Google will sell hardware keys to improve account security
cryohellinc
Sounds interesting; depending on the price, I might get one.
One question - can you use it with multiple accounts?
wavetrex
I'll take one!
Google may or may not be that evil company who wants to control everything, but it just happens that my Gmail is very important for me.
Already using 2FA with my phone, but a tiny inconspicuous device that is much less likely to be stolen than a phone.
As for losing it... just add it to the house keys which only a complete moron would lose.
cryohellinc
schmidtbag
I'm not so sure this is a good idea, especially considering this is optional (and therefore probably is not physically unique like an actual key). But much like an actual key, devices like these have been made before and have been spoofed via emulated hardware.
So, unless Google figured out a way around that, I'm not sure I'd trust something like this. At least for the time being, it would work due to "security via obscurity", which people around here sure like to hate.
-Tj-
Yes moar moneyzz xD
Isn't 2 way authenticity, strong pass and email notification secure enough?
It is for me, don't see any use of that other than to give them more money.
vbetts
Moderator
Kind of seems like geared more towards enterprise, which, if it is, anyone that works with hardware keys knows that you shouldn't ever lose your fob or authentication key. You won't lose it because you don't want to pay for a new one lol
scatman839
Have your backup passwords stored to your phone on a Dropbox account
Your phone has a password and fingerprint scan. The Dropbox app itself can have a separate PIN.
That's what I do, Authy 2 factor is on my phone, and Authy is installed on my PC and syncs my stuff (it's also passworded with a different password to enter my PC)
Denial
rl66
exist already without google in the security... (and less expensive)
JiveTurkey
Who guards your info from Google?
Who watches the watchers???
rl66
DLD
scatman839
Are you actually suggesting that hackers gaining control of computers are made up?
H83
-Tj-
Krakkan
Sorry for this in advance 🙄
Phishing is really easy these days with authenticator apps, with valid certificates and everything, it's becoming more common and anyone can set it up.
The fake sense of security many have in mobile apps is not good at all.
SMS is tragically insecure and is not recommended at all, it's basically what regular unsecure HTTP is today.
SMS can be spoofed, phished, intercepted and your number can even be changed to an attacker's SIM card, you name it SMS probably got it. Also remember your operator can see it in plain text as well.
PayPal is going secure soonish I think, it is kinda absurd they still use SMS, as are other services using it.
The worst security of any more known service today has to be Netflix imo.
Steam needs to sort out their crappy trade system that prevents them from becoming more secure, I don't see why they can't allow FIDO2\WebAuthn for login and keep their old system for trade. I mean, trade sites and basically every other service and competitor can do it but Steam can't, then it's time to redo their trade system I think.
A real Alice in Wonderland moment is when it is claimed the Steam app\authenticator is meant for trade, not account security. In my mind for there to be trade you must first have account security.
Oh well I'm sure Steam will solve it and increase security as every other service, preventing it from being able to be completely taken over in like 2 minutes by a site like today.
"Smart people" will point out the codes in authenticator apps are only valid for a couple of seconds, yes indeed but think bigger, once you are logged in do you need to use any codes every few seconds? No, attackers don't even bother with the app codes they just steal the entire session instead when you are already logged in to stuff!
PayPal for sure is kinda pissing me off, so is Netflix that does not even have anything beside an old-fashioned username and password still.
What is nice with FIDO U2F and FIDO 2\WebAuthn (Web Authentication) is that they are phishing-proof, if a site is different to the real site it will get a code that simply won't work.
Despite so many already having these Google keys and testing them, there is a lack of confirming if it is the old and proven U2F or the newer FIDO 2 the keys are using or both.
While the keys are VERY similar to a certain vendor already selling them, so far I have not seen anything confirming it actually is them being the provider and the keys are just rebranded.
Google does have its very own security chip, actually called Titan, that is used in servers and stuff, it would not be impossible for Google to have also made their own chip for their security keys, the most we have is that it is not the Titan chip Google uses for servers and stuff, that does not mean it is another brand's chip in its security keys tho.
So far I like Yubikey Neo the most in terms of features, if only it had FIDO 2 also. What is nice is it can be used instead of authenticator apps (TOTP) for sites not supporting security keys yet and a bunch of other stuff, but then is also only as secure as those are.
I like a key on my keychain way more than having everything lost from a phone incident, be it a drop, some kind of water accident etc. I rarely have my keys out but a phone is out regularly, even on tables and can be snatched, a phone is a way bigger target than keys that are most of the time left in your pocket or wallet and not out in the open like a phone.
A key can be dropped, a key does not require a battery (unless Bluetooth) or network and can always be used.
I will be extremely interested in Google's security keys if they are a contender to the Yubikey Neo in features, especially if they also have FIDO2 support on top of that.
Then it would be revolutionary in terms of cost, if you get 2 keys, both a USB\NFC and a Bluetooth\NFC key for the price of 1 Yubikey Neo (ALWAYS have a backup!)
Also Google wants these things to be dirt cheap in the future like 2 dollars, so I think Google's key will only have support for U2F, or only FIDO2 or both but no other features like a Neo, but it is very nice with NFC (Bluetooth for Apple users).
I think Apple has NFC too on their phones, but not opening it up to be used.. Maybe they will whitelist Google's security keys, but they have not for others before so I think they will just tell users to use the Bluetooth key, then users lose USB that is very useful indeed and also get a battery to worry about.
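The origin binding behind the "phishing-proof" point in the post above, as an added example that is not part of the thread: a simplified WebAuthn-style assertion and the server-side checks on it, in Node.js. The origins, rpId values and function names are assumptions made for the illustration, and the same key pair is deliberately reused for the look-alike site to show that the server's checks alone still reject it.

```javascript
// Added illustration; makeAssertion, verifyAssertion and demo are hypothetical names.
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Constructed credential key pair; on a real key the private half never leaves the device.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser + authenticator side. The browser, not the page, fills in `origin`.
function makeAssertion(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin,
  }));
  // authenticatorData: rpIdHash (32 bytes) | flags (bit 0 = user present) | signCount (4 bytes)
  const authData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying-party side: every check must pass before the login is accepted.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad challenge';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'rpId mismatch';
  if ((a.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const expected = { origin: 'https://accounts.example.com', rpId: 'example.com', challenge };
  const genuine = makeAssertion(expected.origin, expected.rpId, challenge);
  // Response produced while the user is on a look-alike site (constructed origin).
  const lookalike = makeAssertion('https://accounts-example.test', 'accounts-example.test', challenge);
  // Swapping in the genuine client data afterwards no longer matches what was signed.
  const rewritten = { ...genuine, signature: lookalike.signature };
  return [genuine, lookalike, rewritten].map((a) => verifyAssertion(a, expected));
}

console.log(demo());
```

Unlike a TOTP code, the signed response names the site it was produced for, so a response made on a look-alike domain is useless when replayed to the real one.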
Abomlol
If you build it, fear monger it through subversive marketing, and sell it cheap...they will come.
Just like VPNs being TOTALLY safe to traffic all your data through instead of huge public companies because "we don't log data."