In July, Google claimed its 85,000 employees had gone a full year without encountering any security mishaps following a mandatory requirement of using physical security keys for two-factor authentication. Now, its in-house security key is available for sale in the Google store.
Two-factor authentication (2FA) is the bare minimum anyone should be doing to protect their accounts from social-engineering hacks like phishing emails. The most common form of 2FA is sending a user a text message with a unique code after they’ve entered their basic password. Unfortunately, even that method is vulnerable because text messages can be intercepted. A physical key is much more secure because a hacker would need to have the device in hand IRL in order to break into your account. Google said earlier this year that only 10 per cent of Gmail users have implemented 2FA, and it wants to encourage people to take things a step further and buy its Titan security key.
The physical device appeared in the Google store on Thursday and it’s really two devices. For $50, you get one USB key that can be inserted into your computer to prove that you’re really you, and a backup device that communicates with NFC or Bluetooth. The idea is that Google’s Advanced Protection Programme requires two registered devices in case you lose one, and the NFC/Bluetooth device is more convenient for unlocking a mobile device.
While it’s easy to see this as Google trying to get a piece of the lucrative physical key industry that supplies enterprise customers with bulk purchases in order to protect target-rich businesses, it would save the company a lot of headaches if its users were more secure. When Titan was first announced, it appeared there might be some bad blood between Google and Yubico, one of the leading physical key manufacturers. The two companies had previously worked together on the development of the FIDO industry standard. Yubico’s CEO claimed that they disagreed with Google’s decision to go forward with a Bluetooth implementation, and Yubico still feels that NFC is the only trustworthy wireless method of verification. The CEO also appeared to call into question the security of Google’s manufacturing line.
At the time, a Google spokesperson declined to comment when Gizmodo asked if they wanted to address those concerns. But in a blog post on Thursday, Christiaan Brand, product manager for Google Cloud, said a little more about the manufacturing process:
The firmware performing the cryptographic operations has been engineered by Google with security in mind. This firmware is sealed permanently into a secure element hardware chip at production time in the chip production factory. The secure element hardware chip that we use is designed to resist physical attacks aimed at extracting firmware and secret key material.
These permanently-sealed secure element hardware chips are then delivered to the manufacturing line which makes the physical security key device. Thus, the trust in Titan Security Key is anchored in the sealed chip as opposed to any other later step which takes place during device manufacturing.
Android Police points out the fact that Google’s keys look remarkably similar to devices by the trusted physical key manufacturer Feitian. We asked Google directly if Feitian is handling the assembly and a spokesperson told us, “Google is the manufacturer of record and we contract a third-party to produce the keys. The firmware is the most important piece here.” That may be true, and there’s no reason to believe Feitian producing the keys is anything to worry about.
In its post, Google doesn’t even try to kneecap its competitors and acknowledges that devices by Yubico, Feitian, and “many others” are quite good. The most important thing may be to bring people into Google’s Advanced Protection Programme that offers services like notifying you if your password has shown up in online dumps by hackers selling info or just causing chaos.
As far as Bluetooth being a security risk, we have seen vulnerabilities pop up in the standard, but you could always just stick with NFC for handling verification with that device. Pick a key from any of the big names mentioned here and you should be just fine. [Google via Android Police]