Google launches its own security keys
July 26th, 2018
Two-factor authentication (2FA) has long been an effective protection against account hacking – meaning would-be intruders need something else besides a username and password, usually a code from a phone, to gain access – and today Google is taking 2FA one step further with its own security keys.
If you've set up 2FA on your social networking accounts, or your Google or Apple IDs, you might be familiar with the process of entering a code sent over SMS or generated via an authenticator app. Security keys replace that extra code with something physical that needs to be connected to the computer during the login process.
There's always the chance of losing your key, of course, in which case you would need to nominate a backup method for getting into your account again (like a message to a separate email account). In theory though, the technique is more secure than a text or app code, because those codes can be more easily intercepted.
What's more, security keys such as the new ones unveiled by Google can work without a network and without battery power, which is useful for people on the go.
Google's new product is called the Titan Security Key. Matching up with existing 2FA standards, it comes as either a USB stick for laptops and desktops, or as a Bluetooth dongle for connecting up to mobile devices.
"We've long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft," says Google's Jennifer Lin in a blog post.
Security keys as part of 2FA aren't new, and you can already log into sites like Gmail and Facebook with keys from the likes of Yubico. That Google is now making its own products emphasizes just how secure the company thinks they can be, when used correctly.
Earlier this week, Google revealed its employees have been required to use security keys since early 2017, reducing the number of successfully phishing attacks down to zero in the meantime. Even if hackers get hold of usernames and passwords, they can't gain access to any accounts without the physical key.
Google is providing them for cloud business customers first, but says they will go on sale to everyone via the Google Store in the near future. Prices will be in the region of US$20-25 for a single key, or $50 for both the USB and Bluetooth models, CNET reports.
It's definitely worth the few minutes these keys take to set up to keep your accounts better protected, whether you buy from Google or invest in a third-party alternative. However, the account itself also needs to support security key access: The likes of Google, Facebook, Twitter, and Dropbox already do.