In July, Google claimed its 85,000 employees had gone a full year without encountering any security mishaps following a mandatory requirement of using physical security keys for two-factor authentication. Now, its in-house security key is available for sale in the Google Store.
Two-factor authentication (2FA) is the bare minimum anyone should be doing to protect their accounts from social engineering hacks like phishing emails. The most common form of 2FA sends a user a text message with a unique code after they have entered their basic password. Unfortunately, that method is vulnerable because text messages can be intercepted. A physical key is far more secure, because a hacker would have to have the device in hand IRL in order to break into your account. Google said earlier this year that only 10 percent of Gmail users have implemented 2FA, and it wants to encourage people to take things a step further and buy its Titan security key.
The physical device appeared in the Google Store on Thursday, and it's really two devices. For $50, you get one USB key that can be inserted into your computer to prove that you are really you, and a backup device that communicates over NFC or Bluetooth. The idea is that Google's Advanced Protection Program requires two registered devices in case you lose one, and the NFC/Bluetooth device is more practical for unlocking a mobile device.
While it's easy to see this as Google trying to get a piece of the lucrative physical key industry, which serves enterprise customers making bulk purchases to protect targeted businesses, the company would also be spared a lot of headaches if its users were more secure. When Titan was first announced, it appeared there might be some bad blood between Google and Yubico, one of the leading physical key manufacturers. The two companies had previously worked together on developing the FIDO industry standard. Yubico's CEO claimed that they disagreed with Google's decision to go ahead with a Bluetooth implementation, and Yubico still feels that NFC is the only trustworthy wireless method of verification. The CEO also appeared to call into question the security of Google's manufacturing line.
At the time, a Google spokeswoman declined to comment when Gizmodo asked if they wanted to address those concerns. But in a blog post on Thursday, Christiaan Brand, Product Manager for Google Cloud, said a little more about the manufacturing process:
The firmware performing the cryptographic operations has been engineered by Google with security in mind. This firmware is permanently sealed into a secure element hardware chip at production time in the chip production factory. The secure element hardware chip that we use is designed to resist physical attacks aimed at extracting firmware and secret key material.
These permanently sealed secure hardware chips are then delivered to the production line that makes the physical security key device. Thus, the trust in Titan Security Key is anchored in the sealed chip as opposed to any other later step which takes place during device manufacturing.
Android Police points out that Google's keys look remarkably similar to devices by the trusted physical key manufacturer Feitian. We asked Google directly if Feitian is handling the assembly and a spokeswoman told us, "Google is the manufacturer of record and we contract a third party to produce the keys. The firmware is the most important piece here." That may be true, and there's no reason to believe Feitian producing the keys is something to worry about.
In its post, Google does not even try to kneecap its competitors and acknowledges that devices by Yubico, Feitian, and "many others" are quite good. The most important thing may be bringing people into Google's Advanced Protection Program, which offers services like informing you that your password has shown up in online dumps by hackers selling info or just causing chaos.
As far as Bluetooth being a security risk, we've seen vulnerabilities pop up in the standard, but you could always just stick with NFC for action verification with that device. Pick a key from any of the big names mentioned here and you should be just fine.