Titan Security Key Explained

Titan Security Key
Manufacturer: Yubico
Design firm: Google
Introduced: October 15, 2019
Color: White

The Titan Security Key is a FIDO-compliant security token developed by Google. It contains the Titan M cryptoprocessor, which was also developed by Google. It was first released on October 15, 2019.[1]

Features

Depending on the features, the key costs $25-$35, but Google has provided keys for free to high-risk users.[2] It is considered a more secure form of multi-factor authentication for logging in to first-party and third-party services and for enrolling in Google's Advanced Protection Program. In 2021, Google removed the Bluetooth model due to concerns about its security and reliability.[3]

In November 2023, Google announced a model with passkey support.[4]

Vulnerabilities

The Bluetooth "T1" and "T2" models initially had a security bug that allowed anyone within 30 feet to make a clone of the key.[5] The security firm NinjaLab was able to extract the key using a side-channel attack.[6] In 2019, Google offered a bug bounty of up to US$1.5 million on the Titan chip.[7]

Newer versions and model numbers include:[8]

1. USB-A/NFC (K9T)

2. Bluetooth/NFC/USB (K13T)

3. USB-C/NFC (YT1)

4. USB-C/NFC supporting U2F and FIDO2 (K40T)

While none of these had publicly disclosed security vulnerabilities, Google discontinued sales of the Bluetooth versions of the keys in August 2021,[9] although Bluetooth keys continue to work and their warranties are honored.[10]

Notes and References

  1. "USB-C Titan Security Keys - available tomorrow in the US". Google Online Security Blog. Retrieved 2022-02-03.
  2. Page, Carly (2021-10-08). "Google to give security keys to ‘high risk’ users targeted by government hackers". TechCrunch. Retrieved 2021-10-09.
  3. Clark, Mitchell (2021-08-09). "Google’s new Titan security key lineup won’t make you choose between USB-C and NFC". The Verge. Retrieved 2022-02-04.
  4. Newman, Lily Hay (2023-11-15). "Google’s New Titan Security Key Adds Another Piece to the Password-Killing Puzzle". Wired. ISSN 1059-1028.
  5. Khalid, Amrita (2019-05-15). "Google recalls some Titan security keys after finding Bluetooth vulnerability". Engadget. Retrieved 2022-02-03.
  6. Goodin, Dan (2021-01-08). "Hackers can clone Google Titan 2FA keys using a side channel in NXP chips". Ars Technica. Retrieved 2021-10-09.
  7. Porter, Jon (2019-11-21). "Google really wants you to hack the Pixel’s Titan M security chip". The Verge. Retrieved 2021-10-09.
  8. "Safety & Warranty Guides for Google Titan Security Key (Prior Versions)". Google Support. Google. Retrieved 31 December 2022.
  9. Brand, Christiaan. "Simplifying Titan Security Key options for our users". Google Online Security Blog. Google. Retrieved 31 December 2022.
  10. Kovacs, Eduard. "Google Discontinuing Bluetooth Titan Security Key". securityweek.com. Security Week. Retrieved 31 December 2022.