Google Buries the Hatchet With Yubico, Brings Physical Security Keys With USB-C


After launching its Titan Key last year, Google has returned with a new version of its two-factor security dongle featuring USB-C.


The inspiration behind the Titan Key came from a Google mandate in 2017 requiring all of the company’s 85,000 employees to use a physical two-factor security device when logging into any accounts. Once the system was implemented, Google claims not a single employee account got hacked, even after more than a year. After that, Google decided to make and sell its own security dongle to the public.

Adding a USB-C variant to the Titan Key lineup makes a ton of sense—Google’s previous offerings were limited to a standard USB-A dongle and a Bluetooth version with a micro USB port. That meant even though Google’s Titan Key supports Windows, Android, iOS, and macOS, you couldn’t actually plug the older Titan Keys into a number of phones or modern MacBooks and iPads without an adapter.

However, unlike the previous two models, the new USB-C Titan Key does not come with support for NFC, which seems like a strange omission. But aside from that, you’re still looking at the same list of features, including FIDO certification and Google’s Titan security chip embedded inside.

Google’s new USB-C Titan Key is made in partnership with Yubico—which also makes its own line of two-factor authentication dongles—and even potentially signals that any disagreements between the two companies regarding the security of the Bluetooth protocol have been buried. That said, Yubico’s YubiKey products offer slightly wider compatibility thanks to a model with an Apple Lightning port and support for the WebAuthn protocol.

Last year, Yubico claimed that it had explored adding Bluetooth support to its security key products and even contributed to the development of the BLE U2F standard, only to end up axing that idea saying “BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.” The disagreement over the security implications of Bluetooth compatibility in security keys followed a test period in which Google worked on its Advanced Protection Plan internally and provided Yubico devices to its employees for security purposes.  

This later proved to be a wise decision by Yubico as the first run of Google’s Titan Keys contained misconfigured Bluetooth pairing settings, which made it possible for a potential hacker to gain access to the device at the time of its use, as long as they were within range (around 30 feet). This exploit was later addressed in subsequent revisions, with Google offering free replacements for the affected T1 or T2 Titan Key models.


The USB-C Titan Key goes on sale tomorrow from the Google Store for $40. Alternatively, Google is also separating its previous $50 Titan Key bundle, so you’ll be able to purchase the USB-A Titan Key for $25, with the Bluetooth model going for $35.

Senior reporter at Gizmodo, formerly Tom's Guide and Laptop Mag. Was an archery instructor and a penguin trainer before that.



This might be useful in a few years when all computers have multiple Type-C ports, but for now it will block a very important port on most people’s devices.

There is also another practicality issue... how are people expected to use this? I see a loop, I assume for a key ring. But if it’s supposed to be attached to a keychain, now my keys need to be next to my computer. Depending on the computer, desk, keys, etc. this might mean keys lying where my mouse goes, keys hanging from my USB port, or keys awkwardly plugged into a hub of some kind.

It’s not that those things can’t be worked around, but they should design the device for its intended use case. Make it have a special disconnect or clip, and for God’s sake don’t leave the USB plug sticking out like that.

It’s just not an especially practical solution. Fine for a big company like Google for their staff to use at work. But for everyday PC users? I think it’s too big a barrier to entry. The Bluetooth version is more reasonable, but also has a lot of its own security issues to contend with.

Probably the best way to go, for average users, would be to use their phone as the security key, unlock the phone to unlock the PC.