As the world gets more digital, some of our most valuable possessions are increasingly those which we cannot touch: documents, photos, emails and other private messages. You may even want to protect your social media accounts. But locking down things you can’t touch can, to some, be confusing. Other high-value possessions require a human touch to ensure protection. Cars get locked with keys, pushing a button, closing a garage or all of the above. Houses are secured in a similar manner, while cash and jewelry go in a vault secured with a code you must navigate with your fingers. But protecting your digital assets is usually a virtual affair.
This is all changing with security keys, hardware that provides an extra layer of security by requiring you to touch them in order to log into certain applications. Google has entered the market with its Titan Security Keys, which were announced last month and arrived in the Google Store today for $50.
I tried out the key for myself and, while I had a little trouble getting set up, I feel confident about the security of important accounts such as Google and Twitter. But is the protection it enables really as strong as the god-like Titan name implies?
Setting Up My Google Titan Key
Journalists are among the high-risk users Google identifies as good candidates for its Titan Key. I for one do a lot of my work using Gmail, Docs and Sheets. The Titan Key is also compatible with Salesforce, GitHub, Stripe, Dropbox, Twitter and Facebook, as well as any other service that supports FIDO standards.
The $50 Titan bundle comes with one USB/NFC Titan Security Key, one Bluetooth key to carry on the go, one micro-USB cable for charging the Bluetooth key and one USB Type-A to USB Type-C converter (a USB-C version is in the works).
Both keys are small, white, lightweight plastic devices, so they are a burden neither on your desk nor on your key ring.
However, sliding the Bluetooth key onto my key ring was problematic. When opening my key ring, I leaned the Titan Key against the ring while sliding it on (like I do with all my other keys), but this ended up creating a nasty scratch on the key’s upper left side.
Setting up the USB key was simple. All I had to do was go to a website Google lists with the product and follow the accurate step-by-step instructions.
The Bluetooth key needs to be registered separately. Once I registered the Bluetooth key, I was able to use it to sign into accounts on my PC.
However, to use it with my iPhone, I was required to download Google’s Smart Lock app. Once I downloaded it and enabled Bluetooth on my phone, I signed into my Google account. But that’s as far as I got.
Clicking on my Google account opened a web browser window reading “You’re all set. Your account has been securely set up on this phone” with an option to hit done. I hit done, and it took me back to the Smart Lock app with the same page listing my Google accounts. And despite enabling my phone’s Bluetooth, I still haven’t been able to find the key in the available devices list. The Bluetooth key did work when my colleague tried it on an Android phone, but I've never been able to pair it with my iPhone.
For me, the Titan Key is limited to my PC unless I get an Android phone. I reached out to Google about the issue, but they were not able to help me fix it in time for publication.
It's also worth noting that some, including Yubico, find Bluetooth inherently insecure. In response to Titan Key's unveiling last month, Yubico CEO Stina Ehrensvard wrote in a blog post: "While Yubico previously initiated development of a [Bluetooth] security key and contributed to the [Bluetooth] U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. [Bluetooth] does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience."
Update 5/15/19: Today Google announced a security flaw among its Bluetooth keys and started offering free replacements. It also noted that using one of its keys is still more secure than not using one at all. You can learn more about how Google Titan's Bluetooth security key can be hacked here.
Using My Google Titan Key
The Titan Key performed superbly on Google applications (again, on my PC only); however, it only works with the Google Chrome browser. When I tried logging into Google Mail, Docs or Sheets on a new device, or even after clearing my browser history, I was asked to enter my password. Afterwards, I was met with a second barrier of defense.
The only way through this next wall is to insert my USB key into a USB port on my computer and then touch the little gold circle with my finger. Since no one can get at my work (including, at the time, a draft of this article) unless they pry the key out of my hands, I can rest assured that even someone who manages to guess my password will be blocked.
Note that the USB key is not a fingerprint reader, so anyone who can access the key can press it and break down that extra wall of security. As such, it’s really important you keep your USB key somewhere safe where no one else can find it. It’s necessary to remove it from your computer after each use unless you only work at home, and you’ll need a safe place to store it. However, this is a small requirement for a notable boost in security.
Google Titan and Social Media
While the Titan Key is compatible with a number of apps outside the Google realm, I decided to try it out on social media, since even non-professionals frequent those sites and I use Twitter and Facebook often.
To perhaps no one’s surprise, Facebook remained the most vulnerable. On my first day with the key I added the security key but was never asked to implement it after clearing my browser history or logging in on a PC I don't always use. So, I looked at my privacy settings again but could not find a way to register the key.
Twitter fared a bit better. After (easily) registering my account with 2FA and my Titan Key, I cleared my browser history and attempted logging in. After entering my password, I was indeed met with a prompt asking me to touch my key to proceed. I can rest assured that there will be no rogue tweets coming from my account.
Using a mobile browser was another story. When I tried logging into Twitter on the Safari browser on my phone, I was told my browser doesn’t support security keys. So, I begrudgingly downloaded Google Chrome (Safari has always worked just fine as a mobile browser for me); however, I encountered the same error message. Therefore, I can’t log into my Twitter account on my phone anymore unless I use the Twitter app.
Google: Security Key Customer-Turned-Seller
In 2009, Google partnered with Yubico to develop its YubiKey for public key cryptography. The two firms collaborated on “a strong authentication protocol based on the concept of a single unphishable key to secure all services,” according to Yubico, which would later be adopted by the FIDO Alliance as the FIDO Universal 2nd Factor (U2F) standard. By 2012, Google was working with both Yubico and NXP Semiconductors to develop and deploy keys.
In 2016, after two years of analyzing other security measures, such as one-time passwords (OTPs) and TLS certificates, Google rolled out the YubiKey to “all staff and contractors for secure computer and server login, reaching more than 70,000 employees to date” with the following results:
In October 2017, Google launched its Advanced Protection Program, targeting high-risk users. The program makes a hardware-backed FIDO U2F security key a requirement for logging into Google accounts.
Now, Google is ready to take on its former vendor with the Titan Security Key, a FIDO security key that comes with a built-in hardware chip running firmware Google engineered itself. Christiaan Brand, Google Cloud product manager, further explained the reasoning in a blog post today, hailing FIDO-based security keys as “the strongest, most phishing-resistant second factor of authentication on the market today.” The blog also cites a 2018 security report by Verizon, finding that 41.6 percent of breaches in the 12-month period researched resulted from stolen passwords, phishing and pretexting.
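The sign-in described under "Using My Google Titan Key" (password first, then insert the key and touch the gold circle) and the "most phishing-resistant second factor" claim quoted above rest on the same U2F mechanism: the browser hands the key the origin the user is actually on, the key only answers for an origin it was registered with, and the service checks that origin hash plus a strictly increasing use counter. The following is an added example that is not code from Google, Yubico or the FIDO Alliance, and it simplifies one thing on purpose: a real key signs with a per-service ECDSA P-256 private key and the service keeps only the matching public key, whereas here an HMAC with a per-registration secret stands in for that signature so the example runs on the Python standard library alone. The origins, class names and challenges are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import secrets

# Added example, not Google's, Yubico's or the FIDO Alliance's code. HMAC stands
# in for the ECDSA signature a real U2F key produces; origins below are constructed.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Toy authenticator: one registration secret per key handle, bound to an origin hash."""

    def __init__(self):
        self._registrations = {}   # key handle -> (app_param, secret)
        self.counter = 0           # monotonic use counter, covered by every assertion
        self.touched = False       # user-presence flag: the gold circle on the real key

    def register(self, app_id: str):
        app_param = sha256(app_id.encode())          # U2F "application parameter"
        handle, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._registrations[handle] = (app_param, secret)
        return handle, secret   # toy only: a real key hands back a public key, never a secret

    def authenticate(self, app_id: str, handle: bytes, challenge: bytes):
        if not self.touched:
            return None          # no touch, no assertion
        entry = self._registrations.get(handle)
        if entry is None or entry[0] != sha256(app_id.encode()):
            return None          # handle was issued for a different origin: refuse
        self.counter += 1
        signed = entry[0] + b"\x01" + self.counter.to_bytes(4, "big") + sha256(challenge)
        return {"counter": self.counter,
                "sig": hmac.new(entry[1], signed, hashlib.sha256).digest()}


class RelyingParty:
    """Service side: stores handle and verification secret, checks origin hash and counter."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}   # username -> {"handle", "secret", "counter", optional "pending"}

    def enroll(self, user: str, key: SecurityKey):
        handle, secret = key.register(self.origin)
        self.users[user] = {"handle": handle, "secret": secret, "counter": 0}

    def challenge(self, user: str):
        rec = self.users[user]
        rec["pending"] = secrets.token_bytes(32)
        return {"handle": rec["handle"], "challenge": rec["pending"]}

    def verify(self, user: str, assertion) -> bool:
        rec = self.users[user]
        pending = rec.pop("pending", None)
        if assertion is None or pending is None:
            return False
        signed = (sha256(self.origin.encode()) + b"\x01"
                  + assertion["counter"].to_bytes(4, "big") + sha256(pending))
        expected = hmac.new(rec["secret"], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False         # wrong origin hash, wrong challenge or wrong key
        if assertion["counter"] <= rec["counter"]:
            return False         # counter did not advance: replay or cloned key
        rec["counter"] = assertion["counter"]
        return True


def browser_sign_in(page_origin: str, request, key: SecurityKey):
    """The browser passes the origin of the page the user is on, not whatever the page claims."""
    return key.authenticate(page_origin, request["handle"], request["challenge"])


def demo():
    rp = RelyingParty("https://mail.example")
    key = SecurityKey()
    rp.enroll("alice", key)
    results = {}

    # Key plugged in but not touched: no assertion is produced.
    results["untouched"] = rp.verify("alice", browser_sign_in(rp.origin, rp.challenge("alice"), key))

    key.touched = True
    results["genuine"] = rp.verify("alice", browser_sign_in(rp.origin, rp.challenge("alice"), key))

    # Phishing page relays the real handle and challenge, but the browser reports the
    # look-alike origin, so the key refuses and the service never sees an assertion.
    relayed = rp.challenge("alice")
    results["phished"] = rp.verify("alice", browser_sign_in("https://mai1.example", relayed, key))

    # A perfect clone of the key shares its counter; once the original is used again,
    # the clone's next assertion carries a counter that no longer advances.
    clone = copy.deepcopy(key)
    results["original_after_clone"] = rp.verify("alice", browser_sign_in(rp.origin, rp.challenge("alice"), key))
    results["clone"] = rp.verify("alice", browser_sign_in(rp.origin, rp.challenge("alice"), clone))
    return results


if __name__ == "__main__":
    print(demo())
```

The `touched` flag is the point the review makes about the gold circle: it proves someone is physically at the key, not who that someone is, which is why the password still matters and why the key should not be left in the machine. The counter check is the property that makes a silently copied key detectable the next time both copies are used against the same account.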
Do You Need a Google Titan Key?
One of the biggest arguments for getting a Titan Key is your profession. When I asked Google’s Brand which users the key targets, he said, “This is any user who kind of feels particularly at risk maybe because of their stature or their affiliation, reporters dealing with a particularly sensitive story, perhaps dissidents, or powerful executives, or anyone, really, that feels that they have a need for this advanced network protection.”
Professionals, such as IT administrators, business leaders, journalists or those in politics, are the strongest candidates for a Titan Key. But anyone who wants to protect their data can benefit and should consider one.
But it also depends on which apps you use. If you rely on popular supported apps, like Salesforce, Dropbox, Twitter and especially Google productivity apps, even for not-so-clandestine activities, it’s comforting to have a lasting extra layer of security for a one-time $50 cost.
However, if you don’t use any of the supported apps, it's likely not worth your time until more services include security keys.
But, if you have $50, the keys are lightweight and carefree enough to not be a burden to anyone besides hackers and other nosy folks seeking access to your accounts.
If your job’s dealings are confidential, this easy-to-use key can make sure they stay that way, saving you from being the source of an embarrassing leak. And if you just want a way to make sure no one snoops around your social media accounts and email, the Titan Key has value, just not for Facebook (but how secure do you really expect that to be anyway?).