Google Titan Security Key Bundle Review

Google's Titan Security Key Bundle is a pair of small USB devices that add super secure two-factor authentication to your accounts. The price may seem steep, but the extra security is worth the cost.

4.0 Excellent
  • Pros

    • Two devices for fast and secure two-factor authentication.
    • USB key requires no batteries.
    • Bluetooth key connects to both phone and PCs.
    • Easy integration with Google.
    • Increasing support on other platforms.
  • Cons

    • Not yet widely supported.
    • Requires Chrome for some services.
    • Battery-powered Bluetooth key is point of failure, requires micro USB.
    • No cohesive on-boarding.

It turns out that people are actually very bad at creating and remembering passwords, and very good at inventing new ways to break into password-protected systems. Google aims to solve at least one of those problems with its Titan Security Key bundle. The product is made up of two devices that, when used correctly, make it significantly harder for bad guys to break into your online accounts by requiring both a password and a physical key to log in to a website or service.

How It Works

Two-factor authentication (2FA) isn't just a second step after entering a password—although this is often how it plays out in practice. Instead, 2FA combines two different authentication mechanisms (that is, factors) from a list of three possibilities:

  • Something you know,
  • Something you have, or
  • Something you are.

A password, for example, is something you know. In theory it should only exist in your head (or safely inside a password manager). Biometric authentication—such as fingerprint scans, retina scans, heart signatures, and so on—counts as something you are. The Titan Security Keys and products like them are something you have.

An attacker could get your password from a distance, perhaps by looking it up on a list of passwords from a data breach or by sending a phishing email that tricks you into handing over your password. But with 2FA, that same attacker would have to somehow get to you, personally, and steal your Titan keys (or fingerprint) in addition to your password. It could be done, but it's much harder, which protects you from the vast majority of attacks that rely on leaked or easily guessed passwords.

There are many other ways to get the protection afforded by 2FA. Signing up to receive one-time passcodes via SMS is perhaps the most common way, but Google Authenticator and services like Duo are popular alternatives that don't require receiving an SMS message.

But phones can be stolen and SIM-jacking is apparently a thing we need to worry about now. That's why physical devices like the Titan keys are so attractive. They're simple and reliable, and Google has discovered that deploying them internally completely wiped out phishing attacks and account takeovers.

What's in the Box?

Inside the Titan Security Key Bundle is not one device, but two: a slim USB key and a Bluetooth-powered key fob. Both are cast in sleek white plastic and have a pleasant, sturdy feel to them. The USB key, in particular, makes a very satisfying sound when tossed on a table. I have done this several times just for the joy of it.

The Bluetooth key has a single button and three LED indicators to show authentication, Bluetooth connection, and that it's either charging or in need of a charge. A single micro USB port on the bottom is for charging and/or connecting the Bluetooth key to your computer. The USB key is flat with a gold disk on one side, which detects your tap and completes the authentication. The USB key has no moving parts and requires no batteries. According to Google, both devices are water resistant, so you might want to keep them out of the pool.

Both are intended to be put on a keychain and kept on your person (or close at hand), which means that nice white finish may prove a liability. Rattling around on a keyring is sure to put some noticeable wear and tear on the pristine Titan devices. I've been using a Yubico YubiKey 4 for several years, and it's starting to look pretty worn despite being cast in black plastic. In my short time testing the Titan keys, the USB-A connector was already starting to look a little scraped up.

Also in the box are some stylishly designed—if a bit vague—instructions, along with a micro USB to USB-A cable, and a USB-C to USB-A adapter. The micro USB cable charges the Titan Bluetooth key, which, unlike the USB key, can run down. A battery indicator flickers red when it's time to recharge. The Titan USB key, like the YubiKey, does not require a battery. You can also use the micro USB cable to connect your Bluetooth key to a computer, where it can function in the same manner as the Titan USB key.

Both the Bluetooth and USB-A keys are compliant with the FIDO Universal 2nd Factor standard (U2F). This means they can be used as a 2FA option without additional software. This is the only protocol supported by the Titan keys, meaning they can't be used for other authentication purposes.

When the Titan keys were first announced, a journalist discovered that the components of at least the Bluetooth key were from a Chinese manufacturer. Google confirmed to me that the company contracts a third party to produce the keys to the company's specifications. Some in security circles viewed this as a potential risk, considering that China has been accused of carrying out digital attacks on US institutions. To my mind, however, if you don't trust Google to properly vet its hardware partners then you probably don't trust Google enough to use its security products in the first place, and you should look elsewhere.

Turning the Key

Before the Titan keys can be used, they must first be enrolled with a site or service that supports FIDO U2F. Google obviously does, but so do Dropbox, Facebook, GitHub, Twitter, and others. Since the Titan keys are a Google product, I started by setting them up to secure a Google account.

Setting up the Titan keys with your Google account is straightforward. Head over to Google's 2FA page, or visit your Google account security options. Scroll down to Add Security key, click, and the site prompts you to insert and tap your security USB key. That's it! Enrolling the Bluetooth key only requires the additional step of attaching it to your computer via the included micro USB cable.

Once enrolled, I went to sign into my Google account. After entering my password, I was prompted to insert and tap my security key. Plugging the USB key into a port prompts the green LED to flash once. The LED glows steady when you're presented with a request to tap the key.

When I tested using a fresh account that had never used 2FA, Google first required that I set up SMS one-time passcodes. You can remove SMS codes if you prefer, but enrolling in Google's 2FA program requires that you use at least SMS codes, or the Google Authenticator app, or a Google authentication push notification sent to your device. That's in addition to whatever other 2FA options you select. Please note that the Google Titan key does not require SMS or any other service to function, but many services (Twitter included) encourage you to verify a phone number in order to prove you're a real person.

If you select multiple 2FA options, you can choose the one that works for you in a given scenario. It's also a good idea to have a back-up authentication method, in case you lose your keys or your phone breaks. SMS notifications are fine, but I also use paper keys, which are a series of one-time use codes. These codes are widely supported and can be written down or stored digitally (but hopefully encrypted!). However, I did notice that to make changes to my 2FA settings after I enrolled my Titan key, only it and push notifications to my phone via the Google app were acceptable authenticators.

Tap to Authenticate

According to the box, the Titan key and Bluetooth key are both NFC compatible, but I wasn't able to get them to work that way. When prompted to use a 2FA device on my Android phone, I followed the instructions and slapped the key on the back of the phone, but to no avail. Google confirmed to me that the devices are NFC capable, but that support will be added to Android devices in the coming months.

I had no such trouble logging into my Google account on an Android device using the Bluetooth key. Again, I was prompted to present my key after entering my password. An option at the bottom of the screen let me select using an NFC, USB, or Bluetooth authenticator. When I selected Bluetooth the first time, I was prompted to pair the Bluetooth key with the phone. Most of this was handled automatically by Google, although I did have to enter the serial number on the back of the Bluetooth key. Enrolling the device in this way only needs to be done once; every other time you just need to click the Bluetooth key's button to authenticate yourself. Interestingly, I didn't see the Bluetooth key in the phone's list of recent Bluetooth devices, but it still worked just fine.

Just for the heck of it, I also tried logging in using the included USB-C adapter and the USB security key. It worked like a charm.

In addition to its 2FA login scheme, Google also offers its Advanced Protection Program to individuals who may be at particular risk for attack. I didn't try out Advanced Protection in my testing, but it notably requires two security key devices, so the Titan Security Key Bundle is ready to work with this login scheme as well.

The Titan keys should work with any service that supports FIDO U2F. Twitter is one such example, and I had no trouble enrolling the Titan USB key with Twitter, or using it to log in later.

How the Google Titan Security Key Compares

There's a growing list of hardware authentication devices that compare with the Titan Security Keys, but the industry leader is likely Yubico's line of YubiKey products. These are nearly identical to the Titan USB-A key: slim, rugged plastic and designed to sit on a key ring with a small green LED and a gold disk that registers your touch with no moving parts.

While Yubico doesn't offer anything like the Titan Bluetooth key, it does have several different form factors to choose from. The YubiKey 4 series, for instance, has two keys of comparable size to the Titan USB key: the YubiKey 4 and YubiKey NEO, the latter of which is NFC-enabled. Yubico also offers USB-C keys, which work with any device that sports that particular port, no adapter required.

If keys aren't your style, you can opt for the YubiKey 4 Nano or its USB-C sibling, the YubiKey 4C Nano. The Nano-style devices are much smaller—just 12mm by 13mm—and are designed to be left nestled inside your device's ports.

All of the YubiKey 4 devices above cost between $40 and $60, and that's just for one key. However, these are all multi-protocol devices, meaning you can not only use them as FIDO U2F devices, but also to replace a smartcard for computer login, for cryptographic signatures, and for an array of other features. Some of these are available through the optional client software provided by Yubico. This lets you change what the YubiKey does and how it behaves, which is sure to tickle any security wonk's fancy. The Titan keys just support U2F and the W3C WebAuthn standard, and have no associated client software to change their functionality.

The least expensive YubiKey is also the one that appears to be closest in functionality to the Google Titan key. The blue Security Key by Yubico works anywhere U2F is accepted, but doesn't support the other protocols that the YubiKey 4 series does. It also supports the FIDO2 protocol. It doesn't have the Bluetooth key included in the Google Titan bundle, but it also costs less than half at a mere $20.

While Yubico's products are at least as technologically capable and durable as the Titan key, the company's weakness has been explaining which of its keys do what and where they are supported. The Yubico website has several dizzying charts filled with acronyms that make even my eyes glaze over. The Titan keys, on the other hand, favor an almost Apple-like simplicity and out-of-the-box usability.

There are software solutions to 2FA as well. I've mentioned Duo, and both Google and Twilio Authy also offer one-time codes via apps, as does LastPass through a dedicated app. Software authenticators are useful, and perhaps more convenient if you always have your phone handy. But hardware 2FA devices like the Titan key are more durable than a phone, never run out of power, and require just a tap instead of entering one-time codes generated by an app. A hardware key is also harder to attack than an app that lives on your phone, though phones are pretty secure these days. In the end, choosing between a hardware or software 2FA solution will likely come down to personal preference.

The Problem of Support

Despite the name, FIDO Universal 2nd Factor standard support is far from universal. To use your Titan keys with your Google or Twitter accounts, you need to log in through Chrome. No luck with Firefox (for the moment). The same was true when I used the Titan key with Twitter.

I've used a YubiKey to protect my LastPass account for years, and was surprised to see that my password manager of choice doesn't support the Titan keys. Even with my YubiKey, I can only use it as my second factor authenticator for my Google account via Chrome.

Developers and the people behind FIDO need to work more closely to bring broader support for Titan, YubiKey, and U2F generally. I have yet to find a bank that accepts a hardware 2FA, for example. It's frustrating to try and enroll your security key for a service, only to find you're in the wrong browser, or that this specific security key isn't supported by the service. Without broader support, these devices won't get used for much and will likely do more to confuse the uninitiated than help.

An Industry Titan

The Google Titan Security Key Bundle has everything required to secure your Google account from password theft, phishing, and a variety of other attacks. Setup is easy, and plugging in a key or tapping a Bluetooth device is often easier than looking up (and possibly mistyping) a one-time code from an app. The Bluetooth key presents a small, theoretical security liability in that it transmits wirelessly, but of greater concern is that its battery could simply die.

With these two devices, you're ready to secure your Google account and any other supported service. The $50 price tag is well earned with two smart, durable devices. You won't go wrong with these. It takes a top score, but we're withholding an Editors' Choice award for this category until we can review more competing products.

About Max Eddy