
Google Titan Security Key now available - dgrove
https://store.google.com/us/product/titan_security_key_kit?hl=en-US
======
Someone1234
The wireless key is the "Feitian MultiPass FIDO Security Key". I'd caution
people to read the Amazon reviews (specifically people found it unreliable and
it would break if dropped/roughly handled).

They both seem to be re-branded Feitian, which cost less ($25 + $17 = $42)
when purchased under that brand from Amazon than the Google Titan moniker.

~~~
amelius
Given the recent amount of reports of counterfeiting on Amazon (not
specifically this product), I'd buy my security keys elsewhere.

~~~
Fnoord
That does not make sense in this case.

The key is made by a company called Feitian (Feitian Technologies Co., Ltd),
on Amazon. That's the original manufacturer selling _directly_ on Amazon [1].
That's the only one available. It's about as authentic as you can get on
Amazon. I'd rather buy it from Gearbest or Banggood but they don't sell this.
And Google just sells it rebranded.

Though I won't buy this (I could use the BLE part of it), since for one it
doesn't seem to be built strongly (overcome-able but still), it only seems to
work with Chrome according to reviews (I use Firefox), and I'm unsure if
Bluetooth is secure for this method, nor reliable. NFC should be fine, since
it's much closer range, and I have a YubiKey NEO but my phone doesn't have NFC,
unfortunately.

[1] [https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/dp/B01LYV6TQM](https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/dp/B01LYV6TQM)

~~~
jonahhorowitz
The Feitian works just fine with the latest Firefox builds. The Bluetooth
functionality is great if you have an iPhone.

------
spuz
$50 seems very expensive. The actual hardware probably does not cost more than
$10 and I can't see adoption of FIDO keys becoming widespread unless companies
are willing to sell keys at or below cost.

~~~
16bytes
Yubikeys are about the same cost:

[https://www.yubico.com/product/yubikey-4-series/](https://www.yubico.com/product/yubikey-4-series/)

What makes you think that the cost to produce the hardware is less than $10?
And what reason would companies have to offer keys below cost?

~~~
michaelt
The open-source U2F Zero claims ~$3 of parts and a ~$2 PCB [1] ordering a
single unit. Making a large volume, that price is only going to come down.

Admittedly you'd have to pay for a plastic case, assembly costs, an envelope
and stamps. But if I can get a 16GB flash drive for $8 with free shipping [2]
the plastic case, assembly etc can't be that expensive!

[1] [https://github.com/conorpp/u2f-zero](https://github.com/conorpp/u2f-zero)
[2] [https://www.amazon.com/SanDisk-Cruzer-Low-Profile-Drive-SDCZ33-016G-B35/dp/B005FYNSZA/](https://www.amazon.com/SanDisk-Cruzer-Low-Profile-Drive-SDCZ33-016G-B35/dp/B005FYNSZA/)

~~~
watersb
Bulk procurement, certification, software all affect cost, of course.

When a flaw was discovered in 4096-bit RSA key generation, Yubico sent me
replacements for all of my registered hardware tokens, no additional cost to
me.

Good thing about a standard like U2F is reducing software and certification
costs, and sure if you are clear to offer no post-sales support, then you
should be able to get legitimate hardware for maybe $10.

~~~
michaelt
Oh, absolutely! I was responding to the statement "The actual hardware
probably does not cost more than $10" which refers to the hardware
specifically. The retail price would be higher than the hardware costs to
cover software, support costs, returns, profit, shipping, credit card fees,
and so on.

------
therealmarv
1. Why not go from USB-C to USB-A with an adapter rather than the other way
round (this laptop photo looks so ugly with the USB-C -> USB-A adapter)?

2. This link does not work outside the US.

~~~
fredley
Can't see the page, but that there is not a USB C variant is bonkers. All
Google engineers I know use mac devices.

~~~
jrockway
I use a Mac at work. It has 0 USB Type C ports.

The only computer I own that has a USB Type C port is my homebuilt desktop,
and it's on the back, and I don't think the Windows driver actually works.

~~~
fredley
I'm not suggesting they should only produce a USB C variant, I'm suggesting
that they produce a USB C variant.

------
steven2012
I would prefer one from Apple. I don't trust Google as much as I do Apple,
simply because I know they don't make money from my data. The fact that the
FBI couldn't get into an iPhone makes me trust Apple much more. If I start
using this Google key, I'm not sure how far in bed they are with the
government and if they can crack my accounts.

~~~
guessmyname
I would prefer one from Apple as well, but mostly because my laptop _(which
was built by Apple)_ only has USB-C ports, so carrying a USB-A adapter, like
the one shown in the picture [1], would be a deal breaker for me and many
others. Something like the YubiKey 4C Nano [2] would be good.

[1] [https://i.imgur.com/79ojvAK.jpg](https://i.imgur.com/79ojvAK.jpg)

[2] [https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-nano](https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-nano)

~~~
jonahhorowitz
If you're clever about it, you can do U2F using the secure enclave built into
touchID. You don't even need a separate device.

~~~
daxelrod
I’ve been interested in setting something like this up. Are you aware of
software that exists for it already?

------
Operyl
Are both keys configured with the same underlying keys?

    
    
      Each key bundle comes with a physical USB security key and a Bluetooth security key—one for your primary use and one for safe keeping.

~~~
suprfsat
Each key is unique. You add both of them to your account.

------
h8trswana8
It’s so big. Couldn’t they have come up with a more subtle form factor?

~~~
craftyguy
TBF, it does have 'titan' in the name.

------
ekingr
The description doesn't say if the keys are compatible with FIDO2 / Webauthn,
which seem to be the new standard superseding FIDO (namely with password-less
and multi-factor auth). It would be disappointing if not...

------
nikolay
"Available" just like Google One is? I hate when people make things
"available" this way! Don't they know the meaning of the word?!

~~~
jamesgeck0
That's on the person who submitted, not Google. The word "available" doesn't
appear on the page in regards to this product.

~~~
nikolay
I already gave my email to Google that I'm interested and now I need to be
added to yet another waiting list? What's the point? All this buzz is actually
hurting Google as people become aware of these products and services and
because Titan is not immediately available, they will end up with alternatives
such as YubiKey.

------
scrrr
Isn't this the same as a code app like Authy? Why carry the extra dongle?

~~~
matharmin
Similar use case (2FA), but different implementation.

Instead of typing in a code, you press a button. It also protects against
phishing by validating the URL of the site you're authenticating on (with a
code-based 2FA you can still enter your code on a phishing site, which then
forwards it to the real one).
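
Added example, not part of the thread or of any commenter's post: a toy model of the origin check described above, showing why a challenge relayed through a look-alike site yields nothing the real site will accept. The class and function names and both origins are made up for illustration, and HMAC-SHA256 stands in for the ECDSA signature a real key produces.

```python
import hashlib
import hmac
import json
import os

# Constructed sample origins. HMAC-SHA256 stands in for the ECDSA P-256
# signature (stdlib only); a real site stores just the key's public half.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts.example.com.login.invalid"


class ToyKey:
    """Toy security key holding one secret per registered origin."""

    def __init__(self):
        self._keys = {}

    def register(self, origin):
        self._keys[origin] = os.urandom(32)
        return self._keys[origin]

    def sign(self, browser_origin, challenge):
        # The browser, not the page, reports the origin it actually loaded.
        key = self._keys.get(browser_origin)
        if key is None:
            return None  # no credential was ever registered for this origin
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin})
        return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).digest()


def site_verify(expected_origin, issued_challenge, cred_key, assertion):
    """Site-side check: signature, challenge and origin must all match."""
    if assertion is None:
        return False
    client_data, sig = assertion
    good = hmac.new(cred_key, client_data.encode(), hashlib.sha256).digest()
    fields = json.loads(client_data)
    return (hmac.compare_digest(sig, good)
            and fields["challenge"] == issued_challenge
            and fields["origin"] == expected_origin)


def relay_outcomes(challenge="constructed-challenge-001"):
    """Return (login on the real site, same challenge relayed via a look-alike)."""
    key = ToyKey()
    cred = key.register(REAL_ORIGIN)
    direct = site_verify(REAL_ORIGIN, challenge, cred, key.sign(REAL_ORIGIN, challenge))
    relayed = site_verify(REAL_ORIGIN, challenge, cred, key.sign(PHISH_ORIGIN, challenge))
    return direct, relayed
```

`relay_outcomes()` returns `(True, False)`: the direct login verifies, while the relayed one produces no assertion at all because the key holds no credential for the look-alike origin.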

~~~
m_eiman
There are apps that also validate the source and can automatically sign you in
(or require a button press), e.g.
[https://www.kryptco.com](https://www.kryptco.com)

Seems like it might be useful, but haven't had the time to try it out yet.

~~~
tialaramex
AIUI Krypton is basically doing the same thing as these FIDO2 Security Keys,
but their software substitutes an app on your Phone for the Security Key. So a
web site offering WebAuthn can't tell the difference (unless you allow it to
interrogate the "Security Key" to ask who made it, which you probably
shouldn't)

I personally would rather have Security Keys, but a solution like Krypton is
definitely easier for a lot of users and obviously the price differential is
hard to argue with.

------
zaarn
For 50$ I don't really see the point in this, Yubikey already asks this much.

I'll probably wait out for the FIDO2 upgrade on the u2fzero...

------
jameskegel
How would Google Titan improve the 2F experience for someone who already uses
a dongle-key device like a Yubikey, for example?

~~~
amingilani
It won't. Stick with what you have, it's essentially a bundle to help non-U2F
owners start with their Advanced Protection Program.

------
anilakar
Is it possible to use the Bluetooth dongle with a desktop computer without a
cable? Having to carry both on your keyring kind of defeats the purpose,
because even Google's own guidelines tell you to store one in a safe place and
keep the other one in daily use.

~~~
hesdeadjim
Yea I was wondering this too.

------
locusm
What does this offer over Yubi?

~~~
ekingr
The wireless one has Bluetooth - which is the only way to go on iOS for now.

~~~
stephengillie
How secure is Bluetooth - how do we know snoopers aren't stealing keys
wirelessly?

~~~
mkj
The most likely snoopers are far far away, probably even a different timezone.
If you have local burglars around they'll just break your windows and doors to
get things anyway.

(And Bluetooth isn't that bad either?)

~~~
numbsafari
Or just sit down next to you for a few minutes until you use your device and
then walk away?

I'd rather force them to smash my windows and doors rather than just give them
what they want in passing.

~~~
SkyPuncher
Let's be real, how often does an attack like that happen?

Yes, a localized attack is still possible but you probably have a different
set of worries if attacks are going so far as to be within a short distance of
you.

These tools are about reducing the effectiveness of remote attacks which are
much more logical to carry out.

~~~
stephengillie
How often do you work from a coffee shop? Ever wonder if anyone else in the
shop has a minimized wardriver or "blue-driver" sniffing wireless connections?
Or maybe their device is infected with a trojan, and a remote attacker is
using their device to sniff a random network, which you happen to also be
using.

------
amingilani
_Question for Advanced Protection and Mac users._

Have you managed to authenticate your Google account with your U2F keys on
your Mac?

If you have, please help the rest of us out, I get an error:

> You can only use your Security Keys with Google Chrome.

Here's a StackExchange question for some karma:
[https://apple.stackexchange.com/questions/327491/how-do-i-use-a-u2f-token-when-adding-a-google-account-to-my-macbook-pro](https://apple.stackexchange.com/questions/327491/how-do-i-use-a-u2f-token-when-adding-a-google-account-to-my-macbook-pro)

------
amelius
Nice for humans, but these dongles don't solve the problem of automated
background services having to log in to machines to complete their tasks. How
do people solve this problem?

~~~
moviuro
Per-purpose passwords.
[https://support.google.com/accounts/answer/185833?hl=en](https://support.google.com/accounts/answer/185833?hl=en)

Per-purpose users (with very limited rights) on machines, inside per-purpose
VMs (with very limited network if any)... etc.

------
alecbenzer
What's the summary on how security keys compare to Google's tap-to-sign-in
flow?
[https://support.google.com/accounts/answer/7026266?co=GENIE....](https://support.google.com/accounts/answer/7026266?co=GENIE.Platform%3DAndroid&hl=en)

------
Postosuchus
The store page sucks balls - no details whatsoever!

Does anyone know how these keys could be used for TOTP? In case of Yubikey one
could use an app which effectively acted as a proxy between the TOTP-based
system and a hardware key. Does the Google key support the same functionality?

~~~
anilakar
These devices don't have a real-time clock, so TOTP is out of the question. A
Yubikey by itself is incapable of doing TOTP, too – it just acts as a hardware
authenticator for the actual password generator. HOTP/counter mode doesn't
have this requirement.

~~~
helper
Yubikey does support storing TOTP secrets. It requires you use their app
(desktop or android) which then provides the time component.
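
Added example, not part of the thread or of any commenter's post: the two comments above come down to TOTP (RFC 6238) being HOTP (RFC 4226) with the counter replaced by a time step, so a token with no clock can hold the secret while a host app supplies the time. `ClocklessToken` and `host_totp` are made-up names; the secret is the published RFC test value, not a real credential.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226 / RFC 6238, not a real credential.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ClocklessToken:
    """Models a token that keeps the secret but has no real-time clock."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0  # a stored event counter is all HOTP needs

    def next_hotp(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code

    def totp_for(self, time_step: int, digits: int = 6) -> str:
        # The token cannot know the time, so the host passes the step in.
        return hotp(self._secret, time_step, digits)


def host_totp(token: ClocklessToken, unix_time: int, period: int = 30,
              digits: int = 6) -> str:
    """Host-side app (RFC 6238): computes T = floor(time / period)."""
    return token.totp_for(unix_time // period, digits)
```

Because the host supplies the time step, the token cannot tell a current request from one for a future step, so the host app is part of the trust boundary in this arrangement.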

------
grepthisab
Pretty cool, I like that it comes with two keys at the start so you have a
backup, unlike Yubi where I have to buy two before I can even get started in
earnest. Still living the dongle life though, but it appears to come with its
own usb a -> c adapter at least.

------
Demoneeri
Excuse my ignorance (I'm trying to understand by googling). I know it's not
the same technology but is it the same concept (public/private key) as for
example the Estonian government uses for identity and accessing government
services?

------
mitchtbaum
I would rather use something like this:
[https://www.thingiverse.com/thing:1970583](https://www.thingiverse.com/thing:1970583)

------
Thriptic
Is it possible to set up advanced protection on the iPad using the camera
adapter and a YubiKey, or is a Bluetooth key required?

------
extrapolate
Anyone able to actually purchase one? I'm just seeing a "Join waitlist"
button.

------
johntash
Just to make sure.. these don't provide GPG/PGP smartcard support, right?

------
amelius
Can I use it for my bank too?

~~~
jrockway
Vanguard lets you use a security key as a second factor. It is the only
finance-related website I've ever seen that does so. (And it's probably
because Google made them, as that's where my Google 401k was.)

~~~
the-peter
Vanguard? That's a laugh. There's a link on the login page "I don't have my
device with me, send me an SMS instead". This cannot be disabled.

------
kennydude
Is that a dongle to use it on the surface-style-thing? Whyyyyyyy

~~~
dewey
It's a USB C Adapter

------
estomagordo
Is it sort of a ubikey?

------
meanmartine
Yeah, no thanks

------
sschueller
I only see Chromecast and Chromecast Audio on this page.

~~~
desdiv
Same here.

Use this link to force-redirect to the US product page:
[https://store.google.com/us/product/titan_security_key_kit?hl=en-US](https://store.google.com/us/product/titan_security_key_kit?hl=en-US)

(mods, can we please change the story URL to the above one? It should show the
correct item globally and thus leaving less people confused.)

------
throwawaymath
Am I correct in my understanding that this will only work for Google devices?
It states that, but at least for the physical U2F key I don’t see why that
wouldn’t also work on a non-Google device.

EDIT: Revisiting, it states anything running Google Chrome should also work. So
I guess macOS should be fine, what about iOS?

~~~
Ded7xSEoPKYNsDd
(I got these at a Google thing at DEF CON.) Both work with Firefox on Linux,
without any Google software. Haven't yet found non-Google software on Android
(Lineage) that can talk to them.

~~~
__float
I asked at DEF CON about these, but they said they were _not_ the same as the
Titan. Hardware looks to be the same, but they may not have the Titan
firmware, but rather the original Feitian one. I...don't actually know how to
verify that claim though.

------
floor_
The countdown starts and runs until some 12 year old breaks it wide open.

