Google’s own two-factor authentication (2FA) physical security keys are now available to add an extra layer of protection against phishing attacks.
Gmail users now have one more ultra-secure option to implement 2FA on their account, which until now has included the Google app or its Authenticator app, or for higher-risk users, hardware security keys from Yubico or Feitian.
Now users can buy a set of Google’s Titan security keys for $50 on the Google Store. The bundle includes one Bluetooth key for wireless authentication that can be used with Android and iOS devices, as well as computers, while the other needs to be plugged into a USB port on a computer or Android device. NFC support is coming in the future, according to Google.
Google's keys are currently available only in the US store, but the company says it will be rolling them out to other regions soon.
The main difference from existing key options is that they come with Google-built firmware that’s added to the keys’ hardware chip during production at the chip-making factory, which happens prior to their delivery to the device manufacturer.
The idea was to protect the firmware and secret cryptographic key material from attackers who get physical access to the keys.
Google doesn’t guarantee this will prevent all attacks, but argues it makes the keys “strongly resistant” to them, from production through to their use.
The Titan keys are also built to FIDO Alliance standards, meaning they can be used with online services that support FIDO, like Twitter, Facebook and Dropbox, and they will also be compatible with major browsers, including Chrome, Firefox, Opera, and Edge, via their support for the W3C’s WebAuthn or Web Authentication, the emerging standard for password-less sign-in.
The Titan keys can also be used with Google’s recently launched locked-down version of Gmail known as the Advanced Protection Program that caters to at-risk users, such as journalists, politicians and business execs.
Google launched its own Titan key after rolling out hundreds of thousands of Yubico keys for its own staff and claims its staff haven't been successfully phished since.
One of Yubico’s key criticisms of the Titan Bluetooth model was that Bluetooth requires batteries and that it didn’t meet some of its security standards. Google notes in a support page that the Bluetooth Titan key can still be used via USB if it isn't charged; however, it adds that users should avoid fully draining the battery on the key and should “charge the battery often”.