Well, that is very coincidental. A few days after Krebs on Security published a report that Google has had no more phishing attacks since 2017, after everyone was obliged to use a USB security key, it appears that Google will sell similar things to consumers.
Apart from this relatively transparent sales trick, it is still interesting to look at what Google is planning. Two-factor authentication is seen as an increasingly important aspect of personal security, and now that it has been shown that an SMS to your phone can be imitated with childlike ease, hardware keys are becoming more and more visible.
Google’s key is called the Titan Security Key. Once it is activated, you can only log in to your account if you have that key nearby. Google is planning to make two versions, as you also see with other hardware keys such as the YubiKey: one version that only supports USB, and another version that can also ‘open’ smartphones via Bluetooth.
In the blog post in which Google announces the keys, among other things, it also states that the Titan Security Key complies with the FIDO standard. That is an important detail, since FIDO is the new standard for giving permission. In that new standard, that process is completely encrypted, so that even intercepting the code that is sent back and forth cannot help anyone who tries to break in. In addition, it has the advantages that all these kinds of hardware keys have: you do not need a network, you do not need power (the battery in the Titan lasts six months on one charge, according to Google) and it is also usable for ‘ordinary’ people.
We are going to see that standard more and more in the future, so it’s handy that Google’s key already makes use of it. It may seem a bit excessive to make your login depend on a device that you have to have with you (and that can therefore also be forgotten or lost), but if you keep very important things behind that login, that is no luxury. It is also no coincidence that Google currently only makes the Titan available to administrators and customers of its cloud services. Regular internet users will soon be able to buy such a key in the Google Store, but the company did not yet want to say what it would cost.
Everyone at the key
However, it is important to Google that the keys become affordable for everyone, so that almost all the thresholds to using such a thing go away. The ultimate goal is to ensure that such a thing only costs a tenner, but it will not start at that price. Ultimately, Google does not necessarily want to compete with the makers of other security keys. “We just want more choices. People do not have to use our key, if they only use one, and we’re going to try to raise the awareness that such security is worthwhile if your account is really important to you.” Whether that is a sales pitch or not: if this ensures that security keys become affordable for everyone, it is a good thing.