Google Titan Security Key Bundle Review - PCMag


By Max Eddy, Senior Security Analyst
September 19, 2018
https://www.pcmag.com/reviews/google-titan-security-key-bundle

My Experience: Since my start in 2008, I've covered a wide variety of topics from space missions to fax service reviews. At PCMag, much of my work has been focused on security and privacy services, as well as a video game or two. I also write the occasional security columns, focused on making information security practical for normal people. I helped organize the Ziff Davis Creators Guild union and currently serve as its Unit Chair.

Rating: 4.0 Excellent

The Bottom Line

Google's Titan Security Key Bundle is a pair of small USB devices that adds super secure two-factor authentication to your accounts. The price may seem steep, but the extra security is worth the cost.

MSRP $50.00; $25.00 at Google Store

Pros

Two devices for fast and secure two-factor authentication.
USB key requires no batteries.
Bluetooth key connects to both phone and PCs.
Easy integration with Google.
Increasing support on other platforms.

Cons

Not yet widely supported.
Requires Chrome for some services.
Battery-powered Bluetooth key is point of failure, requires microUSB.
No cohesive on-boarding.

It turns out that people are actually very bad at creating and remembering passwords, and very good at inventing new ways to break into password-protected systems. Google aims to solve at least one of those problems with its Titan Security Key bundle. The product is made up of two devices that, when used correctly, make it significantly harder for bad guys to break into your online accounts by requiring both a password and a physical key to log in to a website or service.

How It Works

Two-factor authentication (2FA) isn't just a second step after entering a password—although this is often how it plays out in practice. Instead, 2FA combines two different authentication mechanisms (that is, factors) from a list of three possibilities:

Something you know,
Something you have, or
Something you are.

A password, for example, is something you know. In theory it should only exist in your head (or safely inside a password manager). Biometric authentication—such as fingerprint scans, retina scans, heart signatures, and so on—counts as something you are. The Titan Security Keys and products like them are something you have.

An attacker could get your password from a distance, perhaps by looking it up on a list of passwords from a data breach or by sending a phishing email that tricks you into handing over your password. But with 2FA, that same attacker would have to somehow get to you, personally, and steal your Titan keys (or fingerprint) in addition to your password. It could be done, but it's much harder, which protects you from the vast majority of attacks that rely on leaked or easily guessed passwords.

There are many other ways to get the protection afforded by 2FA. Signing up to receive one-time passcodes via SMS is perhaps the most common way, but using Google Authenticator and services like Duo are popular alternatives that don't require receiving an SMS message.

But phones can be stolen and SIM-jacking is apparently a thing we need to worry about now. That's why physical devices like the Titan keys are so attractive. They're simple and reliable, and Google has discovered that deploying them internally completely wiped out phishing attacks and account takeovers.

What's in the Box?

Inside the Titan Security Key Bundle is not one device, but two: a slim, USB key and a Bluetooth powered key fob. Both are cast in sleek white plastic and have a pleasant, sturdy feel to them. The USB key, in particular, makes a very satisfying sound when tossed on a table. I have done this several times just for the joy of it.

The Bluetooth key has a single button, and three LED indicators to show authentication, Bluetooth connection, and that it's either charging or in need of a charge. A single microUSB port on the bottom is for charging and/or connecting the Bluetooth key to your computer. The USB key is flat with a gold disk on one side, which detects your tap and completes the authentication. The USB key device has no moving parts, requires no batteries. According to Google, both devices are water resistant, so you might want to keep them out of the pool.

Both are intended to be put on a keychain and kept on your person (or close at hand), which means that nice white finish may prove a liability. Rattling around on a keyring is sure to put some noticeable wear and tear on the pristine Titan devices. I've been using a Yubico YubiKey 4 for several years, and it's starting to look pretty worn despite being cast in black plastic. In my short time testing the Titan keys, the USB-A connector was already starting to look a little scraped up.

Also in the box are some stylishly designed—if a bit vague—instructions, along with a microUSB to USB-A cable, and a USB-C to USB-A adapter. The microUSB charges the Titan Bluetooth key, which, unlike the USB key, can run down. A battery indicator flickers red when it's time to recharge. The Titan USB key, like the YubiKey, does not require a battery. You can also use the microUSB adapter to connect your Bluetooth key to a computer, where it can function in the same manner as the Titan USB key.

Both the Bluetooth and USB-A keys are compliant with the FIDO Universal Two-Factor standard (U2F). This means they can be used as a 2FA option without additional software. This is the only protocol supported by the Titan keys, meaning they can't be used for other authentication purposes.

When the Titan keys were first announced, a journalist discovered that the components of at least the Bluetooth key were from a Chinese manufacturer. Google confirmed to me that the company contracts a third party to produce the keys to the company's specifications. Some in security circles viewed this as a potential risk, considering that China has been accused of carrying out digital attacks on US institutions. To my mind, however, if you don't trust Google to properly vet its hardware partners then you probably don't trust Google enough to use its security products in the first place, and you should look elsewhere.

Turning the Key

Before the Titan keys can be used, they must first be enrolled with a site or service that supports FIDO U2F. Google obviously does, but so do Dropbox, Facebook, GitHub, Twitter, and others. Since the Titan keys are a Google product, I started by setting them up to secure a Google account.

Setting up the Titan keys with your Google account is straightforward. Head over to Google's 2FA page, or visit your Google account security options. Scroll down to Add Security key, click, and the site prompts you to insert and tap your security USB key. That's it! Enrolling the Bluetooth key only requires the additional step of attaching it to your computer via the included microUSB cable.

Once enrolled, I went to sign in to my Google account. After entering my password, I was prompted to insert and tap my security key. Plugging the USB key into a port prompts the green LED to flash once. The LED glows steady when you're presented with a request to tap the key.

When I tested using a fresh account that had never used 2FA, Google first required that I set up SMS one-time passcodes. You can remove SMS codes if you prefer, but enrolling in Google's 2FA program requires that you use at least SMS codes, or the Google Authenticator app, or a Google authentication push notification sent to your device. That's in addition to whatever other 2FA options you select. Please note that the Google Titan key does not require SMS or any other service to function, but many services (Twitter included) encourage you to verify a phone number in order to prove you're a real person.

If you select multiple 2FA options, you can choose the one that works for you in a given scenario. It's also a good idea to have a back-up authentication method, in case you lose your keys or your phone breaks. SMS notifications are fine, but I also use paper keys, which are a series of one-time use codes. These codes are widely supported and can be written down or stored digitally (but hopefully encrypted!). However, I did notice that to make changes to my 2FA settings after I enrolled my Titan key, only it and push notifications to my phone via the Google app were acceptable authenticators.

According to the box, the Titan key and Bluetooth key are both NFC compatible, but I wasn't able to get them to work that way. When prompted to use a 2FA device on my Android phone, I followed the instructions and slapped the key on the back of the phone, but to no avail. Google confirmed to me that the devices are NFC capable, but that support will be added to Android devices in the coming months.

I had no such trouble logging in to my Google account on an Android device using the Bluetooth key. Again, I was prompted to present my key after entering my password. An option at the bottom of the screen let me select using an NFC, USB, or Bluetooth authenticator. When I selected Bluetooth the first time, I was prompted to pair the Bluetooth key with the phone. Most of this was handled automatically by Google, although I did have to enter the serial number on the back of the Bluetooth key. Enrolling the device in this way only needs to be done once; every other time you just need to click the Bluetooth key's button to authenticate yourself. Interestingly, I didn't see the Bluetooth key in the phone's list of recent Bluetooth devices, but it still worked just fine.

Just for the heck of it, I also tried logging in using the included USB-C adapter and the USB security key. It worked like a charm.

In addition to its 2FA login scheme, Google also offers the Advanced Protection Program to individuals that may be at particular risk for attack. I didn't try out Advanced Protection in my testing, but it notably requires two security key devices, so the Titan Security Key Bundle is ready to work with this login scheme as well.

The Titan keys should work with any service that supports FIDO U2F. Twitter is one such example, and I had no trouble enrolling the Titan USB key with Twitter, or using it to log in later.

How the Google Titan Security Key Compares

There's a growing list of hardware authentication devices that compare with the Titan Security Keys, but the industry leader is likely Yubico's line of YubiKey products. These are nearly identical to the Titan USB-A key: slim, rugged plastic and designed to sit on a keyring with a small green LED and a gold disk that registers your touch with no moving parts.

While Yubico doesn't offer anything like the Titan Bluetooth key, it does have several different form factors to choose from. The YubiKey 4 series, for instance, has two keys of comparable size to the Titan USB key: the YubiKey 4 and YubiKey NEO, the latter of which is NFC-enabled. Yubico also offers USB-C keys, which work with any device that sports that particular port, no adapter required.

If keys aren't your style, you can opt for the YubiKey 4 Nano or its USB-C sibling, the YubiKey 4C Nano. The Nano-style devices are much smaller—just 12mm by 13mm—and are designed to be left nestled inside your device's ports.

All of the YubiKey 4 devices above cost between $40 and $60, and that's just for one key. However, these are all multi-protocol devices, meaning you can not only use them as FIDO U2F devices, but also to replace a smart card for computer login, for cryptographic signatures, and for an array of other features. Some of these are available through the optional client software provided by Yubico. This lets you change what the YubiKey does and how it behaves, which is sure to tickle any security wonk's fancy. The Titan keys just support U2F and the W3C WebAuthn standard, and have no associated client software to change their functionality.

The least expensive YubiKey is also the one that appears to be closest in functionality to the Google Titan key. The blue Security Key by Yubico works anywhere U2F is accepted, but doesn't support the other protocols that the YubiKey 4 series does. It also supports the FIDO2 protocol. It doesn't have the Bluetooth key included in the Google Titan bundle, but it also costs less than half at a mere $20.

While Yubico's products are at least as technologically capable and durable as the Titan key, the company's weakness has been explaining which of its keys do what and where they are supported. The Yubico website has several dizzying charts filled with acronyms that make even my eyes glaze over. The Titan keys, on the other hand, favor an almost Apple-like simplicity and out-of-the-box usability.

There are software solutions to 2FA as well. I've mentioned Duo, and both Google and Twilio Authy also offer one-time codes via apps, as does LastPass through a dedicated app. Software authenticators are useful, and perhaps more convenient if you always have your phone handy. But hardware 2FA devices like the Titan key are more durable than a phone, never run out of power, and require just a tap instead of entering one-time codes generated by an app. A hardware key is also harder to attack than an app that lives on your phone, though phones are pretty secure these days. In the end, choosing between a hardware or software 2FA solution will likely come down to personal preference.

The Problem of Support

Despite the name, FIDO Universal Two-Factor standard support is far from universal. To use your Titan keys with your Google or Twitter accounts, you need to log in through Chrome. No luck with Firefox (for the moment). The same was true when I used the Titan key with Twitter.

I've used a YubiKey to protect my LastPass account for years, and was surprised to see that my password manager of choice doesn't support the Titan keys. Even with my YubiKey, I can only use it as my second factor authenticator for my Google account via Chrome.

Developers and the people behind FIDO need to work closer to bring broader support for Titan, YubiKey, and U2F generally. I have yet to find a bank that accepts a hardware 2FA, for example. It's frustrating to try and enroll your security key for a service, only to find you're in the wrong browser, or that this specific security key isn't supported by the service. Without broader support, these devices won't get used for much and will likely do more to confuse the uninitiated than help.

An Industry Titan

The Google Titan Security Key Bundle has everything required to secure your Google account from password theft, phishing, and a variety of other attacks. Setup is easy, and plugging in a key or tapping a Bluetooth device is often easier than looking up (and possibly mistyping) a one-time code from an app. The Bluetooth key presents a small, theoretical security liability in that it transmits wirelessly, but of greater concern is that its battery could simply die.

With these two devices, you're ready to secure your Google account and any other supported service. The $50 price tag is well earned with two smart, durable devices. You won't go wrong with these. It takes a top score, but we're withholding an Editors' Choice award for this category until we can review more competing products.