Google isn’t one to shy away from bold claims.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” a spokesperson told TechCrunch.
And it’s probably true. Think of a security key as like the two-factor authentication code that’s sent to your phone, except that it lives on a USB stick in your pocket. Two-factor authentication is stronger than just a username and password, but text message codes can be intercepted and many sites and services don’t yet support the stronger authenticator codes. Security keys are one of the strongest lines of defense against account breaches. That’s because a hacker on the other side of the world trying to break into your account needs not only your password but also your physical key — and that’s not something a hacker can easily or covertly steal.
Although there are a handful of security key brands out there — YubiKey and Feitian to name two — Google thinks it can do better with its own Titan security keys.
Out Thursday, the company’s own branded and in-house-developed security keys are now available to buy. One is a USB key, and the other supports Bluetooth and NFC for mobile devices. You need to enroll both keys — one stays in a safe space, and the other stays with you.
These keys don’t look too dissimilar from the keys Google previously offered under its Advanced Protection Program, which helps high-risk users — like journalists, activists, and government officials — protect their accounts from sophisticated nation-state hackers. In fact, they look almost identical. But the company says these keys pack a punch that makes them stronger and more resilient than any other security key on the market.
USB-C to USB-A connector (left), Titan USB key (middle), Titan Bluetooth key (right)
For one, the search giant says it’s taken the best of what’s already available — like the FIDO standards — and built extra protections inside. The company is also touting its own special sauce: the software embedded on each key, which protects against tampering. Each key stores its firmware in a secure element that can’t be modified, preventing anyone from extracting the private data in the key that authenticates you with Google when you log in. By sealing in the encryption data before the hardware chips are delivered to the factory where the keys are built, Google says it reduces the risk of manufacturing attacks down the line.
You can use each key with almost any modern browser and mobile device, and a range of websites beyond Google support the key for login, like Dropbox, Facebook, Salesforce, Stripe and Twitter.
But beyond that, it’s pretty much just another security key.
But while they provide near-impermeable security, these keys — like every other on the market — are fiddly and inconvenient. And that’s coming from someone who lives and breathes security — and uses a security key.
Google isn’t close to fixing that problem. Admittedly, any kind of two-factor authentication is a pain, but it’s a price you pay for the gold standard in keeping your account safe. Every time you log in to your account from a new device, you’ll be prompted to enter your email address and password. A swift push of a button on your key — either through Bluetooth or a plugged-in USB key — will tell Google that you’re the real account owner.
A downside of physical keys is that if you lose them, you’re toast. That’s why you have two keys — one is meant to be a backup. Google says it can help you gain access to your account again, but the recovery process can take days.
Do you need a key? It depends on how paranoid you are.
Logging into Gmail with the Titan key — seamless and user-friendly.
The reality is that these keys aren’t for the masses — just yet. Although physical keys are designed for high-value targets, they’re a boon against even the most basic attacks and for novice users. Phishing attacks are common: someone sends you an email that tries to trick you into entering your email address and password on a look-alike site. If they have your password, they have your data. But a security key only works on the legitimate domain you’re logging into, making phishing attempts practically useless.
And although Google says the devices are secure, YubiKey — a major developer of security keys — criticized Google’s move to support Bluetooth, which adds another attack surface for anyone nearby, citing recent Bluetooth flaws. An attacker could theoretically grab a user’s encryption key over the air if they’re within a short range of the Bluetooth device. The company’s critiques notwithstanding, the scope of such attacks is so slim that they’re almost negligible — but everyone’s risk factors are different.
We’re still in early days with security keys. Although Google wants these keys to be cheap, accessible and available for the masses, there are too many barriers in the way — even still — for the average user.
But for those who know they need that extra layer of protection, these keys could be enough to save you from catastrophe.