Google Titan security keys hacked by French researchers


In July 2018, after many years of using Yubico security key products for two-factor authentication (2FA), Google announced that it was entering the market as a competitor with a product of its own, called Google Titan.

RELATED POSTS

Security keys of this sort are often known as FIDO keys after the Fast IDentity Online Alliance, which curates the technical specifications of a range of authentication technologies that “[p]romote the development of, use of, and compliance with standards for authentication and device attestation”.

Boldly put, FIDO aims to “help reduce the world’s over-reliance on passwords.”

The Google Titan device, like similar products from Swedish company Yubico and Chinese company Feitian (which actually makes the hardware used in the Titan), looks like a miniature key fob that contains specialised and supposedly tamper-proof hardware for performing secure cryptographic calculations.

Titan product images from the Google Store.

Much like the chip on your credit card (in fact, Titan keys use the same secure processor as some smart cards), or the SIM card in your phone, Titans are designed to do encryption in a rather special way.

Titans can generate encryption keys internally, can encrypt (or digitally sign) data that you send to them, and can export the encrypted (or signed) data.

But they cannot export the secret part of the key itself, which is locked up inside the chip.

As you can probably imagine, this makes it possible to implement a secure login process where:

  • You don’t need to remember a complex password, because the necessary cryptographic secret is stored on the Titan key.
  • The data submitted for authentication is different at every login, thanks to the active cryptographic calculation in the process, unlike a conventional password that is the same every time.
  • You can’t accidentally reveal the secret to anyone else, because it was generated inside the key and can’t be extracted.
  • You can’t login without the key, making it an ideal second factor of authentication – “something you have”, in the jargon, to go along with “something you know”, such as your username and regular password.

Simply put, the fact that the key itself not only generates but also securely stores its own cryptographic secrets means that it can’t, in theory at least, be cloned or copied.

This anti-copying feature provides strong protection against attacks such as phishing, where you get tricked into typing in your password on a fake site, and keylogging, where you get infected by malware that monitors your keystrokes and steals your password as you type it in.

Titan keys use a choice of USB (you plug them briefly into a USB port), NFC (you wave them near an NFC-enabled device such as a phone) or Bluetooth (same idea as NFC). Because they can’t be tricked into spitting out your secret cryptographic keys, they can’t be skimmed or plundered for their data even if you connect them up to a computer or a phone that is itself infected with malware.