The USB-C/NFC Titan Security Key is the latest version of Google’s hardware security key, designed to keep the bad guys from taking over your online accounts. With an attractive design and price—at just $35—the Titan Key is an obvious choice for newcomers to multi-factor authentication (MFA). With both USB-C and NFC, you can be confident that it will work with just about all the devices you already have. Unfortunately, the Titan’s reliance on a slightly older technology means that it may not be as widely accepted among the sites and services you want to secure.
What is Multi-Factor Authentication?
Simply put, multi-factor authentication (MFA, or sometimes 2FA) is the best way to prevent bad guys from taking over an online account. When you have MFA enabled, you log in using two factors from a list of three possible ones:
something you know, like a password;
something you are, like a fingerprint; or
something you have, like the Google Titan Key.
Even if an attacker manages to get your username and password, they won’t have your second factor and won’t be able to take over your account. But simply using MFA is no reason to slouch on other security basics. You should also use antivirus software on your machines and use a password manager to create unique, complex passwords for each site and service you use.
While hardware security keys are probably the best way to protect your accounts, any MFA is better than none. Authenticator apps are an easy, secure, widely supported, and free way to secure your accounts.
A Titan of Industry
The USB-C Titan Security Key grew out of Google’s earlier Titan key series. Originally, Google offered a $50 bundle with both a USB-A key and a battery-powered Bluetooth fob. At the time, Google’s documentation pushed the idea of having a backup MFA device, so selling two devices made sense. Google has since ditched the Bluetooth device, which is fine with me. I never liked the fob because of its reliance on batteries, but it also turned out to be vulnerable to attack. Google also ditched its bundling scheme and instead offers the USB-C/NFC key for $35 or USB-A/NFC key for $30. This review focuses on the USB-C/NFC Security Key, which is out of stock—but only temporarily, I’m told—at the Google Store at the time of this review’s publication.
The USB-C Titan Key is lozenge shaped and made of white polycarbonate with silver accents. It has no moving parts or batteries and doesn’t require a network connection. At one end is a standard USB-C connector, and at the other is a zinc alloy-reinforced hole where you can thread a key ring. Just above the connector is a small LED that flashes when connected to a device, and just above that is a silver, touch-sensitive circle. Although the Titan Key does not read fingerprints, you tap the circle to confirm while logging into sites. This is standard for all hardware MFA keys.
From left to right: Nitrokey FIDO2, USB-C Google Titan Security Key, and Yubico YubiKey Bio-C.
(Photo: Max Eddy)
At 0.3 by 0.7 by 2.0 inches (7 by 18.5 by 50.9 millimeters, HWD), the Titan Key is quite a bit longer than either the YubiKey Bio USB-A or -C keys ($80 and $85, respectively). The Titan is also thicker, with a rounded body that contrasts with the ultra-svelte look of Yubico devices. It’s a much more refined design than the $29 Nitrokey FIDO2, which, perhaps because of its open-source pedigree, looks more like a flash drive from 2004.
Weighing about 0.2 ounces (7 grams), the Titan is a bit heftier than the 0.18 ounces (5 grams) Bio USB-C. The larger body makes the Titan feel very light in the hand, almost hollow. It’s tougher than it looks, however. The seams are all very tight, and twisting the Titan didn’t even make the plastic groan. Whether its pristine white finish will survive on your keyring is another question.
Under the Plastic Skin
Weirdly, I couldn’t find anything in Google’s documentation about what MFA standards the USB-C Titan key supports. Most key makers advertise these points proudly. They give a hint to consumers about the places that will accept the key and what features the key provides. I reached out to Google, which confirmed that it supports the FIDO U2F protocol. This is an older protocol, but one that should allow the key to be used as an MFA key in most contexts, with some limitations.
Still, it’s an odd choice for a product from a leading name like Google. All the keys we’ve reviewed recently support the newer FIDO2 protocol. Even the $29 Security Key C NFC, Yubico’s entry-level key, supports FIDO2.
The USB-C Titan Key also lacks some of the more advanced features found in the Editors’ Choice-winning YubiKey 5C NFC. This $55 device supports the latest authentication standards, and it can also double as a smart card and be configured to spit out static passwords. It also supports the proprietary Yubico OTP system and works with OpenPGP. When paired with a Yubico app, it can even generate time-limited one-time use passcodes (OATH-TOTP). That’s all impressive, but it’s beyond the needs of most people and especially the first-time users Google is clearly targeting with the Titan Keys.
In the past, Google reportedly partnered with manufacturer Feitian to produce its previous generation Titan keys. Feitian is based in Beijing, with a US branch in California. The manufacturer of the USB-C Titan key isn’t disclosed, but there are some clues. The packaging says the key is made in China and the back of the USB-C Titan key bears the number K40T, and the Key appears as “ePass” when connected to my Mac. This suggests some relation to the Feitian ePass K40, and the two devices do look quite similar. Weirdly, the Feitian K40 does support FIDO U2F and FIDO2.
A Google representative would only confirm that the company’s keys are made by a third-party manufacturer. “All Titan Security Keys are built with a hardware secure element chip that includes firmware engineered by Google to verify the key’s integrity.”
For some, a security product from China is a nonstarter. At PCMag, we don’t believe we can make a judgment on a product’s quality based on its place of manufacture alone. The measures to protect the Titan keys are clearly good enough for Google. Those looking for a more transparent device should look to the Nitrokey FIDO2, which uses open-source hardware.
Hands-On With the Titan Security Key
The Google Titan Security Key doesn’t support biometrics, unlike the $69 Kensington VeriMark Guard. Fortunately, that also means the Titan doesn’t require any setup. To start using the Key, simply navigate to a site that supports hardware keys, find the Settings to add a key to your account, and follow the directions the site provides. I had no trouble enrolling the Titan Key with my Twitter account.
Once enrolled, logging in with the Titan Key went smoothly. On my Mac, I logged into Twitter using Google Chrome, inserted my key, tapped the Titan Key when prompted, and was in. I had just as easy a time on my Google Pixel 3a, where I plugged in the Titan Key through the phone’s USB-C port and logged in through the official Twitter app.
NFC lets you use the key wirelessly with supported devices. In my testing, I used an iPhone 13. I logged in to the Twitter app as usual, and then placed my key against the top of the iPhone’s screen when prompted. After a few beats, the app accepted the Key, and I was in.
Where I ran into trouble was when I tried to enroll the Google Titan Key with my Microsoft account. Microsoft’s approach to MFA is very forward-looking, and the company has embraced passwordless authentication for some of its sites and services. To do this, it leverages the latest FIDO2 and WebAuthn technology, which the Titan Key does not support. When I tried to enroll the Google Titan Key with my Microsoft account, it kicked up an error warning suggesting that the device was too old.
I wanted to do a sanity check and try another FIDO U2F key with my Microsoft account. But of the dozen MFA keys in my possession, all of them used the newer FIDO2. At the bottom of a drawer, I found an old YubiKey NEO—which could be nearly a decade old at this point—that only supports the FIDO protocol (not FIDO2, not FIDO U2F). Microsoft also rejected this key, but Twitter accepted it. That means the problem is not specific to the Titan, but it makes me wonder if other services will also reject the Titan, especially services that are just now introducing support for hardware security keys.
A Google representative explained that the USB-C Titan key will work with sites and services that implement WebAuthn “as a phishing-resistant second factor.” You may find similar incompatibilities with other sites and services.
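The difference between a "second factor" enrollment and a passwordless one shows up in the WebAuthn registration options a site sends to the browser. The following is an added example, not code from this review, Google, Microsoft, or Twitter: the helper `registrationBlockers`, the `U2F_ONLY` profile, and both option objects are hypothetical and constructed to illustrate why a U2F-only key can satisfy one request and not the other.

```javascript
// Added illustration; option values are constructed, not taken from any real site.
// Capabilities of a U2F-only (CTAP1) authenticator per the FIDO specifications:
// ES256 signatures only, no discoverable (resident) credentials, and no on-device
// user verification (no PIN or biometric), only a touch for user presence.
const U2F_ONLY = { algs: [-7], discoverable: false, userVerification: false };

// Returns the reasons a registration request cannot be met by the given
// authenticator; an empty list means the key can be enrolled.
function registrationBlockers(options, authenticator = U2F_ONLY) {
  const blockers = [];
  const sel = options.authenticatorSelection || {};
  const algs = (options.pubKeyCredParams || []).map((p) => p.alg);

  // An empty pubKeyCredParams list falls back to browser defaults that include ES256.
  if (algs.length > 0 && !algs.some((a) => authenticator.algs.includes(a))) {
    blockers.push("no supported signature algorithm offered");
  }
  // residentKey: "required" (or the legacy requireResidentKey flag) asks the key
  // to store the credential itself, which passwordless sign-in relies on.
  if ((sel.residentKey === "required" || sel.requireResidentKey === true) &&
      !authenticator.discoverable) {
    blockers.push("discoverable credential required");
  }
  if (sel.userVerification === "required" && !authenticator.userVerification) {
    blockers.push("user verification required");
  }
  return blockers;
}

// Constructed request: key used as a second factor after a password.
const secondFactorOptions = {
  pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
  authenticatorSelection: { residentKey: "discouraged", userVerification: "discouraged" },
};

// Constructed request: passwordless sign-in, where the key replaces the password.
const passwordlessOptions = {
  pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
  authenticatorSelection: { residentKey: "required", userVerification: "required" },
};

console.log("second factor:", registrationBlockers(secondFactorOptions));
console.log("passwordless:", registrationBlockers(passwordlessOptions));
```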
A Slightly Flawed Titan
The Google USB-C/NFC Titan Security Key has a lot going for it beyond its Google branding. It’s small, well-made, and priced within impulse purchase territory. Its namesake NFC and USB-C support mean that it will work with most devices you already have, including smartphones and tablets. Although the Titan lacks biometric powers and the advanced authentication features of the high-end YubiKeys, it should be a great entry point for the average consumer.
It should be, but we have reservations. We were disappointed at how incomplete Google’s documentation is for the Titan Key. The confusion may make it difficult for consumers to judge whether the Titan Key will meet their needs. We were also disappointed that Microsoft rejected the Titan. Although the key worked with Twitter and will likely be broadly accepted, we’re worried about the long-term utility of the Titan key.
There are already too many barriers to MFA adoption, and the uncertainty Google introduces with the Titan doesn’t help. The entry-level Yubico Security Key series has newer technologies for less, and the broad capabilities of the Editors’ Choice winner Yubico 5C NFC make it an excellent choice for more experienced buyers.
Google USB-C/NFC Titan Security Key
The Bottom Line
With NFC and USB-C, the latest Titan Security Key from Google works with nearly every device. Unfortunately, it uses an older multi-factor standard and might not work with every site and service.