The company credits hardware-based two-factor
authentication with practically eliminating the problem of phishing attacks
that have targeted its own employees of late.
Google has announced a hardware security key that is intended to keep
users of its services safe from account-takeover attacks.
Dubbed “Titan Security Key”, the piece of
hardware includes firmware developed by Google to verify the key’s integrity,
according to the firm. The device, which per CNET will come in both USB and Bluetooth versions and won’t
require any additional software drivers, will provide an additional
authentication factor (i.e. “something the user has”) beyond the password (i.e.
“something the user knows”).
With two-factor authentication (2FA), even if a malefactor gets
their hands on your account credentials, they can’t get into your account
unless they also possess that second chunk of authentication data. Most
commonly, that second authentication factor comes in the form of a verification
code that is either sent as a text message or generated by an
authenticator app. However, the adoption of physical tokens has been increasing
at a fast clip, too.
“We’ve long advocated the use of security
keys as the strongest, most phishing-resistant authentication factor for
high-value users, especially cloud admins, to protect against the potentially
damaging consequences of credential theft,” the company said. The token is currently available to Google Cloud
customers and is planned for general sale in the next few months.
The announcement comes on the heels of
Google’s revelation to journalist Brian Krebs that none of its
85,000 employees has fallen prey to phishing attacks since early 2017, when the firm made the
use of physical tokens mandatory for its staff. Previously it used one-time
codes generated by a mobile app – Google Authenticator.
Google’s key conforms to the FIDO U2F (“Universal 2nd
Factor”) specification and will enable the user to complete the log-in process
by activating the token, as long as the user has first linked the piece of
hardware to their account.
Back in 2014, Google added support for hardware-based 2FA for
Chrome users when they log into their Google accounts. Early this year, the
company revealed that fewer than one in ten Google account holders use any given
method of 2FA – indeed a rather meagre figure given that multifactor
authentication offers a valuable additional layer of protection in exchange for
little effort.