One of the smartest things you can do for yourself — at least when it comes to your digital life — is to start using proper universal two-factor hardware keys. (We call 'em U2F in the biz.) Those are the little USB keys you use in conjunction with your password to prove that you — and not some black-hoodied hacker somewhere — are in fact the one seeking access to your accounts.
There are a few problems with U2F keys, though. First is that nobody likes having to jump through a new security hoop, especially if all you're trying to do is just get into your damn Facebook account. (Never mind that one of the other smartest things you can do for yourself is to delete your Facebook account, but that's another column for another time.)
And physical hardware keys have the added complication of needing to be accessible to you when you need them, as opposed to, say, your phone, which you're more likely to have on you at all times. That's by design, of course, and now is a good time to mention that using two-factor authentication on your phone is better than not, and certainly pretty convenient — but a U2F key is even more secure than that.
One more problem is that there's no single U2F key that's perfect for everyone, thanks to the mishmash of connection standards. Maybe you can get away with only using a USB-C hardware key, but many more folks are going to find themselves in a mix of USB-A and Lightning and USB-C and maybe Bluetooth. But we're getting closer, especially now that USB-C is growing more prevalent as a standard, with really just the iPhone as the last holdout.
So that makes this a pretty good time to declare the following: Google should include a USB-C Titan Key with every new purchase of a device bearing the "Pixel" name.
That means Pixelbooks. That means Pixel phones. And, well, OK. That's it.
Think about it for a second. There's no better time to onboard a new security feature than when you're starting up a new device for the first time. It's why things like face unlock first shipped on a new phone, and not just via a software update.
So including a U2F key along with new hardware makes perfect sense. As you're signing in to your Pixel phone or new Pixelbook, you're also prompted to set up your Titan key. It'll take just a few screens to do it, and help educate you about the other (though too few) services that support it.
Heck, I'd maybe even go so far as to make setting up the Titan key a mandatory function of signing into the phone for the first time. (OK, that's definitely a step too far, but that doesn't mean it's a bad idea.)
This isn't going to solve all of our digital security problems. At least not all at once. And for many folks, the idea of having a physical key for our digital lives is a nonstarter. And for a good many of those folks, the idea of using your phone as the secondary authentication probably is enough.
But U2F hardware keys are even more secure, especially if you're using them in conjunction with Google's Advanced Protection Program. (And, again, even that remains overkill for most folks, even if it's really the right thing to use from a security standpoint.) And at the end of the day, securing your online world is all about mitigating risk, not eliminating it.
Because the threats never really will go away.
Geez...given that the entire cloud is routinely hacked and surveilled, how is local device encryption on a cloud access device a game changer? Just saying...
That's ... not what this is?
"Geez...given that the cloud is routinely hacked and surveilled." What's your source?
You talk about "the entire cloud" as if it were one central place that contains all information and it's all monitored by somebody other than you. There are tens of thousands+ cloud servers around the world, some run by big tech companies like Apple and Google and some run by smaller entities like a mom and pop hosting website or somebody like myself running a private web server for personal family's photos and docs. I can't speak for the other companies out there but as far as my security goes, the only user allowed to "monitor" my files is either myself or my wife with the correct login credentials and verification with an authenticator. I feel like many people make assumptions based on what very little info they read on Facebook or Twitter. The cloud servers on Google and Apple are not 100% guaranteed to be safe from prying eyes, hence why I decided to set up my own. However, in my opinion they are still a very safe way to store sensitive data. Don't forget that these tech companies have their own sensitive data and it, too, must be stored on a hard drive somewhere. So I guess what I'm getting at is that the likelihood of your personal files being "hacked" or stolen is less likely than you're alluding to. To be safe, always activate a two step verification method into your sensitive logins and/or add something such as this Titan key for 100% peace of mind that your stuff isn't at risk.
A physical key also has a major drawback that isn't discussed often - the potential for lost/stolen keys with no way to track them that I can tell (unlike a phone which can be tracked (and wiped if necessary) via the "Find my phone" service provided by Google/Apple).
If you lose or have the key stolen, you unenroll the key. Pretty simple remedy.
It actually even secures the cloud because they would need to have a physical key to access your online accounts, all Google accounts support Titan keys and so does Facebook etc. All the major ones do. Now if u lose it that's on u.
I would attach it to my keys since those are always in my pocket and they have to steal them from me to have access that's the ultimate security and makes it practically impossible to get hacked without them having your key
The Pixel 3, 3a and 4 series phones actually can work as physical Titan key via the built in Titan M security chip. Of course that doesn't help protect your phone, but you can use your phone as the physical unlock key for other devices.
Exactly, along with the Pixelbook (not sure on the Slate) as well can use the power button as a U2F key. If the thought was providing a USB-C key as a secondary authentication method in case something happened to your phone then that could push adoption. I agree with every other part of the article except the reasoning.
Why should the Pixel 4 come with one? The Pixel 4 already has an onboard TPM.
I currently use a Yubikey with NFC. My only problem is that since it's on a key chain, it's a bit klugey with my phone. Is the Titan wireless key as secure?
Hey Phil, it's good to see you around!
This got me thinking. With many phones having many methods of unlocking, including multiple biometric options, is there a way to secure your device that it won't unlock unless you use 2 of them? For example if you have a fingerprint as well as a face scanner, have a 2 step process to unlock your phone.
Google is not selling those or only in some countries, all I get with the links you provide is a site in foreign language (as usual when Google or others try to second-guess the user's language), which is selling very few Google devices. This seems more an annoyance than anything else, yet another device one has to bring about, insert in every computer and hopefully not forget there when leaving. I don't see this as a practical solution, really, when all it requires is a really secure challenge in case of sensitive websites like banks, or in most cases, just a password. Also, coming from Google, we'd have to know exactly why they provide this and what it does, it's not really their main market, not even close. Unless the device uses the user's activity another way. So a regular peer review of the product seems necessary. Gadget and hype are words that come to mind ;-)
Release the Titan!!!! (Google)