19 November 2023

Google’s New Titan Security Key Adds Another Piece to the Password-Killing Puzzle

LILY HAY NEWMAN

Passwords are a woefully insecure—and frustrating—authentication technology, but after decades of digital use, they’re ubiquitous. Recently, though, the global tech industry has been working to promote a simpler and more secure alternative known as passkeys. Along with its other initiatives to champion the login tech, Google announced today that it is launching a new version of its Titan hardware authentication keys that can store passkeys directly on the device.

For most people on most accounts, passkeys are managed directly from a smartphone or laptop. But for anyone seeking an alternative, either because they prefer a stand-alone key for ease of use or because they want maximum security separation, storing passkeys on a hardware token is a valuable option. The new Titan keys are available now and can store more than 250 unique passkeys. They are replacing Google’s existing USB-A and USB-C Titan devices.

“We’re excited about the potential of passkeys, but know there’s no security silver bullet for everyone,” Google wrote in a blog post published today. “Some people require a solution not dependent on smartphones or use devices that don’t support passkeys—everyone has different approaches to security, but we all share one goal: stop attacks. That’s why we intentionally designed the latest Titan Security Keys to encompass the secure cryptography of passkeys on a portable piece of hardware.”

As part of setting up a passkey for a Google account on a Titan device, users will be prompted to create a PIN code, which they’ll enter in addition to producing the security key when they log in.

As part of its announcement at the Aspen Cyber Summit in New York City today, Google also said that in 2024 it will give 100,000 of the new Titan keys to high-risk individuals around the world. The effort is part of Google’s Advanced Protection Program, which offers vulnerable users expanded account monitoring and threat protection. The company has given away Titan keys through the program in the past, and today it cited the rise of phishing attacks and upcoming global elections as two examples of the need to continue expanding the use of secure authentication methods like passkeys.

Hardware authentication tokens have unique protective benefits because they are siloed, stand-alone devices. But they still need to be rigorously secured to ensure they don’t introduce a different point of weakness. And as with any product, they can have vulnerabilities. In 2019, for example, Google recalled and replaced its Titan BLE-branded security key because of a flaw in its Bluetooth implementation.

When it comes to the new Titan generation, Google tells WIRED that, as with all of its products, it conducted an extensive internal security review on the devices and it also contracted with two external auditors, NCC Group and Ninja Labs, to conduct independent assessments of the new key.

