Google is not afraid of bold claims.
"There have been no reports or confirmed account takeovers since implementing security keys on Google," a spokesperson told TechCrunch.
And that's probably true. Think of a security key as being like a two-factor authentication code sent to your phone, except that it's a USB stick in your pocket. Two-factor authentication is stronger than just a username and password, but text message codes can be intercepted, and many sites and services do not yet support the stronger authentication codes. Security keys are one of the strongest defenses against account fraud. That's because a hacker on the other side of the world needs not only your password, but your physical key.
Although there's a handful of security key brands out there – Yubikey and Feitian, to name but two – Google thinks it can do better with its own Titan security keys.
As of Thursday, the company's proprietary, in-house developed security keys can be purchased. One is a USB stick and the other supports Bluetooth and NFC for mobile devices. You need to register both keys – one stays in a safe place and the other stays with you.
These keys are no different from the keys previously offered by Google under the Advanced Protection Program, which helps high-risk users like journalists, activists and government officials protect their accounts from sophisticated nation-state hackers. In fact, they look almost identical. But the company says these keys have something that makes them stronger and more resilient than any other security key on the market.
First, the search giant says it took what's already available – like the FIDO standards – and added additional protection features. The company also praises its own special sauce: the firmware embedded on each key, which protects against tampering. Each key stores its firmware in a secure element that cannot be modified. This prevents anyone from extracting the private data on the key that authenticates you when you log in to Google. By sealing the cryptographic material before the hardware chips are delivered to the factory where the keys are assembled, Google reduces the risk of an attack on the production line.
You can use either key with just about any modern browser and mobile device, and a number of websites beyond Google support logging in with a key, including Dropbox, Facebook, Salesforce, Stripe and Twitter.
But beyond that, it's just another security key.
But although they are almost impervious to attack, these keys – like any other on the market – are fiddly and awkward to use. And that comes from someone who lives and breathes security – and uses a security key.
Google is not close to fixing this issue. Granted, any kind of two-factor authentication is a pain, but it's a price you pay for the gold standard to keep your account safe. Each time you sign in to your account from a new device, you will be asked to enter your email address and password. A quick press of your key – either via Bluetooth or an inserted USB key – tells Google that you are the right account holder.
One downside to a physical key is that if you lose it, you're toast. That's why you have two keys – one is intended as a backup. Google says it can help you get access to your account again, but the recovery process can take days.
Do you need a key? It depends on how paranoid you are.
The reality is that these keys are not for the masses – not yet. Although physical keys were developed with high-value targets in mind, they also stop even the most basic attacks on inexperienced users. Phishing attacks, in which someone sends you an e-mail to trick you into entering your e-mail address and password, are common. If they have your password, they have your data. But security keys only work on the legitimate domain you are logging in to, so phishing attempts become virtually useless.
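The reason a key "only works on the legitimate domain" is that the browser records the origin it is actually on and the key signs over it, so a look-alike site cannot reuse the result. The following is an added example, not code from the article or from Google, that models that check in simplified form: the origins are constructed placeholders, and an HMAC over a constructed secret stands in for the asymmetric signature a real FIDO key produces inside its secure element.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the per-site credential a real FIDO key holds in its
# secure element. A real key signs with an asymmetric key pair; HMAC is used here
# only so the example runs without third-party libraries.
AUTHENTICATOR_SECRET = b"constructed-authenticator-secret"

LEGIT_ORIGIN = "https://accounts.example.test"          # constructed relying-party origin
PHISH_ORIGIN = "https://accounts-example.test.invalid"  # constructed look-alike origin


def authenticator_sign(rp_id: str, client_data_bytes: bytes) -> bytes:
    """The key never sees a URL bar; it signs whatever (rp_id, client data)
    the browser hands it, and the browser derives both from the page's real origin."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    client_data_hash = hashlib.sha256(client_data_bytes).digest()
    return hmac.new(AUTHENTICATOR_SECRET, rp_id_hash + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(page_origin: str, challenge: str) -> tuple[bytes, bytes]:
    """Model of the browser: it stamps the origin it is actually on into the
    client data (page JavaScript cannot override this), then asks the key to sign."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    client_data_bytes = json.dumps(client_data, sort_keys=True).encode()
    rp_id = page_origin.split("://", 1)[1]
    return client_data_bytes, authenticator_sign(rp_id, client_data_bytes)


class RelyingParty:
    """Server-side verifier for the legitimate site."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.pending: dict[str, str] = {}

    def issue_challenge(self, user: str) -> str:
        # A fresh random challenge per login attempt defeats replay of old assertions.
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, client_data_bytes: bytes, signature: bytes) -> tuple[bool, str]:
        client_data = json.loads(client_data_bytes)
        expected = self.pending.pop(user, None)
        if expected is None or not hmac.compare_digest(client_data.get("challenge", ""), expected):
            return False, "unknown or replayed challenge"
        # Origin binding: the browser wrote the real page origin, so a relay fails here.
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch"
        # Signature check over the exact client data bytes and this site's rp_id.
        expected_sig = authenticator_sign(self.rp_id, client_data_bytes)
        if not hmac.compare_digest(signature, expected_sig):
            return False, "bad signature"
        return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    rp = RelyingParty(LEGIT_ORIGIN)
    challenge = rp.issue_challenge("alice")
    return rp.verify("alice", *browser_get_assertion(LEGIT_ORIGIN, challenge))


def relayed_phish() -> tuple[bool, str]:
    """A look-alike site forwards a real challenge to the victim and relays the
    assertion. The browser stamped the phishing origin, so the real site refuses it."""
    rp = RelyingParty(LEGIT_ORIGIN)
    challenge = rp.issue_challenge("alice")
    return rp.verify("alice", *browser_get_assertion(PHISH_ORIGIN, challenge))


def tampered_phish() -> tuple[bool, str]:
    """Even if the relay rewrites the origin field to the real one, the key's
    signature covered the original client data and the original rp_id."""
    rp = RelyingParty(LEGIT_ORIGIN)
    challenge = rp.issue_challenge("alice")
    client_data_bytes, signature = browser_get_assertion(PHISH_ORIGIN, challenge)
    client_data = json.loads(client_data_bytes)
    client_data["origin"] = LEGIT_ORIGIN
    forged = json.dumps(client_data, sort_keys=True).encode()
    return rp.verify("alice", forged, signature)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed:   ", relayed_phish())
    print("tampered:  ", tampered_phish())
```

The two failure paths are the point: the origin check rejects a straight relay, and the signature check rejects any attempt to patch the origin afterwards, because the key signed the original bytes. A text-message code has no equivalent binding, which is why it can be phished and a key cannot.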
And although Google says the devices are secure, Yubikey – a major developer of security keys – criticized Google for supporting Bluetooth, saying it adds another avenue of attack for anyone nearby, and citing recent Bluetooth flaws. An attacker within short range of the Bluetooth device could theoretically intercept a user's encryption key wirelessly. Despite the criticism, the scope of such attacks is so narrow that they are almost negligible – but everyone's risk profile is different.
We are still in the early days of security keys. Although Google wants these keys to be cheap, accessible and available to the masses, there are too many barriers for the average user – even so –
But for those who know they need this extra layer of protection, these keys could be enough to save you from catastrophe.