At Google Cloud Next 2018, Google revealed that they had suffered zero successful phishing attacks since 2017, despite having nearly 100,000 employees. And they said it was all thanks to the integration of hardware two-factor authentication (2FA) keys.
After their success, it wasn’t surprising to see an announcement for the Titan Security Key at Google Cloud Next. Plenty of breakout sessions often found ways to mention the importance of hardware security keys. This was part of a big overall focus on security during the San Francisco-based conference.
Titan Security Key overview
Google plans to release two versions of the Titan Security Key: a USB version and a Bluetooth version—both using FIDO Universal 2nd Factor (U2F). You can purchase both versions of the Titan Security Key for $50 or at about $20 to $25 separately, once publicly available in the Google Store later this year. It’s already available to Google Cloud customers.
Many of the presentation decks for security-focused breakout sessions at Cloud Next used images of the well-known Yubikey from Yubico. So, it was a surprise then to see how both models of the Titan Security Key looked a lot more like Yubico competitor Feitian’s 2FA keys instead.
The Titan Security Key works the same as any hardware security key available on the market.
Going up against Yubikey
Given how popular the Yubikey is, it’s a little surprising to see Google decide to release their own security key instead of maybe pushing Yubico as a security partner. Product manager director for information security Sam Srinivas told CNET that Google isn’t trying to compete in this space, they just want to increase usage. “The most important thing is for everyone to use a security key.”
If Google is as focused on getting more customers to add hardware 2FA as part of their cloud security, then adding their name to one product could potentially increase the possibility of adoption. Another possible reason Google didn’t simply promote Yubico might be that the latter doesn’t plan to offer a Bluetooth low energy (BLE) version of their Yubikey. They offer Near Field Communication (NFC) versions, instead.
Yubico even dropped a blog post the same day as the Titan Security Key announcement explaining why they opted for NFC over Bluetooth. “We decided not to launch [a BLE version] as it does not meet our standards for security, usability, and durability.”
Unlike Bluetooth, NFC doesn’t require battery power to work with an NFC-capable device, like most smartphones. Just getting customers to carry another piece of hardware (even one barely larger than a house key) could be hard enough, and tack on that you have to charge the Bluetooth Titan Security Key in order to use it and you have a recipe for low adoption.
Additionally, there have been recent concerns about the security of Bluetooth. A cybercriminal could, theoretically, gain access to the encryption key used by any device using BLE. Distance is another aspect of Bluetooth that someone could take advantage of—NFC can only send a signal up to a few centimeters, while Bluetooth can transmit up to 32 feet.
IAM leading the way
The bigger picture for authentication is that while hardware 2FA is a great addition, it’s still just one factor. For identity management, the trend is to take into account more factors, like user’s device, location, behavior, etc. To help with that, Google also announced context-aware access alongside the Titan Security Key, as another part of Google Cloud Identity (Jack plans to deep dive into this soon).
If you’re not a current Google Cloud customer and like the idea of the nigh-impossible-to-crack security of hardware security keys, and you don’t want to wait for the Titan—there are many options already out there on the market.