Skip to main content

Google announces its own security key for stronger logins

Google announces its own security key for stronger logins

/

Released first to Cloud customers, the key will be made available to the public in the coming months

Share this story

Illustration by Alex Castro / The Verge

Today at the Next conference, Google announced a new product called the Titan Security Key, currently available to Cloud customers and scheduled for general sale in the coming months. The key is used to authenticate logins over Bluetooth and USB, similar to existing offerings from Yubico and other providers. A Google representative said the Titan key also includes special firmware developed by Google to verify its authenticity.

“Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key,” Google said in a post announcing the key.

The Titan key is built to the FIDO specification, a long-planned authentiation standard supported by a number of apps and browsers. As a result, the device can also be used to log into non-Google services, although those services may not be able to take advantage of the same firmware verification. (Google accounts have supported security key and other FIDO logins since 2014.) Like previous security keys, the Titan key offers significantly stronger security than a confirmation code, which can sometimes be stolen through a relay attack.

Users hoping to take advantage of that protection should make sure to disallow non-security key logins, available through Google’s Advanced Protection program. It’s also wise to keep a second key in protected storage in case the primary key is lost or stolen.

Google has been testing the key internally for over a year, but only recently made it available outside the company. Google employees are required to log in with physical tokens for security reasons, a system that seems to be working. Earlier this week, the company announced it had not had a single successful account takeover since implementing the policy in early 2017.