Those of us that care about our online security probably use some form of two-factor authentication to secure our most important accounts, but even the strongest password and the longest authentication code are still subject to something as simple as a phishing attack, which is why so many have switched to hardware security keys. Google helped to create the Universal 2nd Factor (U2F) hardware authentication standard, and now it's releasing its own product to consumers: the $50 Titan Security Key.
The "Key" is actually two keys: a USB-A security key with NFC, and a battery-powered, Micro-USB-equipped Bluetooth/NFC key. Together they can provide some extra security for your Google account — as well as other FIDO U2F-compatible services. Paired with Google's Advanced Protection Program, your account is about as secure as it can be.
With so much of our finances, communications, and general lives taking place on remote servers, the responsibility of digital security should always be in the back of our minds, and it takes more than just a good password to stay safe. But is the Titan Security Key worth your attention? If you haven't used any security keys before or if Google's customer support is important to you, then it may be worth a look. But with USB Type-C only available via adapters, and Bluetooth/NFC support being limited to Android and iOS, for most of us it's probably a pass.
Why use hardware 2FA?
If you care about the security of an account (i.e., if it has direct or indirect access to anything you'd regret losing), then it's a good idea to enable at least some form of 2FA authentication for it, but not all methods are equal. Depending on the value of the account, the convenience of SMS verification can actually be more of a risk than a benefit. SMS-based verification is subject to interception and socially engineered attacks at the carrier level (i.e., someone can call in pretending to be you and change where that number points).
While your security may be improved for low-effort attacks and the "good enough" mentality can encourage you to settle, if you do have genuinely high-value account access, every one of those SMS-secured accounts can be a stepping stone for attack escalation, and the potential catastrophe is just not worth the risk — for some of us.
App-based code authentication is a little more secure, and for many, the balance of convenience vs. risk settles there. But, all user input code-based systems are vulnerable when it comes to phishing attacks. While most of us think of phishing as low-effort and easy to avoid, you'd be surprised. A well-designed spoof with a deceptively close URL can catch even the security-conscious off guard. It's not just our parents or grandparents that fall for them, even Google employees had issues internally until a year ago.
For particularly high-value accounts, the most secure solution is a hardware security key like Google's Titan Security Key.
Advanced Protection Program
In our meeting with Google, a big point was made of the company's Advanced Protection Program, and that consumers using the Titan Keys would be enrolled in it. So far, that seems to be optional, as I was able to add both of my keys to my account without also enrolling into the Advanced Protection Program.
If you do enable Advanced Protection, you need to re-register your keys and be especially careful not to lose them. In fact, we were told the best thing to do is set aside one as a backup in a secure location, like a home safe.
That's because, if you're part of the Advanced Protection program, all other 2FA methods like authenticator codes or phone verification are disabled. There is only one configurable fallback method: a one-time password. I also got the implication that using that fallback wasn't really recommended.
At least you'll only really need the hardware security keys for signing into a new device for the first time. And, if you do end up needing it, Google does have a heavily scrutinized account recovery process.
If you elect not to use Advanced Protection, your old fallback methods will continue to work until you disable them, leaving you susceptible to so-called "downgrade" attacks, since less secure methods like SMS could be forced by third parties.
Enrolling is also, frankly, a bit of a pain in the ass. Although it will tremendously enhance security, it also immediately logs you out of every device you're currently logged in on. Due to the sheer number of devices I'm using at the time and the work happening in parallel with this review, that wasn't something I was comfortable testing at this time.
Google also gives you a bit of time to get comfortable with the keys on your own terms before it offers you to register with the Advanced Protection Program with a reminder via email.
Design, hardware, what's in the box
As I touched on before, the Titan Security Key is actually a set of two keys: one USB-A/NFC and one Bluetooth/NFC.
The wired USB-A key also supports NFC. It's flat, made of white, matte plastic, and just barely thicker than the space for the male connector inside a USB port at a little over 1/8". It has a flat, recessed gold "button" with an NFC-like logo on it which you tap when it's plugged in for authentication. A hole for attaching it to a keyring is just above that, and the back has Google's "Titan" logo embedded into it.
The wireless key supports Bluetooth and NFC, together with wired USB via the Micro USB port at the bottom — though using it requires plenty of adapters and dongles in most cases. It's made of glossy white-painted silver plastic. It is much bulkier than the USB-A key at around 1/3" thick, but it's still small enough to fit on a keyring. It has one large, indented and clicky white plastic button, plus two labeled windows for the Bluetooth and authentication LED indicators. The back has the same "Titan" logo, plus laser-etched unique name and PIN for Bluetooth pairing.
The keys come with two adapters, one for male USB Type-A to male Micro-USB, the other for male USB Type-C to female USB Type-A. Between the various ways of using each with the two Titan Security Keys, you should be able to plug both keys into pretty much any recent computer or phone.
The process to add the keys on your account is simple, but they will require that you use a computer. So far as I can tell, there isn't a way to set up a security key via Android.
Just visit the Sign-in and security section of myaccount.google.com, go to “2-Step Verification,” and scroll down to the “Set up alternative second step” section. There you can add a Security Key to your account, including Google’s first-party Titan Security Keys.
Select “ADD SECURITY KEY” and follow the linear instructions, which include plugging in your Titan Key when asked. For the wireless unit, that means using dongles and adapters as required, unfortunately.
You can allow Google to see and make a note of the make/model of your key for later alerts if the security of a specific piece of hardware is ever called into question. Lastly, give it a name, so you know what it is on your account details, and you’re good to go. You are now set up to use Google’s Titan Security Key. Well, one key, at least.
I had assumed that being sold in a matched pair, the two keys would operate functionally as one. Turns out, that's not how it works. You have to set up both individually, which is a bit annoying. So once you’ve finished with one, start these instructions all over again for the second one.
When you’ve finished, I urge you to set aside the USB-A key in a safe place and consider using the Bluetooth/NFC key as your primary. That way if anything happens to that wireless key, you’ll still have the backup at home (or wherever you choose to leave it). You can also register more than two keys so you can set aside other backups as well.
If you'd further like to join Google's Advanced Protection program, you'll need to go to the setup page for that and add both of these keys again.
Logging in with your Titan Security Key
Not all software platforms support the same login methods, so I thought it would be best to examine the process on every major operating system I had access to — at least when it comes to using the keys for logging into a Google account.
Out of all the platforms on this list, Android is the only one that works with Bluetooth and NFC according to both the Titan Security Key product manual and my own testing.
The sign-in process is the same with and without two-factor authentication up until you've entered your account's password, at which point your phone will ask you to choose how you'd like to use your security key to log in — assuming you set that up. If you haven't and you try to use a key that isn't paired with your account, it will let you know when you try to use it.
To sign in with Bluetooth, tap "Use Security Key with Bluetooth." It will provide you with step-by-step instructions that aren't too difficult to follow, but I've put the process together into a list just below, with images to follow along with.
The individual steps required to log in with the Bluetooth security key are:
- Select "Use Security Key with Bluetooth" at the 2FA selection screen.
- Place your Bluetooth/NFC Titan Security Key into pairing mode when asked by pressing and holding its lone button for at least five seconds, until the Bluetooth logo on its face begins to flash.
- Once it's ready, tap next until you can select your security key. It should appear in the list with the 6-letter name inscribed on the back of the key.
- When you've found it, select your Security Key from those on the list.
- You'll be asked to enter a six-digit PIN to go with it, that number is also etched on the back of the Bluetooth/NFC Titan Security Key, just above the name.
- After a (very) short wait for verification, you're in. Should your key not be registered to your account, you'll be warned to register it before trying to use it, and login will fail.
Ostensibly, both of the Security Keys work via NFC for Android and iOS, but in reality that doesn't seem to be the case. Despite extensive testing and experimentation, I was entirely unable to get NFC-based authentication to work on my Pixel 2 XL.
Although the instructions say to "Hold your Security Key flat against the back of your device until it stops vibrating," all I get from either of the two NFC keys is a quick buzz as NFC sees them for a moment, and then nothing, even with the keys placed directly over the phone's NFC antenna location.
I have reached out to Google for additional information about my difficulties with NFC, but have yet to hear back. If I am able to get it to work, I'll update this review with those instructions.
I ran into a few issues trying to use the battery-powered Bluetooth/NFC security key over USB on my Pixel 2 XL. It took me a couple of tries for it to work, so you might run into some trouble as well.
The first time, after Play services requested access, it just hung for 2-3 minutes, before spitting me back to the initial login page. I was warned that this is typical behavior when using wired 2FA keys on Android by Corbin, who has a similar issue with his Yubikey, so YMMV.
When it did work, the steps were as follows:
- Select "Use Security Key with USB" at the 2FA selection screen.
- Connect the key to your phone via whatever adapters are required, and press whatever button or "gold disk" it has.
- Grant Google Play services access to the key.
- Once it has verified the key is attached to your account, you should be in (when it chooses to work).
Although almost every Chromebook since my trusty CR-48 has had Bluetooth, the current stable version of Chrome OS (v68) does not accept anything but USB for security keys. I hope that is set to change in the future, but for the time being, it means you're required to use your Chromebook's USB ports for hardware 2FA. In the case of the Titan Keys, which only come in USB-A and Micro-USB varieties, you'll have to break out the dongles.
Dongles plugged into adapters.
At least the wired login method is a single exceedingly simple step. Once you input your username and password during the setup process, the Chromebook will ask you to plug your security key in and press a button.
Chromebooks don't save screenshots taken during the setup process, so I was forced to take a photo.
Using the Bluetooth Titan Key with the Pixelbook requires both of the adapters included with the Titan Key set (USB Type-C -> USB Type-A -> Micro-USB). Annoying as that was, I didn't run into any issues, and the process took mere seconds.
Just plug in one of the Titan Keys you have registered to your account when asked during the login process, and push the button. It's a single additional step, and no more time consuming than entering a code or tapping "Yes" on an Android device — at least, if you have your key on you.
I tried the keys with Chrome in OSX, and they worked just fine. But, as expected, only in USB mode. There's no NFC or Bluetooth support (yet).
Just sign in on your Google account as usual via Chrome, and when you make it to the 2FA step, you'll be asked to use your hardware security key.
Plug it in, press the button or "gold coin," and you should be in. The steps required are basically identical to Chromebooks and Windows.
It's so easy, I don't even need to put it into a step-by-step list.
The process for using a security key for signing into Chrome via Windows is identical to that on OSX. Just sign into your account, and after entering your password, you'll be presented with the 2FA authentication challenge.
Once asked, plug in your security key and press whatever button or gold coin it has, and you should be in. Like OSX, there's no support for Bluetooth or NFC yet, so far as I can tell, but both keys work fine with the appropriate adapters over USB.
Should you buy it?
Probably not. If you're interested in dipping your toes into increased account security, Google's pair of Titan Security Keys are a convenient package with the benefit of Google support. On the other hand, if you already have a couple security keys and you're just interested in getting the Bluetooth/NFC key from the Titan set, I'm 99% sure it's just a rebadged Feitian model which you can buy separately. So far as I can tell, there isn't any added exclusive functionality to be found from the Google-branded version of these security keys.
Annoyingly, I was not able to get NFC functionality to work for either key on Android, and I'm not sure what the cause of the issue may be. Over the course of this review I factory reset my Pixel 2 XL at least six or seven times (probably more), and in between testing the different security key login methods, I tried NFC multiple times. No matter what, I could not get it to work.
I was also a bit miffed that neither key was USB Type-C. By far the majority of my devices have no USB Type-A port, and that's only going to be a greater annoyance as time goes on. Having to use dongles for both of the Titan Security Keys was awkward, and it entirely eliminated the usefulness of a battery-powered, keychain security key. What good is having it always on hand if it won't work with most of the hardware I expect to use it with?
In related angst, the lack of Bluetooth support for security keys on Chromebooks is also confusing, since that means the wireless functionality of the combo Bluetooth/NFC battery-powered Titan Security Key is only compatible with phones — and the tediousness of the Bluetooth 2FA process makes it anything but convenient compared to USB. Both keys are also FIDO U2F and not FIDO2, so it isn't future-proof for the coming era of password-less authentication.
In my opinion, most people would be much better served picking up a cheap USB-A key and a USB-C key for the same price (or less). For just $20 you can get a FIDO2-compatible security key, and you can get the same Bluetooth/NFC battery-powered key for only $25 on Amazon.
Buy it if:
- You're a Google Cloud or other corporate customer that wants hardware 2FA security keys with the benefits of Google's support.
- You're interested in dipping your toes into hardware 2FA and the world of security keys and want a convenient package you don't need to research.
Don't buy it if:
- You've already got similar hardware security keys to those included in the Titan package.
- Most of your devices use USB Type-C.
- You want something with FIDO2 support for the future.
- You already think 2FA security codes are too inconvenient.