Imagine the following scenario: you are sitting in front of your computer, managing your finances through online banking, when you suddenly receive an email from the bank explaining that someone else is trying to log in under your name and that they need to authenticate your identity. The sender’s email address and story check out, and so you provide your credentials and carry on. However, the next day you discover that all your savings are gone because you’ve been spoofed by a fake address.
The moral of this story is that after someone gets hold of your login data, there is nothing to stop them from exploiting your account; they even know how to circumvent a second authentication step, as cyber criminals are more than capable of intercepting messages and emails, only to use them to empty your wallet or send malware. And even though this particular scenario seems a bit far-fetched, many Bitcoin owners have lost their cryptocurrency due to similar scams.
Physical Authentication vs Digital Authentication
Security keys are hardware alternatives to digital authentication. These are slick thumb drives or key fobs with a button on them that does the identification for you. Online verification includes some form of SMS or email message that asks you to drop the login process and copy over a code or click on a link. With a security key, you plug it into your computer or wave it in front of an NFC-enabled smartphone, and after the message pops up you just press the button and voilà, authentication is taken care of.
Security keys are not only faster and easier to use but also safer. They are a serious blow to phishers, since even if they do get their hands on your email address and password they still won’t be able to use them unless they also have the thumb drive key. In other words, this security hardware prevents people on the other side of the world from messing with your account. Of course, losing the key will potentially open up a security hole, but it can be easily countered by revoking the key, much as you would cancel a lost credit card.
The Titan Security Key From Google
For some time the number one security key was YubiKey but the company has met with a fearsome competitor in the form of Google, who just released its own take on hardware-based authentication. The Titan Security Keys are available from the Google store and despite looking like any other product of its kind, there are a few clever features under the hood. Ordering Titan provides two different keys, a wireless key fob and an NFC-compatible USB drive, both of which are capable of interacting with desktop computers and touchscreen devices – which isn’t something that every YubiKey can do.
What makes Titan interesting is the addition of Google’s Advanced Protection Program. In order to use it you need to register both of your keys. In the next step the system logs you out from every device and service that uses your Google account. From that point, the only way to log in with that account is by using the physical key as a secondary authentication. In brief, Advanced Protection grants extremely tight security at the cost of a slight inconvenience.
Who Guards the Guardians?
Of course, the new technology isn’t without issues. Even though these devices prevent data phishing so long as the keys are in your possession, what happens if someone tampers with the hardware before it is delivered to you, hiding a backdoor for future exploitation? The inherent danger of physical authentication was brought to light by Google when it was revealed that the company imports the devices from Feitian, a Chinese manufacturer.
Whether Google came up with its own patented idea and Feitian only produced it, or the U.S. tech giant simply slapped its name on someone else’s product, is still undetermined, but the irony of entrusting a country infamous for waging cyber espionage against the U.S. to manufacture a product to protect our data from being stolen has not eluded us.