Google offers two multi-factor authentication services. If you hesitate between the mobile application and the physical key to secure your digital identity, here is something to fuel your choice.
Announced a year ago for the United States, Google's Titan key landed in France at the beginning of August. It allows you to add an extra layer of protection when accessing your digital accounts … just like Google Authenticator, an application that the Mountain View company launched in 2010.
But why on earth is Google proposing two products that serve more or less the same purpose? The Titan key and Google Authenticator both perform the same type of process: multi-factor authentication (abbreviated "MFA", or "2FA" when there are only two factors).
MFA consists of asking the user for several pieces of evidence of identity instead of a single password. This is the case, for example, when our bank sends us an SMS to confirm a payment. While MFA is always better than nothing, some of the solutions used are far from perfect. SMS, for instance, does not protect against phishing by fraudulent sites, and attackers can intercept the message or take over the victim's SIM card.
Authenticator and Titan are more sophisticated forms of MFA, but each has its advantages and disadvantages.
Why use Google Authenticator (or another TOTP app)
Google Authenticator relies on a well-proven MFA algorithm: the Time-based One-Time Password (TOTP), a central standard of the OATH consortium, which promotes common authentication methods. You have all dealt with TOTP: a code is produced on a separate device, and you then enter it on the site where you want to sign in.
As with any TOTP implementation, you only need your smartphone to use Authenticator or a competing application such as Authy. No need to spend money: both are free. End-to-end encryption provides much better resistance to attack than SMS does. However, some defects inherent in TOTP remain. In particular, it does not protect against phishing: if the user signs in on a fraudulent site, the attackers only have to quickly retype the credentials (TOTP code included) into the real site.
The other problem with Authenticator is that the secrets are stored on a single device: the user's smartphone. Lose your phone and you lose them. The same can happen when switching to a newer device if you are not careful. You then have to go through the recovery process for your Google account.
Other TOTP applications, such as Authy, avoid this problem by keeping your secrets in the cloud, where they can be accessed from multiple devices. But that makes them a more likely target for attackers, who can take control of the application if they manage to impersonate the victim's phone number (the same kind of vulnerability as with SMS-based MFA).
Why use a Titan key (or other U2F key)
The arrival of the Universal 2nd Factor (U2F) standard in 2014 was acclaimed by the cybersecurity community. It makes it possible to use a physical key, connected by USB or communicating over NFC, as the second authentication factor. U2F is now in the hands of the FIDO Alliance and was jointly developed by Google and the start-up Yubico, now known for its YubiKey.
Google has for some years had its own Advanced Protection program, offering U2F compatibility for its services, but only now is it offering its own version of the YubiKey in the form of the Titan key.
The Titan key kit costs 55 euros in France. For that price, resistance to phishing is guaranteed, because the (genuine!) site must be able to verify that the key is physically present. That was Google's selling point when it launched the product last year. Use is arguably simpler than with Authenticator: you just plug the key into your device and press a button. There is no need to copy a code from the screen within a set time.
The kit contains two keys, a main one and a backup. Losing one is not too serious, but if you misplace both you have to go through the account recovery step. Overall, with a Titan key you risk losing access to your accounts only if you are very careless, while with a TOTP application it will happen mainly if your phone is stolen.
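To show why "the genuine site must verify that the key is physically present" defeats phishing, here is an added example (not code from the article, from Google or from the FIDO specifications) of the checks a relying party performs on a U2F authentication response. The origins `https://accounts.example` and `https://accounts-example.evil` are constructed for the demo. A real token signs with a per-site ECDSA private key; to keep this runnable offline, an HMAC over the same message layout stands in for that signature, which is an assumption of the demo and not how a real key works. What the demo does reproduce faithfully is the structure the protocol relies on: the browser, not the web page, writes the page's origin into the signed client data and selects the registration by that origin, so a look-alike site cannot obtain a usable response.

```python
import hashlib
import hmac
import json
import os

# Constructed origins for the demo: the real site and a look-alike phishing site.
RP_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-example.evil"


def signed_message(app_id_hash, flags, counter, client_data):
    """Layout of what the token signs: appIdHash || flags || counter || SHA-256(clientData)."""
    return app_id_hash + flags + counter.to_bytes(4, "big") + hashlib.sha256(client_data).digest()


class SimulatedKey:
    """Stand-in for a U2F token. ASSUMPTION: an HMAC with a per-registration
    secret plays the role of the ECDSA signature a real token would produce."""

    def __init__(self):
        self.registrations = {}   # app_id_hash -> per-registration secret
        self.counter = 0          # monotonic signature counter

    def register(self, app_id_hash):
        secret = os.urandom(32)
        self.registrations[app_id_hash] = secret
        return secret             # a real RP would receive a public key instead

    def authenticate(self, app_id_hash, client_data, user_present=True):
        if app_id_hash not in self.registrations:
            return None           # never registered with this origin
        self.counter += 1
        flags = bytes([1 if user_present else 0])   # bit 0: button was pressed
        msg = signed_message(app_id_hash, flags, self.counter, client_data)
        sig = hmac.new(self.registrations[app_id_hash], msg, hashlib.sha256).digest()
        return {"flags": flags, "counter": self.counter, "client_data": client_data, "sig": sig}


def browser_assert(key, page_origin, challenge):
    """Browser role: derives the app id from the page's real origin and writes
    that origin into clientData itself, so a page cannot claim another site."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    return key.authenticate(hashlib.sha256(page_origin.encode()).digest(), client_data)


class RelyingParty:
    def __init__(self, origin, reg_secret):
        self.origin = origin
        self.app_id_hash = hashlib.sha256(origin.encode()).digest()
        self.reg_secret = reg_secret
        self.last_counter = 0
        self.pending = set()      # challenges issued and not yet consumed

    def new_challenge(self):
        challenge = os.urandom(16).hex()
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion):
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("origin") != self.origin:             # 1. origin binding
            return False
        if cd.get("challenge") not in self.pending:     # 2. fresh, unused challenge
            return False
        if not assertion["flags"][0] & 1:               # 3. user presence (button press)
            return False
        if assertion["counter"] <= self.last_counter:   # 4. counter must increase
            return False
        msg = signed_message(self.app_id_hash, assertion["flags"],
                             assertion["counter"], assertion["client_data"])
        expected = hmac.new(self.reg_secret, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):  # 5. signature
            return False
        self.pending.discard(cd["challenge"])
        self.last_counter = assertion["counter"]
        return True


def run_scenarios():
    """Returns which authentication attempts the relying party accepts."""
    key = SimulatedKey()
    rp = RelyingParty(RP_ORIGIN, key.register(hashlib.sha256(RP_ORIGIN.encode()).digest()))

    legit = rp.verify(browser_assert(key, RP_ORIGIN, rp.new_challenge()))
    # Phishing relay: the fake site forwards the real challenge, but the browser
    # stamps the fake origin and looks for a registration the key never made.
    phished = rp.verify(browser_assert(key, PHISH_ORIGIN, rp.new_challenge()))
    # Replay: a captured response is presented twice; the challenge is spent.
    first = browser_assert(key, RP_ORIGIN, rp.new_challenge())
    replay = rp.verify(first) and rp.verify(first)
    # Stale counter: an older response arrives after a newer one was accepted.
    older = browser_assert(key, RP_ORIGIN, rp.new_challenge())
    newer = browser_assert(key, RP_ORIGIN, rp.new_challenge())
    stale = (rp.verify(newer), rp.verify(older))
    return {"legit": legit, "phished": phished, "replay": replay, "stale": stale}
```

Contrast this with the TOTP case: the six-digit code carries no origin, no challenge and no counter, so a relying party has nothing to check beyond the digits themselves.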
U2F keys are generally safer and more efficient than TOTP applications, even if they are not immune to security flaws either. Last May, Google had to recall some of its Titan keys because of a vulnerability in the Bluetooth function.
SMS, code, physical key: is double authentication really foolproof?