Hands On With the Google Titan Security Key (Update)
As the world gets more digital, some of our most valuable possessions are increasingly those which we cannot touch: documents, photos, emails and other private messages. You may even want to protect your social media accounts. But locking down things you can’t touch can, to some, be confusing. Other high-value possessions require a human touch to ensure protection. Cars get locked with keys, pushing a button, closing a garage or all of the above. Houses are secured in a similar manner, while cash and jewelry go in a vault secured with a code you must navigate with your fingers. But protecting your digital assets is usually a virtual affair.
This is all changing with security keys, hardware that provides an extra layer of security by requiring you to touch them in order to log into certain applications. Google has entered the market with its Titan Security Keys, which were announced last month and arrived in the Google Store today for $50.
I tried out the key for myself and, while I had a little trouble getting set up, I feel confident in the security of my important accounts, like Google and Twitter. But is the security it enables really as strong as the god-like Titan name implies?
Setting Up My Google Titan Key
Journalists are among the high-risk users Google identifies as good candidates for its Titan Key. I for one do a lot of my work using Gmail, Docs and Sheets. The Titan Key is also compatible with Salesforce, GitHub, Stripe, Dropbox, Twitter and Facebook, and with any other service that supports FIDO standards.
The $50 Titan bundle comes with one USB/NFC Titan Security Key, one Bluetooth key to carry on the go, one micro-USB cable for charging the Bluetooth key and one USB Type-A to USB Type-C converter (a USB-C version is in the works).
Both keys are small, white, lightweight plastic, so they're not a burden on your desk or on your key ring.
However, sliding the Bluetooth key onto my key ring was problematic. When opening my key ring, I leaned the Titan Key against the ring while sliding it on (like I do with all my other keys), but this ended up creating a nasty scratch on the key’s upper left side.
Setting up the USB key was simple. All I had to do was go to a website Google lists with the product and follow the accurate step-by-step instructions.
Bluetooth Woes
The Bluetooth key needs to be registered separately. Once I registered the Bluetooth key, I was able to use it to sign into accounts on my PC.
However, to use it with my iPhone, I was required to download Google’s Smart Lock app. Once I downloaded it and enabled Bluetooth on my phone, I signed into my Google account. But that’s as far as I got.
Clicking on my Google account opened a web browser window reading “You’re all set. Your account has been securely set up on this phone” with an option to hit done. I hit done, and it took me back to the Smart Lock app with the same page listing my Google accounts. And despite enabling my phone’s Bluetooth, I still haven’t been able to find the key in the available devices list. The Bluetooth key did work when my colleague tried it on an Android phone, but I've never been able to pair it with my iPhone.
For me, the Titan Key is limited to my PC unless I get an Android phone. I reached out to Google about the issue, but they were not able to help me fix it in time for publication.
It's also worth noting that some, including Yubico, find Bluetooth inherently insecure. In response to Titan Key's unveiling last month, Yubico CEO Stina Ehrensvard wrote in a blog post: "While Yubico previously initiated development of a [Bluetooth] security key and contributed to the [Bluetooth] U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. [Bluetooth] does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience."
Update 5/15/19: Today Google announced a security flaw among its Bluetooth keys and started offering free replacements. It also noted that using one of its keys is still more secure than not using one at all. You can learn more about how Google Titan's Bluetooth security key can be hacked here.
Using My Google Titan Key
The Titan Key performed superbly on Google applications (again, on my PC only); however, it only works with the Google Chrome browser. When I tried logging into Google Mail, Docs or Sheets on a new device, or even after clearing my browser history, I was asked to enter my password. Afterwards, I was met with a second barrier of defense.
The only way to get through this next wall is to insert my USB key into a USB port on my computer, and then touch the little gold circle with my finger. And with no one able to access my secret workings (including, at the time, a draft of this article) unless they dare pry it out of my hands, I can rest assured that even people who manage to guess my password will be blocked off.
Note that the USB key is not a fingerprint reader, so anyone who can access the key can press it and break down that extra wall of security. As such, it’s really important you keep your USB key somewhere safe where no one else can find it. It’s necessary to remove it from your computer after each use unless you only work at home, and you’ll need a safe place to store it. However, this is a small requirement for a notable boost in security.
Google Titan and Social Media
While the Titan Key is compatible with a number of apps outside the Google realm, I decided to try it out on social media, since even non-professionals frequent those sites and I use Twitter and Facebook often.
To perhaps no one’s surprise, Facebook remained the most vulnerable. On my first day with the key I added the security key but was never asked to implement it after clearing my browser history or logging in on a PC I don't always use. So, I looked at my privacy settings again but could not find a way to register the key.
Twitter fared a bit better. After (easily) registering my account with 2FA and my Titan Key, I cleared my browser history and attempted logging in. After entering my password, I was indeed met with a prompt asking me to touch my key to proceed. I can rest assured that there will be no rogue tweets coming from my account.
Using a mobile browser was another story. When I tried logging into Twitter on the Safari browser on my phone, I was told my browser doesn’t support security keys. So, I begrudgingly downloaded Google Chrome (Safari has always worked just fine as a mobile browser for me); however, I encountered the same error message. Therefore, I can’t log into my Twitter account on my phone anymore unless I use the Twitter app.
Google: Security Key Customer-Turned-Seller
In 2009, Google partnered with Yubico to develop the YubiKey for public key cryptography. The two firms collaborated on “a strong authentication protocol based on the concept of a single unphishable key to secure all services,” according to Yubico, which would later be adopted by the FIDO Alliance as the FIDO Universal 2nd Factor (U2F) standard. By 2012, Google was working with both Yubico and NXP Semiconductors to develop and deploy keys.
In 2016, after two years of analyzing other security measures, such as one-time passwords (OTPs) and TLS certificates, Google rolled out the YubiKey to “all staff and contractors for secure computer and server login, reaching more than 70,000 employees to date” with the following results:
In October 2017, Google launched its Advanced Protection Program, targeting high-risk users. The program makes a hardware-backed FIDO U2F security key a requirement for logging into Google accounts.
Now, Google is ready to take on its former vendor with the Titan Security Key, a FIDO security key that comes with a built-in hardware chip running firmware Google engineered itself. Christiaan Brand, Google Cloud product manager, further explained the reasoning in a blog post today, hailing FIDO-based security keys as “the strongest, most phishing-resistant second factor of authentication on the market today.” The blog also cites a 2018 security report by Verizon, finding that 41.6 percent of breaches in the 12-month period researched resulted from stolen passwords, phishing and pretexting.
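To make the "touch the key after your password" step and the "phishing-resistant" claim concrete, here is a constructed model of a FIDO U2F second-factor login (an added example, not code from Google, Yubico or this article). It assumes a relying party at a made-up origin, uses an HMAC in place of the token's ECDSA signature so it runs offline, and shows why a signature obtained on a look-alike site is rejected by the real service, and why a replayed response fails the counter check.

```python
import hashlib
import hmac
import secrets
# Constructed model of a FIDO U2F second-factor login (added example, not Google's or
# Yubico's code). HMAC stands in for the token's ECDSA signature; the signed bytes keep
# the U2F shape: application hash, counter, challenge hash.

def signed_data(origin, counter, challenge):
    # The browser, not the user, fills in the origin the login page came from.
    return (hashlib.sha256(origin.encode()).digest()
            + counter.to_bytes(4, "big")
            + hashlib.sha256(challenge.encode()).digest())

class SecurityKey:
    def __init__(self):
        self.secret, self.counter = secrets.token_bytes(32), 0  # secret, touch counter

    def sign(self, origin, challenge):
        self.counter += 1                       # the touch on the gold circle
        data = signed_data(origin, self.counter, challenge)
        return self.counter, hmac.new(self.secret, data, "sha256").digest()

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.registered = origin, {}   # user -> [secret, last counter]

    def register(self, user, key):
        self.registered[user] = [key.secret, 0]

    def verify(self, user, challenge, counter, sig):
        secret, last = self.registered[user]
        # Verify over the service's own origin, never one the client supplied.
        expected = hmac.new(secret, signed_data(self.origin, counter, challenge), "sha256").digest()
        if counter <= last or not hmac.compare_digest(expected, sig):
            return False                        # wrong origin, tampering or replay
        self.registered[user][1] = counter
        return True

def login(rp, user, key, browser_origin):
    # Second-factor step after the password: challenge -> touch -> verify.
    challenge = secrets.token_urlsafe(32)
    return rp.verify(user, challenge, *key.sign(browser_origin, challenge))

def demo():
    rp, key = RelyingParty("https://accounts.example.com"), SecurityKey()  # constructed origin
    rp.register("alice", key)
    genuine = login(rp, "alice", key, rp.origin)
    # Phishing relay: the touch happened on a look-alike site, so the signature covers
    # that origin and the real service rejects it.
    phished = login(rp, "alice", key, "https://accounts-example.com")
    return genuine, phished
```

Run `demo()` to see the genuine login succeed and the relayed one fail; note that the user's password is irrelevant to the outcome, which is the point of the second factor.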
Do You Need a Google Titan Key?
One of the biggest arguments for getting a Titan Key is your profession. When I asked Google’s Brand which users the key targets, he said, “This is any user who kind of feels particularly at risk maybe because of their stature or their affiliation, reporters dealing with a particularly sensitive story, perhaps dissidents, or powerful executives, or anyone, really, that feels that they have a need for this advanced network protection.”
Professionals, such as IT administrators, business leaders, journalists or those in politics, are the strongest candidates for a Titan Key. But anyone who wants to protect their data can benefit and should consider one.
But it also depends which apps you use. If you rely on popular supported apps, like Salesforce, Dropbox, Twitter and especially Google productivity apps, even for not-so-clandestine activities, it’s comforting to have a lasting bonus layer of security for a one-time $50 cost.
However, if you don’t use any of the supported apps, it's likely not worth your time until more services include security keys.
But, if you have $50, the keys are lightweight and carefree enough to not be a burden to anyone besides hackers and other nosy folks seeking access to your accounts.
If your job’s dealings are confidential, this easy-to-use key can make sure they stay that way, saving you from being the source of an embarrassing leak. And if you just want a way to make sure no one snoops around your social media accounts and email, the Titan Key has value, just not for Facebook (but how secure do you really expect that to be anyway?).
Google’s Titan Security Key bundle comes with a one-year limited warranty and is available via the Google Store. You can learn more about how it works via Google’s product page.
Update 7/31/2019: Today, Google made this Titan Security Key Bundle available in the UK (£50), Canada ($65), France (€55) and Japan (¥6,000).
Scharon Harding has a special affinity for gaming peripherals (especially monitors), laptops and virtual reality. Previously, she covered business technology, including hardware, software, cyber security, cloud and other IT happenings, at Channelnomics, with bylines at CRN UK.
mikewinddale: Thanks for this review. I've been using a YubiKey for a few months now, but it's nice to see there's an alternative - in case I ever need one. I have the YubiKey with NFC, and I've been able to use it on my Android.
One huge problem I see with *all* these keys is that many sites have "Don't ask again on this computer" checked by default (see the Google screenshot). This means that if you're using a public computer, you have to remember to uncheck the box. If you use public computers a lot - say, you're a college student who uses the library - then this means a lot of opportunities to forget to uncheck the box. But the moment you forget to uncheck the box once, you've just lost all the extra security benefits. Now someone only needs your password and nothing else (on that specific computer, of course).
I wish websites would uncheck that box by default. That way, when you use a public computer and forget to look at the box, you haven't compromised your security. On your own personal computers, you'll have to remember to check the box, but once you check it, you're good to go. So it's hardly less convenient, but far more secure. It astounds me that few if any websites have realized that unchecking the "remember me" box would offer greater security at almost zero cost.
gggplaya: That USB key is way too big for a laptop. It will be adopted by people with sensitive data on their PCs, but for mass adoption the key needs to be the same size as a nano mouse dongle. Most people are fine leaving it on their computers all the time. Losing their computers or having them stolen is not their main concern. They just don't want some hacker in Russia to log into their accounts.
bloodroses: 21278199 said: "Has Google given a workaround to the Chinese government already?"
Only Apple does that kind of stuff.
Google backed out of China in 2006 due to not agreeing to China's rules. By the time they tried to re-enter, China had already made their own, or used open source (Android), software. It is not Google supported though. You can't even get the Google Play Store to work out there. Here is an interesting article talking about the issues between Google and China (and it is recent).
http://www.forbes.com/sites/cognitiveworld/2018/08/30/why-china-is-a-no-go-land-for-google
mikeebb: So if I have this straight: this is like a YubiKey, but only really works for social apps and Google stuff? I have Windows (with BitLocker disk encryption) and Linux computers, a Windows phone, no social network or app accounts other than LinkedIn (rarely used), and use mostly free and/or open source applications on the computers. Sounds like I'll be getting a YubiKey, which seems to be more generically acceptable, rather than this one, and relying on whatever my employer distributes (eventually) for the work computer.
Olle P: Seems like it only offers (some) protection against third parties hijacking one's social media account. Should be useful for those that are high profile and have many followers (and haters).
It seems to not offer protection against access to the stored data. Neither from Google admins nor from government agencies or anybody else with access to the servers. Since the key is registered one must assume that Google has the ability to easily circumvent it on demand.
humorific: 21278199 said: "Has Google given a workaround to the Chinese government already?"
It's manufactured in China so that part is already taken care of.
odaniel9: Has anyone been able to get a Bluetooth Titan key to handle the second step of verification via Bluetooth on a PC? My key registered and paired correctly but only does the verification via USB. Has anyone else had any success doing the verification via Bluetooth on a PC?