Am I correct in my understanding that this will only work for Google devices? It states that, but at least for the physical U2F key I don’t see why that wouldn’t also work on a non-Google device.
EDIT: Revisting, it states anything running Google Chrome should also work. So I guess macOS should be fine, what about iOS?
(I got these at a Google thing at DEF CON.) Both work with Firefox on Linux, without any Google software. Haven't yet found non-Google software on Android (Lineage) that can talk to them.
I asked at DEF CON about these, but they said they were not the same as the Titan. Hardware looks to be the same, but they may not have the Titan firmware, but rather the original Feitian one. I...don't actually know how to verify that claim though.
Pretty cool, I like that it comes with two keys at the start so you have a backup, unlike Yubi where I have to buy two before I can even get started in earnest. Still living the dongle life though, but it appears to come with its own usb a -> c adapter at least.
Similar use case (2FA), but different implementation.
Instead of typing in a code, you press a button. It also protects against phishing by validating the URL of the site you're authenticating on (with a code-based 2FA you can still enter your code on a phishing site, which then forwards it to the real one).
AIUI Krypton is basically doing the same thing as these FIDO2 Security Keys, but their software substitutes an app on your Phone for the Security Key. So a web site offering WebAuthn can't tell the difference (unless you allow it to interrogate the "Security Key" to ask who made it, which you probably shouldn't)
I personally would rather have Security Keys, but a solution like Krypton is definitely easier for a lot of users and obviously the price differential is hard to argue with.
An app has a much larger attack surface (for instance from malware on the phone).
TOTP has to use short easy to enter codes (six digit numbers), Titan is doing a full handshake using modern cryptography with sensable key lengths.
In many use cases pushing the button on the key is quicker/easier then using the app.
While both handle two factor authentication, Authy only assists with time based one time passwords (TOTP) which still leaves the end user open to phishing. These security keys are meant to be used with universal second factor (U2F) which prevents phishing entirely.
The wireless key is the "Feitian MultiPass FIDO Security Key" I'd caution people to read the Amazon reviews (specifically people found it unreliable and it would break if dropped/roughly handled).
They both seem to be re-branded Feitian, which cost less ($25 + $17 = $42) when purchased under that brand from Amazon than the Google Titan moniker.
Yes. Sorry I should have made it clear I was addressing the second part of your comment, i.e. a reason to pay $50 for hardware you can get for $42 elsewhere
I assume everything on Amazon is a counterfeit and plan accordingly. Have you heard anything about Walmart? They have free two day shipping and I haven't heard any counterfeit horror stories (yet)
The key is made by a company called Feitian (Feitian Technologies Co., Ltd), on Amazon. That's the original manufacturer selling directly on Amazon [1]. That's the only one available. Its about as authentic as you can get on Amazon. I'd rather buy it from Gearbest or Banggood but they don't sell this. And Google just sells it rebranded.
Though I won't buy this (I could use the BLE part of it), since for one it doesn't seem to be build strongly (overcome-able but still), it only seems to work with Chrome according to reviews (I use Firefox), and I'm unsure if Bluetooth is secure for this method, nor reliable. NFC should be fine, since its much closer range, and I have a YubiKey NEO but my phone doesn't have NFC, unfortunately.
I read the doc. Seems to be something like a user guide for the Feitan product published a year ago. Never it mentions the hardware/firmware of Titan keys that Google sells today is theirs. Most security keys from various companies look alike.
Sure most security keys look vaguely similar but these are clearly completely identical physical designs. Why would you think they happened to make an extremely detailed clone of the Feitian hardware rather than simply buying it and flashing their in house firmware?
While I don't know whether or not Feitan manufactures those keys, I believe the answer is that they don't. More importantly though, that article doesn't really provide any detail one way or the other. Advanced Protection works with any FIDO/U2F key. Feitan's keys are valid AP keys. Titan keys are valid AP keys. Yubico keys are valid AP keys.
That a key works with AP doesn't say anything about who made it, and that article just says that you can use Feitan's keys with advanced protection, not that they're Google's key manufacturer. In fact I think that article is from before Google announced the Titan keys, but I'm not 100% on that.
Google provided identical Feitan keys for Advanced Protection as recently as a couple of months ago[0]. AP works with any FIDO key, but that isn't what we're discussing, we're discussing that these are re-badged Feitan keys. Which they most likely are.
Yes, Google used to provide Feitan keys. That doesn't really address whether or not these are Feitan keys. (I'm also not sure what you mean by rebadged).
Rebadging is when you primarily change the branding of a product (and some customizable aspects of it). Sometimes these are white label products whose entire purpose is to be rebadged, other times it’s another companies offering.
As a person enrolled in Google's Advanced Protection Program, Google recommended that I use the Feitian Multipass Key upon sign up. I bought a few of those, and it looks exactly like the key in that picture. I'm looking at my Feitian right now, and I can promise you it's the same.
I suspect these keys will be FIDO2, so even if they look the same, even Feitian might raise up its prices a little bit supporting the new standard. I don't know, just guessing.
Also, in Google's $50 there are also 2 cables usb-a2c and c2a. I guess they decided to go the way of the complete package with all you may need.
Uh? Then how do I plug my USB-C Samsung phone into an USB 2.0 A port on my laptop with an official Samsung cable found in the phone's box? Do I misunderstand something? Is the cable "illegal"?
The real reason is to prevent hooking up two dumb Type-A host side power supplies, as I pointed out in another post. A properly implemented Type-C device will not draw high currents without power negotiation. (I'm looking at you, Nintendo)
Cable not adapter. IIRC a cable is okay but the adapter version is not. Like mentioned above/below, this is to prevent other USB-A things from causing problems. When you have a fixed cable, you remove a lot of the potential issues for misuse.
Any adapter that has a USB-C receptacle is prohibited by the standard. This limitation exists to prevent hooking up two USB-A hosts with a USB-C cable.
Or just sell both form factors. Even if they sold a USB-C version, though, it's not really useless for all of us poor schmucks who are using Macbooks with only two ports.
The description doesn't say if the keys are compatible with FIDO2 / Webauthn, which seem to be the new standard superseding FIDO (namely with password-less and multi-factor auth).
It would be disappointing if not...
$50 seems very expensive. The actual hardware probably does not cost more than $10 and I can't see adoption of FIDO keys becoming widespread unless companies are willing to sell keys at or below cost.
If a bluetooth locator tag is only about £3.34 [1], then a tag with an encryption chip should not be 10x the cost. Google has an incentive for their keys to become widespread and well adopted because people will associate their brand with "high security". It also actually helps Google if they don't have to deal with support requests from users who've had their accounts compromised.
The open-source U2F Zero claims ~$3 of parts and a ~$2 PCB [1] ordering a single unit. Making a large volume, that price is only going to come down.
Admittedly you'd have to pay for a plastic case, assembly costs, an envelope and stamps. But if I can get a 16GB flash drive for $8 with free shipping [2] the plastic case, assembly etc can't be that expensive!
Bulk procurement, certification, software all affect cost, of course.
When a flaw was discovered in 4096-bit RSA ley generation, Yubico sent me replacements for all of my registered hardware tokens, no additional cost to me.
Good thing about a standard like U2F is reducing software and certification costs, and sure if you are clear to offer no post-sales support, then you should be able to get legitimate hardware for maybe $10.
Oh, absolutely! I was responding to the statement "The actual hardware probably does not cost more than $10" which refers to the hardware specifically. The retail price would be higher than the hardware costs to cover software, support costs, returns, profit, shipping, credit card fees, and so on.
Yes of course, but the reason I mentioned the hardware cost is because that scales linearly with demand and software cost does not. The market for these kind of security devices is tiny right now but has the potential to be huge in the future. It would make sense for Google to sell their hardware at the lowest price they can in order to get people on board, after which network effects will ensure people stick with Google's services.
When selling hardware, unless you are extraordinarily dominant in a very large and highly competitive market (television manufacturing), care only about marketshare (lower-tier smartphone manufacturers), or have another revenue stream (game console sellers) generally speaking you should target 3x BOM as your final retail price at an absolute minimum.
That's just for hunks of plastic. For complex (not a hunk of injected-molded plastic) devices with high non-BOM costs, you should be targeting 4x-5x at a minimum.
Also, the 3x-5x rule is for bare-bones lean operations. If you actually want to make money, compensate your employees well, practice good environmental stewardship in the construction of your products, use a manufacturer that treats its employees with respect, and have a healthy business where you are prepared to weather future changes in the market, your BOM costs should be LESS THAN 20% of the MSRP.
The model is also different if you are a Shenzhen ripoff factory dumping goods onto the market through Marketplace Sellers or Drop-Shippers. But that is not a model compatible with long-term prosperity or worker satisfaction.
The most likely snoopers are far far away, probably even a different timezone. If you have local burglars around they'll just break your windows and doors to get things anyway.
Let's be real, how often does an attack like that happen?
Yes, a localized attack is still possible but you probably have a different set of worries if attacks are going so far as to be within a short distance of you.
These tools are about reducing the effectiveness remote attacks which are much more logical to carry out.
How often do you work from a coffee shop? Ever wonder if anyone else in the shop has a minimized wardriver or "blue-driver" sniffing wireless connections? Or maybe their device is infected with a trojan, and a remote attacker is using their device to sniff a random network, which you happen to also be using.
Really? I would assume that the snoopers have access to another Bluetooth-enabled device nearby, such as pretty much any modern desktop or laptop computer.
Vanguard lets you use a security key as a second factor. It is the only finance-related website I've ever seen that does so. (And it's probably because Google made them, as that's where my Google 401k was.)
Nice for humans, but these dongles don't solve the problem of automated background services having to log in to machines to complete their tasks. How do people solve this problem?
A persistent token like OAuth. Generally, you want these to be time-limited, scope-limited, and traceable to a human (probably issued by touching a security key).
Part of the idea behind the security key is to prove that a human is requesting access and that is why there is a button to press. If your application is designed to give privileges to robots, then a security key is completely orthogonal to that.
The store page sucks balls - no details whatsoever!
Does anyone know how these keys could be used for TOTP? In case of Yubikey one could use an app which effectively acted as a proxy between the TOTP-based system and a hardware key. Does the Google key support the same functionality?
These devices don't have a real-time clock, so TOTP is out of the question. A Yubikey by itself is incapable of doing TOTP, too – it just acts as a hardware authenticator for the actual password generator. HOTP/counter mode doesn't have this requirement.
Is it possible to use the Bluetooth dongle with a desktop computer without a cable? Having to carry both on your keyring kind of defeats the purpose, because even Google's own guidelines tell you to store one in a safe place and keep the other one in daily use.
Excuse my ignorance (I'm trying to understand by googling). I know it's not the same technology but is it the same concept (public/private key) as for example the Estonian government uses for identity and accessing government services?
The Feitan key's Bluetooth works with Android and iPhone but it won't work with your Mac or Windows. I own one, that bit was an unexpected pain for me.
The problem I think is the browser, e.g. Chrome only implements CTAP over USB. The Secure Click (yet another security key) is sold with a usb2ble dongle, so you can use it wirelessly also with your laptop/desktop.
I would prefer one from Apple. I don't trust Google as much as I do Apple, simply because I know they don't make money from my data. The fact that the FBI couldn't get into an iPhone makes me trust Apple much more. If I start using this Google key, I'm not sure how far in bed they are with the government and if they can crack my accounts.
I would prefer one from Apple as well, but mostly because my laptop (which was built by Apple) only has USB-C ports, so carrying an USB-A adapter, like the one shown in the picture [1], would be a deal breaker for me and many others. Something like the YubiKey 4C Nano [2] would be good.
If it gets stolen, and the thief is actually trying to take over your accounts, then the process of proving that you are the rightful owner is probably easier if you have the key than if the thief has both the laptop and the key.
We don't know if or when the FBI will be able to crack iPhones. There are news (maybe fake) on the internet about a machine that can be plugged into iPhones and dump data from it, and that machine is only sold to thieves or gov agencies.
When you look at the recent clashes with Google and the gov, for example stopped military project or Trump accusing Google of political bias, it doesn't seem Google is "in the same bed" than the gov.
To me, both Apple and Google are good trustable and competent entities. They both have high standards. I personally trust Google more about data security, but I guess everyone is different.
143 comments
[ 6.7 ms ] story [ 275 ms ] threadUse this link to force-redirect to the US product page: https://store.google.com/us/product/titan_security_key_kit?h...
(mods, can we please change the story URL to the above one? It should show the correct item globally and thus leaving less people confused.)
EDIT: Revisting, it states anything running Google Chrome should also work. So I guess macOS should be fine, what about iOS?
Instead of typing in a code, you press a button. It also protects against phishing by validating the URL of the site you're authenticating on (with a code-based 2FA you can still enter your code on a phishing site, which then forwards it to the real one).
Seems like it might be useful, but haven't had the time to try it out yet.
I personally would rather have Security Keys, but a solution like Krypton is definitely easier for a lot of users and obviously the price differential is hard to argue with.
https://en.wikipedia.org/wiki/Time-based_One-time_Password_a...
https://en.wikipedia.org/wiki/Universal_2nd_Factor
They both seem to be re-branded Feitian, which cost less ($25 + $17 = $42) when purchased under that brand from Amazon than the Google Titan moniker.
This way a reputation system is more effective.
The comingling of products in the binning process isn't good, though.
The key is made by a company called Feitian (Feitian Technologies Co., Ltd), on Amazon. That's the original manufacturer selling directly on Amazon [1]. That's the only one available. Its about as authentic as you can get on Amazon. I'd rather buy it from Gearbest or Banggood but they don't sell this. And Google just sells it rebranded.
Though I won't buy this (I could use the BLE part of it), since for one it doesn't seem to be build strongly (overcome-able but still), it only seems to work with Chrome according to reviews (I use Firefox), and I'm unsure if Bluetooth is secure for this method, nor reliable. NFC should be fine, since its much closer range, and I have a YubiKey NEO but my phone doesn't have NFC, unfortunately.
[1] https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/d...
It's only a syllable away.
While I don't know whether or not Feitan manufactures those keys, I believe the answer is that they don't. More importantly though, that article doesn't really provide any detail one way or the other. Advanced Protection works with any FIDO/U2F key. Feitan's keys are valid AP keys. Titan keys are valid AP keys. Yubico keys are valid AP keys.
That a key works with AP doesn't say anything about who made it, and that article just says that you can use Feitan's keys with advanced protection, not that they're Google's key manufacturer. In fact I think that article is from before Google announced the Titan keys, but I'm not 100% on that.
[0] https://i.imgur.com/5EWh0jx.png
Also, in Google's $50 there are also 2 cables usb-a2c and c2a. I guess they decided to go the way of the complete package with all you may need.
We're having a kickstarter soon, and if you're interested you can join the waiting list at https://solokeys.com/
2. this link does not work outside US
The only computer I own that has a USB Type C port is my homebuilt desktop, and it's on the back, and I don't think the Windows driver actually works.
https://store.google.com/us/product/titan_security_key_kit?h...
To my knowledge there are no such adapters that are compliant with the USB spec.
https://www.yubico.com/product/yubikey-4-series/
What makes you think that the cost to produce the hardware is less than $10? And what reason would companies have to offer keys below cost?
This is more like the Yubikey Security Key ($20): https://www.yubico.com/product/security-key-by-yubico/#secur...
[1]http://amzn.eu/d/bMowBkS
Admittedly you'd have to pay for a plastic case, assembly costs, an envelope and stamps. But if I can get a 16GB flash drive for $8 with free shipping [2] the plastic case, assembly etc can't be that expensive!
[1] https://github.com/conorpp/u2f-zero [2] https://www.amazon.com/SanDisk-Cruzer-Low-Profile-Drive-SDCZ...
When a flaw was discovered in 4096-bit RSA ley generation, Yubico sent me replacements for all of my registered hardware tokens, no additional cost to me.
Good thing about a standard like U2F is reducing software and certification costs, and sure if you are clear to offer no post-sales support, then you should be able to get legitimate hardware for maybe $10.
That's just for hunks of plastic. For complex (not a hunk of injected-molded plastic) devices with high non-BOM costs, you should be targeting 4x-5x at a minimum.
Also, the 3x-5x rule is for bare-bones lean operations. If you actually want to make money, compensate your employees well, practice good environmental stewardship in the construction of your products, use a manufacturer that treats its employees with respect, and have a healthy business where you are prepared to weather future changes in the market, your BOM costs should be LESS THAN 20% of the MSRP.
The model is also different if you are a Shenzhen ripoff factory dumping goods onto the market through Marketplace Sellers or Drop-Shippers. But that is not a model compatible with long-term prosperity or worker satisfaction.
Let’s hope that one day Apple opens full access to the NFC chip.
(And Bluetooth isn't that bad either?)
I'd rather force them to smash my windows and doors rather than just give them what they want in passing.
Yes, a localized attack is still possible but you probably have a different set of worries if attacks are going so far as to be within a short distance of you.
These tools are about reducing the effectiveness remote attacks which are much more logical to carry out.
TOTP does not solve phishing in any meaningful way.
[0] https://twofactorauth.org/#banking
I'll probably wait out for the FIDO2 upgrade on the u2fzero...
Per-purpose users (with very limited rights) on machines, inside per-purpose VMs (with very limited network if any)... etc.
Part of the idea behind the security key is to prove that a human is requesting access and that is why there is a button to press. If your application is designed to give privileges to robots, then a security key is completely orthogonal to that.
Does anyone know how these keys could be used for TOTP? In case of Yubikey one could use an app which effectively acted as a proxy between the TOTP-based system and a hardware key. Does the Google key support the same functionality?
One of these keys has bluetooth so it also works with iphone without any cable.
Have you managed to authenticate your Google account with your U2F keys on your Mac?
If you have, please help the rest of us out, I get an error:
> You can only use your Security Keys with Google Chrome.
Here's a StackExchange question for some karma: https://apple.stackexchange.com/questions/327491/how-do-i-us...
[1] https://i.imgur.com/79ojvAK.jpg
[2] https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-...
When you look at the recent clashes with Google and the gov, for example stopped military project or Trump accusing Google of political bias, it doesn't seem Google is "in the same bed" than the gov.
To me, both Apple and Google are good trustable and competent entities. They both have high standards. I personally trust Google more about data security, but I guess everyone is different.
You sure about that?
1. FBI unlocks iPhone without Apple's help
2. Snowden documents show 100% success rate against iPhones
3. Graykey device to break into iPhones
[1] https://www.npr.org/sections/thetwo-way/2016/03/28/472192080...
[2] https://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-rep...
[3] https://blog.malwarebytes.com/security-world/2018/03/graykey...