Google is Now Selling a 2FA Security Key

Posted on August 30, 2018 by Paul Thurrott in Cloud, Google, Hardware, Mobile with 8 Comments

Google has announced the availability of its Titan Security Key, a hardware two-factor authentication (2FA) solution.

Before we get to the hardware, however, let’s take a quick security side-trip, because Google refers to this key as a “two-step verification” solution, not a 2FA solution.

And security geeks will tell you, correctly, that these two terms are not interchangeable. I don’t really care, and I don’t really see the difference from the perspective of the user, but let’s go down the rabbit hole.

With 2FA, you use two mechanisms to authenticate your user account. This is usually a password (“something you know”) and your phone, either using a platform-based pop-up or an authenticator app (“something you have”). (It can also include “something you are,” which refers to biometric authentication.)

Two-step authentication is literally just two authentications, each of which could be the same type of authentication. So, for example, in that phone-based example where you’re asked to authenticate using a pop-up or an app, that is technically not “something you have,” but is often rather just a second password-like thing. (Microsoft, for example, often makes you match a number that is displayed where you are signing in to one in its authenticator app pop-up.)

That’s the theory. But like I said, whatever. For most people, the difference is largely theoretical, and you can’t perform the second authentication without something you have, e.g. your phone. And you (should) need to authenticate to get into the phone in the first place.

Yes, security is tedious.

Anyway, I’ve been preaching the need for 2FA/two-factor authentication in all online accounts for years, and in particular for your core online accounts, such as those from Amazon, Apple, Google, and Microsoft, and for any accounts for which you are saving payment information.

And Google supports a variety of 2FA/two-factor authentication solutions. You can use an authenticator app, receive SMS-based security codes, or, more recently, use your phone itself as the second factor via those handy platform-based pop-ups.

And now Google supports a new hardware-based 2FA solution via its Titan Security Key solution. Available now for $50 from the Google Store, the Titan Security Key works like other fob-based authenticators (YubiKey and so on) by providing its own onboard security firmware to ensure that the system is secure and safe from phishing attacks.

Titan Security Keys are compatible with Google accounts, of course, including consumer (Gmail) accounts, G Suite, Google Cloud Identity, and Google Cloud Platform. But because they are FIDO-compatible, they also work with other compatible account types, including Facebook, Dropbox, Stripe, Twitter, and many more.
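To make the "safe from phishing" and "FIDO-compatible" claims above concrete, here is an added example (mine, not Google's or the FIDO project's code) of the origin binding that FIDO-style keys rely on: the browser, not the web page, tells the key which origin is asking, the key answers with a per-site credential over a challenge plus that origin, and the real site rejects anything signed for a lookalike origin. Two assumptions are made for the sake of a dependency-free script: an HMAC over a per-origin derived key stands in for the ECDSA signature a real key produces (so the site stores that derived key as a secret, which real FIDO avoids by using public keys), and all class and function names are hypothetical. The demo also enrols a second key as a backup for the same account.

```python
"""Constructed model of FIDO-style origin binding (added example, not Google's
or the FIDO project's code). HMAC over a per-origin derived key stands in for
the ECDSA signature a real key produces; the origin-binding checks are the point."""
import hashlib
import hmac
import json
import secrets


class SecurityKey:
    """Hypothetical hardware key: its master secret never leaves the device."""

    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)
        self.counter = 0  # monotonic use counter; lets a site notice a cloned key

    def _site_key(self, app_id: str) -> bytes:
        # Distinct per-site key derived from the master secret and the site id,
        # so registrations at different sites cannot be linked to each other.
        return hmac.new(self.master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        # Assumption of this model: the site receives the derived verification key.
        return self._site_key(app_id)

    def sign(self, app_id: str, client_data_hash: bytes) -> tuple[int, bytes]:
        self.counter += 1
        signed = (hashlib.sha256(app_id.encode()).digest()
                  + self.counter.to_bytes(4, "big") + client_data_hash)
        return self.counter, hmac.new(self._site_key(app_id), signed, hashlib.sha256).digest()


def browser_assert(key: SecurityKey, page_origin: str, challenge: str) -> dict:
    """The browser, not the page, supplies the origin it is actually displaying."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
    counter, sig = key.sign(page_origin, hashlib.sha256(client_data.encode()).digest())
    return {"client_data": client_data, "counter": counter, "sig": sig}


class RelyingParty:
    """The website; stores one credential per enrolled key for an account."""

    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self.credentials: dict[str, tuple[bytes, int]] = {}  # name -> (key, last counter)
        self.pending: set[str] = set()  # challenges issued but not yet consumed

    def enroll(self, name: str, key: SecurityKey) -> None:
        self.credentials[name] = (key.register(self.app_id), 0)

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data["challenge"] not in self.pending:
            return False  # replayed or never issued
        if data["origin"] != self.app_id:
            return False  # browser saw a different origin: the phishing signal
        signed = (hashlib.sha256(self.app_id.encode()).digest()
                  + assertion["counter"].to_bytes(4, "big")
                  + hashlib.sha256(assertion["client_data"].encode()).digest())
        for name, (key, last) in self.credentials.items():
            expected = hmac.new(key, signed, hashlib.sha256).digest()
            if hmac.compare_digest(expected, assertion["sig"]) and assertion["counter"] > last:
                self.credentials[name] = (key, assertion["counter"])
                self.pending.discard(data["challenge"])
                return True
        return False  # no enrolled key produced this assertion (or counter went backwards)


def demo() -> dict:
    """Constructed scenario: real site, primary and backup keys, a lookalike origin."""
    site = RelyingParty("https://accounts.example.com")
    primary, backup = SecurityKey(), SecurityKey()
    site.enroll("primary", primary)
    site.enroll("backup", backup)  # second key kept elsewhere, same account
    results = {}
    results["legit"] = site.verify(browser_assert(primary, site.app_id, site.challenge()))
    results["backup_key"] = site.verify(browser_assert(backup, site.app_id, site.challenge()))
    # User is on a lookalike origin that forwards the real site's challenge.
    phish = browser_assert(primary, "https://accounts-example.com", site.challenge())
    results["phish_relayed"] = site.verify(phish)
    # Rewriting the origin field afterwards breaks the signature instead.
    forged = dict(phish)
    forged["client_data"] = json.dumps(
        {"challenge": json.loads(phish["client_data"])["challenge"], "origin": site.app_id},
        sort_keys=True)
    results["phish_forged_origin"] = site.verify(forged)
    # A consumed assertion cannot be presented twice.
    again = browser_assert(primary, site.app_id, site.challenge())
    site.verify(again)
    results["replay"] = site.verify(again)
    return results


if __name__ == "__main__":
    print(demo())
```

Two of the five outcomes are what the article's "safe from phishing" promise rests on: the lookalike origin's assertion fails on the origin check, and editing the origin field afterwards fails on the signature, because the key signed the hash of the real origin the browser reported. The backup-key outcome shows that a site which stores one credential per key, rather than one per account, lets a user keep a spare key in a drawer.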

The Titan Security Key is available in the U.S. today but will be shipping to additional regions soon, Google says.

Should you buy one?

No, probably not. For most individuals, the 2FA capabilities in your smartphone are enough to protect your online accounts. This is especially true if your phone has a secure fingerprint reader that’s been configured as a requirement for any authentication request.

But if you’re curious, you can learn more about this technology from the Google Cloud blog or from the Titan Security Key website.


8 responses to “Google is Now Selling a 2FA Security Key”

  1. Polycrastinator

    I love the fact that to use the USB component with Google's own laptop, you need an adapter. So that's 3 things you need to carry around: the fob, the Bluetooth component for your phone, and a USB adapter.

    • Paul Thurrott

      In reply to Polycrastinator:

      Yeah I thought that was goofy too. Why not release it in USB-C form and make the dongle for the other connector?

    • wright_is

      In reply to Polycrastinator:

      I'll stick with my YubiKey Neo, NFC on my smartphone, USB on my PC, one device. Just a shame it doesn't come in USB-C.

      Also a shame you can't use dongles with Google accounts if you aren't using Chrome.

      I've been using the YubiKey for about 5 years now with my LastPass account, it is really good. It also has MiFare support, so I used it as a door key at my old place of work as well.

      • Polycrastinator

        In reply to wright_is:

        I have the same Yubikey. NFC works great with LastPass, but I wasn't able to make the NFC work when I was setting up my new Android phone and ended up having to fall back on a code from my old phone, which was disappointing.

        I believe the dongles also work with Firefox and Google, although I could be wrong on that. It just seems there's a restriction in Edge that stops them from working there, which should be fixed in the next Windows release IIRC.

  2. rmlounsbury

    I started using a Yubikey for the first time thanks to the freebie key that Wired gave out with new subscriptions. It is pretty handy though it doesn't have NFC so it limits the utility of it a bit and as some folks noted it is USB-A so to use it with anything I own these days I need a USB-C adapter (but I need that for anything I want to plug in practically).


    The only downside to something like a Yubikey is that they are still pretty limited. There are plenty of services/accounts I use that have no support for such a device. Much to my surprise, my preferred password management application 1Password doesn't support such a device either. Hopefully they fix that in the not so distant future.

  3. overseer

    I used a Yubikey for a long time, but I always had a bit of concern as to what happens if I were to lose it. Most of the recovery options for the accounts involve the same old phone/email type process, which means the Yubikey doesn't really offer any extra protection beyond just using phone/email for the 2nd factor anyway.


    What I really want to see is the ability to secure your account with multiple physical keys. That way I could keep a backup key in a secure location in case I were to lose the primary key.


    I also would note that the Yubikey did eventually wear out, the USB contacts eventually became unreliable and I had to retire it before I lost access completely.

  4. Alexander Rothacker

    For really good security, a dongle based solution is the preferred solution at this point, but I would agree that using an authenticator app is plenty secure for the average user.

    However, I would strongly advise against SMS based solutions; SIM swapping is just too easy these days. https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/ is a good article to scare you out of using it. Also, using SMS to recover from lost passwords or locked accounts is an equally bad idea, but still plenty in use.

    And of course, account recovery questions should be treated like passwords, too. Never answer truthfully: your mother's maiden name, your birthplace, your first car, all of those are way too easy to find out and I consider them almost public information.
