Google’s in-house security key is now available to anyone who wants one

Photo by James Bareham / The Verge

Google’s Titan Security Key is finally available to anyone who wants one. The two-factor token went live today in the Google store, with a full kit available for $50, shipping immediately. The kits include a USB key, a Bluetooth key, and various connectors. The key has been available to Google Cloud customers since July, when the project was first publicly announced.

Built to the FIDO standard, the Titan keys work as a second factor for a number of services, including Facebook, Dropbox, and Github. But not surprisingly, they’re built particularly for Google account logins, particularly the Advanced Protection Program announced in October. Because the keys verify themselves with a complex handshake rather than a static code, they’re far more resistant to phishing attacks than a conventional confirmation code. The key was initially designed for internal Google use, and has been in active use within the company for more than eight months.

According to Google, the production process also makes the keys more resistant to supply chain attacks. “This firmware is sealed permanently into a secure element hardware chip at production time in the chip production factory,” Cloud product manager Christian Braand said in a post today. “The secure element hardware chip that we use is designed to resist physical attacks aimed at extracting firmware and secret key material.”

You can enable security keys in your Google account from the two-step verification page, or sign up for the Advanced Protection Program here.


No USB C version? That’s a bit annoying.

Their own product page has shows the Pixelbook using an adapter.

That is.. considerably goofier than I would have expected from Google. I get that they want to show off their own hardware when possible, but that just looks silly with an adapter.

apple normalised adapters. It’s no longer silly but essential

Apple didn’t normalize anything; they just force them on people with every "update." But they’ve always looked silly, and will continue to do so.

Being normalized and looking "normal" are not mutually exclusive.

it’s a feature! an extra security step! the potential hacker would need to find an adapter. It’s safer!

It’s also manufactured in China so…

The USB key is meant as the backup key, not the primary — it makes perfect sense to keep it to the current "everyone has one" (or can adapt to one) style of port.

It’s Bluetooth…. What you’re describing is the backup. It makes sense for this to be USB A because that’s still by far more common.

Google’s in-house security key is now available to anyone IN THE US who wants one

yeah Verge staff should be less US-centric in their titles

If they won’t change their clickbaity ways, this won’t change as well. This gets more views.

i’m not even that annoyed by the omission in the title but at least put it in the article.

The last link in the article for the Advanced Protection Program gives me links to the maker of the FIDO key. It seems to ship overseas, but I can’t be sure.

i still have to study it a bit better (sellers seems a bit sketchy) but i got referred to amazon italy to buy the wireless and usb keys. thanks for the suggestion.

Also, the USB key is different.

It leads me to this page:

And from there if you look at the USB NFC key it looks similar?

the wireless key looks the same.
the usb backup key i see looks like this:
(this is not the exact link, it’s just a reference)

Ah I see. I think it should work the same, since it’s all part of the same standard? If you choose the USB NFC option it looks like the one in the article though!

That dongle!

Does anyone have more details on how it works exactly? Do you pair the BT dongle with each device you want to authenticate, or does it just pair with your phone and it authenticates you? If the former, will it connect with multiple devices a once, like my phone and my laptop?

Many of the posts do point out problems with this particular implementation, but I do think it is a step in the right direction. I understand two factor authentication, but how is this more secure than fingerprint recognition?

I’m not sure it’s much more secure but it is for different use cases. Afaik, you can’t use a fingerprint for 2FA for many (any?) online services. Sure, some apps allow you to authenticate with a fingerprint but that is only single factor as the fingerprint usually replaces the password whereas this device is in addition to a traditional password.

Beyond that, it seems like Google has gone above and beyond to ensure that the chip itself is secure throughout production since there is a possibility for these chips to be compromised physically before they even get to consumers.

Fingerprints are more of a convenience security then anything else. There is nothing more secure then a long password secured in your brain but of course that isn’t feasible for 10 million online accounts so your next best bet is an encrypted password vault with 2FA enabled. Simply using your fingerprint all it does is tell the system to use the password or decrypt the data, it doesn’t use a completely separate method of verification like 2FA.

Also remember that the government or someone who abducts you for that matter will force you to give them your fingerprint and they can unlock your stuff with it. They can’t force you to give up a password.

Interesting! I didn’t realize that the fingerprint reader just unlocked and entered the password. I assumed that the fingerprint WAS the password. Thanks guys!

View All Comments
Back to top ↑