Today at the Next conference, Google announced a new product called the Titan Security Key, currently available to Cloud customers and scheduled for general sale in the coming months. The key is used to authenticate logins over Bluetooth and USB, similar to existing offerings from Yubico and other providers. A Google representative said the Titan key also includes special firmware developed by Google to verify its authenticity.
How long does it take before someone writes “this is another device that can be used for tracking” in an article. Let’s see
This is a good move from Google, but I’m curious as to what the benefit will be over the many existing FIDO alternatives out there, like Yubikeys. The article makes the nebulous claim of there being “special firmware developed by Google to verify its authenticity”, but the FIDO specification already requires cryptographic verification that the hardware is genuine, so I wonder what this will be.
The special stuff is only for Google. Basically you set this up with google differently. You don’t just specify ” use u2F”. You specify “use Google Titan”. So then during the authentication, there is a slight modification to standard U2F that requires the special firmware that tells Google “YES THIS IS A GOOGLE TITAN u2F token”. The advantage is, well I guess its even more difficult to spoof a Titan token. But that only works that way when google is set up to expect it. it works exactly the same as a yubiko u2f for all other domains.
This is great for Google itself, which has required employees to use them internally. But it doesn’t really buy you anything more for non google sites. As always, it would be nice if there were a way for reputable sites to get a similar treatment. But I guess Google spearheaded u2f standards, so maybe we should just be happy for that… :/
Thanks Bill. FIDO U2F already has tiered certification levels that can be checked during authentication using the vendor Attestation Key baked into the device. I’m wondering whether it’s just an extension of this mechanism, or something else? You say it’s a modification, which would suggest the latter.
You’d have thought having a Google Attestation Key, and some special Google HSM would be enough, which is in line with the standard.
I only know the high level details from the articles I’ve read. Maybe its only using the existing Attestation key?
Yeah, so far the information Google have released is a little vague, so I’ll just have to wait until they’re out in the wild before the full picture becomes clear.