The average person in 2018 is at least aware of two-factor authentication in one form or another. Online banking is the most likely place they’ve encountered it, and unfortunately the experience is quite lacking. Even setting aside that SMS-based 2FA is not secure, remembering and entering a numeric code is a big inconvenience.
However, it is free and works with any phone, not even a smart one, so in light of countless online threats the adoption of two-factor is only going to increase. If it’s inevitable, the process should be improved, and one way to do that is through security keys.
Two-factor authentication works by asking users to confirm via a local device, presumed to be in their possession, that it is really them entering the login and password to an account. Methods include a code sent via SMS message that has to be manually entered, or a prompt with options to authorize or deny the login attempt.
The first method is widely considered to be insecure given how SMS can be spoofed, while most regular users should be well served by the built-in Google Prompt on Android and iOS. Phones are usually nearby, but they have to be charged; most security keys either never need charging or run for months on a battery. For example, imagine your phone is dead or lost, but you need to quickly send an email or IM via a public computer. With a security key, you could just plug it in and be on your way.
For those that want the highest level of security, many experts encourage using security keys based on the FIDO Universal 2nd Factor (U2F) protocol. After requiring security keys, Google’s 85,000+ employees have yet to be successfully phished, with other companies using G Suite reporting similar results.
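The reason U2F keys hold up against phishing is that the browser, not the web page, decides which origin a signature is bound to, and the key only signs for the origin it was registered under. The following model, added here as an illustration and not code from the article, from Google, or from any FIDO library, walks through that exchange: a relying party enrolls a key, a browser builds the client data from the origin it is actually on, and the key signs over the application parameter, a monotonic counter and the client data hash. Two simplifications are assumptions for a stdlib-only demo: the per-credential ECDSA P-256 keypair of real U2F is replaced by an HMAC secret shared with the relying party, and the origins, user name and challenge format are constructed.

```python
"""U2F-style origin binding and counter check, modelled with the stdlib.

Assumption: signing is HMAC-SHA256 over the same fields real U2F signs with
ECDSA P-256 (application parameter || user-presence byte || counter ||
challenge parameter). The structure of what is signed and checked is the
point; the signature primitive is a stand-in.
"""
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Stand-in for a U2F token: one secret per registration, bound to the
    application it was registered for, plus a monotonic signature counter."""

    def __init__(self):
        self._creds = {}  # key_handle -> (app_param, secret)
        self.counter = 0

    def register(self, app_param: bytes):
        handle = secrets.token_bytes(16)
        secret = secrets.token_bytes(32)
        self._creds[handle] = (app_param, secret)
        # In real U2F the RP would receive a public key here, not a secret.
        return handle, secret

    def authenticate(self, app_param: bytes, key_handle: bytes, challenge_param: bytes):
        # A token refuses a key handle presented under a different application
        # than the one it was registered for; this is the first phishing defence.
        if key_handle not in self._creds or self._creds[key_handle][0] != app_param:
            raise ValueError("key handle not valid for this application")
        self.counter += 1
        payload = app_param + b"\x01" + self.counter.to_bytes(4, "big") + challenge_param
        sig = hmac.new(self._creds[key_handle][1], payload, hashlib.sha256).digest()
        return self.counter, sig


def client_sign(key: SecurityKey, origin: str, challenge: str, key_handle: bytes):
    """Browser side. The origin comes from the page actually loaded, never from
    anything the page sends, and is committed into the signed client data."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    app_param = sha256(origin.encode())
    counter, sig = key.authenticate(app_param, key_handle, sha256(client_data))
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.app_param = sha256(origin.encode())
        self.users = {}  # user -> {"handle", "secret", "counter"}

    def enroll(self, user: str, key: SecurityKey) -> bytes:
        handle, secret = key.register(self.app_param)
        self.users[user] = {"handle": handle, "secret": secret, "counter": 0}
        return handle

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, user: str, challenge: str, client_data: bytes, counter: int, sig: bytes) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        cd = json.loads(client_data)
        # 1. Challenge must be the one we issued and origin must be ours.
        if cd.get("challenge") != challenge or cd.get("origin") != self.origin:
            return False
        # 2. Signature must cover our app param, the counter and the client data hash.
        payload = self.app_param + b"\x01" + counter.to_bytes(4, "big") + sha256(client_data)
        expected = hmac.new(rec["secret"], payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        # 3. Counter must strictly increase; a replayed or cloned assertion fails here.
        if counter <= rec["counter"]:
            return False
        rec["counter"] = counter
        return True


def legitimate_login() -> bool:
    key, rp = SecurityKey(), RelyingParty("https://accounts.example")
    handle = rp.enroll("alice", key)
    ch = rp.new_challenge()
    cd, ctr, sig = client_sign(key, "https://accounts.example", ch, handle)
    return rp.verify("alice", ch, cd, ctr, sig)


def phished_login() -> bool:
    """A lookalike site relays the real challenge, but the browser is on the
    lookalike origin, so the key refuses before anything can be relayed back."""
    key, rp = SecurityKey(), RelyingParty("https://accounts.example")
    handle = rp.enroll("alice", key)
    ch = rp.new_challenge()  # relayed verbatim by the lookalike site
    try:
        client_sign(key, "https://accounts-example.invalid", ch, handle)
    except ValueError:
        return False
    return True


def replayed_login():
    """The same assertion presented twice: the counter check rejects the second."""
    key, rp = SecurityKey(), RelyingParty("https://accounts.example")
    handle = rp.enroll("alice", key)
    ch = rp.new_challenge()
    cd, ctr, sig = client_sign(key, "https://accounts.example", ch, handle)
    return rp.verify("alice", ch, cd, ctr, sig), rp.verify("alice", ch, cd, ctr, sig)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished:", phished_login())
    print("replayed:", replayed_login())
```

Note that even if a token did sign under the wrong origin, the relying party's own check of `origin` in the client data and its recomputation of the application parameter would still reject the assertion; the defence does not rely on the user noticing the lookalike address.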
The Titan Security Key features a chip with firmware engineered by Google to resist physical attempts at extracting the code. That firmware is sealed permanently during the secure element’s production and cannot be tampered with. Afterwards, that chip is then delivered to the manufacturing line for assembly of the rest of the key.
While there’s a range of third-party offerings, Google developed its own key after hearing that customers wanted a complete end-to-end hardware and software solution. The key is specifically targeted at IT administrators and other high-value users that have access to sensitive data. Enterprise customers have been able to purchase units since last month.
Starting today, any security-minded individual is able to buy a two-key bundle from the Google Store. The first is shaped like a traditional house key featuring USB-A and NFC. The former connection is used for laptops and desktops, while the latter can be used with phones. At launch, this NFC functionality is not yet operational. Later this year, though, users will be able authenticate by tapping the key to the back of Android devices.
The lack of USB-C on the key is surprising given Google’s adoption of it on its other hardware devices. While clunky, USB-A to USB-C adapters work, and Google includes one in the kit. With more and more devices featuring the universal connector, Google notes that a USB-C version is on the roadmap, but has no specific timeframe. Google chose USB-A first as it is easier to go from the legacy connector to USB-C with an adapter than the other way round.
After logging in, users are prompted to plug in the key and press a physical button that indents slightly. The key is white and prone to scuffing, especially when carried on a keychain. The “Titan” brand is engraved on the side opposite the gold-colored button.
The second model can also be plugged into a computer, but requires that users connect a cable to the micro-USB port at the bottom. Unlike the first, this Security Key has a battery due to the inclusion of Bluetooth Low Energy, but it’s rated for six months, and an indicator light blinks when the battery is almost depleted.
The plastic casing is somewhat glossy and features a printed Bluetooth Passcode and Device ID on the rear. Besides the battery status indicator at the bottom, there are also Bluetooth and Authentication indicators in the top left and right, respectively.
This model is aimed at both Android and iOS mobile devices: users tap the sole oval button when prompted, and NFC support is also coming later this year. Google advises users to keep this Key on a keychain with them, while the first unit should be stored somewhere safe.
The set-up process for regular Gmail, Photos, and Drive users involves going to “My Account” on the web and then “Sign-in & security.” On the “Signing in to Google” page, there is a “2-Step Verification” setting where you can “Add security key.” Onscreen prompts walk users through the entire set-up.
To enable the Bluetooth key, users are prompted on their next mobile login to pair the device with their phone by entering the PIN code printed on the back of the fob.
Google encourages users (by selling the two-device bundle) to always have an activated backup key stored in a safe location in case the first unit is lost. Accounts at Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter can also be authenticated with the same Security Key.
As I noted in my hands-on with the USB Key in July, Google is making these higher levels of security more visible by offering it on the Google Store alongside its other hardware products.
At the end of the day, Google is bringing its brand to the 2FA market. Back in January, Google noted that less than 10% of account owners use any method of two-factor authentication. Google making its own key — and importantly selling it on the Google Store — will definitely spur more average, but still technically savvy, users to give two-factor authentication a try.
Since setting up a Security Key last month, I’ve rarely found myself logging into anything on a phone. I think that usage pattern will bear out for most people, and that Google’s advice of carrying the Bluetooth model at all times will not pan out.
On the other hand, I use the USB key and permanently attached USB-C adapter on my laptop several times a week. Like all dongles, it’s not an elegant solution, but I do find it faster than the Google Prompt and in my experience it takes less effort.
At the end of the day, Security Keys are supposed to be reliable utilities that don’t require active management and work when you need them. They add a noticeable level of security without much hassle for end users.
A 2FA Security Key is not for everyone, but at the same time, its simplicity allows anyone with a basic level of tech-savviness to adopt it into their security practices. It’s a step up from remembering a code, and more reliable than having a fully charged phone with you in emergencies when you need to get online. They also can’t be hijacked like your phone number can.
The $50 Bundle featuring two keys is available starting today in the United States through the Google Store. It is coming soon to more countries.