The product is labeled as being “Produced in China,” meaning, like many consumer electronics, that the security key is manufactured there. Some security experts, such as Adam Meyers at the security firm CrowdStrike, who was interviewed by The Information, say that having production overseas leaves Google open to infiltration by hackers or even the Chinese government during the assembly process.
Google has said that the hardware that provides the keys' security is sealed before it heads to the manufacturer to guard against supply chain attacks. The company declined to comment further.
To use Google's key, you first register it with your Google account or another supported service so that it acts as a second security backstop when you log in. After you enter your user name and password, you’ll be asked to press a button on your key to show that it’s really you. It's basically a physical version of what's called two-factor authentication, which uses two different steps to verify your identity.
Many companies, including Google, offer a couple of ways to add this extra step for security reasons, such as requiring users to enter a code from an app or a text message in addition to their password. But those codes, particularly when sent over text message, can be intercepted by a determined hacker. A key's signal can't be intercepted as easily because it works only at short range.
Some companies have been using security tokens or keys for years, most notably the “SecurID” system invented in 1993 and eventually bought by RSA and marketed to businesses that deal with sensitive information. As more of our lives have moved online, keys have found some popularity among the more security-conscious worried about weaknesses in other two-factor systems.
Google has tested the key with its 85,000 employees and said in a blog post that there has not been a successful phishing attack at Google since the company started using the process.
In addition to a Google account, the Titan key should work with Dropbox, Facebook, Twitter, Salesforce, Bank of America and any other account that uses the same security standard, which is called FIDO — short for Fast Identity Online. You can see a list of companies that use this standard on the FIDO Alliance website.
Getting a physical key is a high-security step to take, and many people may find it complicated. It may not be a must-have for everyone. But it’s not an unreasonable step to take, considering how much information we all keep online.
Those who buy the Titan key should protect it like any other key they own. If you should lose it, as with any other key, replacement will be a pain and could leave you locked out for a couple of days.
Google's Titan security key costs $50 and is available only in the United States.