Say bye bye to passwords?
For a company of Google’s size, it seems appropriate for it to have a product called Titan. Released just a few days ago, Google Titan is a hardware-based authentication device that enables users to log into computers and accounts simply by plugging in a USB key and pressing a button. But how does Google Titan work, is it safe, and what makes it different from existing products that do the same thing? (Note: this article is intended as a broad overview rather than a deep dive into the workings of security protocols.)
The most obvious comparison to draw is with the popular YubiKey range, which is based on the same security standards as Titan. Yubico, the company behind the YubiKey, is part of the FIDO (Fast Identity Online) Alliance, a consortium of more than 260 organisations, including Amazon, Microsoft, Google, PayPal, American Express and Qualcomm. Together, they created the FIDO U2F (Universal Second Factor) protocol, a type of multi-factor authentication that protects logins not only with passwords and usernames but also with a physical item, such as a USB key, tag or smartcard, which must be present before access is granted.
Version 1.0 of FIDO was announced in 2014, but by 2015, the alliance had added Bluetooth and NFC (near field communication) support, giving U2F the kind of wireless technology that would make it ideal for mobile devices like smartphones and tablets.
The alliance also created FIDO UAF (Universal Authentication Framework), a protocol that does away with passwords and usernames, replacing them with PINs or biometric data, such as fingerprints, face recognition or voice recognition. You'll find UAF in Windows 10, Android, iOS and more.
Google Titan, YubiKey and similar products all support FIDO U2F, but when looking at their feature lists, you might notice a couple of other technologies prominently presented: OTP and FIDO2. OTP, quite simply, stands for ‘one-time password’, which in YubiKey’s case is “a 44-character, one use, secure, 128-bit encrypted Public ID and Password, near impossible to spoof”.
FIDO2, logically, is the next step up for the technology. Still relatively new, with FIDO2 USB keys only beginning to go on sale in early 2018, it essentially turns U2F into a password-free experience. Users only have to plug in their USB key, then press a button on that key, to gain access to their accounts or computers. There are also USB-C products, and ones that support wireless standards like NFC and Bluetooth. Notably, Google Titan supports Bluetooth, but Yubico has chosen to forgo it, citing security concerns and the need for battery-powered keys.
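To show what happens behind that button press, here is an added example (not code from the article, Google or Yubico) that models a U2F token and the account provider's check in Go: a key pair is created per app ID at registration, each response is an ECDSA signature over the app ID hash, a user-presence byte, a counter and the provider's challenge, and the provider rejects a response whose counter has not moved past the last one it recorded. The app ID and challenge strings are made up, and a real token stores keys via key handles rather than a plain map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Token models a U2F key: one key pair per app ID (origin) and a counter that rises on every button press.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }
// Register creates a key pair bound to appID; only the public key is handed to the account provider.
func (t *Token) Register(appID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing means the platform has no entropy source
	}
	t.keys[appID] = k
	return &k.PublicKey
}
// signedData is the U2F authentication message: SHA-256(appID) || presence byte || counter || SHA-256(challenge).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(app[:], 0x01) // 0x01: user presence confirmed (button pressed)
	return append(append(msg, ctr[:]...), chal[:]...)
}
// Authenticate answers a challenge for appID; a key registered under another app ID cannot answer it.
func (t *Token) Authenticate(appID string, challenge []byte) (uint32, []byte, error) {
	k, ok := t.keys[appID]
	if !ok {
		return 0, nil, errors.New("no key registered for this app ID")
	}
	t.counter++
	h := sha256.Sum256(signedData(appID, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	return t.counter, sig, err
}
// Verify is the provider's check: a good signature and a counter past the last value stored for this key.
func Verify(pub *ecdsa.PublicKey, appID string, last, ctr uint32, challenge, sig []byte) bool {
	h := sha256.Sum256(signedData(appID, ctr, challenge))
	return ctr > last && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A stale counter is the provider's only hint that a token may have been duplicated, so it should be stored per registered key and never reset.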
Should Google Titan Tighten Security?
Not everyone is impressed by the idea of using USB devices for authentication purposes, however. Addressing U2F, security firm SecSign argued that USB firmware vulnerabilities could be exploited by hackers and that these devices could themselves be used to store malware. Such concerns may be valid, but it’s worth bearing in mind that SecSign’s article was written in 2015, before FIDO2. Also, SecSign sells a 2FA (two-factor authentication) app for mobile devices, and its conclusion that this technology is safer than U2F is perhaps inevitable.
Regardless, there are other disadvantages to consider. What if your Google Titan or YubiKey is lost or damaged? How will you ever log into your accounts again? Panic not: all you need to do is log into your account using some other form of 2FA. In most cases that will be a mobile app like Google Authenticator or Microsoft Authenticator, which supplies unique, time-sensitive numerical codes so you can prove who you are.
More of a problem is theft. For example, if someone stole your laptop and your Google Titan, they might as well have the keys to your front door. Unless you notice the Titan is gone and are able to remove it from your accounts before the thief has a chance to use it, you could easily find yourself in a world of pain.
That, of course, is something that could just as easily happen with a smartphone authentication app, and if you were unlucky enough to have your phone stolen along with your Google Titan and laptop, that would be even more worrying.
Such scenarios, though, while possible, are unlikely. The fact is Google Titan, YubiKey and similar FIDO products make logins easier, faster and more secure, and with prices starting at less than £20, they’re affordable too.
Want to get your business secured with multi-factor authentication? Let us know by emailing firstname.lastname@example.org, and we’ll be happy to discuss your requirements with you.