Google’s employees are now using hardware security keys, including one version designed to look like a real key.
I juggle two password managers that mishmash random characters and numbers together and file them away to ensure optimal encryption across my various accounts on the web. As a result, I can’t even get into my bank account without cross referencing apps and autofills. And you know what? None of this matters all that much when someone just hacks into a database like Yahoo and extracts my perfectly crafted password–no reverse-engineering required.
It’s why, to secure the accounts of its own employees, Google seems to be going another direction. Over 85,000 employees at the company are now using hardware security keys, including one it developed internally called the Titan Key. And yes, one version of the Titan Key is designed to look like a real key.
The device will soon be available to the public to buy in USB or NFC versions, to plug into a computer or sync wirelessly to authenticate your identity across Google services and many third parties. The authentication method itself is a lot like the two-factor authorization that you might use with your phone, but the physicality of the Titan Key eliminates a hacker’s ability to intercept a phone message in transit and hack into your account that way. The only way into your accounts is with the physical key.
Google says that, since implementing the security keys internally, it has reduced its phishing incidents down to zero reported cases. Titan Keys are now available for network admins, and anyone else who wants them, to order through the Google Store for a yet-to-be announced price.
Whether or not carrying around a Titan Key is your jam, I suspect we’ll see a lot more of this type of security soon. Everything across our lives, from apps, to food delivery, to passwords, has become increasingly seamless for users as technology has entered the cloud. That convenience, however, has come at a cost. Generally, the easier and more accessible security is for users, the easier and more accessible it is for hackers, too. We need complexity to be safe–checks and balances that act like speed bumps.
Take what we’ve seen in the world of cryptocurrencies. The savviest users take their money out of online wallets and store it on encrypted, personal hard drives. In one sense, it’s a huge risk–your life savings is stored in a single 3.5-inch box that, if destroyed, crushes your equity, too. However, the physical barrier of the hard drive means that no one can snake their way through the vast sewer system that is the internet, and patiently poke away at your McScrooge safe until they find a way in.
The Titan Key offers a similar level of physical friction to the digital password process. Even with password managers, everything about the password as we know it is just copy and paste-able code. The Titan Key, on the other hand, cannot be digitally copied. It also, technically, never even shares a password. Instead, through a technique called cryptographic signing, it proves to the server that it’s in on the secret of your identity without ever transmitting the algorithms behind it. That secret lives on your key, not on something that can be hacked. So if someone wants to steal your Titan Key authentication, they literally have to pull it from your computer or your pocket. (Oh, and I should clarify–the Titan Key is really a second line of password protection. The potential thief would also have to acquire the main traditional password you use, first. On top of that, as a third layer of security, Titan Key double-checks with your browser at all times to make sure it’s never sharing its data with covert phishing sites in the first place.)
For sure, a Titan Key adds a lot of potential headaches. Like your real car or house key, you need to find it before leaving the house in the morning, and then carry it on you all the time. Otherwise, you simply can’t prove to a computer that you are who you say you are.
However, as more of our life goes digital, the stakes are only getting higher. Perhaps it makes sense that we lock up our email as judiciously as we lock our front doors.