Is Titan the KEY to Your Security?
Recently I wrote an article about the importance of using two-factor authentication (2FA), with a caveat that there is a serious flaw in the way most people use it. Today you'll learn about a gadget called the Titan Key that makes 2FA (and your online accounts) virtually hacker-proof. Read on...
Hardware Keys for Two Factor Authentication
Two-factor authentication (2FA) is the current best practice when it comes to securing your online accounts. With so many massive data breaches being reported, it's unlikely that your username and password are known only to you. That's why you need something in addition, to prevent unauthorized access to your email, e-commerce, online banking, and other accounts.
But in order for 2FA to protect your account, you have to get the details right. Last week, in my article When 2FA Goes Bad, I described how one popular online service got hacked because they were using SMS (text messaging) to implement their two-factor logins.
In a two-factor authentication system, you need more than just your username and password to gain access to an account. In addition to those login credentials, you need another "factor," which can be something only you are, (e.g., your fingerprint), something only you know, (e.g., the street on which you grew up), or something only you have, (e.g., a smartphone).
It is immediately apparent that things you know are not necessarily things that ONLY you can know. A personal physical trait such as a fingerprint can be replicated well enough to fool an authentication system if it can be observed by a stranger. The best 2FA type is probably a physical object that only you have.
Such objects are called “hardware keys.” They are designed to be nondescript on the outside and uniquely complex on the inside. A ring, a keychain fob, and a USB thumb drive all make good form factors for a hardware key. Inside lies a secret digital code that never leaves the device and cannot be divined by observation from a distance. Plug the key into a matching device on a phone, PC, or door lock and the two things shake hands: the service sends the key a one-time challenge, the key answers in a way that only the holder of that secret could, and the user is authenticated without the secret itself ever being transmitted.
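The handshake just described, written out as an added model that is not part of the article or of Google's Titan code. It shows the two properties that make a hardware key hard to phish: the secret never leaves the key (only a response to a fresh challenge does), and every response is bound to the web origin the browser reports, so a look-alike site that relays the bank's real challenge gets a response the bank will reject. One labelled simplification: real U2F/FIDO keys answer with an ECDSA signature over a per-site key pair, and the site stores only the public key; here an HMAC stands in for that signature so the example runs on the standard library alone. The class names, the origin strings and the user name are constructed for the example.

```python
import hashlib
import hmac
import secrets


class HardwareKey:
    """Stand-in for the key's secure element: the master secret never leaves this object."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # generated on the key, never exported

    def register(self, origin: str) -> bytes:
        # Derive a per-origin credential from the master secret. A real U2F key would
        # create a fresh key pair here and hand back the public half plus a key handle;
        # the HMAC derivation is this example's assumption, not the FIDO protocol.
        return hmac.new(self._master, b"register|" + origin.encode(), hashlib.sha256).digest()

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the web page, supplies `origin`, so a phishing page cannot
        # ask the key to answer "as" the bank. The response covers origin and challenge.
        cred = self.register(origin)
        return hmac.new(cred, b"auth|" + origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The website (bank, mailbox, ...) that enrolled the key and now checks logins."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.credentials: dict[str, bytes] = {}  # user -> enrolled credential
        self.pending: dict[str, bytes] = {}      # user -> outstanding challenge

    def enroll(self, user: str, key: HardwareKey) -> None:
        self.credentials[user] = key.register(self.origin)

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh random value, used exactly once
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # consume it: a replayed response has nothing to match
        if challenge is None or user not in self.credentials:
            return False
        expected = hmac.new(
            self.credentials[user], b"auth|" + self.origin.encode() + b"|" + challenge, hashlib.sha256
        ).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict[str, bool]:
    """Genuine login, a relayed (phished) challenge, and a replayed response."""
    bank = RelyingParty("https://bank.example")  # constructed origin
    key = HardwareKey()
    bank.enroll("alice", key)

    # 1. The real site asks, the key answers for that origin: accepted.
    challenge = bank.begin_login("alice")
    genuine = bank.finish_login("alice", key.sign(bank.origin, challenge))

    # 2. A look-alike site relays the bank's real challenge, but the browser reports
    #    the look-alike's origin to the key, so the bank cannot verify the response.
    challenge = bank.begin_login("alice")
    relayed = key.sign("https://bank-login.example", challenge)  # constructed phishing origin
    phished = bank.finish_login("alice", relayed)

    # 3. A captured response is presented a second time: the challenge is gone.
    challenge = bank.begin_login("alice")
    response = key.sign(bank.origin, challenge)
    first = bank.finish_login("alice", response)
    replayed = bank.finish_login("alice", response)

    return {"genuine": genuine, "phished": phished, "first": first, "replayed": replayed}


if __name__ == "__main__":
    print(run_scenarios())
```

Contrast this with an SMS or app code: that code is the same six digits whichever site the user types it into, so a phishing page that relays it to the real site wins. Here the origin is folded into every response, which is the property the article's "virtually hacker-proof" claim rests on.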
Is Google's Titan Key the Answer?
Google would like everyone to use hardware keys. That’s rather ambitious given that only 10% of Gmail users have added any form of 2FA to their accounts. But the company has shown that hardware keys tighten security about as far as it can go.
Google recently reported that none of its 85,000-plus employees’ accounts was compromised in 2017, and credits much of that remarkable success to its in-house deployment of a hardware key system dubbed the Titan Key.
A Titan key can be plugged into a USB port or communicate wirelessly over short-range Bluetooth radio frequencies. The Bluetooth option is likely to be more popular because it does not require any more daily effort than attaching the key to one’s person, once a day.
Titan keys probably won’t be embedded in smartphones because phones are not “nondescript” and tens of millions are lost or dropped into toilets each year. Titan keys embedded in wallets are one possibility, but wallets are targets for thieves. Google plans to offer Titan keys in its Play Store this year. With the marketing power of Google behind it, hardware key tech just may stand a chance against human inertia.
Google’s hardware key is not the first of its kind. Yubico has been making hardware keys since 2007. The open-source NitroKey project has been around since 2008. And at least one attempt at a fashion ring that contains hardware key circuitry is available. But Google’s market power and credibility may help its Titan key overcome human inertia.
Most people don’t deal with highly sensitive data, or at least they think their personal data isn’t highly sensitive. So it will be tough to convince them to put up with the slightest inconvenience in exchange for a significant improvement in online security.
Would you use a hardware key? Do you know anyone who should? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 6 Aug 2018
Article information: AskBobRankin -- Is Titan the KEY to Your Security? (Posted: 6 Aug 2018)
Source: https://askbobrankin.com/is_titan_the_key_to_your_security.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Is Titan the KEY to Your Security?"
Posted by:
Allan Edmonds
06 Aug 2018
So, what is the backup for a hardware key? If it's not physically permanently connected to the user (like an embedded chip?), they will get lost sooner or later (or stolen). How do you authenticate when this happens?
Posted by:
Bruce J Deeter
06 Aug 2018
I've had a Yubikey a while now and use it for any service that offers using it for 2FA. Also like the Google Authenticator. Do have a couple that only use the SMS option, interesting article on the vulnerability issue.
Posted by:
Stuart Berg
06 Aug 2018
At Daniel Knorowski and perhaps others: Probably 15 years ago my IT employer gave each employee an electronic card that had (I believe) a 6-digit numeric display that changed every 10 minutes. It was synchronized with the company network. The only way we could remotely log into the network (with VPN) was entering the code on that device. It worked very well.
Posted by:
Kenneth Heikkila
06 Aug 2018
From thehackernews.com:
"For now, Google hasn't announced pricing for the Titan Security Key but is said to be around $20 or $30."
I use whatever 2FA is offered, fingerprint, Google and Microsoft Authenticator, text, phone call or email. Email can be problematic where we live.
Really Google Authenticator seems the simplest solution. It works without internet connection even allowing you to download a series of codes.
I wonder if the profusion of different types of authentication isn't a better deterrent than everybody having the same one "uncrackable" way to do it?
Posted by:
RandiO
06 Aug 2018
Fort Knox: I am not.
Titan Key: I am.
I loathe those who say "I don't care about security; I have nothing to hide!" but I still fail to comprehend the extent of privacy-protection an individual could possibly believe they have the need for.
Then, there is that whole 'trusting google' with all the family jewels thing and THEN having to pay $20 for a TitanKey to continue being their zero-cost product...
Posted by:
Phil
06 Aug 2018
I would use a hardware key from a well documented and secure company.
I trust NOTHING Google.
Posted by:
Henry
06 Aug 2018
I guess I must be getting more thick-headed as I age. I've been using computers since the days of MS-DOS, but I'm not grasping what this "key thing" would or would not do for me:
My sign-in to my bank account is the most "sensitive" thing I do on-line: First I give my user name & password. Next, I use 2FA (maternal grandmother's maiden name, etc), and bingo! there's my account displayed on the screen.
What would I then do with this "key thing"? I assume since I'm on the PC, I'd need to plug it into a USB port, and then it would somehow communicate with the bank's security system, and it would let me "do my banking", am I correct? I'm really not seeing what the benefit of this extra step is. Please 'splain me. Thanks
Posted by:
dweeb
06 Aug 2018
Is bluetooth that secure? Seems like it would be hackable.
Posted by:
Oliver Fleming
06 Aug 2018
Suncorp Bank in Australia has been using these security keys for years. A constantly changing digital code allows access to your account.
Posted by:
Robin
06 Aug 2018
I’ve been using a Yubikey since they came on the market. No problems with it but it needs to be inserted into a USB drive so won’t work on a smartphone as far as I know.
Posted by:
chj genes
07 Aug 2018
People seem to be referring to an RSA key generator that I also used in 1994. I guess that was more secure than a 2FA phone generator.
Posted by:
Kyle
07 Aug 2018
The issue I see with this device is that it is a USB device.
Drivers and all kinds of malware can be embedded in such a device, and as a security device that can be problematic.
Access to a logical device can be detrimental to security. I can understand why having a physical usb device may be comforting, as it provides the impression of a physical key, which most everyone already uses regularly with a great deal of trust, but if weaponized with malware, this can be immensely insecure.
In a logical world, this is not a practical scenario, as USB devices in particular are often loaded with device drivers which will be automatically delivered to a client machine they are connected to. If, for whatever reason, the security device is tampered with or infected it can be detrimental to the system it is connected to, and the assets it is intended to protect.
Ultimately we need a better way, and conveniently the better way can be utilized with various security protocols. OAuth or SAML for instance both provide authentication, and authorization (the ability to validate a login in the case of OAuth), capabilities to a secondary device and/or service.
This can be quite burdensome until one begins to look at secondary services which can provide this sort of service.
Quite frankly the time for passwords on the internet is over, it is time for secondary authentication services to allow access.
Posted by:
Richard C
07 Aug 2018
All the current hoopla about 2FA (which many have pointed out has been around for a significant amount of time) is basically useless. The breaches of data to this point are all but a negligible amount having occurred from someone walking up to a server & stealing it or hacking in to a server to steal it.
Unless 2FA is applied to the network hardware and the servers the data resides on, y'all are just thumping your chest for nothing.
Posted by:
SysOp404
07 Aug 2018
Today's 2FA is just a step on the rung to securely storing and transferring things of value, with any degree of certainty. While better than nothing, the current use of SMS, e-mail, phone call-backs, as well as Google and Microsoft Authenticator apps to provide information-based keys, are assuredly solutions with compromises. Notably, they share loss-of-access inconvenience with the physical keys mentioned in Bob's article.
In time, as blockchain technology continues to mature, distributed validation of trust will be used to secure and verify our identities (providing a digital watermark confirmation, if you will), for numerous purposes - including the lowly account login. But until then, we'll just have to make do... maybe slip a veterinarian a few extra bucks for a personal microchip implantation? Make mine in the lower-left buttock, tanx...
Posted by:
swabyw
07 Aug 2018
I would love to get this type of security. But I assume that since it is hardware with USB it is restricted to one computer at a time. I have 6 computers in my network. The kids are on two of them daily, when they are not in school, (they have their own accounts). And quite possibly I use my laptop at the same time and also a wireless computer that I use almost every day when I want to watch movies. I can use any of these computers for a quick bill pay. Two of them I use regularly to update my banking activities.
Posted by:
TimGpw:2nd
07 Aug 2018
First, people posting here should read Bob’s previous article on 2FA and its comments. Second, this idea of a physical key to plug into your device is not new. In fact, if you’re old enough you may know that the idea and implementation of a security key was around as early as in the late 1970’s (it used a serial port). Third, Bob said “The Bluetooth option is likely to be more popular because it does not require any more daily effort than attaching the key to one’s person, once a day.” Here we go again, a bastardization of a good security concept which will open the door to easy software hacking and lead to articles such as Bob’s previous article on 2FA flaws. An important aspect to personal security is personal laziness, or rather the lack of it. If you’re too lazy to plug in a key into your device, then you might as well not bother with a password on your cell phone because swiping and putting in a number every time is a real pain.
Posted by:
Butch
07 Aug 2018
My understanding is that to use 2FA, one must own a cell phone which can receive text. What does one do when he/she/they don't have a cell phone? What if a person is on a limited income (SSA)? Having txt capability costs extra. Not everyone is well-to-do like one particular female whose name appears quite frequently here.
Posted by:
SamG
08 Aug 2018
Thanks for the article Bob. The European NFC finger rings have some attractive styles and I'd use one. Since locating my keys or wallet is often a problem here. Using a ring to unlock accounts and cell phones seems a lot less trouble.
Posted by:
SamG
08 Aug 2018
Now if online businesses which we have no control over like Equifax would tighten their security. With their control of our credit, security should be a bigger priority than making money off our info. And financial institutions encourage online business. Instead of snail mail correspondence "to save the trees". How about renewable hemp paper to "save the trees"?
Posted by:
Joseph
23 Sep 2018
I have, for use with the local social security people, SecurID from RSA. It does not need USB or Bluetooth. It changes a 6-figure number every 60 seconds and is used together with two different sorts of passwords, one of which is a prefix to the ever-changing number, in addition to the user ID. It is guaranteed to keep time with the generator at head office for four years. I don't know how much it costs as I don't pay the manufacturer but it seems pretty good to me. The drawback is that I suppose one may need a different one for each application one uses it for.