Thursday, July 26, 2018

What are "Titan keys" and why would I want one?

Google recently announced their "Titan Security Key", that's grabbed some headlines [CNET]. But what is it, and why is it a big deal?

To talk about security keys, one must first understand multi-factor authentication. Each "factor" is a way to prove who I am to somebody who wants to provide me a service.

What I know! I prove who I am because I know a secret that only I should know. Passwords are the common example of this, as well as their cousin, PIN numbers. The weakness is that secrets are hard to keep, and easy to duplicate. Anyone who discovers my password can pretend to be me.

What I have! I prove who I am because I possess something that should belong to me. Credit cards work this way - if I have the card, I can swipe it and make a purchase - sorry, nobody ever looks at the signature. It's usually harder (but not impossible) to copy something I possess, and requires the evil impersonator to be physically close to my possession.

Who I am! I prove who I am because I can be physically identified. This is how a driver's license works - the photo should match how I look. Fingerprints are a popular way to validate people as well. The problem being that physical properties can be hard to verify - is that fingerprint a real finger, or just a piece of tape copying a fingerprint off a door handle?

Two factor authentication systems require TWO of the above factors to prove who I am. These are far more secure, since an impersonator would have to circumvent two different security systems, usually in very different ways. A common example of a two-factor authentication system is a debit card - to use the card I have to have the card in my hand (what I have) and enter a PIN number (what I know). To steal my money, you would have to get both at the same time without my knowledge (or else I'll just change my PIN or replace the card).

Security keys are designed to be a second factor in such a system. Systems that support them require both your password and the presence of the key before they let you log in. This makes my account more secure - if my password is discovered, nobody can use my account because I have the key. If my key is stolen, the thief can't use it for anything without knowing my password.

This does NOT mean you don't need a password anymore. A security key is actually not very secure on its own, because people overall are shockingly good at losing things. A security key's power is specifically in it's use as a second factor.

The Google Titan Security Key is just Google's take on security keys - and are conceptually similar to offerings from other companies (eg. YubiCo).

But why do I need a security key?
Because your password is bad. You used the same password for your bank account as you did on Snapchat, and you told your friend that password so they could continue your streak. But you can't change that password now, because it's the same password you've used since you were 16 years old. It's the password you shared with that Nigerian Prince who needed it to send you your lottery winnings, and entered it accidentally in that response from that email from But really, your password was just your middle name with a 1 on the end, so it was not hard to guess in the first place.

Your password is probably already hacked. If you don't think so, Have I Been Pwned is a fun reality check.

Where can I use it?
There's two variants being offered by Google - one for phones (bluetooth and tap), and one for computers (USB).

The downside is that not many online services support security keys yet, but a few big players do: notably Google, Facebook, and Twitter.

Questions you never asked?
Q: Do I need to use the key every time I use a website?
A: No, most sites will remember you on a particular computer or phone after you use your key once (for 30 days or so).

Q: How does it work with phones?
A: Phone support is still not the greatest, but if you have the right phone and the right security key, you can tap it to the back of the phone.

Q: What if I lose the key?
A: They're made to be cheap enough that you could have more than one. As long as you have one working key left, you can use it to deactivate old keys and add new keys. Generally you can also reset your account through a phone call or other hoops.