• Welcome to Peterborough Linux User Group (Canada) Forum.
 

New two-factor security key coming out; made by Google

Started by fox, July 27, 2018, 10:40:30 AM


fox

Looks to be cheaper than the current versions of Yubikey, and will be available in USB and Bluetooth versions. Read about it here.
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

Interesting. Thanks for sharing. Good article for explaining why everybody should be using 2FA. I'm not sure about a Bluetooth model. Bluetooth can be pretty flaky and goes too great a distance for being secure in my opinion. But more competition can't hurt.

Btw, anybody can use 2FA even without a hardware key (and you should). You just download the Google Authenticator app to your phone/tablet which, despite its name, can be used for lots of different services. But a 2FA hardware device makes it so much easier. No numbers to have to type in. Just plug it in or if it's already plugged in, just touch it. As Google has discovered, it pretty much wipes out phishing vectors. With Linux, you can even use it with encrypted drives.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

fox

Quote from: Jason Wallwork on July 27, 2018, 05:27:44 PM
....
Btw, anybody can use 2FA even without a hardware key (and you should). You just download the Google Authenticator app to your phone/tablet which, despite its name, can be used for lots of different services. ....

I found a short video here which explains how it works. As I understand it, you don't have to keep entering the verification code if you have the Google Authenticator app. But what if you want to sign in to a Google service on your computer? Do you have to authenticate there each time?

Jason

Quote from: fox on July 27, 2018, 07:26:54 PM
As I understand it, you don't have to keep entering the verification code if you have the Google Authenticator app.

You mean you don't have to keep entering it when you use various Google apps on your phone? That's correct.

Quote: But what if you want to sign in to a Google service on your computer? Do you have to authenticate there each time?

Yes, you do have to enter the verification code each time because it's only good for a particular time (a maximum of a minute). In the Authenticator app, it shows each passcode and a pie-chart-like circle shrinking in size as it counts down. Every minute it's a new passcode, for each and every service registered with Google Authenticator.

Now if you don't want to enter it every single time you log in, for example, on a trusted computer (that's not shared), you just tick the box that says 'Don't ask for codes again on this computer'. Thereafter it looks as if you don't have 2FA though you still get the protection that anybody trying to hack your account on Google won't be able to get into it even with your password. They need that cookie saved on your drive. I do that on my home computer. I don't do it on my laptop because if I lose my laptop and somebody brute forces my password, I'm SOL. This is especially important for LastPass which stores all my passwords.

Hope that helps. Be happy to show you sometime how it works.


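Added example, not part of the thread: a minimal sketch of how an authenticator app derives its time-limited codes and how a server checks them, following RFC 6238 (TOTP) with that RFC's defaults of a 30-second time step, HMAC-SHA-1 and 6 digits. The shared secret is the RFC test key, and the function names and the one-step drift window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226/6238 test key, base32-encoded the
# way an enrolment QR code would carry it. Never use it for a real account.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(now) // step, digits)


def verify(secret_b32: str, candidate: str, now: float,
           step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step plus/minus `window` steps of
    clock drift, comparing in constant time. Older codes are rejected."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(now) // step
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        if hmac.compare_digest(hotp(key, counter + drift), candidate):
            return True
    return False


if __name__ == "__main__":
    issued_at = 59  # seconds since the epoch, from the RFC 6238 test table
    code = totp(SECRET_B32, issued_at)
    print("code shown in the app:", code)
    print("accepted right away:  ", verify(SECRET_B32, code, issued_at))
    print("accepted 30 s later:  ", verify(SECRET_B32, code, issued_at + 30))
    print("accepted 90 s later:  ", verify(SECRET_B32, code, issued_at + 90))
```

Both sides compute the code from the shared secret and the clock, so nothing has to be sent to the phone; a captured code stops working once it falls outside the server's drift window.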

dougal


fox

Thanks for reporting this, dougal. I was hoping that the price would be lower, but Google's version connects in just about every way possible, so would be useful for all kinds of devices. I'm pretty sure that they will release in Canada very soon.

Jason

Cool. Not sure about them including Bluetooth, though. From a security standpoint, I'm not sure about Bluetooth. I've worn my Bluetooth headphones taking garbage out and I got almost to the curb before it flaked out.

Anyway, I noticed on the blog that you're actually buying two keys for that price, a Bluetooth one and a USB-A one. It also comes with adapters for micro USB and USB-C.

fox

One of the advantages of having a physical security key for two-factor authentication is that it works without having to remember yet another password. However, once set up, what happens if you lose the device itself? Is there some way to still access secure files?

Jason

Quote from: fox on September 22, 2018, 07:35:27 AM
One of the advantages of having a physical security key for two-factor authentication is that it works without having to remember yet another password. However, once set up, what happens if you lose the device itself? Is there some way to still access secure files?


That question was asked and answered elsewhere in the forums.

And I want to be clear, you still use a password along with two-factor authentication. What I mean is that, for example, when you log in to Gmail, you will enter your username and password (as you did before you added 2FA) and then insert your security key. I don't want people to think that it does away with ever remembering passwords. But if you're smart and use a password manager like Bill and I do, you only have to remember one password and the manager provides the rest.

Update: I provided the link I was trying to find that answers the question of how to prepare in case you lose your security key.