As of today, Google's Titan Security Keys are available through the Google Store for $50. The kit gives buyers two security keys, one of which can serve as a backup if you lose the other.
Titan Security Keys look and work like any other security keys on the market, so do not expect anything game-changing. But Google's keys can help protect your Google, Facebook, or Dropbox accounts from sophisticated phishing attacks.
Need for a physical key
A security key is a device that essentially adds a new step in the login process for the account. To break in, an attacker would need your password and the physical key that can sign a digital authentication request to unlock your account.
Unfortunately, most people still protect their accounts with just a password, which can make them too easy to break into. An attacker can simply guess the login information or craft an email to try to trick you into giving up the details.
To prevent account takeovers, the technology industry offers two-factor authentication (2FA). This forces a user to log in with both a password and another piece of information, usually a one-time password generated on a smartphone. The largest internet services all offer 2FA as a free way to protect online accounts, but this setup is also not completely hack-proof.
Making Your Account Unphishable
In rare cases, a persistent attacker can actually defeat two-factor authentication, said Christiaan Brand, a Google Cloud product manager.
Cybercriminals can get hold of the one-time 2FA password sent to the phone through what is called a "SIM swap," in which they impersonate the victim and trick the mobile provider into giving up access to the person's mobile account. Or they can forge an email from Google and convince victims to sign in to a Gmail page that is actually under the control of an attacker.
Brand says two-factor authentication makes it much more difficult for bad actors to break into your account. However, one-time passwords generated on the phone can still be given away, mostly because passwords and special codes are all digital, making them easy to send and copy.
Security keys also work against phishing attacks that trick you into visiting fake websites under the control of the hacker. The security key only starts the authentication process on the real website, not on fake sites that look legitimate to the human eye.
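The origin check described above, as an added example (not from the article, Google or the FIDO specifications): a simplified model, not the real FIDO wire format, in which the key keeps one key pair per registered site and signs the site's challenge together with the origin the browser reports. The class, function and domain names are constructed for illustration.

```javascript
// Added illustration: simplified model of a FIDO-style login, not the real wire format.
const crypto = require('node:crypto');

class SecurityKey {
  constructor() { this.credentials = new Map(); } // origin -> private key
  // Registration: create a key pair for this site; the site stores only the public key.
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.credentials.set(origin, privateKey);
    return publicKey;
  }
  // Login: the browser (not the user) reports which origin is asking.
  sign(origin, challenge) {
    const privateKey = this.credentials.get(origin);
    if (!privateKey) return null; // never registered here: nothing to hand over
    return crypto.sign('sha256', Buffer.from(`${origin}|${challenge}`), privateKey);
  }
}

// Site side: accept only a signature over its own origin and its own fresh challenge.
function siteAccepts(publicKey, origin, challenge, signature) {
  if (!signature) return false;
  return crypto.verify('sha256', Buffer.from(`${origin}|${challenge}`), publicKey, signature);
}

function runDemo() {
  const REAL = 'https://accounts.example.com';        // constructed origins
  const FAKE = 'https://accounts.example-login.test';
  const key = new SecurityKey();
  const realPublicKey = key.register(REAL);
  const challenge = crypto.randomBytes(16).toString('hex');

  const genuine = key.sign(REAL, challenge);
  // Look-alike page forwards the real site's challenge; the browser reports FAKE.
  const onFakePage = key.sign(FAKE, challenge);
  // Even with a credential for FAKE, the signature is useless to the real site.
  key.register(FAKE);
  const relayed = key.sign(FAKE, challenge);
  const nextChallenge = crypto.randomBytes(16).toString('hex');

  return {
    genuineLogin: siteAccepts(realPublicKey, REAL, challenge, genuine),          // true
    keySilentOnFakePage: onFakePage === null,                                    // true
    relayedSignature: siteAccepts(realPublicKey, REAL, challenge, relayed),      // false
    replayedSignature: siteAccepts(realPublicKey, REAL, nextChallenge, genuine), // false
  };
}

console.log(runDemo());
```

A one-time code carries no such binding: whichever page receives it can pass it on, which is the weakness in phone-based 2FA that the article describes.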
Google provided physical security keys to all company employees at the beginning of the year, and since then the company has reported no confirmed takeovers of work-related accounts.
How do the keys work?
Using a security key involves registering the device with the online account you want to protect. Services like Google, Facebook, Dropbox, Twitter and GitHub all support the technology, which you can enable in account settings, usually under the security section. (Here's a guide to using a security key with Google's Advanced Protection Program, its highest account security system.)
Activation will prompt you to connect the key to your computer. Once the registration process is complete, your account will now be associated with the security key.
You will also notice that services like Google, Facebook and Dropbox let you register more than one key, or disable any of them. This is useful if you lose a key and must use a backup.
Although Google's Titan kit contains two security keys, the two are designed differently. The first key can easily be plugged into a laptop's USB port. In addition, it has an NFC chip so it can work with an Android smartphone.
The other key is specifically designed to communicate
PCMag tried the Titan keys and found them to be generally easy to set up, but no different from other products on the market. Google's product also uses the FIDO authentication protocol, which other tech giants and security key manufacturers have all adopted. So if you already own a security key, you are not missing out on Google's technology.
The Bluetooth version of the key appears to be almost identical to one sold by Feitian Technologies, a Chinese company, but it actually contains some custom firmware from Google designed to ward off any tampering, even by suppliers in the supply chain.
Benefits and Limitations
People who are not familiar with security keys may have some questions. For example, do I always need the key to log in to my account? The answer is no, you do not. The key is usually only required for first-time logins from a new device. So feel free to travel without it.
But what if I lose a key? Well, do not panic.
"If you lose a key or drop it on the street, this key has no identifying information about you," said Sam Srinivas, a Google product management director. The company's Titan Security Keys are also designed with hardware that withstands attacks aimed at extracting the cryptographic information inside. To protect yourself, you only need to remove the lost key from your online accounts.
During our brief test of the Titan keys, PCMag found that it could take some effort to set them up with your online accounts. For whatever reason, our notebook and iPad did not always pick up the authentication request from the devices on the first try when connecting via USB and Bluetooth. So it can take some patience.
The Bluetooth version of the key is also encased in a hard plastic that may not survive the toughest drops. It also uses a battery that lasts for six months. The good news is that you can charge it through a micro USB port.
Currently, Google only sells Titan Security Keys in its U.S. online store as a pair, but plans to make them available in other markets soon. Business customers using Google Cloud can purchase individual keys.
Editor's Note: This story has been updated with more information about the Bluetooth version of the key.