Google Titan Security Key and the Advanced Protection Program

Google Titan Security Key and the Advanced Protection Program

– So maybe I’m just
getting a lot more paranoid as I get older or maybe it’s because my kids are now old enough to use phones or maybe it’s because we can’t go a day without hearing about some
website getting hacked. But I’ve been thinking a lot more about online security lately and basically how it’s kind
of backwards and broken for so many people. But I was really intrigued
by this headline recently. It said out of Googles 85
thousand some-odd employees, not a single one had been phished. Their accounts had not been compromised since they moved to using these. Physical hardware security keys. So their accounts are safe. I want my account to be safe. I want my kids accounts to be safe. So I went down a pretty deep rabbit hole. I’ve turned on Google’s
advanced protection program for my person Google account and that’s Google’s strongest
consumer level system that requires these hardware keys to work. So what are they? What can they do? How do you use them? Hang on, we’re gonna
have to get in the weeds just a little bit here. We’re gonna talk about hardware keys, we’re gonna talk about
advanced protection, and we’re gonna talk about
Google’s brand new Titan key. Yeah, we’re gonna nerd out a little. Here we go. (playful music) All right, first things first, Let’s talk about what the
hell I’m talking about. So look, we all know passwords, okay, and we all know that we should be using strong unique passwords. We all know that we should
be using password managers for those strong unique passwords and if you’re not doing
that already, go do it. I’ll wait. All right, good, you’re back. And we all also know about
two-factor authentication. That’s a second password
after your password but here’s the thing, it’s possible for someone to
hijack your text messages. It’s possible for them to
get into your phone account. It’s possible for them to intercept the one-time passwords you
get via an authenticator app. This isn’t necessarily tinfoil hat stuff I’m talking about, okay. I mean yeah, if you’re a target, it’s a lot more likely that
someone’s gonna try to fish you because that’s spearfishing but it’s also possible
that you could just blunder across a bad link that somebody sent you or you just didn’t know it and that’s why this
stuff is also important. And so, more secure than text messages and authenticator apps are
these physical hardware keys. So what are they? Look they’re little USB sticks. They look like thumb drives, yeah. And the way it works is this. You take your key and you
stick it in the computer and you register it with whatever service it is you’re using, Twitter and Facebook are two. Dropbox is another really good one. Google, obviously. Not every website and
service out there uses them. I really wish they did. There’s a good website
to use They have a huge database telling you what forms of two-factor
authentication websites use and whether or not they
take hardware keys. So I use my password, I stick this in the computer, I give it a little tap and that’s it. I’m logged in. Now there are several kinds of these physical hardware keys, okay. There’s this normal little USB type which is nice and easy and small, you can keep it on a keychain if you want or stash one in a drawer or a
safety deposit box or wherever as a backup. That’s not a bad idea but remember the more these you have laying around with your credentials on them the more it’s possible for somebody to get a hold of it, right? Trade-offs. Phil what about my phone? Well, okay, you have keys, little USB keys that also have NFC chips in them or you have these larger
fobs that have to be charged but they have little
Bluetooth radios in them and those work, as well. In fact, they work with the iPhone which doesn’t have wide open
NFC until iOS 12 comes out. Really, when it comes
to the keys themselves, there’s, kind of, no
one right way to do it. Fewer is obviously more secure but you’re gonna have to figure
out what works best for you. So also, hardware keys
are faster, actually, and when I really got to using
them it made total sense. So instead of waiting for
a text message to come in and then me copying that over and then pasting it into a website, I stick this in, I tap it, I’m done. Same goes for the authenticator apps, exactly the same deal. Now what about this Titan key that you’ve been hearing about? Yes, it’s all nerdy and sounds Titan key. That’s a great name for it. It’s actually named after part of what Google uses
on its enterprise servers for security stuff and really all it is is a physical hardware key, only it’s controlled by
Google from start to finish. Google controls the hardware, Google controls the firmware, and that’s really all it is. It’s the same kind of physical key you would get from, say Yubico, only it has Google’s name behind it. These are now on sale from Google directly in the Google store and for 50 bucks you get a Bluetooth fob that’ll work with pretty much everything, including the iPhone, and you get a slick looking USB key that also has NFC built in. Now one quick note on that, at launch, the NFC is not actually working
with Android phones. They have to do a
behind-the-scenes update on that so I’m not quite sure
when it’s gonna happen but it is coming. But let’s stick with Google for a second. So if you’re really worried about keeping your
Google account secure, there’s what’s called Google
Advanced Protection Program and here’s how Google explains that. – [Instructor] But if you’re an activist, journalist, thought-leader, business executive, or other public figure, or anyone who feels vulnerable to highly targeted online attacks, you might need a different
level of security to keep your data safe. That’s where the Advanced
Protection Program comes in. It’s Google’s strongest account security. – So here’s how I explain it. Once you turn advanced protection on, the only way to get
into your Google account is to first, have the password and second, have one of
the physical hardware keys attached to your account. No more text messages. No more authentication codes. No more using a second
trusted device, like a phone, to login. You have to use a physical key. And by the way, Google
also makes it harder, once you turn this on, for somebody to use the
account recovery process to actually get into your account. It includes you, by the way. So this will, kind of,
break some stuff initially. When you first turn on advanced protection it logs you out of every
single device you’re in because now you have to log back into it using a hardware key. It means every phone, every computer, every third-party app that you might have
used Google to log into, you’re now logged out and that means you can’t
use third-party email apps. I use Mailplane and Shift on my Mac. You can’t actually log
into your Google account from the Mac. You can’t use Apple’s mail apps anymore. And the one really weird one, and I think this is just broken, I can’t even use my NVIDIA shield TV box. I can’t log in with my
Google account on that. Whoops. And that actually brings
us to the question, do you really need Google’s
advanced protection? I’m thinking for the vast
majority of us out there, no. You have different options, anyway, when you log into Google accounts, right? You can use a hardware key
and not use text messages or not use authenticator apps. Advanced protection
really just takes things to the next level where you
have to have the password and you have to have a physical key and you can only use a
physical key to login. And I’m willing to bet that Google’s also doing some other
stuff in the background to keep an eye on things. So if you really think you’re a target, if you’re a journalist or
a politician or whatever, then yeah, it would be a really good idea. For the rest of us, probably gonna be a little more
of a headache than you need. All right, that was a lot. I get it. Let’s recap. You gotta have a good
strong password, right? You got to use a password manager. You gotta use a password manager. You have to use two-factor
authentication of some kind. Text messages are okay. Authenticator apps are okay. Physical hardware keys are better, much, much better. And remember, Google isn’t
the only company out there to use these things, okay? There’s a whole website, where you can look up services that use hardware keys for
two-factor authentication. And Chrome isn’t the only
browser out there that uses it. Firefox does and Microsoft just announced that it’s finally
bringing support, as well. Safari. Well, Apple’s gonna Apple. And finally, grab yourself
a key to use, okay? Maybe it’s one of these
really simple USB keys and that’s it, maybe you want one with NFC so you can use it with your phone, maybe you want one with
Bluetooth if you have an iPhone and that’s the best way to go. I can’t tell you which way
is gonna be best for you. You’re gonna have to
figure that out on your own a little bit but use it. Get a hardware key. Register it with these services and sleep a little better at night. So that’s it on hardware keys
and Google advanced protection and the new Titan key. Again, I’ve got links down
below for all this stuff, if we went a little fast. And I’ve got a link down below for that talk from
Christian Brand of Google at the Google cloud conference. I tell you, it really
opened my eyes to all this and made it make even more sense even as I was using it. Really good, it’s worth your time. So go get a key. If you got any more questions, ask them down below in the comments. That’s it, see you next. (playful music)

51 Replies to “Google Titan Security Key and the Advanced Protection Program”

  1. Hi, Phil. Because of your videos I've used password manager for almost two years now. And apart from LastPass sometimes refusing to display the password fill window, so far the experience is pretty seamless. One question though, if in case when I lost my phone and I have to log in to my account on new device to access Find my Device, how do I retrieve my password from LastPass? Thankfully it's not happened yet (knock on wood), but it's been in the back of my mind for a while.

  2. Awesome visual content with the simplest explanation!!! I really loved it! Looking for more simple kinds of stuff like this.

  3. Do any of these keys also authenticate that it's you putting the key into the machine? Fingerprint scan on the key would be an important authentication of the hardware key in my opinion

  4. remember that time the yubikey was hacked via google chome?
    heh good times 😛

  5. Can you use it on multiple gmail accounts though. I have a personal one and my employer's also use gmail. I can have multiple gmail accounts on the PC via multiple Chrome profiles and the Android app allows multiple gmail accounts too.

  6. Does advanced protection disable app passwords? If not all the things you can't login with 2fa app passwords should let you

  7. I was waiting for this one based on your tweets for the last month or so. Which password manager do you use and recommend ?

  8. Hey Phil. Glad to see the site is still working out for you. Love the video. Just picked up a YubiKey through a Wired subscription, so was looking to read up a bit on it. Take care. Maybe I'll catch you in NYC sometime.

  9. You might want to look at a product call MobiKEY its use by the and its available to the everyone

  10. So, are these simply re-branded Feitian ePass NFC FIDO U2F Security Key and Feitian MultiPass FIDO Security Key? I already use the former for my google/dropbox/github/etc accounts and really don't see the point of the bluetooth one at this time for my laptop/phone. I did test the NFC one to use a mobile browser to log into my gmail on my LG v20 and that works. FWIW price wise, once you add the adapter, the price is pretty close.

  11. Watching this video I was questioning how the heck is signing back to Nvidia Shield. You answered my question. That you! Not worth it for a normal civilian.

  12. You can always use App Passwords for devices that don't support 2 step verification.

  13. Only problem is it’s made by google. 3-5 years from now we’ll probably find out those keys are actually collecting your data like everything else with a google name.

  14. Please do a follow-up video on how these things will work with home gear like Smart TVs, set-top boxes, or smart speakers. I'm interested how Google will solve how to log onto devices like the Nvidia Shield with a hardware key.

  15. Google is now showing to the world in which people are more important to their market, that need more security than others. that's why they make this Titan Security key from Google for the American people, but later we in Europe will receive the same key but made by NSA. sorry I will use a different one, not the one made for Europe

  16. Thank you Phil for the awesome, I was wondering for a very long time about these U2F Security Keys, I do have a very strong passwords, and my passwords aren’t spilled in one basket, I’m using 1Password for business, Dashlane for personal, and LastPass for its awesome Authenticator app. All my emails are set with Strong Passwords, 2 Two Factor Authentication and a mobile Number; Plus they are all set to a recovery email, that email only, only for extremely personal use with a very Stronger password. It might sound complicated, but I guess this is how my brain works better, I cannot settle for easy equation. I’m protected (Amen), all my shopping accounts , social media, encrypted chatting apps, are set to be with a complicated passwords, lucky I don’t have to memorize them all, but my master password, is easy for me, and bloody hell for someone to figure it out. Yet I’m thinking about these Security Keys, I’m a normal person, not famous, I wonder if I should get it after all that protection I have!!

  17. Great explanations for all the different concepts. The Advanced Protection Program is definitely overkill for all but the most sensitive accounts. Almost no "average Joe citizen" should ever really need that level of paranoid security. But it's good to know it's there.

  18. If you have any tech skills, please check out the Yubi Key before ordering this. Don't get me wrong, I like Google Chrome. What I do not understand is why Google went to the trouble of creating something that already existed. It didn't even previously exist, it existed at a higher level of security, easy to use format. Possibly they created this since their MO is to have every single thing that is done on a Mac or Windows Laptop computer, work in a Chromebook, use their Google Docs, Google Drive, etc.. In fact I'm writing this note on a Chromebook, which I like a lot. What I'm getting to is the Yubi Key requires you use a little program that needs to be downloaded onto a Mac or Windows machine. Then you have the full advantage of the Yubi Key. Once you program the Yubi Key on a Mac or Windows machine, it will work fine on your Chromebook. It currently must be programmed on a Windows or Mac. If you want your account PW to be entered with a press of the button. The Titan will not enter your PW. The Titan is NOT programmable. The Titan costs the same as a Yubi Key.
    The advantage that Yubi key has is YUBI KEY is PROGRAMABLE. I repeat myself in saying I have been using Yubi keys for over 8 years. The Yubi Key has everything this Chrome Titan key has, except there are TWO Slots in the Yubi key. The First Slot in the Yubi Key is IDENTICAL to the Titan Key, it does not have to be programmed. The second slot is where the Yubi key excels over the Titan. It allows the owner to store a password that may be up to 38 characters long. There is a longer learning curve with the Yubi Key. The Yubi Key is not programmable on a Chromebook. Google elected to sell a DUMBED DOWN version of the Yubi Key.

    If anyone from Yubi Key is reading this, why isn't there a little app for Apple/Android store to program a Yubi Key, so a Mac/Windows machine would not be required? With Google coming out with this product, you are going to have some competition, even if your product is superior. If you purchase a Yubi Key, it may be used precisely as a Titan key, and no programming is required. However the Titan key will not enter your account PW, as a Yubi Key will, and the PW may be up to 38 characters. It is a given that many accounts do not require the security of a 38 character PW. Then again, many do.

  19. I'm not convinced that its better than 2FA. It sounds like your saying "Google says it is and its so secure its inconvenient so it must be so".

  20. yubikey are no longer open source, so i don't expect a lot from their security. Have you heard of something called botnet? how do you think they work? they target random people in the net, obviously they will go first for the people they find with less security. if you got better security but you got also better hardware they will invest more time to get your better hardware.

    also this security is to protect you from someone just not from the intelligence agency of your country.

  21. disagree that the physical key is better than the other 2fa options. In fact, it's a weak option because anybody who gets access to the physical key (snoop, crook, police, etc.) can use it without any form of authorization (the button on the key is just an activation not a fingerprint ID) – just like an old school door key, anybody can use it. Using an authenticator app or Google's device prompt system requires your established biometric or pin.

  22. You can still use 3rd party emails, I use Airmail on my mac with no problem. Just allow back up codes or authentificator app for a moment. Set up your 3rd party and when it is asking for your key click on "try another way". Put your codes. Done. Then you can deactivate the option for back up code or google auth

  23. DO NOT BUY THE TITAN SECURITY KEY BUNDLE. I did and great regret it. It shut me out of all of my computers. It appeared to work at first, but I soon discovered that something was amiss. Seriously, if this thing does not work correctly you simply lose all access to any and all Google accounts. To me, this is a dangerous technology. In order to get around certain aspects of the security so you don't have to always have a fob nearby Google wants all sorts of private information like location, sites visited, extra phone numbers, extra emails…. it is a great way to track you like you are in China.

    This is a good video. My experience has been awful and I am still waiting for Google to give me access to my accounts. Be leery of this kind of security.

  24. Not sure if you'll see this but I can't find any info online about it, are these keys both water resistant? That's the only thing I need to know before deciding whether to buy this or a Yubikey.

  25. Thks you might update the video review with

  26. These keys are stupidly expensive in Brazil. Rather people don't know what purpose the keys have or maybe think it's some niche technology.

    Fact that is Brazil's one of the most vulnerable country to phishing and spam stacks!

    Nice video!

Leave a Reply

Your email address will not be published. Required fields are marked *