Google’s Titan: End of Cyberthreats?

Google has unveiled the Titan Security Key, a piece of hardware used to authenticate logins over Bluetooth and USB. 

Background 

Google LLC is an American multinational technology company that was founded in 1998 by Larry Page and Sergey Brin while they were Ph.D. students at Stanford University, in California. Google was initially funded by a contribution of $100,000 from Andy Bechtolsheim, co-founder of Sun Microsystems. They later received money from three other angel investors: Jeff Bezos, David Cheriton, and Ram Shriram. 

At IPO, the company offered 19,605,052 shares at a price of $85 per share. There were concerns that Google's IPO would lead to changes in company culture. The stock performed well after the IPO, with shares hitting $350 for the first time in October 2007, primarily because of strong sales and earnings from online advertising. In 2015, Google announced plans to reorganize various interests under a conglomerate called Alphabet Inc. Upon completion, Sundar Pichai became CEO of Google, replacing Larry Page, who became CEO of Alphabet. 

Alphabet declared that it made $3.5 billion in net income and saw sales of $26 billion in the second quarter of 2017.The company's rapid growth since incorporation has triggered a chain of products, acquisitions, and partnerships beyond Google's core search engine. 

Google was the most valuable brand in the world in 2017, but has received significant criticism involving issues such as privacy concerns, tax avoidance, antitrust, censorship, and search neutrality. They have recently been fined with a record $5 billion by the European Union antitrust regulators over “serious illegal behaviour” to secure the dominance of its search engine on mobile phones. Google’s Android system runs about 80% of the world’s smartphones. 

Read More 

Analysis 

When Google announced that their 85,000 employees have not been phished (attempt to obtain sensitive information like passwords and card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication) since early 2017, it was because of beta version of a mandated security device now known as the Titan Security Key. 

“We’ve long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft,” the company states. 

Google introduced the Titan Security Key during the Google Cloud Next ’18 convention. It is a physical USB-based device that eliminates the need to enter usernames and passwords. The device includes firmware developed by Google’s engineers which verifies its integrity. 

The Fast Identity Online (FIDO) based physical key, similar in physical appearance to a thin USB stick, can be inserted into a USB port or tapped against an NFC-compatible smartphone. The PC will create two encrypted tokens, private and public, when a user creates an online account. The service containing the public token will send a “challenge” requiring you to touch a button on the key, thus unlocking the private token for verification. There’s no personal information sent across the internet, and the private token used to unlock the service remains solely on the physical key. 

Yubico pioneered this technology and is the dominant force in manufacturing U2F devices as well as further refining its protocols. It counts major companies like Facebook among its business clients. Google will directly compete with Yubico, a company with whom they developed the software. However, they are yet to reveal which company will produce the hardware. 

According to Google, “Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key.” It is expected to cost between $20-25, a relatively economical purchase. 

Earlier verification via SMS has been criticised for easy interception. Moreover, smartphone damage or theft will inevitably cause the loss of private keys. A USB-based key can get damaged as well, but it can hang on a keychain and doesn’t require a network connection. According to Google, the Bluetooth model can supposedly remain active for six months on a single charge. 

According to Wombat Security State of the Phish, 76% of businesses reported being a victim of a phishing attack in the last year. Moreover, phishing rates have increased across most industries and organizations with no company immune to such attacks. Keeping in mind the success of 85,000 Google employees against phishing attacks, the new security key could be a useful new addition to companies susceptible to threats. Journalists, political advisors, business executives and others who rely on sensitive data may also benefit from the Titan key. 

Counterpoint 

The physical key is undeniably a liability, especially in crowded cities where thefts are rampant. Multiple layers of security is expected to affect users who prefer a singular solution to all cybersecurity problems. 

Assessment 

Our assessment is that Google has developed critical technology infrastructure to counter growing threats from cyber criminals. We, however, believe that physical keys may not be the prudent defence in companies which employ over thousands of people and manage highly sensitive data.