Now more than ever, companies and services are pushing you to use more advanced methods to secure your accounts. Security keys have been around for a while, especially from the likes of YubiKey. Now, Google is entering the market with the Titan Security Key.
For $50, you get a USB-A key and a Bluetooth key in a bundle. It's not the cheapest option, but Google is hoping to differentiate itself with a special layer of verification software.
Google hasn't reinvented the wheel with Titan, offering folks a physical alternative to traditional two-factor authentication (2FA) methods of receiving codes over text or even its own Authenticator App.
With its extra layer of verification and the Google brand, is the Titan Security Key worth $50?
Titan looks like a security key
The device looks like a traditional security key. That's not a bad thing, but when it comes to the ports being put on the keys, it's a strange decision.
Both the USB-A and Bluetooth keys have NFC built in, but the functionality isn’t turned on yet. Hopefully it will come when Google unveils its new Pixel devices. The Titan doesn't work with iOS devices, but with Apple opening up the iPhone's NFC capabilities in recent updates, that may change at some point.
The USB-A key will work for most laptops, and a USB-A-to-USB-C dongle is included in the box — handy if you have a MacBook or MacBook Pro. The Bluetooth version of the key has a micro-USB port for charging, but it would have made much more sense if Google had made this a USB-C port for fast charging, especially since Google has been championing the port.
It's almost like the team that designed the Titan Security Key wasn't in contact with Google's larger hardware team. The discrepancies among port choices are confusing and will likely cause people with USB-C devices to look elsewhere.
Issues with the ports aside, these are your typical plastic security keys that are sealed and feel pretty durable. I've dropped both of them a few times and neither cracked. You can feel confident attaching either of these alongside your keys and resting easy. I noticed that the Bluetooth one has a glossy finish which is more prone to scratching, while the USB-A key has a matte finish which doesn't scuff as easily. It’s not really an issue, but a more cohesive design approach would have been appreciated.
A simple setup for Google accounts
Linking either of the Titan Security Keys to a Google account is easy. That's nice, but not every service is Google, and the company can't control how other FIDO (Fast IDentity Online) services handle setup.
To set up via your Google account, head over to g.co/securitykey, and you'll learn that two-step verification (AKA 2FA) is a requirement before going forward. This means you'll need to have a phone number or authenticator app associated with the account. After that, you will see the option to add a security key.
Simply plug the key into your computer (you'll need to attach a micro-USB cable to the Bluetooth key to perform this task). Then tap either the gold button with the WiFi symbol on the USB-A model or the white button on the Bluetooth key to start pairing. Once paired, the Titan Security Keys will be linked to your account.
While Google claims that the keys need to be associated with the Advanced Protection Program (APP), I did not find this to be the case. The APP is Google's strongest form of security for accounts, and it requires a physical authenticator. It disables SMS authentication texts and the ability to use the authenticator app.
A word of warning: Turning on the Advanced Protection Program will log you out of all sessions. While this is for your account's protection, it's a pain. To get back in after this process is complete, you'll need to use the key to sign in. It comes down to personal preference, but we'll see if Google enforces the requirement of APP. For now, it also works with two-step verification.
Mixing the FIDO standard with a layer of verification
The special sauce that Google provides with the key is an extra layer of verification. Google developed a cryptographic firmware that is on a secure element chip in both of these keys. That chip cannot be modified or tampered with once the key is sealed.
This firmware essentially checks the URL you are logging into, keeping your security code private until it can verify the source you're logging onto. So in the event of a phishing attack on, say, Facebook, that leads you to an exact copy of the site that has one character in the URL swapped, it won't let you sign in. This is a clever and useful feature that can provide some peace of mind.
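The origin check described above, modeled in the style of FIDO U2F as an added example; it is not Google's firmware or code from this review. `ToyKey`, `site_verifies` and the example domains are hypothetical, and an HMAC stands in for the ECDSA signature a real key produces so that the model runs with only the standard library.

```python
import hashlib, hmac, json, os

def app_param(origin):
    # Hash of the origin the browser is really on; the page cannot choose it.
    return hashlib.sha256(origin.encode()).digest()

def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class ToyKey:
    """Toy security key. HMAC stands in for the ECDSA key pair a real key uses."""
    def __init__(self):
        self._secret = os.urandom(32)  # device secret, never exported

    def register(self, origin):
        param, nonce = app_param(origin), os.urandom(16)
        handle = nonce + _mac(self._secret, b"bind", param, nonce)
        return handle, _mac(self._secret, b"cred", param, nonce)

    def sign(self, origin, handle, challenge):
        param, nonce, tag = app_param(origin), handle[:16], handle[16:]
        if not hmac.compare_digest(tag, _mac(self._secret, b"bind", param, nonce)):
            return None  # handle was issued to a different origin: release nothing
        client_data = json.dumps({"origin": origin, "challenge": challenge.hex()}).encode()
        cred = _mac(self._secret, b"cred", param, nonce)
        return client_data, _mac(cred, param, hashlib.sha256(client_data).digest())

def site_verifies(expected_origin, cred, challenge, response):
    if response is None:
        return False
    client_data, sig = response
    seen = json.loads(client_data)
    if seen["origin"] != expected_origin or seen["challenge"] != challenge.hex():
        return False
    good = _mac(cred, app_param(expected_origin), hashlib.sha256(client_data).digest())
    return hmac.compare_digest(sig, good)

def demo():
    real, fake = "https://login.example.com", "https://login.examp1e.com"  # constructed
    key = ToyKey()
    handle, cred = key.register(real)
    challenge = os.urandom(32)
    legit = site_verifies(real, cred, challenge, key.sign(real, handle, challenge))
    # Lookalike page relays the real site's handle and challenge to the key.
    refused = key.sign(fake, handle, challenge) is None
    # Even a credential enrolled on the lookalike yields nothing the real site accepts.
    fake_handle, _ = key.register(fake)
    relayed = site_verifies(real, cred, challenge, key.sign(fake, fake_handle, challenge))
    return legit, refused, relayed

if __name__ == "__main__":
    print(demo())
```

The one-character difference in the lookalike origin changes the hash the key receives, so the stored key handle no longer validates and the key returns nothing for the page to capture.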
Google is playing nice with the standard that lays out the rules for two-factor authentication, FIDO. I checked out the YubiKey Neo a few weeks back, which also supports this standard, and the experience here is similar. There are still a limited number of services that support FIDO, though.
I got the Titan Security Key working with Facebook, LastPass, Dropbox, and of course Google. It performed well with these, but other services are missing. It's still an uphill battle to get more services to support FIDO, but the security key companies can only do so much to get third parties to implement the standard.
There are better security keys to get
There are many things to like about the Google Titan. The setup is super-simple, and it works with almost all USB-A or Bluetooth devices. NFC compatibility is seemingly missing at launch, and the Advanced Protection Program can be daunting to use.
The bigger issue is that $50 isn't affordable for the masses, even for two keys. I was hoping that when Google brought the Titan to market, it would be less expensive. For now, you can get other security keys from the likes of Yubico for less.
At $50 and with a small list of FIDO services, the Titan doesn't offer enough that differentiates itself from other physical authenticators. There's nothing wrong with the Titan, but there's not a lot to recommend it, either. The name, in other words, is kind of a misnomer.