Google open sources its security key technology

The hope is to make the more secure 2FA option cheaper and better.

Physical security keys are one of the strongest ways you can protect your online accounts from unauthorized access, but most people don’t use them. Google hopes to change that by open-sourcing the technology behind its Titan security keys, therefore giving developers and manufacturers the tools needed to easily produce their own security keys.

Bringing down the cost of security keys — Google says that creating a security key with its OpenSK project is as easy as flashing the firmware onto a Nordic chip dongle — a $10 chip that includes USB, NFC, and Bluetooth Low Energy. Once you’ve done that, Google’s project even includes the design for a case to put around the chip that can be 3D-printed.

“By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption,” Google said in a blog post. Right now Google’s Titan security key costs $65, a tough ask for most everyday people who don’t even enable two-factor authentication. The thinking is that giving away the software and demonstrating its use on a cheap dongle will help bring prices down. Developers will also be able to improve on the technology and contribute back to the project.

The benefit of security keys — Security keys prevent phishing attacks wherein a hacker is able to trick their victim into submitting their login credentials through a spoofed website. The key must be physically present in order to complete the sign-in process, so a password alone isn’t good enough. Security keys are also more secure than SMS two-factor authentication because hackers can trick mobile networks into transferring a phone number to a new SIM card, therefore giving them access to a victim’s text messages. It’s believed this is how Twitter CEO Jack Dorsey recently had his account accessed.

Physical security keys have an obvious downside in that you can lose them. Most online services with support for keys also provide backup login codes you can use in the event you lose your key. Thankfully Google’s Titan, and the OpenSK framework, both utilize the latest FIDO standard, meaning you can use the keys even with a smartphone like the iPhone because they support communication over NFC and Bluetooth.

Google said in 2018 that less than 10 percent of Gmail users had two-factor enabled, so it’s understandable why security keys haven’t gained traction yet. Hopefully, the OpenSK project will get more affordable options on the market.