When Google bragged that none of its 85,000 or more employees had been hacked since early 2017, it forgot to mention that this was thanks to a beta version of its security key, the Titan Security Key. After a long test phase, the latest version of this U2F security key will be available soon. Will that be enough to push the adoption of this process?
We were able to test the Titan Security Key, Google’s key that uses multifactor authentication to protect users from phishing attacks.
Security keys come in many forms, from a USB key to a Bluetooth remote, and you connect one to your device when you try to log in. The goal is to provide a second layer of security through multifactor authentication, i.e. more than one method to prove that you are the person authorized to connect.
From $20 onwards
Hackers may be able to steal your password online, but they often have a much harder time stealing a physical security key that is with you. Google has been advocating for security keys for some time, making them a requirement for its Advanced Protection Program and presenting them as the “strongest and most phishing-resistant authentication factor”.
The Titan security key, which comes in both USB and Bluetooth versions, will be available for sale in Google’s online store in the coming months, said Christiaan Brand, a Google product manager for identity and security. A bundle with both the USB and Bluetooth versions will cost $50, or you can buy either one for about $20 to $25. The security keys will work on any device with a USB port or Bluetooth connection.
Push for the adoption of security keys
Phishing is one of the most common ways for hackers to obtain your password. Security keys add an extra level of protection because even if hackers managed to steal your password by phishing, they could not present your security key. Security keys would also be able to notify you if you visit a phishing website.
The Google key works exactly the same way as the keys already on the market, such as the YubiKey from Yubico, which Google has recommended in the past. Sam Srinivas, director of information security product management at Google, said the company is not trying to compete with other security keys, but rather to expand the number of options available.
Google also hopes that by selling its own security key, at a lower price than those of competitors in the market, it will make this security feature more popular. But before prices can drop, Google will have to convince users that they need a security key.
In January, a Google engineer said that less than 10% of Gmail users have two-factor authentication on their accounts. Google is aware of the lack of interest in multifactor authentication, and hopes that the Titan key can change this.
One of the most popular forms of two-factor authentication is to have a service send a code by SMS to your phone, which you then type in. “This process is not infallible,” says Srinivas. Google found that a targeted attack can deceive users into handing over an authentication code as well.
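The contrast described above between an SMS code and a security key, as an added example that is not from the original article or from Google: a toy model of how a U2F response is bound to the origin the browser is actually on. HMAC stands in for the ECDSA signature a real key produces, and the class names, function names and origins are constructed for illustration.

```python
import hashlib, hmac, json, secrets

def _mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 stands in for the ECDSA P-256 signature a real key produces.
    return hmac.new(key, b"\x00".join(parts), hashlib.sha256).digest()

class SecurityKey:
    def __init__(self):
        self._device_secret = secrets.token_bytes(32)

    def register(self, app_id: str) -> bytes:
        # A real token hands the site a public key; this toy shares the derived key.
        return _mac(self._device_secret, b"site", app_id.encode())

    def sign(self, app_id: str, client_data: bytes) -> bytes:
        return _mac(self.register(app_id), hashlib.sha256(client_data).digest())

def browser_sign(key, page_origin: str, challenge: str):
    # The browser, not the page, writes the origin into the signed data.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return client_data, key.sign(page_origin, client_data)

class Site:
    def __init__(self, origin: str, key: SecurityKey):
        self.origin, self.verify_key, self.challenge = origin, key.register(origin), None

    def new_challenge(self) -> str:
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def verify(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        expected = _mac(self.verify_key, hashlib.sha256(client_data).digest())
        return (hmac.compare_digest(expected, signature)
                and data["origin"] == self.origin
                and data["challenge"] == self.challenge)

def login_via(page_origin: str, site: Site, key: SecurityKey) -> bool:
    # page_origin: where the browser really is (the site, or a look-alike relay).
    return site.verify(*browser_sign(key, page_origin, site.new_challenge()))

def sms_code_accepted(code_sent: str, code_received: str) -> bool:
    # An SMS code carries no origin, so a copy relayed by any page verifies.
    return hmac.compare_digest(code_sent, code_received)

if __name__ == "__main__":
    key = SecurityKey()
    site = Site("https://accounts.example", key)  # constructed origins
    print(login_via(site.origin, site, key), login_via("https://accounts-example.test", site, key))
```

The response produced on the look-alike origin fails both the signature check and the origin check, while the SMS code is accepted no matter which page collected it.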
A security key has other advantages over codes sent to a phone. Although a phone is convenient, a security key is easier to use and track. You don’t need a network to use it, nor do you need electricity, which is a good thing if your phone’s battery is dead.
The Bluetooth version of the Titan key can last up to six months with a single charge.
In practice, this means
I had the chance to try the Google Titan key myself. Setting up the security keys was a fairly simple experience. I checked my Google security settings, and I searched for the two-step verification section.
From there, I clicked on Add a security key and was asked to insert the USB key and press the button, which worked fine. Simple.
I followed the same process for the Bluetooth version, and I also configured it for my Facebook account. Now, even if someone had access to my Gmail password, they couldn’t connect unless they also stole the security key from my pocket.
However, I had a little scare over the weekend – I had left it at the office and was asked to log into my account from home. Fortunately, I also set up a backup check, which sends an alert by email to a trusted device, instead of an SMS. It is this kind of fear that makes users reluctant to use security keys. If I had not had this backup, I would not have been able to access my account until I had physical access to the key again.
Google’s goal, however, is to get rid of these problems by making it a habit to keep your security keys on you, in the same way that people leave their homes every day with their house or car keys.