The thing that makes me a bit jumpy about hardware 2FA with things like this or a Yubikey is around what happens if I lose it or it breaks.
It's not so much a problem in a corporate setup (like internally at Google) where you could go to a central admin team to revoke/replace the key.
But if you're a home user using this for a wide variety of sites and the token fails then the failure mode seems to be "go figure out the fallback for every site you use and use that", which could be really painful.
I prefer the possibly less secure but more flexible option of TOTP applications that let me sync to multiple devices, so the loss of one device isn't very painful.
I think I'd like a version of this scheme which works a bit like email-based verification: you have a trusted provider (like an email provider today, you can self-host or use any of the many 3rd party hosts) that you use to vouch for your identity. When you want to log into a website you use a certificate authenticating you, the website checks if it's valid with your authority (similar to the current email-based verification on most websites). If you want to change your certificate for any reason you only have to do it with your authority and everything else keeps working as usual. The drawback of course is that you have a single point of failure, if the authority is compromised you're naked in the wild.
IIRC OpenID worked like that but unfortunately it never gained traction. It's a shame really.
More practically I do use a yubikey myself but mostly as a GnuPG smartcard, not for 2FA. I actually have the same key stored on multiple tokens as a backup, so if my current key breaks I just have to fetch another one. Of course if instead I lose it or it's stolen I'll probably have to generate new keys (even though the PIN should theoretically still protect me) so the problem still exists.
See https://twofactorauth.org/ . I thought there was an ongoing effort to add backup/restore steps to this informative site.
Indeed, I was recently locked out of some of my accounts: I used some "one-shot backup codes", but some sites didn't deliver them (and so required involvement of admin/support by mail+phone).
With yubikeys, you can effectively clone them when setting them up initially. So you carry one and keep another spare in a safe location. If your primary fails, you can buy another and promote your hot standby to primary having set the new one up to be a clone.
For both cases, what you want to have is a central account that you authenticate to using the key, and that account uses OpenSocial/OAuth-like protocols to grant access to separate services.
That’s how those central teams manage to revoke keys easily.
In the original U2F spec, I think there was an "answer" to this revocation issue: "enroll a second device for every origin, and keep this one in a safe". This way you can still connect even if you lose the first one.
umm, buy two, enroll both and keep one safe somewhere?
I'm very surprised when people voice this concern. These keys cost a mere $20 or so. There's no limit to how many websites you can set them up with. So $40 or even $60 is all you need to invest.
I'm not sure if this is the "hardware security module" they've been touting for Pixel 2 devices, too.
I assume this project was spun-off from Project Vault, or at least they re-used some of the ideas/code from that, but it's still a shame we won't be getting the microSD "HSM" anymore. I guess that idea died when Google and other manufacturers decided to kill support for microSD in their devices altogether.
Quite neat. Though I'm still disappointed in the U2F/Security Key market.
The Yubicos cost 50€ apiece, or 20€ for the U2F-only key. And to get NFC you have to buy a worse variant of the other keys that doesn't support 4096-bit RSA and some other features.
There is not much competition either, Nitro is just as expensive and doesn't feature a good and cheap key either.
Open Source variants are also fairly rare, I would love to DIY some Yubikey 4-like stick with the same or similar/comparable function set. Only thing so far I found is the U2F zero but that didn't offer RSA.
Quite annoying, maybe some competitor other than Yubikey and Nitro can solve this. (It doesn't seem Google is selling the Titan, I see no pricetag)
Why does Google 'sell' this as an advantage over 2FA on a mobile phone? In this case it works on a computer only, or you have to be at some computer; with a mobile app you can be anywhere. I see that as a huge disadvantage.
Mobile phones can be hacked; if you use your Authenticator app to log into an application on your mobile phone, it's by definition no longer two-factor authentication. The basis of that is having a separate device. Having that in a key that cannot be compromised by e.g. being rootable, internet connected, etcetera is an extra layer of security.
The mobile phone is more convenient though, and I also don't know how these things work when you try and log in via a mobile device. For high security access though, like google cloud consoles and such, a policy of not allowing access via mobile phones does make sense. (also because said console is probably not very usable on mobile).
Security tokens are more secure and can't be as easily phished as phone-based 2FA solutions. It's not about using the key on a mobile phone, it's about replacing phone-based 2FA.
You're right however that their key doesn't seem to have any interface other than USB so it won't be practically usable on smartphones. Yubico has NFC tokens[1] for that use case but it doesn't seem that Google's version offers that yet.
The yubikey version of this works with phones: you can plug it in if your phone has the appropriate USB port, and it theoretically supports NFC and Bluetooth, but those rarely seem to work for me. I'm not sure if the Google version also supports the wireless protocols, but I don't see why you couldn't plug it into your phone.
All the answers above sound like great explanations! I don't understand mobile 2FA as an app only, but also as the possibility of e.g. being called by the system and having to enter some PIN/key over the phone.
They need to do better at explaining what this is.
Is it a physical device like in the pictures, or a piece of software? It does not make it clear. I can make a best guess, but from this landing page it is uncertain.
larkeith|7 years ago
raesene9|7 years ago
simias|7 years ago
moviuro|7 years ago
chillydawg|7 years ago
bertil|7 years ago
suixo|7 years ago
In practice, well, meh...
pentestercrab|7 years ago
oxplot|7 years ago
mtgx|7 years ago
https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-...
https://techcrunch.com/2015/05/29/googles-project-vault-is-a...
This is Yubico's response to the Titan Key announcement, if you care to read it:
https://www.yubico.com/2018/07/the-key-to-trust/
moviuro|7 years ago
gonvaled|7 years ago
Why should I trust USA produced products?
zaarn|7 years ago
dogma1138|7 years ago
If your phone is compromised by someone who can exploit it then your adversarial outlook is pretty dire to begin with.
moviuro|7 years ago
aichi|7 years ago
Cthulhu_|7 years ago
moviuro|7 years ago
Still vulnerable to phishing. If you include a convincing iframe, your attacker can store your TOTP code and use it from their machine.
U2F relies on the domain of the page you are currently browsing, so the response can't be used by another party on the real site.
And if you were thinking about SMS... vulnerable to any attack on the mobile network + phishing + ...
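The point made in this comment (and in the replies above about phishing) is the one worth seeing in code: a TOTP code is the same six digits whoever asks for it, so a phishing page that relays it to the real site wins, while a U2F response is bound to the origin the browser reports and to a server challenge, so the same relay fails. The following is an added example, not code from the thread or from Google or Yubico. The TOTP half is RFC 6238 over the standard library. The security-key half keeps the U2F message layout (sha256(appId) || counter || sha256(clientData)) but, to stay dependency-free, models the per-origin ECDSA key pair and signature with HMAC-SHA256; the origins, seed and challenge are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import struct

SECRET_B32 = "JBSWY3DPEHPK3PXP"              # constructed TOTP seed
MASTER = b"constructed token master secret"  # constructed security-key secret
REAL = "https://login.example.com"           # hypothetical real site
EVIL = "https://login.example-evil.com"      # hypothetical phishing site


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_site_accepts(code, unix_time):
    """The real site checks the current and previous step, as most sites do."""
    return any(hmac.compare_digest(code, totp(SECRET_B32, unix_time - d)) for d in (0, 30))


class Token:
    """Security-key model. A real U2F token holds a per-origin ECDSA key pair;
    here the per-origin key and the signature are HMAC-SHA256 (assumption)."""
    def __init__(self, master):
        self.master, self.counter = master, 0

    def origin_key(self, app_id):
        return hmac.new(self.master, app_id.encode(), hashlib.sha256).digest()

    def sign(self, app_id, client_data):
        # app_id is supplied by the BROWSER from the origin of the calling page;
        # the token never sees the URL bar, it only signs what it is handed.
        self.counter += 1
        msg = (hashlib.sha256(app_id.encode()).digest() + struct.pack(">I", self.counter)
               + hashlib.sha256(client_data).digest())
        return self.counter, hmac.new(self.origin_key(app_id), msg, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, app_id):
        self.app_id, self.keys, self.last_counter = app_id, {}, {}

    def register(self, user, token):
        # stands in for storing the public key returned at registration
        self.keys[user] = token.origin_key(self.app_id)
        self.last_counter[user] = 0

    def verify(self, user, challenge, client_data, counter, sig):
        cd = json.loads(client_data)
        if cd.get("challenge") != challenge or cd.get("origin") != self.app_id:
            return False                     # wrong origin or stale challenge
        if counter <= self.last_counter[user]:
            return False                     # replay or cloned-token detection
        msg = (hashlib.sha256(self.app_id.encode()).digest() + struct.pack(">I", counter)
               + hashlib.sha256(client_data).digest())
        if not hmac.compare_digest(sig, hmac.new(self.keys[user], msg, hashlib.sha256).digest()):
            return False                     # signature covers the origin and client data
        self.last_counter[user] = counter
        return True


def client_data(challenge, origin):
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()


def totp_phish(now=1_700_000_000):
    """Victim types the code into the phishing page; the attacker relays it."""
    relayed = totp(SECRET_B32, now)
    return totp_site_accepts(relayed, now)            # True: the relay works


def u2f_phish():
    """Attacker proxies a real challenge to the victim on the evil origin."""
    token, rp = Token(MASTER), RelyingParty(REAL)
    rp.register("alice", token)
    challenge = "constructed-server-challenge"
    cd_evil = client_data(challenge, EVIL)
    counter, sig = token.sign(EVIL, cd_evil)           # browser reports EVIL
    passthrough = rp.verify("alice", challenge, cd_evil, counter, sig)
    # attacker rewrites the origin before forwarding: the signed hash no longer matches
    forged = rp.verify("alice", challenge, client_data(challenge, REAL), counter, sig)
    return passthrough, forged                         # (False, False)


def u2f_legit():
    """Same token on the real origin: accepted once, replay of the response rejected."""
    token, rp = Token(MASTER), RelyingParty(REAL)
    rp.register("alice", token)
    challenge = "constructed-server-challenge"
    cd = client_data(challenge, REAL)
    counter, sig = token.sign(REAL, cd)
    first = rp.verify("alice", challenge, cd, counter, sig)
    replay = rp.verify("alice", challenge, cd, counter, sig)
    return first, replay                               # (True, False)


if __name__ == "__main__":
    print("TOTP relay accepted:", totp_phish())
    print("U2F relay accepted (passthrough, forged origin):", u2f_phish())
    print("U2F legit (first, replay):", u2f_legit())
```

The two failure paths in `u2f_phish` are the whole story: if the phishing proxy forwards the response untouched, the relying party sees the wrong origin; if it rewrites the origin to look right, the hash the token signed no longer matches (and the key derived for the evil origin is not the registered one anyway). The counter check is the same mechanism a site uses to notice the "clone" setups discussed elsewhere in the thread, which is why real U2F keys cannot be cloned and a backup key has to be enrolled separately.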
simias|7 years ago
[1] https://www.yubico.com/products/yubikey-for-mobile/
pliny|7 years ago
aichi|7 years ago
lodyb|7 years ago
ckocagil|7 years ago
caiob|7 years ago
bdz|7 years ago