You may remember a news item that made the rounds a little more than a month ago about how Google prevented phishing attacks on its more than 85,000 employees by changing how it deployed two-factor authentication (2FA). Rather than relying on one-time codes sent via text or through an authenticator app, the company began requiring employees to use a physical USB key for 2FA.
Google gave the widely anticipated Titan Security Key a wide release at the Google Store on August 30, 2018. The key will set you back $50, and includes both a USB and Bluetooth key, along with various adapters to accommodate several types of connections.
Like YubiKey (Google’s main competitor in the physical 2FA space), the Titan keys are built around the Fast Identity Online (FIDO) Alliance standards. The FIDO standards require that manufacturers and developers use multi-factor authentication solutions that keep security keys (be it a physical key or biometrics) stored on a device. Keeping security keys off third-party servers prevents (or at minimum seriously complicates) phishing, man-in-the-middle, and other types of credential-based attacks.
Security researcher Brian Krebs points out that not all web browsers support Universal 2nd Factor (U2F) authentication yet, but the tech heavies (Apple’s Safari and Microsoft’s Edge browsers, for example) are moving in that direction. So, while physical keys won’t function with every service yet, it’s quite likely that they will soon. Currently, in addition to Google services, Dropbox, Facebook, and GitHub are among those with U2F support baked in.
Though the keys are available to purchase, there’s currently a waitlist, so some patience is required.