
Google Titan Security Key - moviuro
https://cloud.google.com/security-key/
======
larkeith
Discussion (16 hrs ago):
[https://news.ycombinator.com/item?id=17610516](https://news.ycombinator.com/item?id=17610516)

------
raesene9
The thing that makes me a bit jumpy about hardware 2FA with things like this
or a Yubikey is around what happens if I lose it or it breaks.

It's not so much a problem in a corporate setup (like internally at Google)
where you could go to a central admin team to revoke/replace the key.

But if you're a home user using this for a wide variety of sites and the token
fails then the failure mode seems to be "go figure out the fallback for every
site you use and use that", which could be really painful.

I prefer the, possibly less secure but more flexible, option of TOTP
applications that let me sync to multiple devices, so the loss of one device
isn't very painful.

~~~
chillydawg
With yubikeys, you can effectively clone them when setting them up initially.
So you carry one and keep another spare in a safe location. If your primary
fails, you can buy another and promote your hot standby to primary having set
the new one up to be a clone.

~~~
raesene9
Ahh, that is interesting! Do you know if there is a doc on how that's done? Also,
does that mean that once the clone is done you can effectively just register
once with your "live" key and, if it fails, seamlessly use the "backup" key, or
do you need to register with both for that to work?

~~~
chillydawg
When you buy one and follow the basic setup steps it tells you how. Always buy
them in pairs.

------
mtgx
I think Google uses this same Titan chip for it:

[https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-...](https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-security-in-plaintext.html)

I'm not sure if this is the "hardware security module" they've been touting
for Pixel 2 devices, too.

I assume this project was spun off from Project Vault, or at least they reused
some of the ideas/code from that, but it's still a shame we won't be getting
the microSD "HSM" anymore. I guess that idea died when Google and other
manufacturers decided to kill support for microSD in their devices altogether.

[https://techcrunch.com/2015/05/29/googles-project-vault-is-a...](https://techcrunch.com/2015/05/29/googles-project-vault-is-a-secure-computing-environment-on-a-micro-sd-card-for-any-platform/)

This is Yubico's response to the Titan Key announcement, if you care to read
it:

[https://www.yubico.com/2018/07/the-key-to-trust/](https://www.yubico.com/2018/07/the-key-to-trust/)

~~~
moviuro
Meh... "open" [https://www.yubico.com/2016/05/secure-hardware-vs-open-sourc...](https://www.yubico.com/2016/05/secure-hardware-vs-open-source/)

~~~
mtgx
Yeah, that stood out to me, too. It's kind of funny that they're using the
"open" as a competitive advantage against Google, when they _no longer_ have
that competitive advantage.

I bet they wish they had stayed open right about now.

------
zaarn
Quite neat. Though I'm still disappointed in the U2F/Security Key market.

The Yubicos cost 50€ apiece, or 20€ for the U2F-only key. And to get NFC
usage you have to buy a worse variant of the other keys that doesn't support
4096-bit RSA and some other features.

There is not much competition either, Nitro is just as expensive and doesn't
feature a good and cheap key either.

Open-source variants are also fairly rare; I would love to DIY some YubiKey
4-like stick with the same or a similar/comparable function set. The only thing
so far I have found is the U2F Zero, but that didn't offer RSA.

Quite annoying; maybe some competitor other than Yubikey and Nitro can solve
this. (It doesn't seem Google is selling the Titan; I see no price tag.)

~~~
dogma1138
To be fair for home usage a soft-token is just as good and you can back it up
by backing up the seed.

If your phone is compromised by someone who can exploit it then your
adversarial outlook is pretty dire to begin with.

~~~
zaarn
I'd rather have a hardware solution tbh, I don't think software U2F or
smartcard is what I want or fits my threatmodel.

------
moviuro
See also [https://www.cnet.com/news/google-made-the-titan-key-to-tough...](https://www.cnet.com/news/google-made-the-titan-key-to-toughen-up-your-online-security/)

------
aichi
Why does Google 'sell' this as an advantage over 2FA on a mobile phone? In this
case it works on a computer only, or you have to be at some computer; with a
mobile app you can be anywhere. I see that as a huge disadvantage.

~~~
simias
Security tokens are more secure and can't be as easily phished as phone-based
2FA solutions. It's not about using the key on a mobile phone, it's about
replacing phone-based 2FA.

You're right however that their key doesn't seem to have any interface other
than USB so it won't be practically usable on smartphones. Yubico has NFC
tokens[1] for that use case but it doesn't seem that Google's version offers
that yet.

[1] [https://www.yubico.com/products/yubikey-for-mobile/](https://www.yubico.com/products/yubikey-for-mobile/)
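
Two of the threads above, the "what if I lose the key" question from raesene9 and chillydawg and the "can't be as easily phished" claim from simias, come down to the same server-side logic, so here is one added example covering both. This is a simplified Go model written for this page, not code from Google, Yubico or the FIDO specifications: a toy `Token` type, a `RelyingParty` that stores any number of registered public keys for one account, and the checks a real server performs on a U2F assertion (challenge, origin carried in the client data, ECDSA signature over appId hash / flags / counter / client-data hash, and a strictly increasing counter). The backup is a second key pair registered alongside the first, since a token's private key never leaves the device. The names `Token`, `RelyingParty`, `Scenario`, the site `https://accounts.example`, the look-alike `https://accounts-example.evil` and the one-key-per-token simplification are all assumptions of the example. Real browsers additionally refuse, on the client side, to use an app ID that does not match the calling origin; the origin check shown here is the half the relying party controls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Token is a toy model of one U2F key: a P-256 key pair plus a usage counter
// (assumption: one key per token; real tokens derive a per-site key from the handle).
type Token struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

// Assertion is what the relying party receives back from the browser.
type Assertion struct {
	Handle     string // which registered key the site should verify with
	Counter    uint32
	ClientData []byte // JSON: typ, challenge, origin
	Signature  []byte // ASN.1 ECDSA over signedHash(...)
}

// clientData is built by the browser, which stamps in the origin of the page
// calling the API; a phishing page cannot claim to be the real site.
func clientData(challenge, origin string) []byte {
	return []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, origin))
}

// signedHash is SHA-256 of the U2F authentication message:
// SHA-256(appId) || flags (0x01 = user present) || counter || SHA-256(clientData).
func signedHash(appID string, counter uint32, cd []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append(append(append([]byte{}, appHash[:]...), 0x01), ctr[:]...), cdHash[:]...)
	h := sha256.Sum256(msg)
	return h[:]
}

// Sign is the token side: bump the counter and sign the message.
func (t *Token) Sign(handle, appID string, cd []byte) Assertion {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, signedHash(appID, t.counter, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{Handle: handle, Counter: t.counter, ClientData: cd, Signature: sig}
}

// RelyingParty is the server: its app ID (its own origin), the registered keys, last counter per key.
type RelyingParty struct {
	AppID    string
	Keys     map[string]*ecdsa.PublicKey
	Counters map[string]uint32
}

// Verify performs the checks a server must do before accepting an assertion.
func (rp *RelyingParty) Verify(challenge string, as Assertion) error {
	pub := rp.Keys[as.Handle]
	var cd struct{ Challenge, Origin string } // encoding/json matches keys case-insensitively
	if err := json.Unmarshal(as.ClientData, &cd); err != nil || pub == nil {
		return fmt.Errorf("unknown key handle or malformed client data")
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch")
	}
	if cd.Origin != rp.AppID { // the phishing check: the signed origin must be ours
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.AppID)
	}
	if !ecdsa.VerifyASN1(pub, signedHash(rp.AppID, as.Counter, as.ClientData), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	if as.Counter <= rp.Counters[as.Handle] { // replay, or a cloned token
		return fmt.Errorf("counter did not increase")
	}
	rp.Counters[as.Handle] = as.Counter
	return nil
}

// Scenario: two tokens registered up front (losing one is not a lockout), then a
// relayed assertion from a look-alike origin and a replayed one, both rejected.
func Scenario() (primaryOK, backupOK bool, phishErr, replayErr error) {
	rp := &RelyingParty{AppID: "https://accounts.example", // assumed site
		Keys: map[string]*ecdsa.PublicKey{}, Counters: map[string]uint32{}}
	kP, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand cannot realistically fail here
	kB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	primary, backup := &Token{key: kP}, &Token{key: kB}
	rp.Keys["primary"], rp.Keys["backup"] = &kP.PublicKey, &kB.PublicKey
	asP := primary.Sign("primary", rp.AppID, clientData("nonce-1", rp.AppID))
	asB := backup.Sign("backup", rp.AppID, clientData("nonce-2", rp.AppID))
	// Phishing: the attacker relays the site's challenge, but the browser puts the
	// page's real origin into clientData, so the signature covers the wrong origin.
	asX := primary.Sign("primary", rp.AppID, clientData("nonce-3", "https://accounts-example.evil"))
	primaryOK = rp.Verify("nonce-1", asP) == nil
	backupOK = rp.Verify("nonce-2", asB) == nil
	phishErr = rp.Verify("nonce-3", asX)
	replayErr = rp.Verify("nonce-1", asP) // same assertion twice: counter check
	return
}
```

`Scenario()` returns `true, true` for the two registered tokens, an origin error for the relayed assertion and a counter error for the replay. The practical point for the backup discussion is the `Keys` map: a site that lets you register more than one key makes the spare in the safe a real fallback, and a TOTP seed backup is the equivalent for soft tokens.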

~~~
rlac16
The page Using Security Key links to mentions that Titan supports Bluetooth &
USB, with NFC support in a future update.

[https://support.google.com/accounts/answer/6103523](https://support.google.com/accounts/answer/6103523)

------
lodyb
They need to do better at explaining what this is.

Is it a physical device like in the pictures, or a piece of software? It does
not make it clear. I can make a best guess, but from this landing page it is
uncertain.

~~~
ckocagil
My understanding is that it's a FIDO U2F key, like the ones from Yubico.

~~~
simias
Judging by the drawings it looks exactly like a yubikey[1]. Did they partner
in some way or did they just use the same design?

[1] [https://www.yubico.com/wp-content/uploads/2015/12/YubiKey-4-...](https://www.yubico.com/wp-content/uploads/2015/12/YubiKey-4-1000.png)

------
bdz
Will this be available to normal Google users?

