Google has announced a hardware security key that is intended to keep users of its services safe from account-takeover attacks.
Dubbed “Titan Security Key”, the piece of hardware includes firmware developed by Google to verify the key’s integrity, according to the firm. The device, which per CNET will come in both USB and Bluetooth and won’t require any additional software drivers, will provide an additional authentication factor (i.e. “something the user has”) beyond the password (i.e. something the user knows).
With two-factor authentication (2FA), even if a malefactor gets their hands on your account credentials, they can’t get into your account unless they also possess that second chunk of authentication data. Most commonly, that second authentication factor comes in the form of a verification code that is either sent as a text message or can also be generated by an authenticator app. However, the adoption of physical tokens has been increasing at a fast clip, too.
“We’ve long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft,” the company said. The token is currently available to Google Cloud customers and is planned for general sale in the next few months.
The announcement comes on the heels of Google’s revealing for journalist Brian Krebs that none of its 85,000 employees have fallen prey to phishing attacks since early 2017, when the firm made the use of physical tokens mandatory for its staff. Previously it used one-time codes generated by a mobile app – Google Authenticator.
Google’s key conforms to the FIDO U2F (“Universal 2nd Factor”) specification and will enable the user to complete the log-in process by activating the token, as long as the user has first linked the piece of hardware to their account.
Back in 2014, Google added support for hardware-based 2FA authentication for Chrome users when they log into their Google accounts. Early this year, the company revealed that fewer than one in ten Google account holders use any given method of 2FA – indeed a rather meagre figure given that multifactor authentication offers a valuable additional layer of protection in exchange for little effort.