- So maybe I'm just
getting a lot more paranoid
as I get older
or maybe it's because my kids
are now old enough to use phones
or maybe it's because we can't go a day
without hearing about some
website getting hacked.
But I've been thinking a lot more
about online security lately
and basically how it's kind
of backwards and broken
for so many people.
But I was really intrigued
by this headline recently.
It said out of Google's 85
thousand some-odd employees,
not a single one had been phished.
Their accounts had not been compromised
since they moved to using these.
Physical hardware security keys.
So their accounts are safe.
I want my account to be safe.
I want my kids' accounts to be safe.
So I went down a pretty deep rabbit hole.
I've turned on Google's
advanced protection program
for my personal Google account
and that's Google's strongest
consumer level system
that requires these hardware keys to work.
So what are they?
What can they do?
How do you use them?
Hang on, we're gonna
have to get in the weeds
just a little bit here.
We're gonna talk about hardware keys,
we're gonna talk about
advanced protection,
and we're gonna talk about
Google's brand new Titan key.
Yeah, we're gonna nerd out a little.
Here we go.
(playful music)
All right, first things first,
let's talk about what the
hell I'm talking about.
So look, we all know passwords, okay,
and we all know that we should be using
strong unique passwords.
We all know that we should
be using password managers
for those strong unique passwords
and if you're not doing
that already, go do it.
I'll wait.
All right, good, you're back.
And we all also know about
two-factor authentication.
That's a second password
after your password
but here's the thing,
it's possible for someone to
hijack your text messages.
It's possible for them to
get into your phone account.
It's possible for them to intercept
the one-time passwords you
get via an authenticator app.
This isn't necessarily tinfoil hat stuff
I'm talking about, okay.
I mean yeah, if you're a target,
it's a lot more likely that
someone's gonna try to phish you
because that's spear phishing
but it's also possible
that you could just blunder
across a bad link that somebody sent you
or you just didn't know it
and that's why this
stuff is also important.
And so, more secure than text messages
and authenticator apps are
these physical hardware keys.
So what are they?
Look they're little USB sticks.
They look like thumb drives, yeah.
And the way it works is this.
You take your key and you
stick it in the computer
and you register it
with whatever service it is you're using,
Twitter and Facebook are two.
Dropbox is another really good one.
Google, obviously.
Not every website and
service out there uses them.
I really wish they did.
There's a good website
to use: twofactorauth.org.
They have a huge database telling you
what forms of two-factor
authentication websites use
and whether or not they
take hardware keys.
So I use my password,
I stick this in the computer,
I give it a little tap and that's it.
I'm logged in.
Now there are several kinds
of these physical hardware keys, okay.
There's this normal little USB type
which is nice and easy and small,
you can keep it on a keychain if you want
or stash one in a drawer or a
safety deposit box or wherever
as a backup.
That's not a bad idea but remember
the more these you have laying around
with your credentials on them
the more it's possible for
somebody to get a hold of it, right?
Trade-offs.
Phil what about my phone?
Well, okay, you have keys, little USB keys
that also have NFC chips in them
or you have these larger
fobs that have to be charged
but they have little
Bluetooth radios in them
and those work, as well.
In fact, they work with the iPhone
which doesn't have wide open
NFC until iOS 12 comes out.
Really, when it comes
to the keys themselves,
there's, kind of, no
one right way to do it.
Fewer is obviously more secure
but you're gonna have to figure
out what works best for you.
So also, hardware keys
are faster, actually,
and when I really got to using
them it made total sense.
So instead of waiting for
a text message to come in
and then me copying that over
and then pasting it into a website,
I stick this in, I tap it, I'm done.
Same goes for the authenticator apps,
exactly the same deal.
Now what about this Titan key
that you've been hearing about?
Yes, it's all nerdy and sounds Titan key.
That's a great name for it.
It's actually named after
part of what Google uses
on its enterprise servers
for security stuff
and really all it is
is a physical hardware key,
only it's controlled by
Google from start to finish.
Google controls the hardware,
Google controls the firmware,
and that's really all it is.
It's the same kind of physical key
you would get from, say, Yubico,
only it has Google's name behind it.
These are now on sale from Google directly
in the Google store
and for 50 bucks you get a Bluetooth fob
that'll work with pretty much everything,
including the iPhone,
and you get a slick looking USB key
that also has NFC built in.
Now one quick note on that,
at launch, the NFC
is not actually working
with Android phones.
They have to do a
behind-the-scenes update on that
so I'm not quite sure
when it's gonna happen
but it is coming.
But let's stick with Google for a second.
So if you're really
worried about keeping your
Google account secure,
there's what's called Google
Advanced Protection Program
and here's how Google explains that.
- [Instructor] But if you're an activist,
journalist,
thought-leader,
business executive,
or other public figure,
or anyone who feels vulnerable
to highly targeted online attacks,
you might need a different
level of security
to keep your data safe.
That's where the Advanced
Protection Program comes in.
It's Google's strongest account security.
- So here's how I explain it.
Once you turn advanced protection on,
the only way to get
into your Google account
is to first, have the password
and second, have one of
the physical hardware keys
attached to your account.
No more text messages.
No more authentication codes.
No more using a second
trusted device, like a phone,
to log in.
You have to use a physical key.
And by the way, Google
also makes it harder,
once you turn this on,
for somebody to use the
account recovery process
to actually get into your account.
It includes you, by the way.
So this will, kind of,
break some stuff initially.
When you first turn on advanced protection
it logs you out of every
single device you're in
because now you have to log back into it
using a hardware key.
It means every phone, every computer,
every third-party app
that you might have
used Google to log into,
you're now logged out
and that means you can't
use third-party email apps.
I use Mailplane and Shift on my Mac.
You can't actually log
into your Google account
from the Mac.
You can't use Apple's mail apps anymore.
And the one really weird one,
and I think this is just broken,
I can't even use my NVIDIA Shield TV box.
I can't log in with my
Google account on that.
Whoops.
And that actually brings
us to the question,
do you really need Google's
advanced protection?
I'm thinking for the vast
majority of us out there, no.
You have different options, anyway,
when you log into Google accounts, right?
You can use a hardware key
and not use text messages
or not use authenticator apps.
Advanced protection
really just takes things
to the next level where you
have to have the password
and you have to have a physical key
and you can only use a
physical key to log in.
And I'm willing to bet that Google's
also doing some other
stuff in the background
to keep an eye on things.
So if you really think you're a target,
if you're a journalist or
a politician or whatever,
then yeah, it would be a really good idea.
For the rest of us,
probably gonna be a little more
of a headache than you need.
All right, that was a lot.
I get it.
Let's recap.
You gotta have a good
strong password, right?
You got to use a password manager.
You gotta use a password manager.
You have to use two-factor
authentication of some kind.
Text messages are okay.
Authenticator apps are okay.
Physical hardware keys are better,
much, much better.
And remember, Google isn't
the only company out there
to use these things, okay?
There's a whole website, twofactorauth.org
where you can look up services
that use hardware keys for
two-factor authentication.
And Chrome isn't the only
browser out there that uses it.
Firefox does and Microsoft just announced
that it's finally
bringing support, as well.
Safari.
Well, Apple's gonna Apple.
And finally, grab yourself
a key to use, okay?
Maybe it's one of these
really simple USB keys
and that's it,
maybe you want one with NFC
so you can use it with your phone,
maybe you want one with
Bluetooth if you have an iPhone
and that's the best way to go.
I can't tell you which way
is gonna be best for you.
You're gonna have to
figure that out on your own
a little bit
but use it.
Get a hardware key.
Register it with these services
and sleep a little better at night.
So that's it on hardware keys
and Google advanced protection
and the new Titan key.
Again, I've got links down
below for all this stuff,
if we went a little fast.
And I've got a link down below
for that talk from
Christiaan Brand of Google
at the Google cloud conference.
I tell you, it really
opened my eyes to all this
and made it make even more sense
even as I was using it.
Really good, it's worth your time.
So go get a key.
If you got any more questions,
ask them down below in the comments.
That's it, see you next.
(playful music)
