Is Titan the KEY to Your Security? - Comments Page 1

I'm hoping the Titan will be more reasonably priced than the other examples you linked.

IT employer used 2FA with a hardware Key at least ten years ago. The system worked flawlessly and was easy to use. HINT: The device was not connected physically to the computer; not Bluetooth either.

I would use a Titan Key as soon as I could get one.

Many years ago, PayPal introduced their Security Key which was a credit card sized device with a push button & numeric display. We got one & used it for every transaction.

Recently our last one died & they have gone to only using mobile phone SMS or a phone call.

We are in a "black spot" so mobile phone calls do not work in our house although SMS often will. Relying on mobile phone coverage is not ideal for many people because of coverage problems, losing phones,or phone numbers being hijacked.

The number of horror stories of mobile phones being diverted to beat SMS 2 Factor Authentication is increasing.

I am totally against using biometrics because I really dread what the results will be if it is the major security system & someone manages to "crack" or work around biometrics. Like all data, t is also only a matter of time before the biometric data gets harvested. Even if there are proper safegauards designed to protect the biometric data there will be silly idiots that do not adequately safeguard it.

What do you do when the only security system relies on something that can not be altered?

Regards,
Brian.

will be useful when most sites allow it to be used. I use more than Google sites

I have gotten a YubiKey recently. It's easy to use with LastPass and Google. My issue is that a lot of financial institutions do not implement 2FA at all, necessitating periodically changing passwords. As for secret questions, I use LastPass to save my answers, which have nothing to do with the questions. (My mother's maiden name wasn't Timbuktu).
Any site that allows for 2FA gets used, whether it is SMS, Google Authenticator or Microsoft Authenticator until I get switched to YubiKey. However, YubiKey isn't always an option.

I'm amazed at the comment about the Yubikey being unreasonably priced. I got two to use in conjunction with Lastpass, one in my pocket and a spare that I've never touched, and I honestly don't remember how much it cost, but not much at all. How can any company be expected to develop and distribute technology like this for free and stay in business? I use other types of 2FA and frankly prefer Google Authenticator over all others.

So, what is the backup for a hardware key? If it's not physically permanently connected to the user (like an embedded chip?), they will get lost sooner or later (or stolen). How do you authenticate when this happens?

I've had a Yubikey a while now and use it for any service that offers using it for 2FA. Also like the Google Authenticator. Do have couple that only use the SMS option, interesting article on the vulnerability issue.

At Daniel Knorowski and perhaps others: Probably 15 years ago my IT employer gave each employee an electronic card that had (I believe) a 6-digit numeric display that changed every 10 minutes. It was synchronized with the company network. The only way we could remotely log into the network (with VPN) was entering the code on that device. It worked very well.

From thehackernews.com:
"For now, Google hasn't announced pricing for the Titan Security Key but is said to be around $20 or $30."

I use whatever 2FA is offered, fingerprint, Google and Microsoft Authenticator, text, phone call or email. Email can be problematic where we live.

Really Google Authenticator seems the simplest solution. It works without internet connection even allowing you to download a series of codes.

I wonder if the profusion of different types of authentication isn't a better deterrent than everybody having the same one "uncrackable" way to do it?

Fort Knox: I am not.
Titan Key: I am.
I loath those who say "I don't care about security; I have nothing to hide!" but I still fail to comprehend the extent of privacy-protection an individual could possibly believe they have the need for.
Then, there is that whole 'trusting google' with all the family jewels thing and THEN having to pay $20 for a TitanKey to continue being their zero-cost product...

I would use a hardware key from a well documented and secure company.

I trust NOTHING Google.

I guess I must be getting more thick-headed as I age. I've been using computers since the days of MS-DOS, but I'm not grasping what this "key thing" would or would not do for me:
My sign-in to my bank account is the most "sensitive" thing I do on-line: First I give my user name & password. Next. I use 2FA (maternal grandmother's maiden name, etc), and bingo! there's my account displayed on the screen.
What would I then do with this "key thing"? I assume since I'm on the PC, I'd need to plug it into a USB port, and then it would somehow communicate with the bank's security system, and it would let me "do my banking", am I correct? I'm really not seeing what the benefit of this extra step is. Please 'splain me. Thanks

Is bluetooth that secure? Seems like it would be hackable.

Suncorp Bank in Australia has been using these security keys for years. A constatnly digital code allows access to your account.

I’ve been using a Yubikey since they came on the market. No problems with it but it needs to be inserted into USB drive so won’t work on smartphone as far as I know.

People seem to be referring to an RSA key generator that I also used in 1994. I guess that was more secure than a 2FA phone generator.

The issue I see with this device is that it is a USB device.
Drivers and all kinds of malware can be embedded in such a device, and as a security device that can be problematic.

Access to a logical device can be detrimental to security. I can understand why having a physical usb device may be comforting, as it provides the impression of a physical key, which most everyone already uses regularly with a great deal of trust, but if weaponized with malware, this can be immensely insecure.

In a logical world, this is not a practical scenario, as USB devices in particular are often loaded with device drivers which will be automatically delivered to a client machine they are connected to. If, for whatever reason, the security device is tampered with or infected it can be detrimental to the system it is connected to, and the assets it is intended to protect.

Ultimately we need a better way, and conveniently the better way can be utilized with various security protocols. OAuth or SAML for instance both provide authentication, and authorization (the ability to validate a login in the case of OAuth), capabilities to a secondary device and/or service.

This can be quite burdensome until one begins to look at secondary services which can provide this sort of service.

Quite frankly the time for passwords on the internet is over, it is time for secondary authentication services to allow access.

All the current hoopla about 2FA (which many have pointed out has been around for a significant amount of time) is basically useless. The breaches of data to this point are all but a negligible amount having occurred from someone walking up to a server & stealing it or hacking in to a server to steal it.

Unless 2FA is applied to the network hardware and the servers the data resides on, ya'll are just thumping your chest for nothing.

Today's 2FA is just a step on the rung to securely storing and transfering things of value, with any degree certainty. While better than nothing, the current use of SMS, e-mail, phone call-backs, as well as Google and Microsoft Authenticator apps to provide information-based keys, are assuredly solutions with compromises. Notably, they share loss-of-access inconvienience, with the physical keys mentioned in Bob's article.

In time, as blockchain technology continues to mature, distributed validation of trust will be used to secure and verify our identities (providing a digital watermark confirmation, if you will), for numerous purposes - including the lowly account login. But until then, we'll just have to make do... maybe slip a veterinarian a few extra bucks for a personal microchip implantation? Make mine in the lower-left buttock, tanx...