Google / WIRED
Your passwords – or at least the one you repeatedly use – has been compromised. Billions of records have been exposed in data breaches in recent years and it’s almost inevitable that your login details have been hoovered up.
With so many passwords and login details being traded through online forums and the dark web, it has become increasingly easy for hackers to brute force their way into your accounts through credential stuffing. This involves taking compromised user details and then using a script to automatically enter these login details one after the other into online platforms to access accounts.
This year Deliveroo accounts have been the victim of credential stuffing, with fake orders defrauding people of money. Sky has also been hit by the attack type and 12 billion attempts have targeted gaming websites in the last 17 months.
Now, Google is finally bringing its security key to the UK. From today it’s possible to get the Titan login device from the web giant’s online store. (Until now it’s only been on sale in the US, where it was first revealed in August 2018).
The device is designed to bolster your two-factor authentication efforts – one of the most effective ways to protect yourself against credential stuffing – by providing a set of physical hardware keys that can be used with your digital accounts.
Costing £50, the Titan hardware set comes with two devices: a key-shaped USB stick and a Bluetooth key fob. Both pieces of kit serve the same purpose. They act as a physical authentication tokens that prove you are who you say when you’re trying to login. The principle of two-factor authentication adds an extra step to the login process, where a separate proof of identity is needed in addition to a password.
Typically, two-factor uses a SMS code sent to a mobile phone or an app that generates a separate login codes. The Titan security key – along with other hardware approaches – moves the authentication method into the physical world. Why opt for this over SMS two-factor? Well, not only does the USB option remove the need to get that SMS each and every time you login, it also will work when you have no Wi-Fi or network signal, plus it can work across multiple websites.
Is it effective in stopping accounts being compromised? Seemingly so. When Google launched the Titan key last year it boldly claimed success. “We have had no reported or confirmed account takeovers since implementing security keys at Google,” a spokesperson told TechCrunch.
Despite the company’s data-heavy business model – learn how to delete your Google history – it has a decent record with protecting user information. Other than the Google Plus API data leak, effecting 500,000 people during March 2018, there haven’t been any high-profile success attacks on the company in recent years. (After the key was released in the US last year, Google had to do a partial recall of devices after finding a flaw in its Bluetooth setup).
Setup of the Titan key is a relatively simple process. To use it with a Google account you need to have two-factor authentication turned on – which, by now, you should really use already. (Find the settings here).
Once it is activated, select the option for a new hardware login device and then plug the key into a computer’s USB port. One press of the fob’s button, or a tap of its NFC chip if you’re setting up the USB key, and it will be linked to your Google account. The entire process takes five minutes.
From here, you’re ready to use the keys to login. The next time you access your Google account, you can press the button after entering your password. It means an SMS message doesn’t need to be sent to your phone. However, Titan’s real power comes away from your Google details.
Because the hardware key uses the FIDO standards – an open-source set of guidelines for authentication – it can be used for two-factor approval on other websites. These include Coinbase, Twitter, Dropbox, Facebook and more. A full list of supported websites is here.
If you’d prefer not to trust Google with the literal keys to all your data, there are other options, too. In recent years there has been a surge in the number of hardware authentication keys available. Other options include keys from Yubikey or Thetis.
More great stories from WIRED
?️ How to harness Google Photos to your messy pictures
? Heatwaves make people more violent, angry and grumpy
? England has an ambitious plan to eradicate smoking by 2030
?? It’s time you ditched Chrome for a privacy-first web browser
? A vaccine for Alzheimer’s is on the verge of reality
