Google Launches Its Own Physical Security Key

An anonymous reader writes: Google launched its own Titan Security Key on Wednesday, a small USB device which includes firmware developed by the omnipresent tech giant itself. This comes days after Google said its workforce has been phish-proof for more than a year thanks to security keys distributed to its 85,000 employees. The new key means new competition for Yubikey manufacturer Yubico which confirmed it is not involved with Google's new key. The product is available now to Google Cloud customers and will eventually be available to general customers, the company announced Wednesday at its Google Cloud Next conference in San Francisco. CNET, which tested the device, adds: It'll come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each, Brand said. The set of security keys should work on any device with a USB port or a Bluetooth connection.

And will it still work

[Oswald McWeany]

And will it still work when Google abandon the project. Google are probably the most famous company on earth for abandoning projects that don't take off right away.

Re: And will it still work

[greenfruitsalad]

I bet they had to make the bluetooth version because of their employees with macbooks.

Re: And will it still work

[DontBeAMoran]

Why? They could have made USB-C versions.

Re: And will it still work

[greenfruitsalad]

And how would that employee then charge their laptop? Or connect a screen or charge their phone or connect to a wired network? It's a harsh life for fruit aficionados. #lovemahdongle

Re:

[networkBoy]

W.T.(actual)F?!?!
While I am not an apple fan, my current employer provided me a Macbook Pro for my worstation, and I have 4 USBc ports available. We use Yubikey C's for our 2fa and that still leaves me two open ports after using one for power for a docking station and monitor or wired ethernet and monitor if on the road...

Re: And will it still work

[DontBeAMoran]

Your MacBook Pro has four USB-C ports.
A MacBook only has one USB-C port.

Re:

[r1348]

Google uses only MacBook Pro internally.

Re:

[DontBeAMoran]

And since they just launched their security key to the public, how is that information helpful in any way?

Re:

[r1348]

It wasn't, that's why I complemented it with a further comment.

Re:

[r1348]

And to add to this, the Pixelbook, which has only 2 ports and is extensively used internally in Google, has a hardware security key built in the power button.
It makes sense that soon we'll see that in smartphones too.

Re:

[mjwx]

Your MacBook Pro has four USB-C ports.
A MacBook only has one USB-C port.

My Asus has 4 USB A ports, a headphone jack, and an SD card reader... It also cost 1/3 of the price of a Macbook Pro for the same hardware.

Re:

[tepples]

And how would that employee then charge their laptop?

Hub.

Or connect a screen

Hub. One is already required in order to connect a screen while charging the laptop.

or charge their phone

Hub. One is already required in order to charge the phone while charging the laptop or connecting a screen.

or connect to a wired network?

Hub. One is already required in order to connect to a wired network while charging the laptop, connecting a screen, or charging a phone.

Re:

[bondsbw]

If you need a hub, then you've already failed.

Re:

[Kjella]

If you need a hub, then you've already failed.

At the office where you're likely to have more displays, keyboard, mouse, wired network, printer and so on? No. On the go you need as many ports as you're likely to actually simultaneously use on the go. Assuming you got a Bluetooth mouse etc. I'd say power and occasionally a USB stick instead. What do you think normal people use 2+ ports for on the go?

Re:

[bill_mcgonigle]

I bet they had to make the bluetooth version because of their employees with macbooks.

Sure, it was definitely Macbooks and definitely not for phones without NFC (like a Yubikey uses).

Re:

[r1348]

NFC has a small security issue in which it's enough to have a smartphone close by to make it work. This leaves a small corner case where the user is not physically present but an attacker is just swinging by (admittedly, very close by). Bluetooth requires the user to turn on, connect, and press a physical button to authenticate, therefore is required for higher level access to corp resources from smartphones.

Re: And will it still work

[Jane Q. Public]

And this is why NFC is a terrible technology to use for making payments.

It doesn't have to be "very close by" if you have a big enough antenna. That's the thing about RF. Make an antenna big enough, and you can send and receive at a distance, even with a device that is extremely low-powered.

In general, people should not use anything that operates over radio frequencies to access their bank account. It's a fool's errand. Christopher Soghoian, the same guy who read RFID chips from passports outside an airport from 30 feet away, also cracked NFC before it ever became common in consumer products. With a portable device that cost only $200 to build.

Put your NFC-capable cards in a foil sleeve (they're cheap), or snip the coil antenna. Instructions for the latter are all over the internet.

Re:

[thegarbz]

It doesn't have to be "very close by" if you have a big enough antenna. That's the thing about RF. Make an antenna big enough, and you can send and receive at a distance, even with a device that is extremely low-powered.

Sure aim your big antenna my direction. When the 4 cards in my wallet respond in unison and you receive nothing but garbage assuming you don't actually hit anyone else in the queue ... I wish you good luck sir.

There's a reason why NFC is so short range despite in theory being capable of something longer.

Put your NFC-capable cards in a foil sleeve (they're cheap), or snip the coil antenna. Instructions for the latter are all over the internet.

Given the number of cases of this happening the best instructions are probably: https://www.quirkbooks.com/pos... [quirkbooks.com]

Re:And will it still work

[bickerdyke]

As they were involved in developing the U2F standard, it shouldn't depend on any Google servers. It's more about how long Chrome will support U2F, but that would effect not only Google security keys.

Re:

[r1348]

Probably forever, considering every single Google employee and a sizable part of TVC users has at least one device using it. Don't expect U2F support to disappear from Chrome in the next two decades.

Re:And will it still work

[DontBeAMoran]

"Announcing the new Google T... - this project is now discontinued."

Re:

[DCFusor]

Intel's attempts at IoT also come to mind. Never design in parts from a company that does this.

Re:

[networkBoy]

I was at intel when they released the Edison...
Even internally there was lots of sideways glances of "this is cool, but how long is it going to be around?"

Re:

[Anonymous Coward]

And will it still work when Google abandon the project.

Yes it will. The key is based off an open technology standard called U2F, which is becoming increasingly common, and supported by many security key makers. With luck, it'll become as ubiquitous as http(s). As long as Google keeps supporting U2F, they key will still work.

0wned by Google

[DogDude]

I imagine this thing will make sure to slurp up every last piece of data that the good little Google drones aren't already giving the Mothership.

Re:

[r1348]

You have no idea on how U2F works, do you?

Re:

[Unknown User]

Google is not trustworthy.

Re:

[r1348]

Whatever, they don't have to. They provide a U2F-compatile chip, they're not the only actor in the market, and they don't manage your certs. And the fact that someone alleges that this could be somehow used to steal data is ludicrous, and really don't understand what U2F is for and how it works.

Re:

[DogDude]

It's a USB storage device. It could do anything. Just because it has a chip, doesn't mean it couldn't have all sorts of other wonderful stuff with it too. Kinda' like all of those simple web pages people visit every day (like this one), that are filled with crap, including Google trackers.

Re:

[skids]

Such negative language. The upload of the private keys to the cloud will be a "backup service" and the usage tracking data collected by the management app and uploaded to google servers will be a "security auditing service."

In all seriousness, though, why should we trust Yubikey, Google, or any security key that doesn't publicly post its design and firmware for independent external audit? FST-01 or bust.

Re:

[flink]

In all seriousness, though, why should we trust Yubikey, Google, or any security key that doesn't publicly post its design and firmware for independent external audit? FST-01 or bust.

The USB flavor of the Yubi key is FIPS-140 [nist.gov] certified, so it has been independently audited, albeit not in a public manner.

Re:

[fph il quozientatore]

The USB flavor of the Yubi key is FIPS-140 certified, so it has been independently audited, albeit not in a public manner.

So Uncle Sam checked that no other country has put backdoors on it?

Re:

[jareth-0205]

I imagine this thing will make sure to slurp up every last piece of data that the good little Google drones aren't already giving the Mothership.

Do we actually have any evidence of them doing something clearly bad? Because it would have leaked by now. This trope is getting really tired, back up your claims with some fucking actual data. I would be the first to want to read about it.

Google push boundaries in some uncomfortable ways, but they have yet to do anything even remotely like you are suggesting they would with this. Grow up.

Bluetooth? Secure? Hahahaha that's hilarious

[Rick Schumann]

According to this story [slashdot.org] just posted yesterday, Bluetooth security is far from absolute.

Re:

[Anonymous Coward]

Oh noes, so you might be able to intercept an OTP that's intended for (...drumroll...) one time use and already used up...

Re:

[Anonymous Coward]

The point of OTPs is that they are entirely random - there is no algorithm used to generate the OTP

https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_algorithm

Re:Bluetooth? Secure? Hahahaha that's hilarious

[darkain]

As the other reply mentioned, yeah, its a ONE-TIME password. In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security. The catch? You need physical access to the device either way. And once the time-based OTP is used, its gone forever. Someone would literally have to be at the login prompt at the same exact time you are, in physical proximity to you to intercept the OTP communication wirelessly, and input it into the web site before you did. On top of that, most of these systems nowadays send out push notifications of new device logins, so while the OTP would fail for you (because someone just highjacked it), their device information will be pushed to your notifications on your cell phone or similar device.

In other words, bashing someone upside the head with a brick would be far more convenient.

Re:

[buchanmilne]

In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security.

details on the yubikey "zero security"? or do you mean NFC has zero security? because yeah, that's... why I leave NFC off when not in use.

Obviously NFC security, because there are many alternative U2F devices that don't have wireless (Bluetooth or NFC) support, including a number of open-source (hardware+software) dongles like u2fzero, but very few that have either NFC (mainly Yubikey Neo) or Bluetooth (mainly Fetian, but it seems pretty poor hardware).

Re:

[AHuxley]

Think of a NGO, charity worker, guest, new staff member who got into a site. To a trusted internal network behind a firewall.
That collection of all wireless in real time could be done with collection hardware they placed. Created a new network out of the building in real time. Too many random people wondering around.

Re:

[AHuxley]

Whats the way around that?
A physical usb port? A really well and totally shielded "small USB device".
That would stop some of the easy location short range long term wireless collection efforts.
The bad people would have to enter the site. Have a reason that allowed them to use the computer with a "small USB device" working.
A wired device offers one less really easy way to collect on.

Re:

[war4peace]

Do they come in cock ring variants?

Phish-Proof?

[Marc_Hawke]

Can someone tell me how a physical key makes you 'phish-proof.' Phishing is primarily social engineering isn't it?

Re:Phish-Proof?

[chubs]

Yes, but what if I social engineer your password and it's still useless because all your accounts use 2FA and I don't have your key?

Re:

[chubs]

In this case, it doesn't matter what 2-factor authentication method you use. I don't think this proves Google's device is any better or worse than any other 2FA mechanism, merely proving "requiring 2FA makes phishing less effective".

Re:Phish-Proof?

[neurojab]

>In this case, it doesn't matter what 2-factor authentication method you use. I don't think this proves Google's device is any better or worse than any other 2FA mechanism, merely proving "requiring 2FA makes phishing less effective".

Actually the U2F protocol (yubikey and google's new key) is more phish-proof than TOTP or SMS based 2FA. In TOTP, it would be possible to for a phishing attacker to set up a fake website which passes credentials directly to the real website, thus owning the account. In SMS, it would be possible for an attacker to trigger the SMS authentication through the same means (passing the first factor to the real website, then presenting a form for the second factor). 2FA outside of U2F makes phishing more difficult, but still is possible, and these kinds of attacks do happen. U2F is "practically unphishable" because it doesn't allow a user to type in a OTP on a fake website.

Re:

[thsths]

Indeed. U2F is like an ssh key stored on the server: it is based on a trust relationship between the key and the server. So as far as I understand, only the right website can induce the key to authenticate. A fake website would not have the right credentials.

Of course there are always forwarding attacks, and if only by forwarding the USB protocol. But that is very hard work, and not nearly as easy as regular phishing attacks.

Re:

[zlives]

what happens when you lose your key... fall back is always some info

Re:

[Ichijo]

When you register your key, you print out some temporary codes and keep that paper in a safe place. Then if you lose your key, you would use one of the temporary codes to log in.

Re:

[jittles]

When you register your key, you print out some temporary codes and keep that paper in a safe place. Then if you lose your key, you would use one of the temporary codes to log in.

And if my house burns down with my key and my paper and I can no longer access a machine that, for whatever reason, is not consumed in the inferno?

Re:

[tepples]

Why did you not store a copy of the codes in your safe deposit box at your bank?

Re:Phish-Proof?

[Ichijo]

The 3-2-1 backup strategy says you should have 3 copies of important information, 2 copies onsite but on separate drives or mediums and 1 copy offsite in case of malware or the kind of disaster you're describing.

Re:

[Areyoukiddingme]

And if my house burns down with my key and my paper and I can no longer access a machine that, for whatever reason, is not consumed in the inferno?

Generally speaking the keys are designed to be connected to your machine and left there permanently. I have the Yubikey Nano, because my employer requires two factor authentication to Github, and I leave it in the machine. So if the key was destroyed in a fire, so was the machine I use to connect.

I used to carry the Yubikey on my key ring, but its own lanyard cut right through the metal loop on the back of it. Not well designed at all as a removable device.

Re:

[iCEBaLM]

Well, if you forgot your password, lost your security key, and your house burned down, then you have bigger problems.

But seriously, fireproof lock boxes are a thing, and they're not that expensive.

Re:

[nine-times]

So someone just needs to use social engineering to get you to provide one of those codes.

Re:

[arth1]

So someone just needs to use social engineering to get you to provide one of those codes.

Not even. It's likely even easier to use social engineering to get a user to run a program that opens a tunnel.

Re:Phish-Proof?

[neurojab]

A phishing attack generally takes the form of a web form that looks like a legitimate site, the idea that the victim will enter their user and password into the form and the attacker will then be able to steal the credentials. 2FA is not always immune to this sort of attack since the second factor could be stolen and passed along immediately to the target site. In the U2F protocol implemented by these security keys, there is a public/private key pair generated for each site (which is in turn tied to the TLS certificate of that site). Proof of possession of the key by means of a signature is the second factor. This makes it pretty difficult to phish since the fake server owned by the phisher would not be able to stand up the same domain and TLS cert in order to get U2F on the client to generate a challenge that would be accepted by the attacked site.

Maybe I didn't explain it that well.. but the point is that the key becomes cryptographically tied to the target site in a way that cannot be replayed by a standard phishing attack.

Re:

[Anonymous Coward]

Can someone tell me how a physical key makes you 'phish-proof.' Phishing is primarily social engineering isn't it?

Because it's 2 factor authentication. So if an attacker has your password, they still cannot access your account without the token, which is a physical thing that you use to generate a one time string that confirms you have the physical device.

Of course, it's possible to duplicate a token, but the way they generate the one time strings to verify their presence is usually some one way encrypted hash that changes over time using a private/public key. This means that the end point can verify the string was

Cloning device instead of token..

[SuperKendall]

I seems like if you had some window of time and access to a physical key, you could probably clone it... after all it holds everything needed to generate a OTP.

But probably beyond the skill of almost anyone other than government agencies.

Re:

[itsme1234]

I seems like if you had some window of time and access to a physical key, you could probably clone it... after all it holds everything needed to generate a OTP.

Cloning is easy only for things that were designed to be read easily, from mag-stripes to normal flash memory (for example) that is specifically designed to give you the data you're asking for. Otherwise in real world it is really, really, really hard to clone things. If you don't believe me go and clone a kidney, heck even a tooth; your body has all

Re:

[ctilsie242]

A Yubikey ensures that there is a live body sitting at the computer/phone/whatever that is requesting access. Yes, malware could put up a fake request, but what the key does is narrow down the attack to just the time it takes to press that button and acknowledge things.

Re:

[JoePete]

First, let's qualify the statement. It's that no Google employee has apparently been successfully phished for a work account. It's not that Google employees haven't been fished for any account. Bear in mind this claim is a bit like a company that has switched from using office keys to RFID cards saying that "no one has lost their keys or had them stolen." Of course not; they don't use them any more. However, these tokens are not necessarily two-factor authentication (at least that is not detailed in the re

Re:

[Locke2005]

The server sends a challenge to the device, then the device sends a response back. Without knowing the private key used by the device, the response cannot be calculated by third parties, and recording the response is useless because a different challenge is used every time. Yes, that doesn't fit the definition of "two factor authentication", but I see no reason why it would be less secure. https://www.securenvoy.com/two... [securenvoy.com]

Re:

[AHuxley]

Try some penetration test on site https://en.wikipedia.org/wiki/... [wikipedia.org] and some social engineering https://en.wikipedia.org/wiki/... [wikipedia.org]
Distance to a new network, physical access? A new best friend? Someone new with a charity, NGO, gov, mil wondering around?

Find your phone

[null etc.]

Hopefully it will be better than Google's "Find your phone" feature.

"Lost your phone? Finding it is simple! To start, sign in by typing the six-digit code we've just sent to your lost phone."

Re:

[DontBeAMoran]

Keyboard not found. Press F1 to continue.

Re:

[linuxguy]

> "Lost your phone? Finding it is simple! To start, sign in by typing the six-digit code we've just sent to your lost phone."

I use the Google find your phone feature often. I have never seen the process you describe above.

Re:

[null etc.]

I have never seen the process you describe above

Have you ever tried to find your phone using a phone or device that you've never used to login to Google before? For example, a friend's phone?

Re:

[thegarbz]

Hopefully it will be better than Google's "Find your phone" feature.

"Lost your phone? Finding it is simple! To start, sign in by typing the six-digit code we've just sent to your lost phone."

??? I have no idea what you're talking about and I use this feature quite often.

Chrome only

[sremick]

Wake me up when these things work with browsers other than Chrome.

Re:Chrome only

[Average]

U2F is perfectly functional in Firefox 60+ as downloaded. But, for reasons I honestly can't get, it's not turned on by default. It worked before FF 60 with plugins.

about:config -> security.webauth.u2f true

Re:

[Anonymous Coward]

Good morning.

My Yubikeys work perfectly with Lastpass on Firefox.

My setup:

Two Yubikeys. (Lastpass allows you to register more than one key)
- Yubikey Nano kept in my laptop's USB ports.
- Yubikey 4 kept on my key chain.

Several family members also have a copy of my Yubikey Grid Multifactor Authentication paper printout for key backup should I lose both.

Feitian keys look similar to the Google one...

[ctilsie242]

Looks like Feitian is the maker that Google chose to OEM. At $16.99 and $24.99, they are fairly reasonably priced, and the Bluetooth one actually supports iOS.

Re:

[c_g_hills]

Feitian NFC has worked perfectly for me with my Android phone.

Re:

[c_g_hills]

+1 for Feitian. One key for my phone and computer (as well as additional keys in safe places).

Physical keys

[Locke2005]

"And if our experiments show it works well for securing computers, we're going to try using them on DOORS next!"

BS Pricing

[thsths]

Individually, they cost $20 to $25, and together, the bundle is $50.

Why would anybody buy the bundle? Is this marketed at stupid people?

So is it physical or virtual?

[AbRASiON]

The article last week could be taken both ways, as if a phone with google authenticator was good enough?

Personally? I'm happy with fairly complicated passwords, a unique email for most sites and 2FA (soft, on phone)

If it requires a dongle? I'm not in, I'm sorry but I don't care about the security that much. If it can't be done with a soft token on my phone (and ipad, thanks Authy!) then I can't be bothered and the general public will be even worse.

Customer base

[dromgodis]

From TFA: "The Titan Key is specifically for customers who want security keys and trust Google."

I figure that the overlap of those two groups should be rather small.