Titan Security Key vs. YubiKey — which is more secure? Scott McDonald breaks down why Google’s Titan Keys are the better option for toughening up your online security.
With so much of our personal information stored online nowadays, we need more than a password to fully protect our online accounts. While digital two-factor authentication apps and biometric login features have helped fight against phishing, experts say physical security keys offer the highest level of security available.
Ultimately, my opinion is that Titan Keys are the best physical authenticators based on usability and security features.
Physical Security Keys: The Best Defense Against Phishing
First, let’s look at how physical authenticators work and why you should use them.
While you can make passwords strong — and digital authenticator apps are much more secure than using SMS — these security measures alone aren’t always enough to safeguard your data. Your account could still be at risk of that password being stolen.
A physical, hardware-based key — often in the form of a USB dongle — serves as an extra security measure for verifying your identity when logging into an online account with your password. You just plug the key into your device, and it’ll grant you access to your account. It’s the most effective defense against phishing. Even if someone were to discover your password, they wouldn’t be able to access your account without the physical key.
By adding an extra level of authentication with a physical key, you increase the security of your account with a verification method that’s nearly impossible for bad actors to obtain. Your online information is safe as long as your physical key is.
Titan Security Key vs. YubiKey
While many physical authenticators are out there, YubiKeys and the Titan Security Key are the two most popular physical security keys available today.
YubiKey, launched by Yubico in 2007, was made to protect access to computers, networks, and online services and eliminate account takeovers. They support FIDO2/WebAuthn and U2F. YubiKey is currently in its fifth generation.
Google introduced Titan Keys in 2018. They’re designed to help users prevent Google account takeover attempts using credentials stolen in data breaches or following phishing attacks. Titan Keys work with the most popular devices, browsers, and an increasing number of apps and services that come with FIDO standard support, like the 1Password manager.
Titan Security Key Advantages
As for their differences, YubiKey may have been first to market, but Google’s Titan Security Key edges out its competitor with a couple of key features.
For starters, Google’s Titan Keys make everyday individual security easier and more accessible. In August 2021, Google added NFC support to its Titan Security Key offerings, which means users can now securely log into their accounts on smartphones and other smart devices using Titan Keys. It’s a big move that will allow users to ensure security across all of their devices.
Titan Keys support both USB-A and USB-C ports and offer wireless (NFC) authentication, as does YubiKey.
Titan Keys Are Secure at the Firmware Level
All of Google’s Titan Keys come with the built-in Titan Chip. Many authenticators are FIDO-compliant, but the Titan Chip is an extra security measure unlike any other that ensures the firmware hasn’t been modified. Whenever a Titan Key is used, the chip checks that the tiny bit of code that runs the key is the right code. When the key is powered on, it confirms it’s running the firmware it should be before it authenticates the keyholder’s identity.
YubiKeys lack this level of technology. Comparing the shipping packaging of the two, YubiKeys come in a thin package that could allow bad actors to interact with the key over NFC through the packaging. If you recall the 2012 Black Hat hack where hackers found they could take complete control of a phone via NFC, my concern is that this opens up the opportunity for supply chain attacks that could alter the firmware on YubiKeys and compromise them.
Google, on the other hand, went as far as to design the Google Titan Key packaging with a box so thick that it’d prevent anyone from interacting with the NFC through the packaging the security keys ship in. Bad actors wouldn’t be able to attack Titan Keys without opening the original manufacturer’s package as they could with YubiKeys.
While these might seem like minor details, it’s the little things that make a big difference in security.
Sadly, LastPass doesn’t currently support U2F for two-factor authentication, so it isn’t compatible with Titan Keys. (Although there’s always a chance they’ll add U2F support in the future.)
On the other hand, YubiKey is supported by LastPass. Since the Titan Security Key is manufactured in China, it might also be less readily available in the US and other countries, while YubiKeys are US-made.
What About Side-Channel Attacks on Titan Keys?
You might’ve seen the news story about the hackers who cloned Google Titan 2FA keys using a side-channel in NXP chips.
Is it possible for a bad actor to hack and clone a Titan Key? Yes. Is there a plausible scenario where they’d be able to clear several complicated obstacles and do it successfully? Probably not. Even if someone somehow got a hold of your Titan Key and managed to clone it, Google already has a built-in feature to prevent them from using it.
Google’s key-based 2FA uses a feature baked into the U2F standard: the key keeps a counter of how many times it has authenticated to their servers and reports it on every login. If a key reports a number that doesn’t match what’s stored on the server, Google will suspect it’s a clone. The original Titan Key and its clone could only be used once before Google detected the clone and disabled both keys.
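The counter check described above, as an added example that is not Google’s or Yubico’s code: a model of the relying-party side in which HMAC stands in for the authenticator’s ECDSA signature, all key material is constructed for the demo, and the clone is a copy of the key with the counter as it stood at the time of copying.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Authenticator:
    """Hardware key; `secret` stands in for the credential's private key (constructed)."""
    secret: bytes
    counter: int = 0

    def sign(self, challenge: bytes) -> tuple[int, bytes]:
        # U2F/WebAuthn: the counter increments on every assertion and is
        # covered by the signature, so the server can trust the reported value.
        self.counter += 1
        msg = challenge + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(self.secret, msg, hashlib.sha256).digest()

@dataclass
class RelyingParty:
    """Server-side record for one registered credential."""
    secret: bytes          # models the stored public key
    last_counter: int = 0  # highest counter value seen so far
    disabled: bool = False

    def verify(self, challenge: bytes, counter: int, sig: bytes) -> str:
        if self.disabled:
            return "disabled"
        msg = challenge + counter.to_bytes(4, "big")
        expected = hmac.new(self.secret, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        if counter <= self.last_counter:
            # Valid signature, stale counter: another device holding the same
            # key has advanced the count, so lock the credential outright.
            self.disabled = True
            return "clone-detected"
        self.last_counter = counter
        return "ok"

def demo() -> list[str]:
    """Original key used once, then a clone with identical key and counter appears."""
    original = Authenticator(secret=b"constructed-demo-secret")
    server = RelyingParty(secret=original.secret)
    results = [server.verify(b"c1", *original.sign(b"c1"))]     # ok, counter -> 1
    copy = Authenticator(original.secret, original.counter)     # the cloned key
    results.append(server.verify(b"c2", *copy.sign(b"c2")))     # ok: clone works once, counter -> 2
    results.append(server.verify(b"c3", *original.sign(b"c3")))  # original also reports 2
    results.append(server.verify(b"c4", *copy.sign(b"c4")))     # locked for both devices
    return results
```

The check cannot tell which device is the clone, which is why both keys end up locked. In WebAuthn the counter is optional (an authenticator that does not implement one always reports 0), so a relying party can only apply this test to credentials that have reported a nonzero counter.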
Security Starts with All of Us
When you stop and think about all of the services and information encompassed by your Google account — email, browsing data, and so on — getting extra protection is a no-brainer. And the best way to secure your account is with a physical security key like Google’s Titan Security Key.
It’s also a good idea to register two Titan Keys so you always have an account recovery path if one gets lost, stolen, or breaks.
You can purchase a Titan key to protect your Google account and other third-party accounts that support it online in the Google Store.