Security Google Technology

Google's $50 Titan Security Keys Are Now Available in the US (engadget.com)

Last month, Google introduced its Titan Key -- a physical security key used for two-factor authentication -- and now it's widely available for purchase in the US through the company's Google Store. Almost any modern browser and mobile device, as well as services such as Dropbox, Twitter, Facebook, Salesforce and Stripe, support the Titan Key. It's Google's take on a Fast Identity Online (FIDO) key, a physical device used to authenticate logins over USB or Bluetooth. From a report: For $50, you'll get a USB security key and a Bluetooth security key as well as a USB-C to USB-A adapter and a USB-C to USB-A connecting cable. What happens if you lose them? From a report: A downside of physical keys is that if you lose them, you're toast. That's why you have two keys -- one is meant to be a backup. Google says it can help you gain access to your account again, but the recovery process can take days. VentureBeat adds: It's not meant to compete with other FIDO keys on the market, stressed Sam Srinivas, product management director for information security at Google, during a press pre-briefing. Rather, it's "for customers who want security keys and trust Google," he said. Further reading: None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA.
  • Am I missing something? Is there a full article? Who supports this? Amazon? Shopping Sites? Banking or Investment? It seems that more effort could have been put into this post.

    • by Tomahawk ( 1343 )

      Use the 2nd link for a longer article. It lists a few sites that use it (facebook and twitter being in there, along with Google)

      • At least mention the ones that matter, this is slashdot after all. It will be supported by the Worldwide Web Consortium’s Web Authentication API, as well as github.
    • who? "Posted by msmash" "Google" does. this story has been re-posted plenty of times here at /. it's a slashvertisement. click the related links, it goes on and on from there.
  • Curious (Score:4, Interesting)

    by the_skywise ( 189793 ) on Thursday August 30, 2018 @09:55AM (#57224800)

    None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA

    How many of them using 2FA and NOT using physical keys got phished?
    Getting phished for the password sure - but who gives out the 2FA code? Even presuming a hacked website I would think the key would just hand over the data to the fake website?

    • Re:Curious (Score:4, Interesting)

      by olsmeister ( 1488789 ) on Thursday August 30, 2018 @10:03AM (#57224856)
      I was closing an account at Capital One a couple of weeks ago, and as a security precaution they asked me for my phone #, sent me a code via text message, and had me repeat that code back to them. I was like, I don't understand what the hell that just accomplished but whatever, I just want to close the damn account. Maybe that's their idea of 2FA.
      • Re: Curious (Score:2, Insightful)

        by Anonymous Coward

        Well they just proved that whoever was closing the account had a phone number. Can never be too sure these days. It's not like just anyone can have a phone number.

        • by Anonymous Coward

          This isn't the worst thing. I mean, it would be (and might be) stupid if they required the ability to text your number, since land lines are still a thing and not everyone has unlimited texting, but it does add *some* level of validation.

          When you call in, they (probably) get your caller ID number, but that can easily be forged (this isn't theory; I've done it, and it's done as a normal course of business on nearly all business and 800 lines). The feedback loop they provided by sending you a code and having

      • Re: (Score:3, Insightful)

        by fibonacci8 ( 260615 )
        It sounds like you got phished by Capital One for your phone number, have you taken any steps in case they misuse it?
        • It sounds like you got phished by Capital One for your phone number, have you taken any steps in case they misuse it?

          Are you implying that there are people out there who have dealings with a financial institution like Capital One who haven't already given them their phone number? To be clear we are talking about a financial services company here. If there's one group of people I want to be able to contact me urgently, it's the damn ones looking after my money.

      • by hoggoth ( 414195 )

        That is moronic!

        Also, Vanguard has TOTP 2FA (Authy, Google Authenticator, etc), but on the page that asks you to enter your code there is a button 'I don't have my security device with me, send me an SMS instead'. This cannot be disabled. I am not making this up. I complained but the support rep couldn't understand why this is bad. She just kept asking if I wanted to turn off 2FA altogether.

        • by Hadlock ( 143607 )

          I would imagine they're in a transitionary stage and/or the project manager in charge of this doesn't trust their implementation enough to switch cold turkey.

    • Actually, the FIDO U2F standard would not allow man-in-the-middle attacks with a spoofed website. The key will only work with the specific domain that authenticated the key, so a fake domain wouldn't work. If the website itself is hacked on the back end, then all bets are off. Same thing if the user's browser/computer is hacked.

      https://www.yubico.com/2017/10... [yubico.com]

    • by bogd ( 912084 )

      Getting phished for the password sure - but who gives out the 2FA code?

      Oh, you would be surprised how many people do... There have been plenty of attacks in the wild doing exactly that - persuading people to give out 2FA codes (from Steam Authenticator codes to banking token codes). And it is amazing how many people willingly hand them out.

      Even presuming a hacked website I would think the key would just hand over the data to the fake website?

      That's the beauty of U2F - the generated code depends (among others) on the actual URL. So if you get a phishing link on goog1e.com, that site will receive a totally different 2FA code, one that will NOT work on the original website.

      More d

  • Trust Google? (Score:2, Insightful)

    by Anonymous Coward
    Would you trust Google to make you secure when Google mines details about as many people as it can?
    • Re: Trust Google? (Score:3, Insightful)

      by dbialac ( 320955 )
      Yep. Don't think for a second that this isn't another way to track you online.
      • Yep. Don't think for a second that this isn't another way to track you online.

        [citation needed]

        Oh no, wait, it's 2018. Spouting unfounded bullshit without having to back it up with anything is just how things are now.

      • by dissy ( 172727 )

        Yep. Don't think for a second that this isn't another way to track you online.

        Well without a 2FA hardware token, that means you are currently typing in a username and password.

        I don't see how your claim that entering a username and password doesn't let the website you enter it into track the fact you just logged into them.
        By definition you have identified yourself with a username, and proven it really is you with your password.

        As a 2FA hardware device does the same two tasks with one certificate, of course the website you use it to login to can track you equally the same.

        That include

        • by dbialac ( 320955 )
          Because that 2FA token sends info from the website you're logging into to Google. Google knows the ID of your 2FA and now knows you are a user of that website and when you log in.
          • by dissy ( 172727 )

            Because that 2FA token sends info from the website you're logging into to Google. Google knows the ID of your 2FA and now knows you are a user of that website and when you log in.

            But I use them on internal systems without Internet access at all.
            How exactly are you saying the token keys send anything to google?

            My Yubico key, which uses the exact same protocol and backend PAM modules, I've used for years to login to a machine that not only doesn't have Internet access, but has no network access at all.

            Perhaps you are just confused because for the first couple months google only sold the keys to people with google cloud accounts, not realizing they now sell them to anyone?

            Or perhaps yo

    • by AHuxley ( 892839 )
      All the crypto is then back to one ad company.
  • I use Google Authenticator on my phone for my MFA needs. I think I'm more likely to notice my phone going missing than I am to notice a small usb key going missing, and I'm also more likely to remember to bring my phone wherever I'm going.

    So I think I'll just stick with using my phone and save the $50.

    • by AmiMoJo ( 196126 ) on Thursday August 30, 2018 @10:07AM (#57224880) Homepage Journal

      There are a few benefits to using these kinds of keys. I don't know about the Google one specifically but others have features like being able to act as a USB keyboard and enter very long, complex passwords for you when you press the button. There is also the speed factor, no opening an app and copying a code manually.

      The down side is that these keys have no physical security. Your phone is at least lockable, but if someone takes your key there is nothing to stop them using it. Mainly a concern for people who might get targeted specifically or people at risk from law enforcement in bad countries.

      • by davecb ( 6526 )
        If you don't have to also provide a pin as part of the key response, it's "something you have" without "something you know". Ie, 1FA instead of 2FA.
    • Same, I don't use SMS anymore for 2FA, I setup my google, FB, reddit, using the Google Authenticator, works well for me.

    • by bogd ( 912084 )
      Google Authenticator is nice, but:

      1) it is vulnerable to man-in-the-middle and phishing attacks. While U2F is designed to resist those (if someone gets a user to generate a code on a phishing website hosted on "goog1e.com", that code will not work on "google.com").

      2) it is impossible to backup the keys. Lost/destroyed/changed your phone? You're going to spend the next two days resetting 2FA on all those accounts... (I know there are workarounds for this second part, but some of them trade convenience fo

  • These Titan keys are the same hardware as the Feitian [amazon.com] FIDO keys, but supposedly with a custom firmware so not a simple rebranding.

    I'm curious to know how these compare.

  • Who cares? (Score:5, Interesting)

    by jittles ( 1613415 ) on Thursday August 30, 2018 @10:16AM (#57224954)
    Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.
    • Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

      There is a difference between personal security, web security, which is something that is both in your and Google's interest to secure, and the mining of personal information, which is in their interest, but not yours. This is obviously a product for the first.

      Not everything Google does fits into the hysterical OH MAH GAWD THEYRE TAHKIN ALL MAH DATA narrative.

      • Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

        There is a difference between personal security, web security, which is something that is both in your and Google's interest to secure, and the mining of personal information, which is in their interest, but not yours. This is obviously a product for the first.

        Not everything Google does fits into the hysterical OH MAH GAWD THEYRE TAHKIN ALL MAH DATA narrative.

        If you’re right then there is still no reason to buy it. Google drops basically every service they offer that does not provide value to their advertising platform. They do it time and time again. So if they aren’t actually harvesting useful metrics through the use of this device then they will just EOL it after 2-3 years.

    • Google customers care. The ones that are actually paying Google for their cloud services. You know that Google is not only web and email right? There is also the Cloud Platform. I personally would like a strong 2FA device to protect my accounts for running my business on GCP.

      Trust is one issue, cost and business is other. Lots of business pay Google for services so they also trust Google to run their business. Ones like Snapchat, Airbnb, Costco, Philips, TiVo, Citrix, Ubisoft... etc.

      https://cloud.google.com [google.com]

    • Me, and here's why:

      Security and a business model of handling your data are not exclusive. In fact one would hope that the people who make a business of handling your data are also some of the best in the aspects of security. Now this isn't applied universally. If you take a company like Verizon who will bulk sell your data to the highest bidder then security (of that data) is a non issue. However if you deal with a company whose sole source of income is selling access to you by way of profiling your dat

      • Me, and here's why:

        Security and a business model of handling your data are not exclusive. In fact one would hope that the people who make a business of handling your data are also some of the best in the aspects of security. Now this isn't applied universally. If you take a company like Verizon who will bulk sell your data to the highest bidder then security (of that data) is a non issue. However if you deal with a company whose sole source of income is selling access to you by way of profiling your data, and while maintaining that your data is effectively their carefully guarded CocaCola recipe, then you should apply a bit more nuanced thought.

        On top of that you should also take care to look at the quality of products and code produced to date, as well as security practices, hiring and staffing practices, and general industry standings.

        With all that in mind I trust Google more on matters of security than a company like Symantec, and a fuck ton more than a company which collects my data as an incidental revenue stream (looking at you Samsung, Verizon etc).

        But then you throw thought out the window when it comes to data as evident that you prefer to trust security to agencies which almost exclusively are out to determine if you are thinking wrong and to punish you for it.

        Your problem is that you're misunderstanding whose security Google cares about. They care about their own. Whatever protection they provide to your data is only due to the fact that they make money off of that data. At least I know that the NSA and CIA are going to spy on me and generally do things that aren't in my interest. Google is the kind of company that, with their "Do no evil" mantra claim that they're a great company. And yet they spy on you [wsj.com] worse than even Facebook does. There are plenty of

        • Your problem is that you're misunderstanding whose security Google cares about. They care about their own.

          Not at all. Re-read my post. My post talked about caring about their own security for protecting their Cocacola recipe: your data. That also means they invest in security. That also means security trickles down to their retail products. Companies don't typically waste time writing lots of new things from the ground up to suit nearly identical needs.

          And yet they spy on you [wsj.com] worse than even Facebook does.

          And they are the one group whose spying I'm not worried about. Google spy on users in order to make money by selling access. That makes them orders of magnitude

    • by AHuxley ( 892839 )
      With PRISM 2.0 a user can get that security service part for free.
  • Before, if they didn't get to me by phishing they were bust.
    Now they have to come to my home and hit me over the head with a wrench and take my titan-dongle.

  • by SuperKendall ( 25149 ) on Thursday August 30, 2018 @10:23AM (#57225010)

    it's "for customers who want security keys and trust Google

    It doesn't seem like anyone there ran through the Venn diagram on that one, because I come up with approximately zero customers...

    And that includes Google employees.

    • I suspect you mistakenly substituted "should trust Google" in your own diagram, when the customers are those who "do trust Google".
    • There are people who manage multi-million dollar adwords/adsense accounts with Google. There are people who make their living from their YouTube videos.

      • Yep, and you seriously think EITHER of those groups trust Google?

        Just ask any YouTuber about play counts and get a sense of how much "trust" and "love" there is for Google.

        Even on the ad side I don't see much trust that Google is actually accurate with counts. But what else are the advertisers going to do?

        You don't have to trust or even like someone to do business with them you know.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Thursday August 30, 2018 @10:36AM (#57225102)
    Comment removed based on user account deletion
    • 2) Lots of serious corporations use commercial Google products especially G Suite. I worked in two such corporations. Such 2FA product is mostly targeted for power (these are few) and corporate users (these are hundreds of thousands and they are paying). So if they are using it they are probably also trusting Google. If you use G Suite it is a very good idea to protect at least the administrative accounts (eg. with domain control) with strong 2FA devices.

      1) Take look at 2 - this is targeted to corporate env

    • 2) You're gonna trust Google?

      I posted a joke response earlier, but I kid you not - I was reading through the summary and thinking about buying one, then I came to the line "and those who trust Google" and I instantly decided not to buy it after all.

    • 2) You're gonna trust Google?

      Trust with what? Trust is not a universal concept. It is contextualised. I trust my mother to have my best interests in heart. I don't trust her not to fill my computer with viruses and therefore she doesn't get to touch it.

      I don't trust Google with a lot of things, however they have quite consistently shown to produce quite good back end code and generally don't appear frequently in the list of companies which have left users to malicious exploits due to poor code, or sold out customers. Mind you I don't t

  • by AnthonywC ( 4415891 ) on Thursday August 30, 2018 @10:36AM (#57225104)
    If you actually want a 2FA you would probably have enabled it with your phone or possibly a physical key device (similar to this one). However this is a Bluetooth device and we all know how secure that is.
  • by Anonymous Coward

    Why does the "and now it's widely available for purchase in the US through company's Google Store" link go to an engadget article instead of the fucking Google Store?

  • IT'S BULLSHIT (Score:5, Interesting)

    by the_B0fh ( 208483 ) on Thursday August 30, 2018 @11:06AM (#57225314) Homepage

    To use a hardware token as 2FA on FaceBook, Twitter, DropBox and so on, YOU FIRST HAVE TO ENABLE 2FA VIA SMS.

    AFTER THEY HAVE FUCKING COLLECTED YOUR PHONE NUMBER, THEN AND ONLY THEN WILL HARDWARE TOKEN 2FA BE AVAILABLE AS AN OPTION.

    WHAT THE FUCK?

    • by bogd ( 912084 )
      Your shift key seems to be stuck :)

      There is a reason for requiring your phone number - most likely, they are using SMS as a backup recovery mechanism - so that you are not "toast" when you lose your security key. If you lose the physical key, you will still be able to recover your account via SMS.

      • most likely, they are using SMS as a backup recovery mechanism - so that you are not "toast" when you lose your security key. If you lose the physical key, you will still be able to recover your account via SMS.

        Well then I will save my $50 and not buy a security key if they’re going to insecure it in that manner. It just takes a few minutes of social engineering to hijack someone’s number and therefore their SMS.

        • by bogd ( 912084 )
          Well, I won't argue with you there :) . It's one of those cases in which they choose usability over security. :/
      • Ok, here's the problem with that:

        If you can use SMS as a recovery path when you lose your 2FA token, that means you don't need the 2FA token. You can just use SMS. Though that might sound handy, SMS is insecure.

        It's the same basic problem with "security questions". A lot of services have the option where, if you forget your password, you can reset it with security questions. And then, they ask you security questions like, "What's your mother's maiden name?" That's information that isn't necessarily h

        • by bogd ( 912084 )
          As I answered above, that is true. Unfortunately, this is one of the many cases in which they (the companies implementing the security options) chose usability over security.

          Unfortunately, there is no magic bullet here - very strong security would lead to many users being locked out of their accounts, and many very unhappy customers (who will happily scream at the support people, even when they are themselves to blame for locking themselves out - maybe by losing the security key, or forgetting their pass

      • by tlhIngan ( 30335 )

        If you lose the physical key, you will still be able to recover your account via SMS.

        Have we not learned? a phone number is not something you have. NIST discovered this a few years ago and updated their guidelines - no SMS, phone call, or other thing can be valid for identification at all.

        Hell, this existed even before cellphones were popular - phone phreaking was a thing and it was possible to reprogram a switch to temporarily redirect a phone call to another phone. Many used it to bypass "phone verificati

      • No. You can remove your phone number as a 2FA after you've added physical tokens.

        So it's bullshit.

    • yes! exactly what I was thinking when I tried to set up a u2f on facebook. what the hell?
    • AFTER THEY HAVE FUCKING COLLECTED YOUR PHONE NUMBER

      I take it you've never used Google Maps, or Android, or any services by Google. Here's a hint: They have your phone number. Don't pretend to think that they don't. That would be incredibly foolish.

      Also as an aside, when did you become so petrified that you freak out about giving out something that we used to give out to everyone, and routinely also publish in a big book that was freely delivered to everyone?

      Google has my phone number? Oh the humanity! What will I do!

      • Apparently Android users feel that being abused is the right thing to do, so why worry, be happy.

        • No, Android users don't need to run off to some safe space because someone has their phone number.

  • as nice as it sounds to be more secure, I would lose it within a week. me iz gettin old and tend to misplace things a lot :-(

  • That's the most impressive part of the announcement, if you ask me. Their store page says that they have a "USB-C to USB-A adapter", which is nothing special, but also a "Micro USB-C to USB-A connecting cable".

    I'm eager to hear when this new "Micro USB-C" connector will start appearing on Android phones and tablets.

  • How can they be secure if Google can restore access even if it takes days? Doesn't that mean Google can restore access for someone else?
