Google Titan Security Key review

A great concept, but disappointing execution

Google Titan

Our Verdict

Titan Security has an excellent premise, and is an effective way to protect yourself against phishing attacks when using a desktop browser, but the mobile implementation really lets the key down, which surprised us considering it has already been available in the US for a year.

For

  • Verifies URLs and user identity
  • Bluetooth and USB keys included

Against

  • Not detected by Android phone
  • No NFC capability yet
  • iOS requires additional app

The Google Titan Security Key first launched in the US in 2018, and has now rolled out to security-conscious users in the UK, with an Australian launch expected soon. The key costs $50 in the US, and £50 in the UK (the Australian price has yet to be announced).

It works to provide an additional layer of security for your online accounts (known as two-factor authentication, or 2FA). Google recommends the Titan Security Key for anyone who has admin access to sensitive systems, or is particularly likely to be the subject of a targeted phishing attack. The company has equipped its own employees with the keys, and claims there have been no successful phishing attacks against its workers since.

How it works

A password alone only provides a limited degree of security. If your login details are leaked in a data breach, not only could a would-be criminal access that particular account, but if you happen to use the same password for multiple services (as many people do), they’ll all be vulnerable to attack.

However, the biggest threat to password-protected accounts is phishing – when you’re tricked into clicking a link in an email and entering your details into a fake login page. Sometimes the emails are generic, and relatively easy to identify, but occasionally criminals will target a specific individual with a personalized message so specific, it seems genuine.

Two-factor authentication is the best way to combat phishing. One method involves using a separate mobile app or standalone device to generate a unique one-time key, which is entered in addition to the password and verified server-side. Unfortunately, if this is entered into a phishing page, a criminal can simply enter the same code, username and password into the real login page, gain full access to your account and deactivate two-factor authentication.

A hardware key is different, verifying both the URL of the site you’re trying to log into, and your identity. The Google Titan Security Key also has firmware that checks the device’s integrity to make sure it hasn’t been tampered with.
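The difference between the one-time code and the hardware key described above can be seen in a small simulation. This is an added example, not code from Google or from the review: the site names are constructed, and an HMAC stands in for the public-key signature a real key produces, so here the server holds the same secret as the key, which a real server does not.

```python
import hashlib, hmac, json, os, struct

REAL_ORIGIN = "https://accounts.example"              # constructed site name
FAKE_ORIGIN = "https://accounts.example.signin.test"  # constructed look-alike

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code: depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def otp_login_accepted(secret: bytes, typed_at: int, relayed_at: int) -> bool:
    """The code is only digits: it verifies no matter which page it was typed into."""
    code = totp(secret, typed_at)                     # user reads it off the app
    return hmac.compare_digest(code, totp(secret, relayed_at))  # server-side check

def client_data(origin: str, challenge: bytes) -> bytes:
    """Built by the browser, which records the origin actually loaded."""
    return json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()

def key_sign(key_secret: bytes, data: bytes) -> bytes:
    """Assumption: HMAC stands in for the signature made inside the key."""
    return hmac.new(key_secret, data, hashlib.sha256).digest()

def server_verify(key_secret: bytes, challenge: bytes, data: bytes, sig: bytes) -> bool:
    """Accept only a valid signature over this challenge and the real origin."""
    if not hmac.compare_digest(key_sign(key_secret, data), sig):
        return False
    fields = json.loads(data)
    return fields["origin"] == REAL_ORIGIN and fields["challenge"] == challenge.hex()

def key_login_accepted(key_secret: bytes, page_origin: str) -> bool:
    """The challenge comes from the real site; the signature covers the page's origin."""
    challenge = os.urandom(16)
    data = client_data(page_origin, challenge)
    return server_verify(key_secret, challenge, data, key_sign(key_secret, data))

if __name__ == "__main__":
    secret, key_secret = os.urandom(20), os.urandom(32)
    print("One-time code, forwarded 5s later:", otp_login_accepted(secret, 1_700_000_000, 1_700_000_005))
    print("Key used on the real site:", key_login_accepted(key_secret, REAL_ORIGIN))
    print("Key used on the look-alike page:", key_login_accepted(key_secret, FAKE_ORIGIN))
```

The one-time code is accepted wherever it was typed, while the key's response is rejected as soon as the origin recorded by the browser differs from the one the server expects.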

Setup and use

The Google Titan Security Key bundle includes one USB/NFC key, and one Bluetooth key. You also get a short charging cable for the Bluetooth key, plus a USB-A-to-USB-C adaptor. Both keys are designed to slip onto a regular keyring, though the Bluetooth device’s chunkier design means you’ll have to pry your keyring open quite far, at risk to your fingernails.

To register the keys with your Google account, you first need to visit Google’s setup page in a desktop browser (there are different options depending on whether you’re an ordinary security-conscious person, or someone at particularly high risk) and follow the instructions. This is a simple process, and will only take a minute to complete.

Unfortunately, we ran into difficulty with the Bluetooth key on our Android phone; despite being in pairing mode, the key simply couldn’t be found. My colleagues at Tom’s Hardware had similar trouble getting it to connect to an iPhone.

It’s not yet possible to use the NFC capability with an Android device, so we weren't able to try this as an alternative, but Google says the feature will be coming later this year.

We were able to set up the key to protect our Twitter account on a desktop, but again ran into trouble on mobile. The Twitter app apparently doesn’t support security keys, so we tried logging in through a browser. The Bluetooth key was actually detected this time, and we got as far as entering the PIN (a six-digit number printed on the back of the key), but the process then ground to a halt and the key refused to connect.

Google Titan Security Key works brilliantly with desktop browsers, but the mobile implementation so far seems to be lacking. Hopefully things will improve once NFC support arrives in the coming months.