Google’s rollout of a new security key, a dongle that people can plug into their laptops to confirm their identity, is getting lots of attention—like this story on CNBC that recommends people use it. These keys aren’t new. For some time, Google, Facebook and Dropbox, among other services, have let people use such keys to beef up the security of their accounts.
Ironically, though, the institutions that should be offering this capability—the banks—are not. Banks still rely on text-message authentication, an approach that is easy for hackers to break. (And some banks don’t even offer that!)
Meanwhile, Google’s choice of a Chinese manufacturer, Feitian Technologies, to produce its Titan Security Key raises other questions about the security of the devices. Two sources confirmed that Google is using the manufacturer. Google said it is ensuring the security of the keys by developing the firmware itself, then sealing it inside a secure element hardware chip before the chip is delivered to the manufacturer. But security researchers said they still had some concerns.
Adam Meyers, vice president of intelligence at security firm CrowdStrike, said making the hardware in China could open the door to supply chain attacks on Google and its users. Supply chain attacks involve hackers exploiting weaknesses at an outside firm that deals with a major company, instead of attacking the company itself. “Broadly speaking, anytime that a foreign government or a foreign company is involved in production in any equipment, security or otherwise, there is a supply chain concern,” Mr. Meyers said. “The supply chain is becoming a real concern and [attacks] are popping up every day now.”