Google introduced the Titan Security Key during its Google Cloud Next ’18 convention, a physical USB-based device that eliminates the need to enter usernames and passwords. The FIDO-based device includes firmware developed by Google’s engineers that verifies its integrity, so you can log onto your favorite sites worry-free. It’s available now for Google Cloud customers followed by a full mainstream availability “soon.”
“We’ve long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft,” the company states.
Google’s key is based on the FIDO U2F protocol, short for “universal 2nd factor.” Borrowing from the smart card concept, you merely insert the key into a USB port or tap it against an NFC-compatible smartphone. When you create an online account (or update your existing security preferences), your PC will create two encrypted tokens: one public and one private.
Later when you log into the account, the service containing the public token will send a “challenge” requiring you to touch a button on the key, thus unlocking the private token for verification. There’s no personal information sent across the internet, and the private token used to unlock the service remains solely on the physical key.
Google and Yubico originally developed this protocol along with support by NXP but now its maintained by the FIDO Alliance. Yubico already offers its YubiKey series for desktop and mobile, such as the YubiKey 4 supporting multiple protocols, the Android-friendly YubiKey NEO, and the Security Key with out-of-the-box support for Gmail, Facebook, and more.
That said, Google’s new Titan Security Key will be in direct competition with Yubico’s products. The difference is that one of Google’s models will rely on a Bluetooth Low Energy component, a standard Yubico helped build but decided not to use because “it does not meet our standards for security, usability, and durability.” Bluetooth, according to Yubico, doesn’t offer the same security level as NFC and USB.
There’s no information about the Titan Security Key’s manufacturer, but Google plans to sell both USB- and Bluetooth-based models in a bundle for $50 or separately for around $25 each — possibly in the sub-$10 range in the future. Moreover, the Titan Security Key won’t have anything to do with Google’s Titan-branded chip used to protect cloud-based servers.
“Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key,” Google says.
Although smartphones are good for two-factor authentication, SMS-based messages can be intercepted. Even more, if your smartphone is lost or damaged, it takes your private keys with it. A USB-based key can get damaged as well, but it can hang on a keychain and doesn’t require a network connection. According to Google, the Bluetooth model can supposedly remain active for six months on a single charge.
Google will initially target customers who need the Titan Security Key the most: Journalists, business executives, politicians, and the like.