After a few weeks of teasing, having been introduced at Google's Cloud Next Conference, the Google Titan Security Key is now available for purchase in the Google Store. The $50 bundle includes a pair of keys, actually. One is a traditional USB-A (and NFC, but more on that in a second) model. The other includes USB (via a micro-USB adapter) and Bluetooth.
Here's what you need to know:
- The Titan Security Keys are based on standards from the FIDO Alliance, which develops the Universal 2nd Factor standard used in two-factor authentication. So that's FIDO, U2F, and 2FA, for those of you who prefer acronyms.
- These keys are a more secure form of two-factor authentication. You'll still need your password, but then you'll plug in (or use Bluetooth or NFC) your key and tap it for that second factor of authentication.
- (No, these aren't also fingerprint scanners.)
- The USB Titan Key also does NFC, which works great with phones. However, we're awaiting an update to the Android software itself to be able to use NFC with the Titan Key. (Other U2F NFC keys, like the Yubico Neo, work just fine at the moment.)
- This is the sort of thing you'll need to use in conjunction with the Google Advanced Protection Program. More on that here.
Why's Google doing this? To help push adoption, for one thing. SMS two-factor codes are notoriously interceptable, and even software tokens aren't much better. With a physical hardware key, you're proving that someone (presumably you) is in possession of the key. And as an added layer of security, the keys allow your browser to report back which page you're trying to log in from. If it's from something like www.googl3.com and not www.google.com (or something far more sneaky), it'll be rejected.
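The origin check described above can be sketched as follows. This is an added example, not Google's or the FIDO Alliance's code: it assumes the app ID is simply the site's origin, uses HMAC as a stand-in for the ECDSA P-256 signature a real U2F key produces, and all function names and sample values are constructed for illustration.

```python
import hashlib, hmac, json, struct

# Constructed stand-in for the key's secret. A real U2F token signs with a
# per-site ECDSA P-256 key; HMAC is swapped in so this runs on the stdlib.
TOKEN_SECRET = b"constructed-demo-secret"

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the page's script, records the origin it is really on."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()

def token_sign(app_id: str, client_data: bytes, counter: int) -> bytes:
    """Signed bytes: SHA-256(app ID) | user presence | counter | SHA-256(client data)."""
    msg = sha256(app_id.encode()) + b"\x01" + struct.pack(">I", counter) + sha256(client_data)
    return hmac.new(TOKEN_SECRET, msg, hashlib.sha256).digest()

def server_verify(own_origin: str, issued_challenge: str,
                  client_data: bytes, counter: int, signature: bytes) -> str:
    """Relying-party checks; returns 'ok' or the reason for rejection."""
    fields = json.loads(client_data)
    if fields.get("origin") != own_origin:
        return "rejected: origin mismatch"
    if fields.get("challenge") != issued_challenge:
        return "rejected: challenge mismatch"
    expected = token_sign(own_origin, client_data, counter)  # stands in for ECDSA verify
    if not hmac.compare_digest(expected, signature):
        return "rejected: bad signature"
    return "ok"

def login_attempt(page_origin: str, tamper_origin: bool = False) -> str:
    """One login at page_origin, checked by the server for https://www.google.com."""
    real, challenge, counter = "https://www.google.com", "constructed-challenge-123", 7
    client_data = browser_client_data(page_origin, challenge)
    signature = token_sign(page_origin, client_data, counter)
    if tamper_origin:  # client data edited after signing to claim the real origin
        client_data = browser_client_data(real, challenge)
    return server_verify(real, challenge, client_data, counter, signature)

if __name__ == "__main__":
    print(login_attempt("https://www.google.com"))
    print(login_attempt("https://www.googl3.com"))
    print(login_attempt("https://www.googl3.com", tamper_origin=True))
```

Because the key signs over both the app ID hash and the hash of the browser-built client data, a response produced on the look-alike page fails at the real site whether or not the recorded origin is altered afterwards.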
Google also controls this hardware, as well as the firmware. Unlike other U2F keys, the firmware is locked down and can't be modified. And to be clear, it doesn't just work with Google's two-factor systems. It still works with anything that uses the FIDO standards.
And that's that. Google is selling these as a bundle, for now, because you really should keep one key on hand, and stash the other as a backup. (You'll need to register both with whatever services you're using, obviously.)
If you care about your online security, this could well be the best $50 you spend.