The tiny Titan keys, which come in USB and Bluetooth form factors, were designed by Google to give users "a complete solution option from Google itself," said Google's Sam Srinivas.
Authentication keys are nothing new, nor is the FIDO authentication framework that Google has built Titan around. What is new is a company as big as Google marketing and selling its own hardware key. With as large a market as Google has, the Titan could be the hardware key that finally replaces vulnerable two-factor authentication (2FA) methods.
Second factors: Still vulnerable
Phishing attacks are growing in sophistication, and that growth comes with new methods for subverting two-factor authentication methods. One-time passwords are increasingly phished, websites that masquerade as legitimate login portals can steal 2FA keys, and some methods simply avoid triggering second login factors altogether.
With 41.6% of all account breaches attributable to phishing, password theft, and pretexting, Google thought it was evident that typical second authentication factors weren't doing their jobs.
SEE: Information security policy (Tech Pro Research)
Hardware security keys, on the other hand, require a user to physically have a device linked to their account that is present at the time of login; this eliminates the need to transmit data at all, significantly improving security. In fact, Google Cloud product manager Christiaan Brand said that Google hasn't had any "reported or confirmed account takeovers due to password phishing since we began requiring security keys."
How Titan security keys work, and why the keys are a good solution for businesses
Titan security keys use the FIDO Universal Second Factor (U2F) protocol, which relies on public key cryptography. Adding a Titan device to an account ties a public encryption key to that account, which is verified against a private key using a cryptographic signature supplied by the Titan device during login.
Titan keys also protect against phishing attacks from fake login portals—even with a compromised password a Titan-enabled account is still protected. When a user logs in to a fake portal, Google said, the key will know that it isn't a legitimate website and will stop the login process immediately.
Don't assume that Titan keys are only usable with Google accounts—the FIDO protocol is a popular one that works with a multitude of websites and applications. Any website that supports U2F will work with a Titan key.
Titan hardware is also built to be secure—Google designed the devices around a secure element hardware chip that contains all the necessary firmware for it to function, and all of that information is sealed in during the manufacturing process, as opposed to being installed afterward. Thus, Google said, "the trust in the security key hardware is anchored in the sealed chip as opposed to any other later step which takes place during manufacturing."
Additionally, Titan keys contain no personally identifying information, and Brand said "don't know who their owner is." If a key is found, it's useless to the person who picked it up, unless they know the owner's account names and passwords.
How to get and use a Titan security key
The retail kits available to the public, which are now on sale in the Google Store, are priced at $50 and contain two keys: A USB key for plugging in to a computer, and a low-energy Bluetooth key designed to be used with mobile devices or Bluetooth-capable computers. When testing the Titan key, I found both incredibly easy to use—all you need to do to add them (and be sure you register both) is to browse to g.co/securitykey and follow the instructions. You'll log in to your Google account's 2FA page, select the option to add a security key, and follow the onscreen prompts.
Android users can log in to an existing or new device by opening the Settings app, logging in on the Account page, and then following the options to use the Bluetooth-enabled key to sign in wirelessly.
iOS users will need to download the Google Smart Lock app to enable the Titan Bluetooth key on their devices. After the app is installed, follow the prompts to log in using your Titan key.
Once you've verified your identity on a particular device, you won't have to log in with your Titan key again—it's only necessary on new devices or browsers.
Enterprises interested in deploying Titan keys in their organization can contact their Google Cloud representative for pricing and ordering information, or purchase the keys through Google partner Insight.
Will Google's Titan security keys revolutionize 2FA?
Whether Titan security keys will truly change the 2FA game remains to be seen. Google said that 2FA users consider most methods inconvenient, but the addition of a piece of hardware may not be perceived as simpler than waiting for a text or tapping a button on a smartphone.
Most of us already have an iOS or Android device in our pockets, and adding another fob to our keychains might not be the solution. With account security as poor as it currently is, something needs to give, and Titan keys may be the start.
The big takeaways for tech leaders:
- Google's Titan security keys are now available for businesses and consumers. Titan keys use the FIDO U2F protocol, which makes them able to secure Google accounts and other services that use U2F.
- Titan keys don't contain any personal information, so businesses shouldn't worry about them being a security risk.
- Cheat sheet: Two-factor authentication (TechRepublic)
- Windows 10 moves closer to killing off passwords with Edge WebAuthn logins (ZDNet)
- Google pledges to foil phishing attacks with new Titan Security Key (TechRepublic)
- Why can't Wear OS smartwatches be security keys too? (CNET)
- Why more people don't use simple two-factor authentication (CNET)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.