This is a pretty compelling U2F solution. It matches the price of a Yubikey but you really get a Bluetooth key and a USB version in the box (with a USB C adaptor ?).
EDIT : child comment says the USB key also has NFC.
No it's not. It's manufacturered in China, a state devoted to spying on its own citizens to a degree higher than the NSA (social credit scores, etc) and preventing the free flow of information. I wouldn't trust this thing to store my zip code securely, much less a private key.
Since the key doesn't have wifi or anything, how can the private key flow back to China? (This is a serious question - is there enough wiggle room in the U2F protocol to allow the device to reveal the private key to a Chinese website, if they can trick you into visiting it, or something?)
OK, "the device is secretly a USB Rubber Ducky-style device that will send keyboard shortcuts to open a new tab, send data, and close it" is definitely a potential attack, sure. It would almost certainly be super noticeable (unless everyone else's browsers are much faster at opening and closing tabs than I am) so it seems like the sort of thing you'd only deploy against a couple of high-value targets at some single opportune moment, but that's arguably within Advanced Protection's threat model I guess.
That's easy: The Chinese government could infiltrate the factory and keep a record of the on-chip private key, then kill anyone who doesn't agree to go along with it. Or bug the programming devices. Chinese courts are far from independent - they do as they are ordered by the Communist party, and rulings highly depend on guanxi or connections (family, party, or both).
The whole security key thing relies on a chain of trust. Unless you are designing your own chips (and verifying samples of them to ensure nothing has been added), you can't ever really know if some bad actor or state actor has compromised the chain somewhere along the way.
So far in the US, such things are not legally required and where ordered by lower courts the appeals courts have overruled them. As it stands today the government can't require anyone outside of a telephone company to implement any technological measure to assist them in spying (telcos are required to assist with wiretaps). Companies might go along with a request of course.
I'm not saying there is a perfect solution here, but in general I trust chips and devices manufactured in the US and Sweden to a much higher degree than devices made in China.
> Since the key doesn't have wifi or anything, how can the private key flow back to China?
The bluetooth one has a bluetooth radio (obviously). I suppose it's conceivable that the firmware could have a backdoor that allowed exfiltration of the private keys via that radio. Such a backdoor could probably be used in a targeted way against particular people in public places like a airports or cafes.
Given that Google is marketing these things towards high-value targets such as journalists, campaign advisors, and Google engineers; building such a backdoor would be very tempting. It wouldn't even have to be present in stock keys, if the shipments could be intercepted in the mail on their way to particular targets.
It's also manufactured by Google, which is equally adept in spying and probably more unworthy of trust.
But more importantly, it's just a bad deal. A yubikey neo can do GPG, PIV, OATH, OTP, HMAC challenge response, and a few other things in addition to NFC U2F for the same price. The Titan dongles package just does U2F, and U2F isn't even that great.
> This is a pretty compelling U2F solution. It matches the price of a Yubikey
Not really. The $50 Yubikey does a lot more than these (e.g. storing PGP keys, etc). If you only want U2F, Yubico sells their blue key for only $20 (or a 2-pack for $36):
Oof, you know there're problems with USB-C when even Google in their official press shots show a dongle being used with their hardware key. Not very elegant, is it.
That's quite a leap. Most people don't have USB C, it makes sense to ship A/B and call attention to that unless you're making accessories for specific laptop models.
I work at Google but have no internal knowledge of whether USB-C version is being considered for production or not. I personally really need one, since that Pixelbook on the product page is actually standing with the help of the USB port, as adapter is much thicker than the laptop itself.
I am quickly losing confidence in Google's ability to do hardware. Google Home is the only bright point on an otherwise terrible landscape of hardware releases.
Pixel 1 : Great phone but they just couldn't keep the supply chain filled.
Pixel 2 : see above.
Android Wear / Wear OS : Version 1.x solved all the problems of early Android handsets, by Google taking control of the firmware. Version 2.x completely crippled existing watches to the point of making them unusable. I think this was in a bid to gain more iPhone users.
Pixel 3 : It's not out yet and it's already being slated for having a huge notch. Let's hope they can make enough this time.
Google is to hardware what Sony Pictures is to movies. You get the odd great release but generally they're bogus.
To be fair, most other top hardware makers they're being compared to have been in the game for decades. And even then, the flaws were never that big. The biggest one so far has been a screen that shifts blue on tilt, but Apple and Samsung (the two biggest and best hardware makers out there) have had bigger issues (exploding phones, bending phones, reception issues, etc).
Also not sure why you randomly mention Android Wear, which to this point is purely software for Google, in the middle of a hardware comment.
I'd say even that is questionable. Their insistence on using two microphones with "superior software" looks great on paper. Reality is it's significantly less sensitive than Alexa/echo in practice.
FYI, we're going to launch a Kickstarter for Solo, an open source FIDO2 security key (https://solokeys.com), and we're planning to offer free shipping in both US and EU. I'm an Italian living in the US, and I personally care a lot about this aspect. It's incredibly sad to see that companies with unlimited resources still completely ignore non-US markets.
Usb-a (or -c), and NFC will be available. Price for NFC should be around $30-35, to be confirmed. Plus various Kickstarter discount.
We won't have bluetooth, at least in the first iteration. The chip we chose is pin-compatible with another one with BLE, so it's not excluded in the future.
Honestly, I really hope Apple will announce a more open NFC next week.
We want to provide an open source alternative (hardware & firmware).
As others mentioned, note that there's a difference between the new Yubikey Security Key (FIDO2 only) and previous Yubikeys, that do multiple things, including pgp/ssh support.
By being open, eventually we think that Solo can also support these features, and maybe more. But to start, we want to focus on FIDO2 (and U2F, because FIDO2 is backward compatible).
Weird that not a single picture here or in the Google store shows the back of either of the keys, especially since this article says both keys have a Google Titan logo on their backs.
The case design shape and LED positions are identical.
You'll need to check the USB VID and Bluetooth MAC vendor ID's to be sure the hardware inside is the same.
1. Nothing in that article makes me more worried about a Chinese company being potentially compromised than I am worried about a US company being potentially compromised. Every single argument there - performative patriotism, military-industrial complex, government expectations of backdoors - would apply equally well to the US.
2. The threat model makes no sense. Why would Google send you to a compromised vendor of cheap devices with weak radios to falsely secure logins to your Google account, when Google already has control over your Google account?
There's a simpler answer, which is that the only vendors that have Android NFC U2F devices are China-based. The YubiKey doesn't support U2F over NFC (at least last I checked). That's why they previously had you get one YubiKey and one Feitian. On that assumption, the most rational thing for Google to do if they have good intentions is to suggest the leading Chinese security key in the short term, and in the medium term, white-label that key's hardware and flash their own firmware (or at least firmware they've audited) onto it and rebrand it, which appears to be exactly what they've done.
>Nothing in that article makes me more worried about a Chinese company being potentially compromised
Unfortunately my anecdotal experience biases me to believe it. After getting hundreds of Microsoft product keys from Dell, and having 20 to 50÷ of them from China being compromised even with the security scratch off intact. Have not ran into an issue with a single us printed one. Ya, no faith here.
> Nothing in that article makes me more worried about a Chinese company being potentially compromised than I am worried about a US company being potentially compromised.
I think that this is a terribly naive assumption. Privacy is cheap if not meaningless in China. The government can request access to server private keys and it often does. Anyone that has tried to deploy a service in China knows that it is an absolute security nightmare because of the security allowances you have to make for the government.
> And it's not fear of Google accessing your account, which they already do. Is the Chinese state actor doing so. Which they will.
Is the claim here that Google is wilfully facilitating China accessing your account? If so, those fears are the same.
(If the claim is that Google is unintentionally facilitating this, I think we need a bit more of a story about why Google - which wrote the U2F protocol with Yubico in the first place, and is generally seen to be competent at this - would make this mistake. "They want to make China happy" is the beginning of such a story but not nearly enough.)
Does that mean that it would support touch-verification on iOS?
[I bought half a dozen yubikeys with NFC last year for my family, setup and tested lastpass, extensively tested my android and PC... when it all fell flat on their iPhone. Whopsie!]
This article is made up entirely out of innuendo. With the same facts you can write an article about how much Google trusts the design of U2F and this particular hardware to put its name and reputation behind it, ship it to its own Advanced Protection Program customers and hand it out to its own employees.
I still can't tell if these are just rebranded Feitian Multipass keys [0], which I've already owned for several years. Has Google added something that I've missed?
Disclaimer: I'm working on Solo (https://solokeys.com), open source FIDO2 security key, which is the successor of U2F Zero (https://u2fzero.com), open source U2F token.
I'm perplexed at the cost of these. I get that they're aimed at the corporate market, and this is probably spare change from their perspective, but does that mean that the education, small-business and personal markets don't deserve the same level of security?
The device must cost a couple of dollars (at most) to manufacture, and I highly doubt the development and service costs add up anything close to the amount they're being sold for, so is the price simply what they can get away with?
Security-wise, how does this compare against a (free) phone-based 2FA app (be it TOTP or network based)?
I'm not against paying the real cost for a product/service, but this seems to be one where it doesn't add up.
There's two keys here and some adapters. It costs the same, or a bit less than buying your own keys individually. These counter phishing better than TOTP.
With a security key, how does it get from the usb device to the browser? The token I used for my last work (I think it was a yubikey) appeared to the computer as a keyboard, and activating the 'button' on it simply sent a bunch of letters into an input field in a browser. This would be susceptible to phishing in the same way, no?
Your example would be valid if U2F simulated a keyboard, but it doesn’t. The U2F key is a non-keyboard USB-HID device. The browser has special code embedded to identify and communicate with U2F keys using low level operating system USB api calls. The authentication process is a challenge response mechanism where the site challenges and the key signs and responds to the request. The browser adds an additional piece of information to the challenge and embeds the actual URL (and tls session id if supported) and the server verifies this additional information. Phishing and mitm are prevented because the server is validating the actual URL of their own site when checking the signed response. The whole process is really cool when you get into the details and is very well designed for security.
"Hardware security key" has come to mean "U2F key".
Older hardware keys (include Yubikeys in OTP mode) didn't do any better at preventing phishing than TOTP. But U2F keys do; they generate credentials that are cryptographically bound to site origins, and work out-of-band from the keyboard. They were designed specifically to combat phishing.
Yeah, but even before that there were things you might call a "security key" (but which most people called "hardware tokens") that just displayed a single TOTP-like code; if you talk to enterprise people about security keys, those SecurID tokens might be what they're thinking about.
Does feel like Google putting their brand (and support) behind u2f keys will improve public perception of it. Though understand the concern about it being China made.
Hope this means other bigco will come out and improve manufacturing options, distribution options, bring the consumer cost down etc?
Qn of why are so few companies selling security keys if it's so important? Is Yubikey the ONLY safe option?
agree that cost is still prohibitive for small companies, home consumers, those in countries with weaker forex etc. Security should be able to cost less in order to be more widespread. Current it's like a first world luxury for those who can afford it, to be walled off into a harder-to-attack group like how mac users used to be more secure because there so few of them they were not worth general hacking.
Am glad to see Google strongly, actively, loudly pushing anti phishing security forward to all consumers through all their channels, which all other companies can do much more of. Eg if Apple sold a $100 u2f key through all their retail stores etc.
I had a similar question recently about https/ssl certs being so important and why most major ssl vendor ecommerce sites are so seedy/early 2000s design patterns.
One has to say, that Yubico website is Da Crap! Half of my screen filled with informational void, no comparison table of the products, no easy place, to learn why there is so many different keys, why I can not have a Nano with FIDO2 and so on and so on...
It made me really aggressive and I was happey, when I left it. Too much sales pitch, too little info.
89 comments
[ 3.4 ms ] story [ 140 ms ] threadEdit: it seems like the USB key supports NFC, but not the Bluetooth key. From the website:
USB Security Key
For use with your computer. You can also connect to most Android devices that support USB or NFC.
No it's not. It's manufacturered in China, a state devoted to spying on its own citizens to a degree higher than the NSA (social credit scores, etc) and preventing the free flow of information. I wouldn't trust this thing to store my zip code securely, much less a private key.
0. https://www.wired.com/2014/07/usb-security/
The whole security key thing relies on a chain of trust. Unless you are designing your own chips (and verifying samples of them to ensure nothing has been added), you can't ever really know if some bad actor or state actor has compromised the chain somewhere along the way.
So far in the US, such things are not legally required and where ordered by lower courts the appeals courts have overruled them. As it stands today the government can't require anyone outside of a telephone company to implement any technological measure to assist them in spying (telcos are required to assist with wiretaps). Companies might go along with a request of course.
I'm not saying there is a perfect solution here, but in general I trust chips and devices manufactured in the US and Sweden to a much higher degree than devices made in China.
The bluetooth one has a bluetooth radio (obviously). I suppose it's conceivable that the firmware could have a backdoor that allowed exfiltration of the private keys via that radio. Such a backdoor could probably be used in a targeted way against particular people in public places like a airports or cafes.
Given that Google is marketing these things towards high-value targets such as journalists, campaign advisors, and Google engineers; building such a backdoor would be very tempting. It wouldn't even have to be present in stock keys, if the shipments could be intercepted in the mail on their way to particular targets.
You're assuming the key needs to flow back.
But more importantly, it's just a bad deal. A yubikey neo can do GPG, PIV, OATH, OTP, HMAC challenge response, and a few other things in addition to NFC U2F for the same price. The Titan dongles package just does U2F, and U2F isn't even that great.
Digipass Secure Click sells with a ble2usb dongle, that let you use ble with your laptop (I have it fixed into my external monitor for example).
Note that it's not a limitation of the security key, it's more the browsers that only implement fido2/u2f (ctap) over usb.
Not really. The $50 Yubikey does a lot more than these (e.g. storing PGP keys, etc). If you only want U2F, Yubico sells their blue key for only $20 (or a 2-pack for $36):
https://www.yubico.com/product/security-key-by-yubico/#secur...
I've been using them for years and see no reason to switch.
Looks like the Titan Security Key (USB) has NFC and the Yubico Security Key does not. And the Titan Security pack has two adapters.
I call it a draw.
I work at Google but have no internal knowledge of whether USB-C version is being considered for production or not. I personally really need one, since that Pixelbook on the product page is actually standing with the help of the USB port, as adapter is much thicker than the laptop itself.
Pixel 1 : Great phone but they just couldn't keep the supply chain filled.
Pixel 2 : see above.
Android Wear / Wear OS : Version 1.x solved all the problems of early Android handsets, by Google taking control of the firmware. Version 2.x completely crippled existing watches to the point of making them unusable. I think this was in a bid to gain more iPhone users.
Pixel 3 : It's not out yet and it's already being slated for having a huge notch. Let's hope they can make enough this time.
Google is to hardware what Sony Pictures is to movies. You get the odd great release but generally they're bogus.
Also not sure why you randomly mention Android Wear, which to this point is purely software for Google, in the middle of a hardware comment.
I'd say even that is questionable. Their insistence on using two microphones with "superior software" looks great on paper. Reality is it's significantly less sensitive than Alexa/echo in practice.
https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-...
FYI, we're going to launch a Kickstarter for Solo, an open source FIDO2 security key (https://solokeys.com), and we're planning to offer free shipping in both US and EU. I'm an Italian living in the US, and I personally care a lot about this aspect. It's incredibly sad to see that companies with unlimited resources still completely ignore non-US markets.
We won't have bluetooth, at least in the first iteration. The chip we chose is pin-compatible with another one with BLE, so it's not excluded in the future.
Honestly, I really hope Apple will announce a more open NFC next week.
As others mentioned, note that there's a difference between the new Yubikey Security Key (FIDO2 only) and previous Yubikeys, that do multiple things, including pgp/ssh support.
By being open, eventually we think that Solo can also support these features, and maybe more. But to start, we want to focus on FIDO2 (and U2F, because FIDO2 is backward compatible).
https://www.androidpolice.com/2018/09/04/google-titan-securi...
I'll probably stick with my Yubikey for the time being.
https://www.zdnet.com/article/google-launches-titan-security...
https://www.ftsafe.com/products/FIDO/Multi
The case design shape and LED positions are identical. You'll need to check the USB VID and Bluetooth MAC vendor ID's to be sure the hardware inside is the same.
2. The threat model makes no sense. Why would Google send you to a compromised vendor of cheap devices with weak radios to falsely secure logins to your Google account, when Google already has control over your Google account?
There's a simpler answer, which is that the only vendors that have Android NFC U2F devices are China-based. The YubiKey doesn't support U2F over NFC (at least last I checked). That's why they previously had you get one YubiKey and one Feitian. On that assumption, the most rational thing for Google to do if they have good intentions is to suggest the leading Chinese security key in the short term, and in the medium term, white-label that key's hardware and flash their own firmware (or at least firmware they've audited) onto it and rebrand it, which appears to be exactly what they've done.
Unfortunately my anecdotal experience biases me to believe it. After getting hundreds of Microsoft product keys from Dell, and having 20 to 50÷ of them from China being compromised even with the security scratch off intact. Have not ran into an issue with a single us printed one. Ya, no faith here.
The Yubikey NEO has since 2015, and I use it with Advanced Protection.
Brad Hill's author choice here: https://github.com/hillbrad/U2FReviews#neo
Personally, I prefer the flat key profile over something bulbous on the keychain.
I think that this is a terribly naive assumption. Privacy is cheap if not meaningless in China. The government can request access to server private keys and it often does. Anyone that has tried to deploy a service in China knows that it is an absolute security nightmare because of the security allowances you have to make for the government.
And it's not fear of Google accessing your account, which they already do. Is the Chinese state actor doing so. Which they will.
Is the claim here that Google is wilfully facilitating China accessing your account? If so, those fears are the same.
(If the claim is that Google is unintentionally facilitating this, I think we need a bit more of a story about why Google - which wrote the U2F protocol with Yubico in the first place, and is generally seen to be competent at this - would make this mistake. "They want to make China happy" is the beginning of such a story but not nearly enough.)
[I bought half a dozen yubikeys with NFC last year for my family, setup and tested lastpass, extensively tested my android and PC... when it all fell flat on their iPhone. Whopsie!]
https://store.google.com/us/product/titan_security_key_kit
Otherwise users get redirected to the regional stores that do not have it available.
[0] https://smile.amazon.com/Feitian-MultiPass-FIDO-Security-Key...)
Is there any reason to believe at least the hardware isn't rebranded?
Disclaimer: I'm working on Solo (https://solokeys.com), open source FIDO2 security key, which is the successor of U2F Zero (https://u2fzero.com), open source U2F token.
One small note about your home page - 'kickstarter will launch in early fall' isn't ideal for people outside the US / northern hemisphere.
Not google's branded version.
I would be interested if I knew for sure that it works also with Fastmail, Twitter, my banks, etc. is there a list of compatible services?
The device must cost a couple of dollars (at most) to manufacture, and I highly doubt the development and service costs add up anything close to the amount they're being sold for, so is the price simply what they can get away with?
Security-wise, how does this compare against a (free) phone-based 2FA app (be it TOTP or network based)?
I'm not against paying the real cost for a product/service, but this seems to be one where it doesn't add up.
Older hardware keys (include Yubikeys in OTP mode) didn't do any better at preventing phishing than TOTP. But U2F keys do; they generate credentials that are cryptographically bound to site origins, and work out-of-band from the keyboard. They were designed specifically to combat phishing.
This is a short edu video, I'd be curious if you have any feedback: https://twitter.com/_conorpp/status/1036751355346595840
https://news.ycombinator.com/item?id=17875658
Hope this means other bigco will come out and improve manufacturing options, distribution options, bring the consumer cost down etc?
Qn of why are so few companies selling security keys if it's so important? Is Yubikey the ONLY safe option?
agree that cost is still prohibitive for small companies, home consumers, those in countries with weaker forex etc. Security should be able to cost less in order to be more widespread. Current it's like a first world luxury for those who can afford it, to be walled off into a harder-to-attack group like how mac users used to be more secure because there so few of them they were not worth general hacking.
Am glad to see Google strongly, actively, loudly pushing anti phishing security forward to all consumers through all their channels, which all other companies can do much more of. Eg if Apple sold a $100 u2f key through all their retail stores etc.
It made me really aggressive and I was happey, when I left it. Too much sales pitch, too little info.