Google's $50 Titan Security Keys for consumer accounts now available in U.S.

Posted:
in General Discussion
Google has started to sell its Titan Security Keys to the public in the United States, expanding the availability of the Google-produced hardware tokens from just its cloud customers to anyone who wants to enhance the security of their Google account -- and they work on the Mac and iOS.




Originally developed as a FIDO security key for internal use before being sold to Google Cloud customers from July, the Titan Security Key's availability has been expanded to anyone who wants to add an extra physical security element to their account. At present, they are available to purchase through the Google Store for customers in the United States priced at $50, with availability in other markets expected soon.

The keys are a form of physical two-factor authentication, in a similar way to how an authenticator app or a text message to a designated smartphone is used. While SMS, code, or push notifications are useful, sophisticated attacks can potentially acquire this data and allow an attacker to reach the account.

Physical security keys, such as Titan Keys or those by Yubikey, are considered to be more secure than the software or information-based two-factor authentication systems. In the case of the Titan Keys, Google advises each includes firmware stored in a secure element hardware chip at the time of production, making it impossible to tamper with the firmware.

Since the keys are used to perform a long cryptographic handshake with the host rather than sharing a short and copyable code, this also makes the use of such keys much more secure.

After supplying the Titan Keys to its approximately 85,000 employees and requiring their use as a second security factor last year, Google claims not to have a single reported or confirmed instance of an account takeover from its staff caused through password phishing.

Consisting of USB and Bluetooth security keys, a USB-C to USB-A adapter, and a USB-C to USB-A cable, the kit is built to FIDO Alliance standards, with the same key able to be used to secure other supporting services, including Facebook, Twitter, and Dropbox.

Mac and iOS devices are supported, but in some cases macOS users may need to use a different browser than Safari to log in.

Comments

  • Reply 1 of 20
    gatorguygatorguy Posts: 19,275member
    Great idea but I'd be concerned about how durable those are. For now I'm sticking with Yubikey.
  • Reply 2 of 20
    lkrupplkrupp Posts: 6,398member
    Is this a joke? 
    anton zuykovwatto_cobra
  • Reply 3 of 20
    gatorguygatorguy Posts: 19,275member
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
  • Reply 4 of 20
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    lostkiwianton zuykovwatto_cobra
  • Reply 5 of 20
    gatorguygatorguy Posts: 19,275member
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    Nope. 
    It doesn't log anything, nor does it do anything other than authenticate your user credentials. Far more secure than passwords. Instead of the two-factor authentication you might be using now which generally requires a password and entering a texted security code which bad actors might see/use, this is a much stronger hardware-based solution. No physical key, no account access. 

    This explains it better than I can:
    https://www.yubico.com/solutions/fido-u2f/
    edited August 30
  • Reply 6 of 20
    nunzynunzy Posts: 662member
    Knowing Google, this is just a spying device.
    lostkiwicwingravwatto_cobra
  • Reply 7 of 20
    What if you lose it?
    watto_cobra
  • Reply 8 of 20
    Mike WuertheleMike Wuerthele Posts: 3,309administrator
    BittySon said:
    What if you lose it?
    This is why you get two for your $50. One to use, and one to put in a safe place.
  • Reply 9 of 20
    gatorguy said:
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    Nope. 
    It doesn't log anything, nor does it do anything other than authenticate your user credentials. Far more secure than passwords. Instead of the two-factor authentication you might be using now which generally requires a password and entering a texted security code which bad actors might see/use, this is a much stronger hardware-based solution. No physical key, no account access. 

    This explains it better than I can:
    https://www.yubico.com/solutions/fido-u2f/
    Anonymized highly protected users spells doom to Google's business model. Why would they want to do that, unless they thought of the ways to identify and track you better?
    lkruppwatto_cobra
  • Reply 10 of 20
    BittySon said:
    What if you lose it?
    This is why you get two for your $50. One to use, and one to put in a safe place.
    There must be a way to get a replacement or turn off MFA if you lose both, surely.
    watto_cobra
  • Reply 11 of 20
    gatorguy said:
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    Nope. 
    It doesn't log anything, nor does it do anything other than authenticate your user credentials. Far more secure than passwords. Instead of the two-factor authentication you might be using now which generally requires a password and entering a texted security code which bad actors might see/use, this is a much stronger hardware-based solution. No physical key, no account access. 

    This explains it better than I can:
    https://www.yubico.com/solutions/fido-u2f/
    Anonymized highly protected users spells doom to Google's business model. Why would they want to do that, unless they thought of the ways to identify and track you better?
    Encryption of user data transfers is not what this is about. It’s just a strongly encrypted method of assuring the validity of identity credentials — that is, establishing that you are who you say you are, and not one of these guys: https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-the-name-of-security/ .
  • Reply 12 of 20
    gatorguygatorguy Posts: 19,275member
    gatorguy said:
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    Nope. 
    It doesn't log anything, nor does it do anything other than authenticate your user credentials. Far more secure than passwords. Instead of the two-factor authentication you might be using now which generally requires a password and entering a texted security code which bad actors might see/use, this is a much stronger hardware-based solution. No physical key, no account access. 

    This explains it better than I can:
    https://www.yubico.com/solutions/fido-u2f/
    Anonymized highly protected users spells doom to Google's business model. Why would they want to do that, unless they thought of the ways to identify and track you better?
    It's for security. Imagine whatever silliness you want. It has zippity to do with ads or data or tracking, none of which can be affected by a hardware key. 
    Surely you're capable of doing a little research on your own. Do you really need spoon-feeding? I doubt it.
    edited August 30
  • Reply 13 of 20
    nunzy said:
    Knowing Google, this is just a spying device.
    Indeed.  

    And just so im clear: the company that has been revealed to be secretly invading my privacy in spite of my privacy settings is trying to sell me a device for $50 that helps ensure my data remains private.  
    nunzylkruppwatto_cobra
  • Reply 14 of 20
    zimmiezimmie Posts: 167member
    gatorguy said:
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    Nope. 
    It doesn't log anything, nor does it do anything other than authenticate your user credentials. Far more secure than passwords. Instead of the two-factor authentication you might be using now which generally requires a password and entering a texted security code which bad actors might see/use, this is a much stronger hardware-based solution. No physical key, no account access. 

    This explains it better than I can:
    https://www.yubico.com/solutions/fido-u2f/
    Anonymized highly protected users spells doom to Google's business model. Why would they want to do that, unless they thought of the ways to identify and track you better?
    This is a device for authenticating you to an account. It is literally the exact opposite of anonymized.

    As an aside, Google doesn't sell user data. That data is their competitive advantage. They sell the ability to target ads based on interests, not the ability to see users' interests. They collect data.
  • Reply 15 of 20
    gatorguygatorguy Posts: 19,275member
    zimmie said:
    gatorguy said:
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    Nope. 
    It doesn't log anything, nor does it do anything other than authenticate your user credentials. Far more secure than passwords. Instead of the two-factor authentication you might be using now which generally requires a password and entering a texted security code which bad actors might see/use, this is a much stronger hardware-based solution. No physical key, no account access. 

    This explains it better than I can:
    https://www.yubico.com/solutions/fido-u2f/
    Anonymized highly protected users spells doom to Google's business model. Why would they want to do that, unless they thought of the ways to identify and track you better?
    This is a device for authenticating you to an account. It is literally the exact opposite of anonymized.

    As an aside, Google doesn't sell user data. That data is their competitive advantage. They sell the ability to target ads based on interests, not the ability to see users' interests. They collect data.
    ..which the security key doesn't do anyway, nor does it even assist with it. 
  • Reply 16 of 20
    No fingerprint reader and it costs $50? Really?
    watto_cobra
  • Reply 17 of 20
    zimmiezimmie Posts: 167member

    nunzy said:
    Knowing Google, this is just a spying device.
    Indeed.  

    And just so im clear: the company that has been revealed to be secretly invading my privacy in spite of my privacy settings is trying to sell me a device for $50 that helps ensure my data remains private.  
    It isn't to ensure your data remains private, it is to ensure nobody else can impersonate you using your account. One side-effect of account compromise is the attacker can access all the data your account can, but the place holding your data can already do that.
    watto_cobra
  • Reply 18 of 20
    zimmiezimmie Posts: 167member
    gatorguy said:
    zimmie said:
    gatorguy said:
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    Nope. 
    It doesn't log anything, nor does it do anything other than authenticate your user credentials. Far more secure than passwords. Instead of the two-factor authentication you might be using now which generally requires a password and entering a texted security code which bad actors might see/use, this is a much stronger hardware-based solution. No physical key, no account access. 

    This explains it better than I can:
    https://www.yubico.com/solutions/fido-u2f/
    Anonymized highly protected users spells doom to Google's business model. Why would they want to do that, unless they thought of the ways to identify and track you better?
    This is a device for authenticating you to an account. It is literally the exact opposite of anonymized.

    As an aside, Google doesn't sell user data. That data is their competitive advantage. They sell the ability to target ads based on interests, not the ability to see users' interests. They collect data.
    ..which the security key doesn't do anyway, nor does it even assist with it. 
    The security key itself has nothing to do with data collection, obviously. It doesn't even give them more data on a user than an ordinary password. The data from an account using one may be a tiny bit more valuable to Google than the data from an account without one, simply due to the kind of person likely to buy a security key. The big step in data value comes from the user having an account at all.
    watto_cobra
  • Reply 19 of 20
    gatorguygatorguy Posts: 19,275member
    zimmie said:
    gatorguy said:
    zimmie said:
    gatorguy said:
    gatorguy said:
    lkrupp said:
    Is this a joke? 
    Hardly. It's an exceptionally secure way of authenticating your account. I use my Yibikey a couple times a week.
    Could this command higher ad revenues for 'authenticated' if 'anonymized' user data...?
    Nope. 
    It doesn't log anything, nor does it do anything other than authenticate your user credentials. Far more secure than passwords. Instead of the two-factor authentication you might be using now which generally requires a password and entering a texted security code which bad actors might see/use, this is a much stronger hardware-based solution. No physical key, no account access. 

    This explains it better than I can:
    https://www.yubico.com/solutions/fido-u2f/
    Anonymized highly protected users spells doom to Google's business model. Why would they want to do that, unless they thought of the ways to identify and track you better?
    This is a device for authenticating you to an account. It is literally the exact opposite of anonymized.

    As an aside, Google doesn't sell user data. That data is their competitive advantage. They sell the ability to target ads based on interests, not the ability to see users' interests. They collect data.
    ..which the security key doesn't do anyway, nor does it even assist with it. 
    The security key itself has nothing to do with data collection, obviously. It doesn't even give them more data on a user than an ordinary password. The data from an account using one may be a tiny bit more valuable to Google than the data from an account without one, simply due to the kind of person likely to buy a security key. The big step in data value comes from the user having an account at all.
    It doesn't just validate Google accounts...
    You can use the hardware key with nearly any browser and/or mobile device, and with several major websites beyond Google including Dropbox, Facebook, Twitter, Salesforce, etc. 
  • Reply 20 of 20
    clandestine8clandestine8 Posts: 1unconfirmed, member
    BittySon said:
    What if you lose it?
    This is why you get two for your $50. One to use, and one to put in a safe place.
    There must be a way to get a replacement or turn off MFA if you lose both, surely.
    You will be given single use backup codes which you can print off and store somewhere safe. Or you can go through an extensive manual identity verification process in order to reset and account. Ultimately the idea that you are physically tied to this key and if you lose it your account is unretrievable. This is the only way to truly protect an account from being compromised digitally or physically. Currently many 2FA methods get by passed by tricking mobile carriers into issuing new SIM cards or forwarding text messages. If this is possible with google's physical 2FA then it is no better than a text message. SO replacement is going to be difficult without backups.
    gatorguy
Sign In or Register to comment.