When Google boasted that none of its, it was all thanks to an early version of a security key the company was testing.
And now the latest version of that security key will be available for the world to use.
In an exclusive hands-on, CNET was able to test the Titan Security Key, Google’s own key, which uses multifactor authentication to protect people against phishing attacks. Security keys come in many forms, whether it’s a USB stick or a Bluetooth fob, used to connect to your device when you try logging in.
The point is to provide a second layer of security through multifactor authentication — that is, more than one method of proving you’re the person who’s authorized to log in. Hackers may be able to steal your password online, but they often have a much harder time stealing a physical security key that’s with you.
Google has been advocating for security keys for a while, making them a requirement for its Advanced Protection Program, and touting them as the “strongest, most phishing-resistant authentication factor.”
The Titan Security Key, which comes in both USB and Bluetooth versions, will be available for sale in Google’s online store within the next few months, said Christiaan Brand, a Google product manager for identity and security.
It’ll come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each, Brand said. The set of security keys should work on any device with a USB port or a Bluetooth connection.
The software on the security keys is developed by Google’s engineers, and the company has been testing it internally since early 2017. Though the Titan security key shares a name with Google’s security chip, it’ll be using a different set of chips.
“We’re very sure of the quality of the security,” Brand said.” We’re very sure of how we store secrets and how hard it would be for an attacker to come in and blow the security up.”
Phishing is one of the most common ways for hackers to get your password. It was how Russian hackers infiltrated the Democratic National Committee — using sophisticated attacks to target people and trick them into giving up their passwords. But these attacks aren’t just reserved for politicians.
They can pop up during tax season and disasters, in coordinated attempts to get everyday people to type in their passwords on an imposter website. Security keys add an extra level of protection because even if hackers were successful in stealing your password through phishing, they wouldn’t be able to grab your security key. Security keys would also be able to warn you if you were visiting a phishing website.
They’re great for security, but sometimes the keys do their job a little too well — as when the Titan temporarily locked me out of my own account when I didn’t have access to the key. More on that below.
Functionally, the Google key should work exactly the same as popular keys already on the market, like YubiCo’s Yubikey, which Google recommended in the past. Sam Srinivas, a product management director for information security at Google, said the company’s not trying to compete with other security keys, but rather expand how many options are available.
“The most important thing is for everyone to use a security key,” said Srinivas. “The Titan Key is specifically for customers who want security keys and trust Google.”
In a response posted after the announcement, Yubico CEO Stina Ehrensvard said the company wouldn’t be following Google’s lead with a Bluetooth version.
“While Yubico previously initiated development of a [Bluetooth] security key, and contributed to the [Bluetooth Universal 2nd Factor authentication] standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Ehrensvard wrote. Bluetooth “does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.”
Google declined to comment on Yubico’s remarks about Bluetooth security.
The hope is now that Google is creating and selling its own security key, it can bring the price down if the device gets popular enough, which is the company’s goal.
“We’re not quite happy where these devices are out of reach for customers who can’t afford it,” Brand said. “We’re thinking that hopefully at some point in time, these keys can be in the sub-$10 range.”
But before prices can drop, Google is going to have to convince people they actually need a security key.
In January, a Google engineer said that less than 10 percent of Gmail users have two-factor authentication enabled on their accounts.
Google is aware of the lack of interest in multifactor authentication, and it’s hoping the Titan key can change that.
There are plenty of reasons why people might not be interested in security keys. It’s another item to carry around. They already have two-factor authentication set up with their phones. They might believe their passwords are already strong enough.
All of these are obstacles Google will have to get around to get more people using security keys.
One of the most popular forms of two-factor authentication is to have the service send a PIN via text message to your phone, which you then type in. It helps, but it’s not foolproof, Srinivas said. Google found that a targeted attack would be able to trick people into giving up that PIN code, too.
In a Twitter thread, Shane Huntley, director of Google’s Threat Analysis Group, explained how someone could still phish a victim through text messages, even with two-factor authentication. Basically, the attacker could send the victim a bogus request for the PIN.
Huntley then recommended using a security key to prevent that from happening.
A security key has other advantages over codes sent to a phone. Though a phone is convenient, Srinivas said, a security key is easier to use and keep track of. You don’t need a network to use it, which is helpful when people are in different countries and can’t receive text messages. You also don’t need power for it, a good thing if your phone battery dies. The Bluetooth version of the Titan key can last for up to six months on a single charge.
“The fundamental thing is that we’ve got to make this easier for real people to use,” Srinivas said.
Google will run awareness campaigns about its new security key, but they’ll be targeted to the people it thinks need them the most: potential targets that hackers are after, like politicians, business executives and journalists.
Those people will be more heavily targeted because their email accounts, and the contents within them, are much more valuable for thieves. Phishing a politician can lead to political turmoil like that tied to the 2016 Democratic National Convention, while a pair of attacks on a bank let thieves steal $2.4 million in eight months.
“Even though carrying this key all the time might not be for the billions, if your account really matters, it’s valuable enough that you should be carrying it,” Srinivas said.
Setting it up
I had a chance to try out the Titan Key myself.
Setting up my security keys was a fairly standard experience. I went to my security settings for Google, and looked for the 2-Step Verification section. From there, I clicked on Add Security Key and was prompted to stick the USB key in and tap the button on it.
I went through the same process for the Bluetooth version, and also set it up for my Facebook account. Now even if someone gained access to my Gmail password, they wouldn’t be able to log in unless they also stole the security key from my pocket.
I did run into a few hiccups without my security key over the weekend — I left it in the office and was asked to enter it to log in to my account from home. Luckily I also set up a backup verification through a Google prompt, which sends an alert to my email on a trusted device, instead of a text message.
But it’s hiccups like that that often push people away from using security keys. If I didn’t have that backup measure, I’d have been locked out of my account until I got access to the key again.
Google’s goal, though, is to get rid of these slip-ups by making security keys second nature, in the same way that people leave their homes every day with a set of house or car keys.
“We want people to understand that this is almost a necessary thing that they should use,” Srinivas said.
Phish out of water
Before Google started testing the Titan Key internally, it found that its own employees were susceptible to phishing attacks.
Google’s Red Team, a group within the company dedicated to testing employees’ security, made multiple successful phishing efforts against Google’s own staffers. It exposed a weakness within Google: If an attack was sophisticated enough, it could gain access to the company.
But once Google’s employees started using security keys, Srinivas said, that essentially stopped.
“They’ve pretty much given up on phishing as a primary vector in our own attacks,” he said.
First published July 25, 9 a.m. PT
Update, 9:36 a.m.: Adds response from Yubico, 10:42 a.m.: To include remarks from Google on Bluetooth.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Blockchain Decoded: CNET looks at the tech powering bitcoin — and soon, too, a myriad of services that will change your life.