Google Titan Security Key now available (opens in new tab)

(store.google.com)

176 pointsdgrove7y ago139 comments

139 comments

101 comments · 30 top-level

Someone12347y ago· 11 in thread

The wireless key is the "Feitian MultiPass FIDO Security Key" I'd caution people to read the Amazon reviews (specifically people found it unreliable and it would break if dropped/roughly handled).

They both seem to be re-branded Feitian, which cost less ($25 + $17 = $42) when purchased under that brand from Amazon than the Google Titan moniker.

amelius7y ago

Given the recent amount of reports of counterfeiting on Amazon (not specifically this product), I'd buy my security keys elsewhere.

Fnoord7y ago

That does not make sense in this case.

The key is made by a company called Feitian (Feitian Technologies Co., Ltd), on Amazon. That's the original manufacturer selling directly on Amazon [1]. That's the only one available. Its about as authentic as you can get on Amazon. I'd rather buy it from Gearbest or Banggood but they don't sell this. And Google just sells it rebranded.

Though I won't buy this (I could use the BLE part of it), since for one it doesn't seem to be build strongly (overcome-able but still), it only seems to work with Chrome according to reviews (I use Firefox), and I'm unsure if Bluetooth is secure for this method, nor reliable. NFC should be fine, since its much closer range, and I have a YubiKey NEO but my phone doesn't have NFC, unfortunately.

[1] https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/d...

1 more reply

frockington7y ago

I assume everything on Amazon is a counterfeit and plan accordingly. Have you heard anything about Walmart? They have free two day shipping and I haven't heard any counterfeit horror stories (yet)

1 more reply

rahimnathwani7y ago

"Firmware for Titan Security Keys is engineered by Google, to verify the key’s integrity."

Someone12347y ago

That won't resolve many of the negative reviews of the MultiPass key, since they're complaints over the physical design and usage.

1 more reply

ecesena7y ago

I suspect these keys will be FIDO2, so even if they look the same, even Feitian might raise up its prices a little bit supporting the new standard. I don't know, just guessing.

Also, in Google's $50 there are also 2 cables usb-a2c and c2a. I guess they decided to go the way of the complete package with all you may need.

ecesena7y ago

BTW, we're working on an open source FIDO2 security key, Solo.

We're having a kickstarter soon, and if you're interested you can join the waiting list at https://solokeys.com/

mehrdada7y ago

I don't think this is true. Titan seems to be an in-house project. Are you basing this assumption on anything but the exterior looks?

amingilani7y ago

As a person enrolled in Google's Advanced Protection Program, Google recommended that I use the Feitian Multipass Key upon sign up. I bought a few of those, and it looks exactly like the key in that picture. I'm looking at my Feitian right now, and I can promise you it's the same.

Someone12347y ago

https://www.ftsafe.com/article/563.html

2 more replies

stephengillie7y ago

Feitan > Titan

It's only a syllable away.

spuz7y ago· 10 in thread

$50 seems very expensive. The actual hardware probably does not cost more than $10 and I can't see adoption of FIDO keys becoming widespread unless companies are willing to sell keys at or below cost.

16bytes7y ago

Yubikeys are about the same cost:

https://www.yubico.com/product/yubikey-4-series/

What makes you think that the cost to produce the hardware is less than $10? And what reason would companies have to offer keys below cost?

michaelt7y ago

The open-source U2F Zero claims ~$3 of parts and a ~$2 PCB [1] ordering a single unit. Making a large volume, that price is only going to come down.

Admittedly you'd have to pay for a plastic case, assembly costs, an envelope and stamps. But if I can get a 16GB flash drive for $8 with free shipping [2] the plastic case, assembly etc can't be that expensive!

[1] https://github.com/conorpp/u2f-zero [2] https://www.amazon.com/SanDisk-Cruzer-Low-Profile-Drive-SDCZ...

1 more reply

MikeKusold7y ago

The Yubikey 4 also provide more functionality such as PGP.

This is more like the Yubikey Security Key ($20): https://www.yubico.com/product/security-key-by-yubico/#secur...

spuz7y ago

If a bluetooth locator tag is only about £3.34 [1], then a tag with an encryption chip should not be 10x the cost. Google has an incentive for their keys to become widespread and well adopted because people will associate their brand with "high security". It also actually helps Google if they don't have to deal with support requests from users who've had their accounts compromised.

[1]http://amzn.eu/d/bMowBkS

sowbug7y ago

You are a web developer. Do you place any value on the cost of developing software?

spuz7y ago

Yes of course, but the reason I mentioned the hardware cost is because that scales linearly with demand and software cost does not. The market for these kind of security devices is tiny right now but has the potential to be huge in the future. It would make sense for Google to sell their hardware at the lowest price they can in order to get people on board, after which network effects will ensure people stick with Google's services.

kilo_bravo_37y ago

When selling hardware, unless you are extraordinarily dominant in a very large and highly competitive market (television manufacturing), care only about marketshare (lower-tier smartphone manufacturers), or have another revenue stream (game console sellers) generally speaking you should target 3x BOM as your final retail price at an absolute minimum.

That's just for hunks of plastic. For complex (not a hunk of injected-molded plastic) devices with high non-BOM costs, you should be targeting 4x-5x at a minimum.

Also, the 3x-5x rule is for bare-bones lean operations. If you actually want to make money, compensate your employees well, practice good environmental stewardship in the construction of your products, use a manufacturer that treats its employees with respect, and have a healthy business where you are prepared to weather future changes in the market, your BOM costs should be LESS THAN 20% of the MSRP.

The model is also different if you are a Shenzhen ripoff factory dumping goods onto the market through Marketplace Sellers or Drop-Shippers. But that is not a model compatible with long-term prosperity or worker satisfaction.

jiveturkey7y ago

the secure element alone is $5 at million quantity

michaelt7y ago

Do you think the chips they put inside smart cards and SIM cards cost that much?

spuz7y ago

That's a lot! Where did you get that information?

therealmarv7y ago· 7 in thread

1. why not going from usb-c to usb A with adapter than the other way round (this laptop photo looks so ugly with the usb-c->usb A adapter).

2. this link does not work outside US

fredley7y ago

Can't see the page, but that there is not a USB C variant is bonkers. All Google engineers I know use mac devices.

mikelward7y ago

Most of the Google engineers I know use Chromebooks and Linux laptops. Most Chromebooks also only have USB C.

jrockway7y ago

I use a Mac at work. It has 0 USB Type C ports.

The only computer I own that has a USB Type C port is my homebuilt desktop, and it's on the back, and I don't think the Windows driver actually works.

2 more replies

ryukafalz7y ago

>why not going from usb-c to usb A with adapter than the other way round

To my knowledge there are no such adapters that are compliant with the USB spec.

therealmarv7y ago

interesting, first time I hear that. There are definitely such adapters available on the market. So they are all violating the spec?

2 more replies

desdiv7y ago

This link should work everywhere:

https://store.google.com/us/product/titan_security_key_kit?h...

psychometry7y ago

Or just sell both form factors. Even if they sold a USB-C version, though, it's not really useless for all of us poor schmucks who are using Macbooks with only two ports.

sschueller7y ago· 7 in thread

I only see Chromecast and Chromecast Audio on this page.

desdiv7y ago

Same here.

Use this link to force-redirect to the US product page: https://store.google.com/us/product/titan_security_key_kit?h...

(mods, can we please change the story URL to the above one? It should show the correct item globally and thus leaving less people confused.)

buzer7y ago

Likely US only. I can access the page via https://store.google.com/us/product/titan_security_key_kit, but ordering would likely require US address.

squaredpants7y ago

US only, it seems.

ktta7y ago

Here's a wayback machine link: http://web.archive.org/web/20180830111650/https://store.goog...

jeeva7y ago

UK, same issue. Possibly only available on the US store, or similar?

breakingcups7y ago

I don't see them either, it might be region-bound.

pjmlp7y ago

Also not visible in Germany.

steven20127y ago· 6 in thread

I would prefer one from Apple. I don't trust Google as much as I do Apple, simply because I know they don't make money from my data. The fact that the FBI couldn't get into an iPhone makes me trust Apple much more. If I start using this Google key, I'm not sure how far in bed they are with the government and if they can crack my accounts.

guessmyname7y ago

I would prefer one from Apple as well, but mostly because my laptop (which was built by Apple) only has USB-C ports, so carrying an USB-A adapter, like the one shown in the picture [1], would be a deal breaker for me and many others. Something like the YubiKey 4C Nano [2] would be good.

[1] https://i.imgur.com/79ojvAK.jpg

[2] https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-...

jonahhorowitz7y ago

If you're clever about it, you can do U2F using the secure enclave built into touchID. You don't even need a separate device.

1 more reply

toyg7y ago

Isn't it incredibly risky to leave it in-port? If the laptop is stolen, the thief also gets all your logins...

1 more reply

craftkiller7y ago

> The fact that the FBI couldn't get into an iPhone

You sure about that?

1. FBI unlocks iPhone without Apple's help

2. Snowden documents show 100% success rate against iPhones

3. Graykey device to break into iPhones

[1] https://www.npr.org/sections/thetwo-way/2016/03/28/472192080...

[2] https://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-rep...

[3] https://blog.malwarebytes.com/security-world/2018/03/graykey...

dirkgently7y ago

And here they are. Every time. Without fail. Without any data to backup FUD. The Apple fanbois. The Google haters.

antpls7y ago

We don't know if or when the FBI will be able to crack iPhones. There are news (maybe fake) on the internet about a machine that can be plugged into iPhones and dump data from it, and that machine is only sold to thieves or gov agencies.

When you look at the recent clashes with Google and the gov, for example stopped military project or Trump accusing Google of political bias, it doesn't seem Google is "in the same bed" than the gov.

To me, both Apple and Google are good trustable and competent entities. They both have high standards. I personally trust Google more about data security, but I guess everyone is different.

scrrr7y ago· 5 in thread

Isn't this the same as a code app like Authy? Why carry the extra dongle?

pg_bot7y ago

While both handle two factor authentication, Authy only assists with time based one time passwords (TOTP) which still leaves the end user open to phishing. These security keys are meant to be used with universal second factor (U2F) which prevents phishing entirely.

https://en.wikipedia.org/wiki/Time-based_One-time_Password_a...

https://en.wikipedia.org/wiki/Universal_2nd_Factor

matharmin7y ago

Similar use case (2FA), but different implementation.

Instead of typing in a code, you press a button. It also protects against phishing by validating the URL of the site you're authenticating on (with a code-based 2FA you can still enter your code on a phishing site, which then forwards it to the real one).

m_eiman7y ago

There are apps that also validate the source and can automatically sign you in (or require a button press), e.g. https://www.kryptco.com

Seems like it might be useful, but haven't had the time to try it out yet.

1 more reply

scrrr7y ago

Good reasons, thanks!

ZiiS7y ago

An app has a much larger attack surface (for instance from malware on the phone). TOTP has to use short easy to enter codes (six digit numbers), Titan is doing a full handshake using modern cryptography with sensable key lengths. In many use cases pushing the button on the key is quicker/easier then using the app.

amelius7y ago· 5 in thread

Can I use it for my bank too?

jrockway7y ago

Vanguard lets you use a security key as a second factor. It is the only finance-related website I've ever seen that does so. (And it's probably because Google made them, as that's where my Google 401k was.)

the-peter7y ago

Vanguard? That's a laugh. There's a link on the login page "I don't have my device with me, send me an SMS instead". This cannot be disabled.

moviuro7y ago

Haha, probably not[0].

[0] https://twofactorauth.org/#banking

mkj7y ago

Maybe in a few years time

Postosuchus7y ago

Not really if your bank doesn't support U2F and/or TOTP.

nikolay7y ago· 3 in thread

"Available" just like Google One is? I hate when people make things "available" this way! Don't they know the meaning of the word?!

jamesgeck07y ago

That's on the person who submitted, not Google. The word "available" doesn't appear on the page in regards to this product.

nikolay7y ago

I already gave my email to Google that I'm interested and now I need to be added to yet another waiting list? What's the point? All this buzz is actually hurting Google as people become aware of these products and services and because Titan is not immediately available, they will end up with alternatives such as YubiKey.

nikolay7y ago

And, for the record, Google sent me an email that Google One is available, but it is not.

jameskegel7y ago· 3 in thread

How would Google Titan improve the 2F experience for someone who already uses a dongle-key device like a Yubikey, for example?

amingilani7y ago

It won't. Stick with what you have, it's essentially a bundle to help non-U2F owners start with their Advanced Protection Program.

1 more reply

ecesena7y ago

It's pretty much the same.

One of these keys has bluetooth so it also works with iphone without any cable.

amingilani7y ago

The Feitan key's Bluetooth works with Android and iPhone but it won't work with your Mac or Windows. I own one, that bit was an unexpected pain for me.

1 more reply

locusm7y ago· 3 in thread

What does this offer over Yubi?

ekingr7y ago

The wireless one has Bluetooth - which is the only way to go on iOS for now.

carc1n0gen7y ago

You may be interested in some yubikey iOS news that came out in may https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-...

1 more reply

stephengillie7y ago

How secure is Bluetooth - how do we know snoopers aren't stealing keys wirelessly?

2 more replies

throwawaymath7y ago· 3 in thread

Am I correct in my understanding that this will only work for Google devices? It states that, but at least for the physical U2F key I don’t see why that wouldn’t also work on a non-Google device.

EDIT: Revisting, it states anything running Google Chrome should also work. So I guess macOS should be fine, what about iOS?

Ded7xSEoPKYNsDd7y ago

(I got these at a Google thing at DEF CON.) Both work with Firefox on Linux, without any Google software. Haven't yet found non-Google software on Android (Lineage) that can talk to them.

__float7y ago

I asked at DEF CON about these, but they said they were not the same as the Titan. Hardware looks to be the same, but they may not have the Titan firmware, but rather the original Feitian one. I...don't actually know how to verify that claim though.

dgacmu7y ago

The Bluetooth one works for iOS. I'm not sure about connecting a USB one in some way - haven't tried.

amelius7y ago· 2 in thread

Nice for humans, but these dongles don't solve the problem of automated background services having to log in to machines to complete their tasks. How do people solve this problem?

moviuro7y ago

Per-purpose passwords. https://support.google.com/accounts/answer/185833?hl=en

Per-purpose users (with very limited rights) on machines, inside per-purpose VMs (with very limited network if any)... etc.

jrockway7y ago

A persistent token like OAuth. Generally, you want these to be time-limited, scope-limited, and traceable to a human (probably issued by touching a security key).

Part of the idea behind the security key is to prove that a human is requesting access and that is why there is a button to press. If your application is designed to give privileges to robots, then a security key is completely orthogonal to that.

Postosuchus7y ago· 2 in thread

The store page sucks balls - no details whatsoever!

Does anyone know how these keys could be used for TOTP? In case of Yubikey one could use an app which effectively acted as a proxy between the TOTP-based system and a hardware key. Does the Google key support the same functionality?

anilakar7y ago

These devices don't have a real-time clock, so TOTP is out of the question. A Yubikey by itself is incapable of doing TOTP, too – it just acts as a hardware authenticator for the actual password generator. HOTP/counter mode doesn't have this requirement.

helper7y ago

Yubikey does support storing TOTP secrets. It requires you use their app (desktop or android) which then provides the time component.

Operyl7y ago· 1 in thread

Are both keys configured with the same underlying keys?

  Each key bundle comes with a physical USB security key and a Bluetooth security key—one for your primary use and one for safe keeping.

suprfsat7y ago

Each key is unique. You add both of them to your account.

h8trswana87y ago· 1 in thread

It’s so big. Couldn’t they have come up with a more subtle form factor?

craftyguy7y ago

TBF, it does have 'titan' in the name.

anilakar7y ago· 1 in thread

Is it possible to use the Bluetooth dongle with a desktop computer without a cable? Having to carry both on your keyring kind of defeats the purpose, because even Google's own guidelines tell you to store one in a safe place and keep the other one in daily use.

hesdeadjim7y ago

Yea I was wondering this too.

kennydude7y ago· 1 in thread

Is that a dongle to use it on the surface-style-thing? Whyyyyyyy

dewey7y ago

It's a USB C Adapter

ekingr7y ago

The description doesn't say if the keys are compatible with FIDO2 / Webauthn, which seem to be the new standard superseding FIDO (namely with password-less and multi-factor auth). It would be disappointing if not...

zaarn7y ago

For 50$ I don't really see the point in this, Yubikey already asks this much.

I'll probably wait out for the FIDO2 upgrade on the u2fzero...

amingilani7y ago

Question for Advanced Protection and Mac users.

Have you managed to authenticate your Google account with your U2F keys on your Mac?

If you have, please help the rest of us out, I get an error:

> You can only use your Security Keys with Google Chrome.

Here's a StackExchange question for some karma: https://apple.stackexchange.com/questions/327491/how-do-i-us...

alecbenzer7y ago

What's the summary on how security keys compare to Google's tap-to-sign-in flow? https://support.google.com/accounts/answer/7026266?co=GENIE....

grepthisab7y ago

Pretty cool, I like that it comes with two keys at the start so you have a backup, unlike Yubi where I have to buy two before I can even get started in earnest. Still living the dongle life though, but it appears to come with its own usb a -> c adapter at least.

Demoneeri7y ago

Excuse my ignorance (I'm trying to understand by googling). I know it's not the same technology but is it the same concept (public/private key) as for example the Estonian government uses for identity and accessing government services?

mitchtbaum7y ago

I would rather use something like this: https://www.thingiverse.com/thing:1970583

Thriptic7y ago

Is it possible to set up advanced protection on the ipad using the camera adapter and a yubikey, or a bluetooth key required?

extrapolate7y ago

Anyone able to actually purchase one? I'm just seeing a "Join waitlist" button.

johntash7y ago

Just to make sure.. these don't provide GPG/PGP smartcard support, right?

estomagordo7y ago

Is it sort of a ubikey?

meanmartine7y ago

Yeah, no thanks

floor_7y ago

The countdown starts and runs until some 12 year old breaks it wide open.

j / k navigate · click thread line to collapse

139 comments

101 comments · 30 top-level

Someone12347y ago· 11 in thread

The wireless key is the "Feitian MultiPass FIDO Security Key" I'd caution people to read the Amazon reviews (specifically people found it unreliable and it would break if dropped/roughly handled).

They both seem to be re-branded Feitian, which cost less ($25 + $17 = $42) when purchased under that brand from Amazon than the Google Titan moniker.

amelius7y ago

Given the recent amount of reports of counterfeiting on Amazon (not specifically this product), I'd buy my security keys elsewhere.

Fnoord7y ago

That does not make sense in this case.

[1] https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/d...

1 more reply

frockington7y ago

I assume everything on Amazon is a counterfeit and plan accordingly. Have you heard anything about Walmart? They have free two day shipping and I haven't heard any counterfeit horror stories (yet)

1 more reply

rahimnathwani7y ago

"Firmware for Titan Security Keys is engineered by Google, to verify the key’s integrity."

Someone12347y ago

That won't resolve many of the negative reviews of the MultiPass key, since they're complaints over the physical design and usage.

1 more reply

ecesena7y ago

I suspect these keys will be FIDO2, so even if they look the same, even Feitian might raise up its prices a little bit supporting the new standard. I don't know, just guessing.

Also, in Google's $50 there are also 2 cables usb-a2c and c2a. I guess they decided to go the way of the complete package with all you may need.

ecesena7y ago

BTW, we're working on an open source FIDO2 security key, Solo.

We're having a kickstarter soon, and if you're interested you can join the waiting list at https://solokeys.com/

mehrdada7y ago

I don't think this is true. Titan seems to be an in-house project. Are you basing this assumption on anything but the exterior looks?

amingilani7y ago

Someone12347y ago

https://www.ftsafe.com/article/563.html

2 more replies

stephengillie7y ago

Feitan > Titan

It's only a syllable away.

spuz7y ago· 10 in thread

16bytes7y ago

Yubikeys are about the same cost:

https://www.yubico.com/product/yubikey-4-series/

What makes you think that the cost to produce the hardware is less than $10? And what reason would companies have to offer keys below cost?

michaelt7y ago

The open-source U2F Zero claims ~$3 of parts and a ~$2 PCB [1] ordering a single unit. Making a large volume, that price is only going to come down.

[1] https://github.com/conorpp/u2f-zero [2] https://www.amazon.com/SanDisk-Cruzer-Low-Profile-Drive-SDCZ...

1 more reply

MikeKusold7y ago

The Yubikey 4 also provide more functionality such as PGP.

This is more like the Yubikey Security Key ($20): https://www.yubico.com/product/security-key-by-yubico/#secur...

spuz7y ago

[1]http://amzn.eu/d/bMowBkS

sowbug7y ago

You are a web developer. Do you place any value on the cost of developing software?

spuz7y ago

kilo_bravo_37y ago

That's just for hunks of plastic. For complex (not a hunk of injected-molded plastic) devices with high non-BOM costs, you should be targeting 4x-5x at a minimum.

jiveturkey7y ago

the secure element alone is $5 at million quantity

michaelt7y ago

Do you think the chips they put inside smart cards and SIM cards cost that much?

spuz7y ago

That's a lot! Where did you get that information?

therealmarv7y ago· 7 in thread

1. why not going from usb-c to usb A with adapter than the other way round (this laptop photo looks so ugly with the usb-c->usb A adapter).

2. this link does not work outside US

fredley7y ago

Can't see the page, but that there is not a USB C variant is bonkers. All Google engineers I know use mac devices.

mikelward7y ago

Most of the Google engineers I know use Chromebooks and Linux laptops. Most Chromebooks also only have USB C.

jrockway7y ago

I use a Mac at work. It has 0 USB Type C ports.

The only computer I own that has a USB Type C port is my homebuilt desktop, and it's on the back, and I don't think the Windows driver actually works.

2 more replies

ryukafalz7y ago

>why not going from usb-c to usb A with adapter than the other way round

To my knowledge there are no such adapters that are compliant with the USB spec.

therealmarv7y ago

interesting, first time I hear that. There are definitely such adapters available on the market. So they are all violating the spec?

2 more replies

desdiv7y ago

This link should work everywhere:

https://store.google.com/us/product/titan_security_key_kit?h...

psychometry7y ago

Or just sell both form factors. Even if they sold a USB-C version, though, it's not really useless for all of us poor schmucks who are using Macbooks with only two ports.

sschueller7y ago· 7 in thread

I only see Chromecast and Chromecast Audio on this page.

desdiv7y ago

Same here.

Use this link to force-redirect to the US product page: https://store.google.com/us/product/titan_security_key_kit?h...

(mods, can we please change the story URL to the above one? It should show the correct item globally and thus leaving less people confused.)

buzer7y ago

Likely US only. I can access the page via https://store.google.com/us/product/titan_security_key_kit, but ordering would likely require US address.

squaredpants7y ago

US only, it seems.

ktta7y ago

Here's a wayback machine link: http://web.archive.org/web/20180830111650/https://store.goog...

jeeva7y ago

UK, same issue. Possibly only available on the US store, or similar?

breakingcups7y ago

I don't see them either, it might be region-bound.

pjmlp7y ago

Also not visible in Germany.

steven20127y ago· 6 in thread

guessmyname7y ago

[1] https://i.imgur.com/79ojvAK.jpg

[2] https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-...

jonahhorowitz7y ago

If you're clever about it, you can do U2F using the secure enclave built into touchID. You don't even need a separate device.

1 more reply

toyg7y ago

Isn't it incredibly risky to leave it in-port? If the laptop is stolen, the thief also gets all your logins...

1 more reply

craftkiller7y ago

> The fact that the FBI couldn't get into an iPhone

You sure about that?

1. FBI unlocks iPhone without Apple's help

2. Snowden documents show 100% success rate against iPhones

3. Graykey device to break into iPhones

[1] https://www.npr.org/sections/thetwo-way/2016/03/28/472192080...

[2] https://www.forbes.com/sites/erikkain/2013/12/30/the-nsa-rep...

[3] https://blog.malwarebytes.com/security-world/2018/03/graykey...

dirkgently7y ago

And here they are. Every time. Without fail. Without any data to backup FUD. The Apple fanbois. The Google haters.

antpls7y ago

When you look at the recent clashes with Google and the gov, for example stopped military project or Trump accusing Google of political bias, it doesn't seem Google is "in the same bed" than the gov.

To me, both Apple and Google are good trustable and competent entities. They both have high standards. I personally trust Google more about data security, but I guess everyone is different.

scrrr7y ago· 5 in thread

Isn't this the same as a code app like Authy? Why carry the extra dongle?

pg_bot7y ago

https://en.wikipedia.org/wiki/Time-based_One-time_Password_a...

https://en.wikipedia.org/wiki/Universal_2nd_Factor

matharmin7y ago

Similar use case (2FA), but different implementation.

m_eiman7y ago

There are apps that also validate the source and can automatically sign you in (or require a button press), e.g. https://www.kryptco.com

Seems like it might be useful, but haven't had the time to try it out yet.

1 more reply

scrrr7y ago

Good reasons, thanks!

ZiiS7y ago

amelius7y ago· 5 in thread

Can I use it for my bank too?

jrockway7y ago

the-peter7y ago

Vanguard? That's a laugh. There's a link on the login page "I don't have my device with me, send me an SMS instead". This cannot be disabled.

moviuro7y ago

Haha, probably not[0].

[0] https://twofactorauth.org/#banking

mkj7y ago

Maybe in a few years time

Postosuchus7y ago

Not really if your bank doesn't support U2F and/or TOTP.

nikolay7y ago· 3 in thread

"Available" just like Google One is? I hate when people make things "available" this way! Don't they know the meaning of the word?!

jamesgeck07y ago

That's on the person who submitted, not Google. The word "available" doesn't appear on the page in regards to this product.

nikolay7y ago

And, for the record, Google sent me an email that Google One is available, but it is not.

jameskegel7y ago· 3 in thread

How would Google Titan improve the 2F experience for someone who already uses a dongle-key device like a Yubikey, for example?

amingilani7y ago

It won't. Stick with what you have, it's essentially a bundle to help non-U2F owners start with their Advanced Protection Program.

1 more reply

ecesena7y ago

It's pretty much the same.

One of these keys has bluetooth so it also works with iphone without any cable.

amingilani7y ago

The Feitan key's Bluetooth works with Android and iPhone but it won't work with your Mac or Windows. I own one, that bit was an unexpected pain for me.

1 more reply

locusm7y ago· 3 in thread

What does this offer over Yubi?

ekingr7y ago

The wireless one has Bluetooth - which is the only way to go on iOS for now.

carc1n0gen7y ago

You may be interested in some yubikey iOS news that came out in may https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-...

1 more reply

stephengillie7y ago

How secure is Bluetooth - how do we know snoopers aren't stealing keys wirelessly?

2 more replies

throwawaymath7y ago· 3 in thread

Am I correct in my understanding that this will only work for Google devices? It states that, but at least for the physical U2F key I don’t see why that wouldn’t also work on a non-Google device.

EDIT: Revisting, it states anything running Google Chrome should also work. So I guess macOS should be fine, what about iOS?

Ded7xSEoPKYNsDd7y ago

(I got these at a Google thing at DEF CON.) Both work with Firefox on Linux, without any Google software. Haven't yet found non-Google software on Android (Lineage) that can talk to them.

__float7y ago

dgacmu7y ago

The Bluetooth one works for iOS. I'm not sure about connecting a USB one in some way - haven't tried.

amelius7y ago· 2 in thread

Nice for humans, but these dongles don't solve the problem of automated background services having to log in to machines to complete their tasks. How do people solve this problem?

moviuro7y ago

Per-purpose passwords. https://support.google.com/accounts/answer/185833?hl=en

Per-purpose users (with very limited rights) on machines, inside per-purpose VMs (with very limited network if any)... etc.

jrockway7y ago

A persistent token like OAuth. Generally, you want these to be time-limited, scope-limited, and traceable to a human (probably issued by touching a security key).

Postosuchus7y ago· 2 in thread

The store page sucks balls - no details whatsoever!

anilakar7y ago

helper7y ago

Yubikey does support storing TOTP secrets. It requires you use their app (desktop or android) which then provides the time component.

Operyl7y ago· 1 in thread

Are both keys configured with the same underlying keys?

  Each key bundle comes with a physical USB security key and a Bluetooth security key—one for your primary use and one for safe keeping.

suprfsat7y ago

Each key is unique. You add both of them to your account.

h8trswana87y ago· 1 in thread

It’s so big. Couldn’t they have come up with a more subtle form factor?

craftyguy7y ago

TBF, it does have 'titan' in the name.

anilakar7y ago· 1 in thread

hesdeadjim7y ago

Yea I was wondering this too.

kennydude7y ago· 1 in thread

Is that a dongle to use it on the surface-style-thing? Whyyyyyyy

dewey7y ago

It's a USB C Adapter

ekingr7y ago

zaarn7y ago

For 50$ I don't really see the point in this, Yubikey already asks this much.

I'll probably wait out for the FIDO2 upgrade on the u2fzero...

amingilani7y ago

Question for Advanced Protection and Mac users.

Have you managed to authenticate your Google account with your U2F keys on your Mac?

If you have, please help the rest of us out, I get an error:

> You can only use your Security Keys with Google Chrome.

Here's a StackExchange question for some karma: https://apple.stackexchange.com/questions/327491/how-do-i-us...

alecbenzer7y ago

What's the summary on how security keys compare to Google's tap-to-sign-in flow? https://support.google.com/accounts/answer/7026266?co=GENIE....

grepthisab7y ago

Demoneeri7y ago

mitchtbaum7y ago

I would rather use something like this: https://www.thingiverse.com/thing:1970583

Thriptic7y ago

Is it possible to set up advanced protection on the ipad using the camera adapter and a yubikey, or a bluetooth key required?

extrapolate7y ago

Anyone able to actually purchase one? I'm just seeing a "Join waitlist" button.

johntash7y ago

Just to make sure.. these don't provide GPG/PGP smartcard support, right?

estomagordo7y ago

Is it sort of a ubikey?

meanmartine7y ago

Yeah, no thanks

floor_7y ago

The countdown starts and runs until some 12 year old breaks it wide open.

j / k navigate · click thread line to collapse