
SoylentNews is people

posted by martyb on Friday August 31 2018, @04:26AM
from the is-it-still-in-beta? dept.

Google's in-house security key is now available to anyone who wants one

Google's Titan Security Key is finally available to anyone who wants one. The two-factor token went live today in the Google store, with a full kit available for $50, shipping immediately. The kits include a USB key, a Bluetooth key, and various connectors. The key has been available to Google Cloud customers since July, when the project was first publicly announced.

Built to the FIDO standard, the Titan keys work as a second factor for a number of services, including Facebook, Dropbox, and Github. But not surprisingly, they're built particularly for Google account logins, particularly the Advanced Protection Program announced in October. Because the keys verify themselves with a complex handshake rather than a static code, they're far more resistant to phishing attacks than a conventional confirmation code. The key was initially designed for internal Google use, and has been in active use within the company for more than eight months.

Also at TechCrunch, CNBC, and BGR.

Previously: Google Defeats Employee Phishing With Physical Security Keys

Related: No Key, No Login: G Suite Admins Can Now Make FIDO Security Keys Mandatory


Original Submission
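
The summary's point that the key answers a handshake rather than showing a static code, sketched as an added example (not part of the original story, and not Google's or the FIDO Alliance's code): a simplified U2F-style exchange in Node.js in which the signed data includes the origin the browser saw. The `Token` and `Site` classes and the example.com/example.net origins are assumptions made for illustration; real U2F additionally signs a counter and uses per-site key handles.

```javascript
// Added illustration of a U2F-style login; names and origins are constructed.
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
// Hypothetical token: one P-256 key pair per origin it was registered with.
class Token {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, pair.privateKey);
    return pair.publicKey; // the site stores only the public half
  }
  // The browser, not the page, supplies `origin`, and it is covered by the signature.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // never registered with this origin
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', sha256(clientData), key) };
  }
}
// Hypothetical relying party serving a single origin.
class Site {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('base64');
    this.pending.add(c);
    return c;
  }
  verify(a) {
    if (!a) return false;
    const { origin, challenge } = JSON.parse(a.clientData);
    if (origin !== this.origin) return false;          // signed for another site
    if (!this.pending.delete(challenge)) return false; // unknown or already used
    return crypto.verify('sha256', sha256(a.clientData), this.publicKey, a.signature);
  }
}

function demo() {
  const real = 'https://accounts.example.com', other = 'https://accounts.example.net';
  const token = new Token(), site = new Site(real);
  site.enroll(token.register(real));
  const direct = site.verify(token.sign(real, site.newChallenge()));
  // A look-alike page relays the site's challenge; the browser reports that page's origin.
  const relayed = site.verify(token.sign(other, site.newChallenge()));
  token.register(other); // even if the token is also registered with the other origin
  const relayedRegistered = site.verify(token.sign(other, site.newChallenge()));
  const a = token.sign(real, site.newChallenge());
  return { direct, relayed, relayedRegistered, first: site.verify(a), replay: site.verify(a) };
}
```

A typed confirmation code has no such binding: whatever page the user enters it into can pass it on unchanged, which is the difference the summary describes.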

 
  • (Score: 4, Interesting) by jelizondo on Friday August 31 2018, @05:43AM (3 children)

    by jelizondo (653) Subscriber Badge on Friday August 31 2018, @05:43AM (#728623) Journal

    It has been reported [cnbc.com] and not denied by Google, that the key is actually made in China.

    I understand that there is a "sealed chip" at the heart of the device but it is unclear if this chip is made in the U.S., China or elsewhere.

    With the US and Australia banning Chinese devices from being used in public networks (government, 5G) one would need to ask if this security key has not been backdoored by China.

    All hearsay and no evidence one way or another, but it would be nice to have a statement from Google regarding the allegations.

    • (Score: 4, Informative) by Anonymous Coward on Friday August 31 2018, @06:54AM (2 children)

      by Anonymous Coward on Friday August 31 2018, @06:54AM (#728643)

      it is unclear if this chip is made in the U.S., China or elsewhere.

      It's not made anywhere, just conjured into existence by Google's necromancy powers after killing a puppy for each dongle.
      Now, mod me informative.

      • (Score: 2) by Runaway1956 on Friday August 31 2018, @02:34PM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Friday August 31 2018, @02:34PM (#728756) Homepage Journal

        So, that's what happened to all my puppies! Two litters, 15 pups in all. That damned Google Maps car came by, the camera looked the property over, and it left. Next day, no puppies! Bastards came back in the middle of the night!

        --
        Abortion is the number one killer of children in the United States.
        • (Score: 2) by DannyB on Friday August 31 2018, @02:52PM

          by DannyB (5839) Subscriber Badge on Friday August 31 2018, @02:52PM (#728765) Journal

          Disappearing puppies is sad for the profitability of dog food companies.

          --
          Young people won't believe you if you say you used to get Netflix by US Postal Mail.
  • (Score: 2, Troll) by jmorris on Friday August 31 2018, @07:37AM (2 children)

    by jmorris (4844) on Friday August 31 2018, @07:37AM (#728651)

    Like most media reports on tech, especially security and crypto, the article is almost anti-knowledge. Google haz magic thing. No passwords. Apple is forted up in their walled garden. That is about the extent of it.

    What I want to know is, are these keyed identically? Google says keep one safe, which implies they are and that would be hella cool. Still means if you lose one you have to replace both, but it would mean you COULD replace them without having to call every business you had registered the thing with and jumping through many hoops. Or watching them ask some stupid "what is your Grandma's maiden name" BS and reset it by automatic. Grr. Having a matched pair solves almost every major concern with using a physical token.

    Don't think I could trust Google in $current_year. But if these really are a standard we should see more reliable vendors selling product made in the 1st world. The idiots in the article think these are getting embedded in phones but that is insanity on stilts. One, phones are probably more secure than Windows but Android is certainly less secure than a Linux/GNU/X install. Second, people replace phones every year or two. To have a snowball's chance in Hell of being secure the secured element has to be fixed in the hardware, leading to the problem I mention above of contacting every single place you used the old token. They might could get it into the SIM but that still doesn't help when people switch carriers, SIM cards shrink again, etc. No, these need to be standalone with BT or NFC connectivity.

    • (Score: 2) by PiMuNu on Friday August 31 2018, @11:49AM

      by PiMuNu (3823) on Friday August 31 2018, @11:49AM (#728705)

      More so, is the key based on an open standard? Someone said in another thread "But it's made in China, what if someone hacked it". That's an implementation detail that highlights a flaw in the system architecture.

      So if one were to roll out a two-factor authentication STANDARD, then $Manufacturer could set up a production facility in US if that is an issue (or whatever). Otherwise we just get locked in to another Google service, which they may or may not tie to Evil in the future.

    • (Score: 1) by Muad'Dave on Friday August 31 2018, @01:41PM

      by Muad'Dave (1413) on Friday August 31 2018, @01:41PM (#728733)

      That linked article is four years old as well. Apple now allows apps to use the fingerprint reader to log in.

  • (Score: 2) by Runaway1956 on Friday August 31 2018, @02:38PM (5 children)

    by Runaway1956 (2926) Subscriber Badge on Friday August 31 2018, @02:38PM (#728758) Homepage Journal

    I have this super-secure dongle. No one can hack it. It's just MAGIC!! But, Google gave me the damned thing. Doesn't Google know every time I use it? Does Google see that I paid $15 for a meal, and tipped the waitress $1.50? Does Google know that I drove all the way to Colorado, to get a bag of legal grass? Does Google know that I paid the porn model $1500 to piss on me? Oh - wait - that was the president, not me. Maybe that's why Trump doesn't have one of these? He knows that Google will track the hell out of them!!

    --
    Abortion is the number one killer of children in the United States.
    • (Score: 2) by DannyB on Friday August 31 2018, @03:09PM

      by DannyB (5839) Subscriber Badge on Friday August 31 2018, @03:09PM (#728773) Journal

      Presidents need this super secure USB dongle. The secret service can carry it for the president.

      If the hooker complains, a president can say he's got something much larger to satisfy with, then whip out the USB dongle to the rescue!

      But the dongle is made in China. Sad. Very terrible. I'll hold my breath. [ibb.co]

      --
      Young people won't believe you if you say you used to get Netflix by US Postal Mail.
    • (Score: 0) by Anonymous Coward on Friday August 31 2018, @03:12PM (1 child)

      by Anonymous Coward on Friday August 31 2018, @03:12PM (#728774)

      Dial back the hyperbole. The main purpose of the device is two factor authentication for Google login pages, such as Gmail.

      • (Score: 1, Redundant) by Runaway1956 on Friday August 31 2018, @04:21PM

        by Runaway1956 (2926) Subscriber Badge on Friday August 31 2018, @04:21PM (#728800) Homepage Journal

        One key, many accounts.

        Titan Security Key is built on FIDO® open standards. Use your key to protect your sign-in on a variety of apps and online services beyond Google.

        Beyond Google? Doesn't that mean "anyplace that allows you to sign in with your Google account"? And, what else? Financial institutions? Basically, that takes in just about everything. Maybe I've hypered the bole a little bit, but I don't really think so.

        I can't possibly say how many people there are, but it's very possible that some people use their Google accounts to sign in EVERYWHERE that it is permitted. If this key can also be used as TFA for financial institutions, that will indeed give Google more insight into your life.

        Put yourself in that position. The bank suggests that you use TFA. You may choose between the bank's dongle, or, if you already have a Google dongle, you may use it as your TFA. If convenience is your primary consideration, you'll opt for the Google dongle. If there is a fee associated with the bank's dongle, you may well opt to use your Google dongle. If, if, if . . . but if you or I can imagine it, it can probably happen.

        --
        Abortion is the number one killer of children in the United States.
    • (Score: 1) by realDonaldTrump on Friday August 31 2018, @11:39PM

      by realDonaldTrump (6614) on Friday August 31 2018, @11:39PM (#729027) Homepage Journal

      Google search results for “Trump News” shows only the viewing/reporting of Fake News Media. In other words, they have it RIGGED, for me & others, so that almost all stories & news is BAD. Fake CNN is prominent. Republican/Conservative & Fair Media is shut out. Illegal? 96% of results on “Trump News” are from National Left-Wing Media, very dangerous. Google & others are suppressing voices of Conservatives and hiding information and news that is good. They are controlling what we can & cannot see. This is a very serious situation -- will be addressed! #StopTheBias [twitter.com] pic.twitter.com/xqz599iQZw [t.co]

    • (Score: 0) by Anonymous Coward on Saturday September 01 2018, @01:21PM

      by Anonymous Coward on Saturday September 01 2018, @01:21PM (#729216)

      You tipped 10%? Asshole. Those people live on tips. 15% next time, minimum.

  • (Score: 3, Interesting) by dbe on Friday August 31 2018, @09:41PM

    by dbe (1422) on Friday August 31 2018, @09:41PM (#728981)

    When I was looking at the 2 factor authentication products I found the OnlyKey ( https://onlykey.io/ [onlykey.io] ) product and bought a couple to try them out.
    (not affiliated with them)

    The concept seems to be a lot better (from my non-domain specialist eyes) than these keys, they can do FIDO U2F but also Google authentication, password storage, PGP message signing... the platform is open source and they have been adding more features over time. The main advantage is that it lets you store passwords so no need for the "cloud storage solutions". To use it you connect, enter a PIN to enable the key and then press/long press the right button (up to 12 of them).

    The other thing is there is a way to duplicate the key content (protected by PGP) and so if your primary key goes bad you are not stuck with re-registering every website on earth with a new key, you just need a second key re-programmed.

    The only "issue" is if you want to use it with a cellphone you have to plug it in to work, so you need a USB-OTG adapter ($5).
    Also it works for Android phones but not iPhones...

    Have any other soylentils tried it and would like to share their reflections?
    -dbe
