Android Devices Can Now Be Used as a Security Key
New Google Feature Offers Advantages Over Its Titan Keys
Improving security often revolves around creating more hurdles for attackers to stop them or slow them down. But those speed bumps are not necessarily convenient, nor are they immune to hackers.
Two-step verification is the perfect example. Although it has undeniably made account takeovers less likely, the many iterations of it have varying weaknesses. For example, two-step codes sent over SMS can be intercepted, and users can be tricked into revealing the codes via phishing attacks.
On the usability side, the code has to be read from a phone and entered into a form. The most secure variation of strong authentication - a separate hardware token with a signing key - has its own problem: The key may be lost.
But on Tuesday, at its Cloud Next conference, Google introduced its latest effort to address the problem of humans losing keys: getting rid of the physical security key.
It has launched a beta program where, instead of needing a physical token, the private authentication key is stored on an Android phone or device and signs the authentication challenge over Bluetooth. It means, of course, that users shouldn't lose their phones.
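As an added illustration, not Google's code and not the exact FIDO message format, the following Go sketch shows why a phone-held signing key resists the phishing that defeats SMS codes: the server issues a fresh random challenge, the phone signs that challenge together with the origin the browser reports, and the server only accepts a signature made over its own origin. The type names, the hashing of challenge||origin, and the example.com/example.net origins are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator stands in for the phone: it holds the private key and only hands out signatures.
type Authenticator struct{ priv ed25519.PrivateKey }

// RelyingParty stands in for the login server: the public key registered at enrolment and the
// origin it serves; the origin is a constructed placeholder, not a real site.
type RelyingParty struct{ pub ed25519.PublicKey; origin string }

// Enroll generates the key pair on the "phone" and registers only the public half with the server.
func Enroll(origin string) (*Authenticator, *RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv}, &RelyingParty{pub, origin}, nil
}

// NewChallenge issues 32 fresh random bytes per login, so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage hashes challenge||origin (challenge is fixed length, so the split is unambiguous).
// Binding the browser-reported origin into what is signed is the phishing defence.
func signedMessage(challenge []byte, origin string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return sum[:]
}

// Sign is the step the phone performs over Bluetooth; the browser, not the user, supplies origin.
func (a *Authenticator) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(a.priv, signedMessage(challenge, origin))
}

// Verify accepts the login only if the signature covers this challenge and this server's origin.
func (rp *RelyingParty) Verify(challenge, sig []byte) error {
	if !ed25519.Verify(rp.pub, signedMessage(challenge, rp.origin), sig) {
		return errors.New("signature does not match challenge and origin")
	}
	return nil
}
```

A signature obtained by luring the user to a look-alike origin fails Verify on the genuine server, and a signature captured from one login fails against the next challenge.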
Cost Advantage Over Titan Keys
The new feature delivers what may be an easier alternative to Google's Titan Security Key, which the company introduced in September 2018. The Titan key bundle has two components, one of which slots into a computer via USB and another that authorizes a login via Bluetooth.
The Titan keys became central to Google's Advanced Protection Program, which the company launched after years of attacks against activists, journalists and political campaign workers.
In one of the most notable incidents, Hillary Clinton's chief of staff John Podesta saw his personal emails released in 2016 after suspected Russian hackers compromised his account. More recently, email accounts of four senior aides within the National Republican Congressional Committee were compromised for several months (see: Top Republican Email Accounts Compromised).
The Titan keys were so successful internally at Google that they were rolled out to the public. Not one of Google's 85,000 employees' accounts fell to a phishing attack after the keys were launched in early 2017, computer security writer Brian Krebs reported last year.
Android devices running 7.0 and above are compatible with the new security feature that's an alternative to Titan. Users also need a Bluetooth-compatible computer running Chrome OS, macOS X or Windows 10 with Google's Chrome browser. The feature uses FIDO protocols, the same as Titan.
"This makes it easier and more convenient for you to unlock this powerful protection, without having to carry around additional security keys," write Arnar Birgisson, a software engineer, and Christiaan Brand, a Google product manager, in a blog post.
Another advantage: Enrolling in Google's Advanced Security Protection program is free; the Titan key bundle costs $50.
Google's Advice: Set a Backup Key
Technically, the new feature is two-step verification. True multifactor authentication combines factors of different kinds - something you know, something you have or a biometric - and for the strongest level of security, those factors shouldn't all be clustered in the same place.
For example, having a password manager on a phone plus Google's Authenticator is a two-step verification combination. Still, having both components on one device is far safer than just relying on a Gmail address and a password.
But there is a catch. While users may not need to have their Titan hardware or Bluetooth key, they still need to have their phone. Google is recommending that users also set up a backup key - either its Titan or one from another vendor - to store in a secure place in case a phone is lost.
That's because recovering an account after losing security keys is not a trivial process, especially if the user no longer has a logged-in session.
"If you have lost both keys and do not have access to a logged-in session, you will need to submit a request to recover your account," Google says. "It will take a few days for Google to verify it's you and grant you access to your account."