Passwords are a woefully insecure—and frustrating—authentication technology, but after decades of digital use, they’re ubiquitous. Recently, though, the global tech industry has been working to promote a more secure and simple alternative known as passkeys. And along with its other initiatives to champion the login tech, Google announced today that it is launching a new version of its Titan hardware authentication keys that can store passkeys directly on the device.
For most people on most accounts, passkeys are managed directly from a smartphone or laptop. But for those seeking an alternative, either because they prefer a standalone key for ease of use or because they want maximum security separation, storing passkeys on a hardware token is a valuable option. The new Titan keys are available now and can store more than 250 unique passkeys. They are replacing Google’s existing USB-A and USB-C Titan devices.
“We’re excited about the potential of passkeys, but know there’s no security silver bullet for everyone,” Google wrote in a blog post published today. “Some people require a solution not dependent on smartphones or use devices that don’t support passkeys—everyone has different approaches to security, but we all share one goal: stop attacks. That’s why we intentionally designed the latest Titan Security Keys to encompass the secure cryptography of passkeys on a portable piece of hardware.”
As part of setting up a passkey for a Google account on a Titan device, users will be prompted to create a PIN code, which they'll enter in addition to presenting the security key when they log in.
As part of its announcement at the Aspen Cyber Summit in New York City today, Google also said that in 2024, it will give 100,000 of the new Titan keys to high-risk individuals around the world. The effort is part of Google’s Advanced Protection Program, which offers vulnerable users expanded account monitoring and threat protection. The company has given away Titan keys in the past as part of the program, and today it cited the rise of phishing attacks and upcoming global elections as two examples of why it is important to continue expanding the use of secure authentication methods like passkeys.
Hardware authentication tokens have unique protective benefits because they are siloed, standalone devices. But they still need to be rigorously secured to ensure they don’t introduce a different point of weakness. And as with any product, they can have vulnerabilities. In 2019, for example, Google recalled and replaced its Titan BLE-branded security key because of a flaw in its Bluetooth implementation.
When it comes to the new Titan generation, Google tells WIRED that, as with all its products, it conducted an extensive internal security review on the devices and also contracted with two external auditors, NCC Group and Ninja Labs, to conduct their own independent assessments of the new key.