On Thursday the 30th of August (today), Google announced their Titan Security Key ? – a two-factor authentication token that in theory should make it impossible for hackers to breach your online accounts that utilize 2FA.
(They have already sold out)
You may have heard about the Titan Security Keys before because Google already announced them to Google Cloud users last month. Google explained in a blog post that the Titan keys are built on FIDO standards.
Google makes a point to explain that the firmware in charge of the crypto operations can’t be hacked before the product ships to consumers:
The firmware performing the cryptographic operations has been engineered by Google with security in mind. This firmware is sealed permanently into a secure element hardware chip at production time in the chip production factory. The secure element hardware chip that we use is designed to resist physical attacks aimed at extracting firmware and secret key material.
These permanently-sealed secure element hardware chips are then delivered to the manufacturing line which makes the physical security key device. Thus, the trust in Titan Security Key is anchored in the sealed chip as opposed to any other later step which takes place during device manufacturing.
Google has also reportedly started working with Yubico and NXP to develop security keys for internal use, as it has already been made compulsory for all employees to utilize them. Google had no reported or confirmed account takeovers following phishing attacks.
For those of us who are potential targets for hackers – politicians, business leaders, journalists or activists, Google’s Titan Key paired with Google’s Advanced Protection Program night be worth looking into. The Titan Security Keys are compatible with the following services: Dropbox, Twitter, Facebook, GitHub, SalesForce, Stripe and any other services (not mentioned) that also use FIDO standards. The Titan Keys are only available to U.S buyers for the moment but they’ll soon be available in other regions too.