This month, Google revealed the extreme effectiveness of FIDO Universal 2nd Factor (U2F) security keys against phishing within the company. Google has now announced that it has built its own U2F security key, called the Titan Key, which promises secure and easy-to-use PC and mobile authentication for both enterprise cloud customers and consumers.
Google’s U2F-Based Titan Key
The best-known security key maker right now is Yubico, which is also a founding member of the FIDO Alliance, the same group that develops the U2F and WebAuthn standards for secure, easy-to-use, hardware-backed authentication.
Yubico has consistently released quality security keys with support for PCs, mobile phones and even servers, which is why its keys have become so popular. Google now plans to give Yubico a run for its money by launching the Titan Key.
On the dedicated page for its security key, Google claims Titan Key is something every security-conscious user should have and is an absolute must for IT professionals and other similar high-value targets.
Google’s own developers wrote custom firmware for the Titan Key that verifies the integrity of the generated encryption keys at the hardware level. Google’s security key uses the same FIDO U2F standard as everyone else, including Yubico. It works with the company’s own G Suite, Cloud Identity and Cloud Platform, as well as third-party services such as GitHub, Dropbox and Facebook.
Although Google is only making the Titan Key available to its cloud customers for now, it will soon sell the security key in its Play Store so anyone can get one.
The Need For More Secure Authentication
These days, we seem to hear about a major data breach or leak exposing the data of millions or tens of millions of users every month or two, if not more often. Large companies almost seem defenseless against sophisticated attackers, although they are certainly not without blame either. The data breaches are usually enabled by companies continuing to use legacy and unpatched software, by poor security practices that don’t emphasize endpoint security strongly enough, and by social engineering or phishing.
According to Google, a common phishing attempt is to put up a fake website that pretends to be a Google service (such as Gmail) and asks for a two-factor authentication code. Once the criminals get that code, and assuming they’ve already obtained the victim's password, they can then attempt to recover credentials for work-related data too. Eventually, they can gain access to data hosted by certain cloud providers or by enterprise companies hosting it on their own servers.
How U2F Keys Improve Authentication
U2F security keys have proven to be virtually invulnerable to phishing, which is why they're increasingly being adopted, even by U.S. federal agencies. They're not just highly resistant to phishing; they're also as easy to use as pressing one button on the key plugged into your device when you're trying to log into a website.
The reason U2F keys make phishing so difficult is that the public key a U2F security key registers is tied to the corresponding website, so the response the key produces when a user tries to authenticate simply will not work with a fake website.
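To make that origin binding concrete, here is an added example (not Google's or Yubico's code, and a simplification of the real U2F protocol): a simulated token that holds one key pair per origin, a browser that asks it to sign with the origin it is actually showing, and a site that verifies against its own origin. The origins and challenge strings are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token is a simplified U2F device: one P-256 key pair per application parameter (SHA-256 of the origin).
type Token struct {
	keys    map[[32]byte]*ecdsa.PrivateKey
	counter uint32
}
func NewToken() *Token { return &Token{keys: map[[32]byte]*ecdsa.PrivateKey{}} }
// Register creates a key pair bound to origin; the site stores only the public key.
func (t *Token) Register(origin string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.keys[sha256.Sum256([]byte(origin))] = priv
	return &priv.PublicKey
}

// signedMessage is the U2F authentication message: SHA-256(origin) || user-presence
// byte || counter || SHA-256(clientData), clientData being built from challenge and origin.
func signedMessage(origin string, counter uint32, challenge string) []byte {
	cd := fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, origin)
	app, chal := sha256.Sum256([]byte(origin)), sha256.Sum256([]byte(cd))
	msg := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, chal[:]...)
}

// Sign is the browser's request to the token, carrying the origin actually being shown.
func (t *Token) Sign(origin, challenge string) (counter uint32, sig []byte, err error) {
	priv, ok := t.keys[sha256.Sum256([]byte(origin))]
	if !ok {
		return 0, nil, fmt.Errorf("no credential registered for %s", origin)
	}
	t.counter++
	h := sha256.Sum256(signedMessage(origin, t.counter, challenge))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return t.counter, sig, err
}

// Verify is the site's check: it rebuilds the message from its OWN origin and the
// challenge it issued, so a response produced for a look-alike origin cannot pass.
func Verify(pub *ecdsa.PublicKey, rpOrigin, challenge string, counter uint32, sig []byte) bool {
	h := sha256.Sum256(signedMessage(rpOrigin, counter, challenge))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A look-alike site never gets a usable response: the token has no credential for its origin, and even a key registered there signs a message the real site will not accept.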