When Google boasted that none of its 85,000-plus employees had their accounts hacked since early 2017, it was all thanks to an early version of a security key the company was testing.
And now the latest version of that security key will be available for the world to use.
In an exclusive hands-on, CNET was able to test the Titan Security Key, Google’s own key, which uses multifactor authentication to protect people against phishing attacks. Security keys come in many forms, such as a USB stick or a Bluetooth fob, and connect to your device when you try logging in.
The point is to provide a second layer of security through multifactor authentication — that is, more than one method of proving you’re the person who’s authorized to log in. Hackers may be able to steal your password online, but they often have a much harder time stealing a physical security key that’s with you.
The Titan Security Key, which comes in both USB and Bluetooth versions, will be available for sale in Google’s online store within the next few months, said Christiaan Brand, a Google product manager for identity and security.
It’ll come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each, Brand said. The set of security keys should work on any device with a USB port or a Bluetooth connection.
The software on the security keys is developed by Google’s engineers, and the company has been testing it internally since early 2017. Though the Titan Security Key shares a name with Google’s security chip, it’ll be using a different set of chips.
“We’re very sure of the quality of the security,” Brand said. “We’re very sure of how we store secrets and how hard it would be for an attacker to come in and blow the security up.”
Phishing is one of the most common ways for hackers to get your password. It was how Russian hackers infiltrated the Democratic National Committee — using sophisticated attacks to target people and trick them into giving up their passwords. But these attacks aren’t just reserved for politicians.
They can pop up during tax season and disasters, in coordinated attempts to get everyday people to type in their passwords on an imposter website. Security keys add an extra level of protection because even if hackers were successful in stealing your password through phishing, they wouldn’t be able to grab your security key. Security keys would also be able to warn you if you were visiting a phishing website.
They’re great for security, but sometimes the keys do their job a little too well — as when the Titan temporarily locked me out of my own account when I didn’t have access to the key. More on that below.
Functionally, the Google key should work exactly the same as popular keys already on the market, like Yubico’s YubiKey, which Google recommended in the past. Sam Srinivas, a product management director for information security at Google, said the company’s not trying to compete with other security keys, but rather expand how many options are available.
“The most important thing is for everyone to use a security key,” said Srinivas. “The Titan Key is specifically for customers who want security keys and trust Google.”
In a response posted after the announcement, Yubico CEO Stina Ehrensvard said the company wouldn’t be following Google’s lead with a Bluetooth version.
“While Yubico previously initiated development of a [Bluetooth] security key, and contributed to the [Bluetooth Universal 2nd Factor authentication] standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Ehrensvard wrote. Bluetooth “does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.”