikeys, simply because the company that makes them, Yubico, has mentioned how many Google has bought from it in recent years. Now it appears as if some or even many of those keys were Google’s Titans, which wouldn’t be entirely surprising given that Google (along with Yubico) was instrumental in pushing the FIDO Alliance industry group and co-developing the protocols - such as U2F - that underpin their use.

From the product images, it appears that there are two versions: one designed to plug into a USB port and a second for mobile users which works via Bluetooth.

The Titan can also be used to authenticate on other sites supporting FIDO U2F tokens such as GitHub, Facebook, Dropbox, various password managers, and a selection of others.

Google Cloud customers can get their hands on one now, with everyone else able to buy them for about $20 (£15) from the Google online store in most countries “soon”.

The good bit

FIDO U2F authentication tokens have been around for years and yet from anecdotal evidence (Amazon sales numbers, Google’s own estimate of its users), few beyond a small number of business sectors use them.

They should be an easy sell because they stop attackers from compromising accounts without having physical access to the key, even if they have somehow phished the user’s password.
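The reason a phished password is not enough is worth seeing concretely. In U2F the token never signs a bare challenge: the browser hands it a hash of the application ID derived from the origin the page was actually loaded from, plus a hash of the client data (which also names that origin), and the relying party checks both against its own origin. The following model is an added example written for this article, not code from Google, Yubico or the FIDO specifications; the origins are constructed placeholders, and HMAC-SHA256 with a per-registration secret stands in for the per-registration ECDSA P-256 key pair a real token uses, so that the example runs on the Python standard library alone. What is signed and what is verified follows the U2F layout.

```python
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://accounts.example"        # constructed relying party origin
PHISH_ORIGIN = "https://accounts-example.test"  # constructed look-alike site


class SecurityKey:
    """Hypothetical token. It never sees the origin as text: the browser gives it
    the 32-byte application parameter (SHA-256 of the app ID) and the SHA-256 of
    the client data, and it signs both together with a monotonically rising counter.
    Signature primitive is HMAC here (assumption); real tokens use ECDSA P-256."""

    def __init__(self):
        self._secrets = {}   # key handle -> per-registration secret
        self.counter = 0

    def register(self, app_param: bytes) -> tuple[bytes, bytes]:
        handle, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._secrets[handle] = secret
        return handle, secret   # stand-in for handing the public key to the RP

    def authenticate(self, handle: bytes, app_param: bytes, client_param: bytes):
        self.counter += 1
        # U2F signs: app_param || user-presence byte || counter || client_param
        signed = app_param + b"\x01" + struct.pack(">I", self.counter) + client_param
        return self.counter, hmac.new(self._secrets[handle], signed, hashlib.sha256).digest()


class Browser:
    """Derives both the app parameter and the client data from the origin the page
    really came from; a phishing page cannot ask for another origin's signature."""

    @staticmethod
    def client_data(origin: str, challenge: str) -> bytes:
        return json.dumps({"typ": "navigator.id.getAssertion",
                           "challenge": challenge, "origin": origin}, sort_keys=True).encode()

    @staticmethod
    def app_param(origin: str) -> bytes:
        return hashlib.sha256(origin.encode()).digest()


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.registrations = {}   # handle -> [secret, last counter seen]
        self.pending = set()      # challenges issued but not yet answered

    def enroll(self, key: SecurityKey) -> bytes:
        handle, secret = key.register(Browser.app_param(self.origin))
        self.registrations[handle] = [secret, 0]
        return handle

    def issue_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, handle: bytes, client_data: bytes, counter: int, sig: bytes) -> bool:
        data = json.loads(client_data)
        # 1. the client data must name this origin and a challenge we actually issued
        if data.get("origin") != self.origin or data.get("challenge") not in self.pending:
            return False
        secret, last = self.registrations[handle]
        expected = hmac.new(secret, Browser.app_param(self.origin) + b"\x01"
                            + struct.pack(">I", counter) + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        # 2. the signature must cover our app parameter and exactly this client data
        if not hmac.compare_digest(expected, sig):
            return False
        # 3. the counter must advance, which also flags a cloned token
        if counter <= last:
            return False
        self.registrations[handle][1] = counter
        self.pending.discard(data["challenge"])
        return True


def legitimate_login(rp: RelyingParty, key: SecurityKey, handle: bytes) -> bool:
    challenge = rp.issue_challenge()
    cd = Browser.client_data(rp.origin, challenge)
    counter, sig = key.authenticate(handle, Browser.app_param(rp.origin),
                                    hashlib.sha256(cd).digest())
    return rp.verify(handle, cd, counter, sig)


def phished_login(rp: RelyingParty, key: SecurityKey, handle: bytes) -> tuple[bool, bool]:
    """Attacker already holds the password, fetches a real challenge, shows it to the
    victim on the look-alike origin and forwards whatever the token produces."""
    challenge = rp.issue_challenge()
    cd = Browser.client_data(PHISH_ORIGIN, challenge)   # victim's browser binds the real origin
    counter, sig = key.authenticate(handle, Browser.app_param(PHISH_ORIGIN),
                                    hashlib.sha256(cd).digest())
    relayed_unchanged = rp.verify(handle, cd, counter, sig)
    # rewriting the client data to claim the real origin breaks the signature instead
    rewritten = rp.verify(handle, Browser.client_data(rp.origin, challenge), counter, sig)
    return relayed_unchanged, rewritten


if __name__ == "__main__":
    key, rp = SecurityKey(), RelyingParty(REAL_ORIGIN)
    handle = rp.enroll(key)
    print("legitimate:", legitimate_login(rp, key, handle))
    print("phished (relayed, rewritten):", phished_login(rp, key, handle))
```

The two rejections in `phished_login` are the whole point: the relayed assertion carries the phishing origin inside the signed client data, and editing that origin out invalidates the signature, so an attacker with the password still has nothing the real site will accept. The counter check is a separate defence against a cloned key replaying old assertions.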

One reason for the low uptake is that they are still surprisingly expensive, particularly outside the US. For example, for most of this year on Amazon UK, the Yubikey has been sold as an import for up to £30 ($40), which is a lot to ask someone to pay for something whose benefits they possibly don’t understand.

That’s the other glaring issue – barely anyone has heard of these tokens, a reflection of the fact that nobody with a big enough marketing budget has taken the time to tell them.

If that was ever going to change it was Google that was going to do it. It helped develop the technology after all, and has the resources to promote them to a wider audience.

From launch, the USB Titan will cost around $20-$25, or both keys for $50. Not terribly enticing perhaps, but with Google in the game sales volumes will rise and unit costs fall.

Yubikey maker Yubico now has competition from one of the biggest companies on Earth, which prompted a blog post from Yubico that took issue with Google’s decision to base the wireless key on Bluetooth rather than NFC.

“Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” wrote CEO Stina Ehrensvard.

That design decision boosts compatibility with mobile devices, not all of which have NFC, but comes with the disadvantage that, “BLE does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience.”

It’s also true that Yubico’s NFC product, the Neo, is expensive at $50 (or £50), which might be why it’s rarer than a unicorn amongst consumers. ®
