Google launches its own security keys to limit your chances of getting hacked


Two-factor authentication (2FA) has long been an effective protection against account hacking – meaning would-be intruders need something else besides a username and password, usually a code from a phone, to gain access – and today Google is taking 2FA one step further with its own security keys.

If you've set up 2FA on your social networking accounts, or your Google or Apple IDs, you might be familiar with the process of entering a code sent over SMS or generated via an authenticator app. Security keys replace that extra code with something physical that needs to be connected to the computer during the login process.

There's always the chance of losing your key, of course, in which case you would need to nominate a backup method for getting into your account again (like a message to a separate email account). In theory though, the technique is more secure than a text or app code, because those codes can be more easily intercepted.

What's more, security keys such as the new ones unveiled by Google can work without a network and without battery power, which is useful for people on the go.

Google's new product is called the Titan Security Key. Matching up with existing 2FA standards, it comes as either a USB stick for laptops and desktops, or as a Bluetooth dongle for connecting up to mobile devices.


"We've long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft," says Google's Jennifer Lin in a blog post.

Security keys as part of 2FA aren't new, and you can already log into sites like Gmail and Facebook with keys from the likes of Yubico. That Google is now making its own products emphasizes just how secure the company thinks they can be, when used correctly.

Earlier this week, Google revealed its employees have been required to use security keys since early 2017, reducing the number of successful phishing attacks to zero in the meantime. Even if hackers get hold of usernames and passwords, they can't gain access to any accounts without the physical key.

Google is providing them for cloud business customers first, but says they will go on sale to everyone via the Google Store in the near future. Prices will be in the region of US$20-25 for a single key, or $50 for both the USB and Bluetooth models, CNET reports.

It's definitely worth the few minutes these keys take to set up to keep your accounts better protected, whether you buy from Google or invest in a third-party alternative. However, the account itself also needs to support security key access: The likes of Google, Facebook, Twitter, and Dropbox already do.

Source: Google

2 comments
S Michael
They are charging us money to protect their data... hummmm
christopher
This is a seriously half-baked idea, which has no mutual-authentication whatsoever (their "Standards" lie about this too - they say it's there, but it didn't work through deep-packet-inspection firewalls, so they disabled it).
It also has no screen, so no capability to defend against malware, or perform transaction signing, etc.
The very worst thing about this nutty gadget is that it's going to be WAY harder to get rid of it and switch to an *effectively* secure solution after it starts getting adopted.
Oh yeah, and on that front, it's already been around for years, and practically nobody uses it, so it's not actually going to protect even 1% of users, which means that the fact it exists is going to rob the other 99% of getting an effective solution instead.
Why is a company supposedly so smart, so much the exact opposite when it comes to security?