
Android Devices Can Now Be Used as a Security Key

New Google Feature Offers Advantages Over Its Titan Keys

Improving security often revolves around creating more hurdles for attackers to stop them or slow them down. But those speed bumps are not necessarily convenient nor are they immune to hackers.


Two-step verification is the perfect example. Although it has undeniably made account takeovers less likely, the many iterations of it have varying weaknesses. For example, two-step codes sent over SMS can be intercepted, and users can be tricked into revealing the codes via phishing attacks.

On the usability side, the code has to be read from a phone and entered into a form. The most secure variation of strong authentication - a separate hardware token with a signing key - has its own problem: The key may be lost.

But on Tuesday, at its Cloud Next conference, Google introduced its latest effort to address the problem of people losing keys: getting rid of the physical security key altogether.

It has launched a beta program in which, instead of a physical token, the private authentication key is stored on an Android phone or other device, which signs the authentication challenge over Bluetooth. It means, of course, that users shouldn't lose their phones.

Cost Advantage Over Titan Keys

The new feature delivers what may be an easier alternative to Google's Titan Security Key, which the company introduced in September 2018. The Titan key bundle has two components, one of which slots into a computer via USB and another that authorizes a login via Bluetooth.

The Titan keys became central to Google's Advanced Protection Program, which the company launched after years of attacks against activists, journalists and political campaign workers.

In one of the most notable incidents, Hillary Clinton's chief of staff John Podesta saw his personal emails released in 2016 after suspected Russian hackers compromised his account. More recently, email accounts of four senior aides within the National Republican Congressional Committee were compromised for several months (see: Top Republican Email Accounts Compromised).

The Titan keys were so successful internally at Google that they were rolled out to the public. Not one of Google's 85,000 employees' accounts fell to a phishing attack after the keys were launched in early 2017, computer security writer Brian Krebs reported last year.

Android devices running 7.0 and above are compatible with the new security feature that's an alternative to Titan. Users also need a Bluetooth-compatible computer running Chrome OS, macOS X or Windows 10 with Google's Chrome browser. The feature uses FIDO protocols, the same as Titan.

A diagram showing a simplified example of how FIDO protocols function. (Source: FIDO Alliance)
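The challenge-response pattern the article describes, in which the device-held private key signs a challenge and the relying party verifies it with the registered public key, reduced to its essentials as an added example. This is illustrative code written for this page, not Google's or the FIDO Alliance's implementation: it uses a simplified, constructed client-data structure rather than the real CTAP/WebAuthn wire format, and the function names and origins are assumptions. It also shows why a phished response fails where a phished SMS code, as noted earlier in the article, would not: the signed data is bound to the origin the browser actually saw, and the challenge is single-use.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData is a constructed, simplified stand-in for FIDO client data: the
// relying party's challenge bound to the origin the browser actually observed.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewAuthenticatorKey plays the phone at enrollment: the private key is generated
// on the device and only the public half is ever sent to the relying party.
func NewAuthenticatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewChallenge is the relying party's fresh, unpredictable nonce for one login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the authenticator's answer. The origin is supplied by the browser, not
// the user, so a lookalike site obtains a signature over its own origin only.
func Sign(priv *ecdsa.PrivateKey, challenge []byte, origin string) (cd, sig []byte, err error) {
	if cd, err = json.Marshal(clientData{Challenge: challenge, Origin: origin}); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err
}

// Verify is the relying-party check: a valid signature under the registered key,
// and signed data that carries this site's own challenge and origin.
func Verify(pub *ecdsa.PublicKey, challenge []byte, rpOrigin string, cd, sig []byte) bool {
	var p clientData
	if json.Unmarshal(cd, &p) != nil || p.Origin != rpOrigin || !bytes.Equal(p.Challenge, challenge) {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A real deployment additionally checks a signature counter and the authenticator's user-presence flag, which this sketch omits.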

"This makes it easier and more convenient for you to unlock this powerful protection, without having to carry around additional security keys," write Arnar Birgisson, a software engineer, and Christiaan Brand, a Google product manager, in a blog post.

Another advantage: Enrolling in Google's Advanced Security Protection program is free; the Titan key bundle costs $50.

Google's Advice: Set a Backup Key

Technically, the new feature is two-step verification. True multifactor authentication combines factors of different kinds: something you know, something you have, or a biometric component. For the strongest level of security, those factors shouldn't all be clustered on the same device.

For example, having a password manager on a phone plus Google's Authenticator is a two-step verification combination. Still, having both components on one device is far safer than just relying on a Gmail address and a password.

Google's Titan security keys. (Source: Google)

But there is a catch. While users may not need to have their Titan hardware or Bluetooth key, they still need to have their phone. Google is recommending that users also set up a backup key - either its Titan or one from another vendor - to store in a secure place in case a phone is lost.

That's because recovering an account after losing its security keys is not a trivial process, especially if the user no longer has a logged-in session.

"If you have lost both keys and do not have access to a logged-in session, you will need to submit a request to recover your account," Google says. "It will take a few days for Google to verify it's you and grant you access to your account."

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
