Google pledges to foil phishing attacks with new Titan Security Key

If you trust Google, this is the second-factor security key for you.
Written by Liam Tung, Contributing Writer

After boasting that security keys like Yubico's Yubikey had protected all 85,000 of its employees from every single phishing attack since early 2017, Google has launched its Titan Security Key.

The Titan Security Key reduces the risk of attackers using stolen credentials to access a user's account, as the security key is also required to log in.

Google says it developed the firmware to verify the integrity of the second-factor login, which uses cryptography to ensure you're logging into the site you registered the key with, and verifies the key is correct.

Since the keys don't rely on one-time codes, either generated by an app or sent over SMS, there's also less chance an attacker can guess or intercept them.

The Google-designed keys are initially being made available to Google Cloud customers and then will be sold via the Google Store.

Google revealed the key at the Google Cloud Next conference in San Francisco yesterday.

ZDNet's sister site CNET got a brief hands-on with Google's Titan key and notes that it will come in both USB and Bluetooth varieties, both of which will be available in the Google Store in the next few months.

Users can buy a bundle with the USB and Bluetooth versions for $50, or buy either alone for about $20 to $25 each.

Previously, Google has promoted the Yubikey as the go-to key for second-factor authentication, but now the company's Titan will offer an alternative. Unlike Google's Titan, Yubikey's security keys don't support Bluetooth but do support USB-A, USB-C, and NFC.

Yubikey gave its reasons for not supporting Bluetooth in a recent blog post, noting that Bluetooth devices need batteries and that it felt the certifications it had to pass were too great an obstacle.

Besides this, various tech firms -- including Apple, Qualcomm and Intel -- are currently fixing a critical Bluetooth flaw, caused by a validation problem with some vendors' implementation of the cryptographic key exchange, that could allow a man-in-the-middle attack when two devices are pairing.

A Google rep told CNET that it is not looking to compete with Yubico or other security key makers, but merely offering customers more choice.

"The Titan Key is specifically for customers who want security keys and trust Google," said Sam Srinivas, a product management director for information security at Google.

"We've long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft," Jennifer Lin, product management director at Google Cloud, wrote in a blog post.

"Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key."

The Titan Security Key conforms with FIDO's U2F specification. FIDO is the same group that is contributing to the new W3C WebAuthn standard for using security keys, phones and biometrics to sign in to websites via Chrome, Edge, and Firefox.
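
The check the article describes earlier ("ensure you're logging into the site you registered the key with") can be sketched from the website's side for a U2F-style assertion. This is an added example, not Google's or FIDO's code; the origins, challenges and key pair are constructed, and it simplifies U2F by using one key pair and treating the site's origin as its appId.

```javascript
// Added example (not Google's or FIDO's code): U2F-style origin binding.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Constructed sample values: the site's origin and the key pair created when
// the key was registered (the site stores only the public half).
const APP_ID = 'https://accounts.example.com';
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', {
  namedCurve: 'prime256v1',
});

// Browser + key: the browser writes the origin it is really on into clientData;
// the key signs appParam || presence+counter || SHA-256(clientData).
function signAssertion(originSeenByBrowser, challenge, counter) {
  const clientData = JSON.stringify({
    typ: 'navigator.id.getAssertion', challenge, origin: originSeenByBrowser,
  });
  const header = Buffer.alloc(5);
  header.writeUInt8(0x01, 0);       // user-presence bit (key was touched)
  header.writeUInt32BE(counter, 1); // signature counter, increases per use
  const signed = Buffer.concat([sha256(originSeenByBrowser), header, sha256(clientData)]);
  return { clientData, header, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Website: rebuild the signed bytes from its OWN origin, never the client's claim.
function verifyAssertion(a, expectedChallenge, lastCounter) {
  const client = JSON.parse(a.clientData);
  if (client.typ !== 'navigator.id.getAssertion') return 'bad-type';
  if (client.challenge !== expectedChallenge) return 'bad-challenge';
  if (client.origin !== APP_ID) return 'wrong-origin';
  const signed = Buffer.concat([sha256(APP_ID), a.header, sha256(a.clientData)]);
  if (!nodeCrypto.verify('sha256', signed, publicKey, a.signature)) return 'bad-signature';
  if ((a.header[0] & 0x01) === 0) return 'no-user-presence';
  if (a.header.readUInt32BE(1) <= lastCounter) return 'counter-replay';
  return 'ok';
}

// A login on the real site, then one produced on a constructed look-alike origin.
const genuine = signAssertion(APP_ID, 'challenge-1', 5);
const relayed = signAssertion('https://accounts.example.net', 'challenge-2', 6);
// Editing the origin field afterwards changes SHA-256(clientData), so the signature fails.
const rewritten = { ...relayed, clientData: relayed.clientData.replace('example.net', 'example.com') };

console.log(verifyAssertion(genuine, 'challenge-1', 4));
console.log(verifyAssertion(relayed, 'challenge-2', 5));
console.log(verifyAssertion(rewritten, 'challenge-2', 5));
console.log(verifyAssertion(genuine, 'challenge-1', 5));
```

Unlike a one-time code, the response carries the origin inside the signed data, so a response produced on a different site does not verify at the real one.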