Google Titan vs. Yubikey 5: What’s different and which shou…


Google’s Titan Security Key Bundle has the power of Google behind it to keep your Google account safe from phishing attacks as well as offer outstanding 2FA through the FIDO standard. The downside is that they’re made in China and not available everywhere.

$50 at Google

Pros

  • Bluetooth capable
  • Adapts for USB A and USB C
  • Google Titan secure element
  • Advanced phishing protection

Cons

  • Made in China
  • Expensive
  • NFC not enabled

The second generation Yubico key is cheap and works great — as long as you have a USB type-A port to plug it into. That means it’s probably not going to work with your phone or your tablet.

$20 at Amazon

Pros

  • U2F and FIDO2 support
  • Made in USA
  • Inexpensive

Cons

  • No wireless support
  • USB A only

It’s great to see more companies offering 2FA (Two-Factor Authentication) hardware keys, and the release of the FIDO2 standard is great news for us all — it will lead to the end of the password eventually. Yubico has been the pioneer in this sector and many of us use Yubico keys every day. They’re perfect for every laptop or desktop PC, and older models with NFC work great for Android phones.

Google Titan is the new kid on the block but it’s got a set of features that make it a great choice, especially for mobile. The bundle is more expensive, but you get a basic key like the Yubico and a wireless key that can use Bluetooth to authenticate. That makes it the only key you should ever use with an iPhone or iPad.

What you need to know

There are three differences here to consider (outside of the price): connectivity, trust, and the FIDO2 standard.

                   Google Titan   Yubico 2
Wireless support   Yes            No
Origin             China          USA
FIDO2 support      No             Yes

FIDO2 is a new standard that offers the same secure 2FA capabilities we’re used to seeing with the original FIDO (Fast IDentity Online) standard. You can read more about FIDO and FIDO2 here, but according to Yubico — a core contributor to FIDO2 — here’s the gist of it:

FIDO2 offers expanded authentication options including strong single factor (passwordless), strong two factor, and multi-factor authentication. With these new capabilities, the YubiKey can entirely replace weak static username/password credentials with strong hardware-backed public/private-key credentials. These credentials cannot be reused, replayed, or shared across services, and are not subject to phishing and MiTM attacks or server breaches.

FIDO2 is the future and will one day, hopefully, make a username and password obsolete. There are many companies working with the FIDO Alliance to push FIDO2 adoption, and it’s a thing you should want. But it’s not yet a thing you need.

Google does things differently, as they are prone to doing. Instead of using the FIDO2 standard to prevent MiTM (Man in The Middle) attacks and password phishing, the Titan firmware allows the URL of the requesting page to be sent along with the request. This makes sure that you’re really logging into the page you think you’re logging into. Right now this only works for Google sites and services, but it’s foolproof.
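Why sending the requesting page's origin along with the signed request stops a look-alike login page, as an added illustration (not code from this article, Google or Yubico). The `ToyKey` and `Server` classes and the `example.test` origins are constructed for the example, and HMAC stands in for the key's public-key signature so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://accounts.example.test"  # constructed relying-party origin

class ToyKey:
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, browser_origin, challenge):
        # The origin comes from the browser, not from the page's own claims.
        # Assumption: HMAC stands in for the hardware key's signature.
        fields = {"origin": browser_origin, "challenge": challenge}
        client_data = json.dumps(fields, sort_keys=True).encode()
        tag = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        return client_data, tag

class Server:
    def __init__(self, registered_secret):
        self.secret = registered_secret
        self.pending = set()

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, tag):
        expected = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad signature"
        data = json.loads(client_data)
        if data["challenge"] not in self.pending:
            return "unknown or replayed challenge"
        self.pending.discard(data["challenge"])  # each challenge is single use
        if data["origin"] != RP_ORIGIN:
            return "origin mismatch"
        return "ok"

def demo():
    key = ToyKey()
    server = Server(key.secret)
    good = key.sign(RP_ORIGIN, server.new_challenge())
    # A look-alike page relays a real challenge; the browser reports its origin.
    phish = key.sign("https://accounts.example-login.test", server.new_challenge())
    tampered = (phish[0].replace(b"example-login", b"example"), phish[1])
    return [server.verify(*good), server.verify(*good),
            server.verify(*phish), server.verify(*tampered)]
```

`demo()` returns one verdict each for a genuine login, a replay of that same response, a response relayed from the look-alike origin, and that relayed response with its origin field edited after signing.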

The Google Smartlock app on iPhone X.

Bluetooth support is important but can be a security risk as Yubico is quick to point out. Bluetooth could be compromised by a MiTM attack that could get the session token, but the attacker would need to be right beside you. On the other hand, Bluetooth support is a must if you want to use a security key with iOS. For a key that’s to be used for mobile, it’s definitely needed.

A final bit of contention is the origin of manufacture. China is a lovely country filled with awesome people. But when it comes to security and security-related products, seeing China as the place of manufacture isn’t ideal, as the government and certain companies have been caught implanting “spyware” into products. That’s not tinfoil hat talk, either, it’s a real thing. Seeing Google’s Titan Keys manufactured in China bothers some people. In this case, though, there’s a difference.

Google writes the firmware and flashes it to the secure element and chip for each and every key themselves in the USA. These pre-programmed chips are sent to the manufacturer to be used for both models. These chips can only be written to once, and without the right firmware, they are inoperable. In other words, nobody is messing with the firmware on the Titan keys.

I love the simplicity and price of the Yubico key and have several of my own. I use them every day at my desktop, a MacBook Pro, and a Chromebook or two. But since the world is moving towards mobile, I’d have to recommend Google’s Titan keys right now. They don’t support FIDO2, but until it sees greater adoption that’s not a big enough drawback to make me lose the wireless option.

Made by Google


Titan Security Key Bundle

Designed for mobile by the company that knows mobile

While FIDO2 support is absent, the Google Titan Security Key Bundle does one thing flawlessly — works with your phone or tablet. In a perfect world we wouldn’t need to care about security, but in this world we do. The Titan key makes it easier for everyone with a smartphone.

U2F and FIDO2


Yubico Security Key

Yubico’s new generation of security keys is ready for the future with FIDO2 support, but the USB Type-A connection here means it’s not going to work with most phones.

Yubico does make USB Type-C keys with FIDO2 support, but they aren’t yet widely available. You can see all the options at Yubico’s website.
