In July, we announced Titan Security Keys, FIDO security keys built with a hardware chip that includes firmware engineered by Google to verify the keys’ integrity. Starting today, Titan Security Keys are available for purchase on the Google Store.
Security keys can help to secure your Google Account as well as other consumer and enterprise services by helping to defend against phishing and other social engineering attacks that attempt to steal user credentials. Google considers security keys based on the FIDO standards to be the strongest, most phishing-resistant method of 2-step verification (2SV)--also referred to as two-factor authentication (2FA) or multi-factor authentication (MFA)--on the market today.
Security keys are appropriate for any security-conscious user, and we recommend that all users, especially high value ones such as IT administrators, consider authenticating via security keys. Titan Security Keys can be used anywhere security keys are supported as a second factor of authentication, including Google’s Advanced Protection Program that is designed for anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams.
Here’s more on how security keys help protect your accounts, and how the Google-designed firmware in Titan Security Keys verifies their integrity.
Enhanced account protection
Attackers are always looking for new ways to compromise user accounts and access sensitive data. According to the Verizon 2018 Data Breach Investigations Report, 41.6% of breaches occurred as a result of stolen passwords, phishing, and pretexting.
With phishing attacks only growing in sophistication, many organizations take a defense-in-depth strategy to elevate their security posture. Common approaches include employing advanced phishing protection to filter phishing emails, warning users of suspected phishing attacks, improving user education through training, and implementing traditional two-step verification (2SV) systems that use SMS, code, or push notifications. While any form of 2SV considerably improves user security, sophisticated attacks can sometimes skirt around them to compromise user accounts.
Starting in 2012, we have been working with Yubico and NXP to develop and deploy security keys internally. At Google, we have had no reported or confirmed account takeovers due to password phishing since we began requiring security keys as a second factor for our employees.
Security keys use a protocol based on standard public key cryptography—the client registers a public key with the online service at initial setup, and during the authentication, the service asks the client to prove its ownership of the private key by providing a cryptographic signature. We jointly contributed these 2SV technical specifications to the FIDO Alliance, and Google launched support in Gmail in 2014.
Because we believe in the effectiveness of security keys to protect user accounts, we recommend and enable Google Cloud customers to enforce the use of security keys in their organizations. Consumers can also protect their Google Accounts using security keys for 2SV or by signing up for the Advanced Protection Program, Google's strongest security for personal accounts.
Titan Security Keys are designed to make the critical cryptographic operations performed by the security key strongly resistant to compromise during the entire device lifecycle, from manufacturing through actual use.
The firmware performing the cryptographic operations has been engineered by Google with security in mind. This firmware is sealed permanently into a secure element hardware chip at production time in the chip production factory. The secure element hardware chip that we use is designed to resist physical attacks aimed at extracting firmware and secret key material.
These permanently-sealed secure element hardware chips are then delivered to the manufacturing line which makes the physical security key device. Thus, the trust in Titan Security Key is anchored in the sealed chip as opposed to any other later step which takes place during device manufacturing.
Google believes in open standards that can ignite a thriving ecosystem. FIDO standardizes the authentication protocol used between the client and the online service, and this protocol is being implemented by many popular operating systems (including Android and Chrome OS) and browsers (including Chrome). Security keys can be used to authenticate to Google as well as Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and other services that support FIDO standards.
In addition to Yubico, FIDO security keys are offered by a strong ecosystem of companies including Feitian and many others. Titan Security Keys are one more option for security-conscious users and organizations looking to implement security keys, such as the data insights company Enplore.
“Our customers trust us to discover insights from their complex data sources, and we are dead serious about data security,” says Niklas Bivald, CTO, Enplore. “We implemented Titan Security Keys across our company to better defend against phishing while maintaining a simple user experience for our employees.”
It’s easy to get started with Titan Security Keys. Kits of two keys (one USB and one Bluetooth) are now available to U.S. customers on the Google Store (and coming soon to additional regions). Titan Security Keys are also available to enterprise customers through a Google Cloud representative or our partner, Insight.
Titan Security Keys can be used anywhere FIDO security keys are supported. To set them up with your Google Account, sign in and navigate to the 2-Step Verification page (see detailed instructions here). Google Cloud admins can enable security key enforcement in G Suite and GCP (through Cloud Identity) to ensure that users use security keys for their accounts.