Just yesterday, a report highlighted how Google secured the official accounts of all of its 89,000+ employees by deploying physical Security Keys to log in and complete two-factor authentication, instead of the usual SMS and OTP-based authentication methods. Now, the company has gone a step further by announcing its own hardware Security Key, called the Titan Security Key, to protect Google account holders from potential attacks or phishing attempts by those with malicious intent.
The Titan Security Key comes with Google’s own firmware and will be made available to the company’s Cloud customers first, before regular users can have access to it. Google says the key will be sold through the Google Store soon.
The device is reported to come in both USB and NFC/Bluetooth variants, to allow users to log into their Google accounts by inserting or pairing the physical Security Key, instead of using a password. When launched more widely, the Titan Security Key could be available for around $20 or $25, with a bundled option for $50. The key works with many devices and apps, and supports the FIDO protocol.
“We’ve long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft. Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key,” Google wrote in a blog post.
Physical Security Keys are not a new concept and can be easily purchased online. Google introduced the option for two-factor authentication using hardware Security Keys through its Advanced Protection Programme in October last year. If a user is enrolled to use a U2F (Universal 2nd Factor) key or FIDO Key, other forms of authentication like SMS, OTP, and even the Google Authenticator app are disabled.
Currently, the Firefox, Chrome, and Opera browsers support physical security keys to provide access to services like Gmail, Google Photos, GitHub, Facebook, and others. Once a device is enrolled for a specific website that supports security keys, users no longer need to enter their password on that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key). Unlike other 2-step verification methods that use one-time codes via text message, security keys don’t require a phone number on your account. Google says that two-step verification with a security key uses cryptography to provide two-way verification: it makes sure you're logging into the service you originally registered the security key with, and the service verifies that it's the correct security key as well. This provides superior protection to text-message verification.
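The two-way check described above can be modelled in a few lines. The following is an added example, not code from the article or from Google, and it is a simplified model rather than the actual FIDO U2F message format; the origins, the `SecurityKey` class and the `verifyAssertion` function are hypothetical names chosen for illustration.

```javascript
// Added illustration: simplified model, NOT the real FIDO U2F message format.
const crypto = require("crypto");

// The security key holds a separate key pair for every site it is registered with.
class SecurityKey {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey; // the service stores only the public half
  }
  // `origin` is reported by the browser, so a page cannot claim another site's name.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // key was never registered with this site
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: crypto.sign("sha256", clientData, privateKey) };
  }
}

// Service side: check the signature, then the origin and challenge that were signed.
function verifyAssertion(expectedOrigin, expectedChallenge, publicKey, assertion) {
  if (!assertion) return "no-assertion";
  const { clientData, signature } = assertion;
  if (!crypto.verify("sha256", clientData, publicKey, signature)) return "bad-signature";
  const signed = JSON.parse(clientData.toString("utf8"));
  if (signed.origin !== expectedOrigin) return "wrong-origin";
  if (signed.challenge !== expectedChallenge) return "stale-challenge";
  return "ok";
}

function demo() {
  const SITE = "https://accounts.example";           // constructed origin
  const LOOKALIKE = "https://accounts-example.test"; // constructed look-alike origin
  const key = new SecurityKey();
  const publicKey = key.register(SITE);
  const otherKey = new SecurityKey();
  otherKey.register(SITE);
  const challenge = crypto.randomBytes(16).toString("hex");
  const good = key.sign(SITE, challenge);
  return {
    genuine: verifyAssertion(SITE, challenge, publicKey, good),
    // Look-alike page relays the real challenge, but the browser reports its own origin.
    lookalike: verifyAssertion(SITE, challenge, publicKey, key.sign(LOOKALIKE, challenge)),
    // A different physical key, even one registered for the same site name, fails.
    otherKey: verifyAssertion(SITE, challenge, publicKey, otherKey.sign(SITE, challenge)),
    // An old response replayed against a fresh challenge is rejected.
    replay: verifyAssertion(SITE, crypto.randomBytes(16).toString("hex"), publicKey, good),
  };
}

console.log(demo());
```

A one-time code sent by text message has no equivalent of the `origin` field: whoever receives the code can submit it to the real service, which is why the look-alike case succeeds against SMS but not against a security key.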