Google has announced the availability of its Titan Security Key, a hardware two-factor authentication (2FA) solution.
Before we get to the hardware, however, let’s take a quick security side-trip. Because Google refers to this key as a “two-step verification” solution, not a 2FA solution.
And security geeks will tell you, correctly, that these two terms are not interchangeable. I don’t really care, and I don’t really see the difference from the perspective of the user, but let’s go down the rabbit hole.
With 2FA, you use two mechanisms to authenticate your user account. This is usually a password (“something you know”) and your phone, either using a platform-based pop-up or an authenticator app (“something you have”). (It can also include “something you are,” which refers to biometric authentication.)
Two-step authentication is literally just two authentications, each of which could be the same type of authentication. So, for example, in that phone-based example where you’re asked to authenticate using a pop-up or an app, that is technically not “something you have,” but is often rather just a second password-like thing. (Microsoft, for example, often makes you match a number that is displayed where you are signing in to one in its authenticator app pop-up.)
That’s the theory. But like I said, whatever. For most people, the difference is largely theoretical, and you can’t perform the second authentication without something you have, e.g. your phone. And you (should) need to authenticate to get into the phone in the first place.
Yes, security is tedious.
Anyway, I’ve been preaching the need for 2FA/two-factor authentication in all online accounts for years, and in particular for your core online accounts, such as those from Amazon, Apple, Google, and Microsoft, and for any accounts for which you are saving payment information.
And Google supports a variety of 2FA/two-factor authentication solutions. You can use an authenticator app, receive SMS-based security codes, or, more recently, use your phone itself as the second factor via those handy platform-based pop-ups.
And now Google supports a new hardware-based 2FA solution via its Titan Security Key solution. Available now for $50 from the Google Store, the Titan Security Key works like other fob-based authenticators (Yubikey and so on) by providing its own onboard security firmware to ensure that the system is secure and safe from phishing attacks.
Titan Security Keys are compatible with Google accounts, of course, including consumer (Gmail) accounts, G Suite, Google Cloud Identity, and Google Cloud Platform. But because they are FIDO-compatible, they also work with other compatible account types, including Facebook, Dropbox, Stripe, Twitter, and many more.
The Titan Security Key is available in the U.S. today but will be shipping to additional regions soon, Google says.
Should you buy one?
No, probably not. For most individuals, the 2FA capabilities in your smartphone are enough to protect your online accounts. This is especially true if your phone has a secure fingerprint reader that’s been configured as a requirement for any authentication request.
But if you’re curious, you can learn more about this technology from the Google Cloud blog or from the Titan Security Key website.