
Security keys and zero trust

February 8, 2021
Max Saltonstall

Senior Developer Relations Engineer, Google Cloud

Priyanka Vergadia

Staff Developer Advocate, Google Cloud

A security key is a physical device that works alongside your username and password to verify your identity to a site or app. It provides stronger login protection than an authenticator app or SMS codes, and the same key can be used for many services, so you don't need to carry around a necklace of dongles and fobs.

Security Keys provide the highest level of login assurance and phishing protection.

In this issue of GCP Comics we are covering exactly that. Think of a Security Key as a way to protect yourself–and your company–from bad passwords and tricked users, since it stops fake sites from fooling people into logging in. Here you go!

https://storage.googleapis.com/gweb-cloudblog-publish/images/Google-Cloud-Comic-issue6-Exports_full-com.max-2200x2200.png

A password alone turns out to be fairly minimal protection for an account, so we've seen many new options for 2-Step Verification (also called multi-factor authentication), a phrase meaning you need more than just your username and password to log in.

Getting a code by SMS or voice call is a little better than just a password, but you can still be fooled into feeding that code to a fake site, giving up your account credentials to an attacker. Backup codes and authenticator apps fall prey to the same malicious strategies, where an attacker harvests your info and then uses it to perform their own multi-factor authentication, gaining access to your account.

Only a security key can stop the cleverest of phishing attacks.

Why a security key over other multi-factor methods?

  • A key must be registered in advance to a specific account, an action you take once to raise the level of security for your sign-in.
  • The security key and the website perform a cryptographic handshake; unless the key's identity is validated and the site's URL matches the one registered at enrollment, the login is stopped.
  • Using open standards (FIDO), the same security key can be used for multiple sites and devices. You only need to carry one around, and it can be used for both personal and work accounts and devices.
  • The firmware of Google Titan Security Keys is engineered to verify integrity, preventing any tampering.
  • They come in all kinds of shapes and sizes, so you can get USB-A, USB-C, or NFC to match the use case that fits you best!
  • In our experience deploying security keys to replace older forms of 2-Step Verification, we’ve seen both faster logins and fewer support tickets raised.
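As an added example, not code from this post or from any FIDO implementation, the Go sketch below models the handshake in the second point above: the key signs the server's challenge together with the origin the browser reports, and only for an origin it was registered with, so a look-alike site gets no usable signature. The origin accounts.example.com, the look-alike accounts-example.com and the challenge are constructed, and real FIDO2/WebAuthn adds authenticator data, a signature counter and attestation that are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the security key: one key pair per registered origin (RP ID).
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential bound to rpID and hands its public key to the site.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = priv
	return &priv.PublicKey
}

// signedMessage is what gets signed: the origin the browser observed plus the challenge.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Assert is the login step: the browser, not the page, supplies origin; no credential for it means refusal.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if priv, ok := a[origin]; ok {
		return ecdsa.SignASN1(rand.Reader, priv, signedMessage(origin, challenge))
	}
	return nil, fmt.Errorf("no credential registered for origin %s", origin)
}

// VerifyLogin on the genuine site accepts only signatures over its own origin, even if relayed from elsewhere.
func VerifyLogin(site string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(site, challenge), sig)
}

func main() {
	key := Authenticator{}
	site := "accounts.example.com" // constructed relying-party origin
	pub := key.Register(site)
	nonce := []byte("constructed-server-nonce") // real servers send random bytes
	sig, _ := key.Assert(site, nonce)                   // genuine site: verifies below
	_, err := key.Assert("accounts-example.com", nonce) // look-alike site: key refuses
	fmt.Println(VerifyLogin(site, pub, nonce, sig), err)
}
```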

Resources

Want more GCP Comics? Visit gcpcomics.com and follow us on Medium (pvergadia and max-saltonstall) and on Twitter (@pvergadia and @maxsaltonstall) so you don't miss the next issue!