Google Buries The Hatchet With Yubico, Brings Physical Security Keys With USB-C

Google Buries The Hatchet With Yubico, Brings Physical Security Keys With USB-C

After launching its Titan Key last year, Google has returned with a new version of its two-factor security dongle featuring USB-C.

The inspiration behind the Titan Key came from a Google mandate in 2017 requiring all of the company’s 85,000 employees to use a physical two-factor security device when logging into any accounts. Once the system was implemented, Google claims not a single employee account got hacked, even after more than a year. After that, Google decided to make and sell its own security dongle to the public.

Adding a USB-C variant to the Titan key lineup makes a ton of sense — Google’s previous offerings were limited to a standard USB-A dongle and a Bluetooth version with a micro USB port. That meant even though Google’s Titan key supports Windows, Android, iOS, and macOS, you couldn’t actually plug the older Titan keys into a number of phones or modern MacBooks and iPads without an adaptor.

However, unlike the previous models, the new USB-C Titan Key does not come with support for NFC like the other two models, which seems like a strange omission. But aside from that, you’re still looking at the same list of features including FIDO certification and a Google’s Titan security chip embedded inside.

Google’s new USB-C Titan Key is made in partnership with Yubico — which also makes its own line of two-factor authentication dongles — and even potentially signals that any disagreements between the two companies regarding the security of the Bluetooth protocol have been buried. That said, Yubico’s YubiKey products offer slightly wider compatibility thanks to a model with an Apple Lightning port and support for the WebAuthn protocol.

Last year, Yubico claimed that it had explored adding Bluetooth support to its security key products and even contributed to the development of the BLE U2F standard, only to end up axing that idea saying “BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.”

The disagreement over the security implications of Bluetooth compatibility in security keys followed a test period in which Google worked on its Advanced Protection Plan internally and provided Yubico devices to its employees for security purposes.  

This later proved to be a wise decision by Yubico as the first run of Google’s Titan Keys contained misconfigured Bluetooth pairing settings, which made it possible for a potential hacker to gain access to the device at the time of its use, as long as they were within range (around 9 metres). This exploit was later addressed in subsequent revisions, with Google offering free replacements for the effected T1 or T2 Titan Key models.