The internet giant has announced a USB-C Titan Security Key, manufactured by Swedish company Yubico, that’s compatible with Android, Chrome OS, macOS, and Windows devices for a price tag of $40. It also looks a lot like the YubiKey 5C. Titan Security Keys are phishing-resistant two-factor authentication (2FA) devices from Google, designed with an intent to cryptographically verify an individual’s identity while signing in to an online service, thereby defending users against account takeover attacks.
Google already sells two other models with NFC and Bluetooth capabilities. But they were previously available only as a $50 bundle. That changes starting today, allowing users and enterprises to purchase them individually for $25 and $35 respectively. iPhone or iPad users, on the other hand, may want to give Yubico’s Lightning-equipped key YubiKey 5Ci a shot.
No Bluetooth support
The new security key doesn’t come with Bluetooth support, which means you can’t unlock your accounts until the Titan Key is actually plugged into your device. And rightly so, for the Bluetooth variants suffered a hardware flaw that made it possible for an attacker to remotely hijack the keys. The problem was serious enough that it prompted Google to offer a free replacement for those who had purchased them. Yubico, for its part, has been consistently against offering a Bluetooth-capable key, stating the product “does not meet our standards for security, usability and durability.”
Passwordless authentication on the rise
The security key leverages the FIDO standard — developed jointly by Google and Yubico in 2012 — to provide a second layer of authentication to your login credentials. So, when you register a hardware key with an online service for the first time, it creates a public key-private key pair using asymmetric encryption. During authentication — using a PIN or biometrics — your identity is confirmed by encrypting a secret message with the private key and transmitting it to the online service, which decrypts the message with the public key generated earlier.
The development follows Titan Security Key’s expansion to Canada, France, Japan, and the UK, and that of Google’s Advanced Protection Program for G Suite, Google Cloud Platform (GCP), and Cloud Identity customers back in August. Still, passwordless authentication mechanisms — such as those developed by Google and Microsoft — are yet to see widespread adoption. It’s no surprise, then, that the companies are integrating the features into their operating systems in hopes that it would drive users to more secure solutions.
“FIDO standards hold a lot of promise for enabling a more passwordless world,” Jim Ducharme, VP of Identity Products at RSA, told TNW. “However, it’s going to take time for the standard to be integrated across user devices, browsers, and applications and it will take even more time to be rolled out and supported by IT departments in organizations.”
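The registration and sign-in exchange described in this section, as an added example that is not code from Google, Yubico or the FIDO specifications. FIDO carries out the private-key step as a digital signature over a challenge issued by the service, which the service verifies with the stored public key; the sketch below is a simplified model of that (not the real CTAP/WebAuthn message format), and the class names, origins and user name are assumptions constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// What the key signs: hash of the origin the browser reports, then the server's challenge.
const signedData = (origin, challenge) =>
  Buffer.concat([nodeCrypto.createHash('sha256').update(origin).digest(), challenge]);

// Hypothetical security key: one private key per origin; private keys never leave it.
class SecurityKey {
  constructor() { this.keys = new Map(); }
  register(origin) { // registration: fresh P-256 pair, only the public half is exported
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, challenge) { // authentication: sign with the key bound to this origin
    const privateKey = this.keys.get(origin);
    return privateKey ? nodeCrypto.sign('sha256', signedData(origin, challenge), privateKey) : null;
  }
}

// Hypothetical online service: stores public keys and issues single-use challenges.
class Service {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // a replayed response finds no pending challenge
    if (!challenge || !pem || !signature) return false;
    return nodeCrypto.verify('sha256', signedData(this.origin, challenge), pem, signature);
  }
}

function demo() {
  const key = new SecurityKey();
  const site = new Service('https://accounts.example'); // constructed origin
  const lookalike = 'https://accounts.examp1e.test';    // constructed look-alike origin
  site.enroll('alice', key.register(site.origin));
  key.register(lookalike);
  const response = key.sign(site.origin, site.newChallenge('alice'));
  const genuine = site.verify('alice', response);
  const replay = site.verify('alice', response);
  // Challenge relayed through the look-alike: the key signs for the origin it sees.
  const phished = site.verify('alice', key.sign(lookalike, site.newChallenge('alice')));
  return { genuine, replay, phished };
}
```

Calling `demo()` shows the genuine sign-in verifying while the replayed response and the response produced on the look-alike origin are both rejected, which is the property behind the "phishing-resistant" label.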
Identity as a service
Google is far from the only player investing heavily in identity as a service (IDaaS). Microsoft, Facebook, Twitter, Apple, and even cellular carriers have joined the mix. “Identity is back on the front page, as organizations come to realize that stolen identity is the number one security issue, and often the weakest link in security postures,” Ducharme told TNW.
Detecting and managing identity risks, therefore, requires organizations to consider a risk-based authentication solution that is able to analyze user access, devices, applications and behavior to provide businesses with the confidence that users are who they say they are based on previous history. Ultimately, FIDO standards are no magic bullets. They require the latest software, browsers, devices and infrastructure in order to function, requiring businesses to assess their infrastructure before going passwordless.
“We are still on the journey to a truly passwordless world. Eliminating the password from the user experience during authentication is more easily achieved as we have seen with the adoption of Touch ID and Face ID,” Ducharme said. “We need to move towards an approach that considers credential enrollment, recovery and how users can securely authenticate from devices that don’t have integrated biometrics or FIDO capabilities.”
Google’s USB-C Titan Security Keys can be purchased on the US Google Store beginning later today.