Google Titan vs. Yubikey 2: What's different and which should you use?

Titan Security Key Bundle

Google's Titan Security Key Bundle has the power of Google behind it to keep your Google account safe from phishing attacks as well as offer outstanding 2Fa through the FIDO standard. The downside is that they're made in China and not available everywhere.

Titan Security Key Bundle

Made by Google

Bluetooth capable
Adapts for USB A and USB C
Google Titan secure element
Advanced phishing protection
NFC on the USB key
Made in China
Expensive

Yubico Security Key

The second generation Yubico key is cheap and works great — as long as you have a USB type-A port to plug it into. That means it's probably not going to work with your phone or your tablet.

Yubico Security Key

U2F and FIDO2

U2F and FIDO2 support
Made in USA
Inexpensive
No wireless support
USB A only

It's great to see more companies offering 2FA (Two-Factor Authentication) hardware keys, and the release of the FIDO2 standard is great news for us all — it will lead to the end of the password eventually. Yubico has been the pioneer in this sector and many of us use Yubico keys every day. They're perfect for every laptop or desktop PC, and models with NFC work great for Android phones.

Google Titan is the new kid on the block but it's got a set of features that make it a great choice, especially for mobile. the bundle is more expensive, but you get a basic key like the Yubico and a wireless key that can use Bluetooth to authenticate. That makes it the only key you should ever use with an iPhone or iPad.

What you need to know

There are three differences here to consider (outside of the price). Connectivity, trust, and the FIDO2 standard.

Swipe to scroll horizontally
Header Cell - Column 0 Google TitanYubico 2
Wireless supportYesNo
OriginChinaUSA
FIDO2 supportNoYes

FIDO2 is a new standard that offers the same secure 2FA capabilities we're used to seeing with the original FIDO (Fast IDentity Online) standard. You can read more about FIDO and FIDO2 here, but according to Yubico — a core contributor to FIDO2 — here's the jist of it:

FIDO2 offers expanded authentication options including strong single factor (passwordless), strong two factor, and multi-factor authentication. With these new capabilities, the YubiKey can entirely replace weak static username/password credentials with strong hardware-backed public/private-key credentials. These credentials cannot be reused, replayed, or shared across services, and are not subject to phishing and MiTM attacks or server breaches.

FIDO2 is the future and will one day, hopefully, make a username and password obsolete. There are many companies working with the FIDO Alliance to push FIDO2 adoption, and it's a thing you should want. But it's not yet a thing you need.

Google does things differently, as they are prone to doing. Using the FIDO2 standard to prevent MiTM (Man in The Middle) attacks and password phishing, the Titan firmware also allows the URL of the requesting page to be sent along with the request. This makes sure that you're really logging into the page you think you're logging into. Right now this only works for Google sites and services, but it's foolproof.

Google Smart Lock on the iPhone X

The Google Smartlock app on iPhone X.

Bluetooth support is important but can be a security risk as Yubico is quick to point out. Bluetooth could be compromised by a MiTM attack that could get the session token, but the attacker would need to be right beside you. On the other hand, Bluetooth support is a must if you want to use a security key with iOS. For a key that's to be used for mobile, it's definitely needed.

A final bit of contention is the origin of manufacture. China is a lovely country filled with awesome people. But when it comes to security and security-related products, seeing China as the place of manufacture isn't ideal, as the government and certain companies have been caught implanting "spyware" into products. That's not tinfoil hat talk, either, it's a real thing. Seeing Google's Titan Keys manufactured in China bothers some people. In this case, though, there's a difference.

Google writes the firmware and flashes it to the secure element and chip for each and every key themselves in the USA. These pre-programmed chips are sent to the manufacturer to be used for both models. These chips can only be written to once, and without the right firmware, they are inoperable. In other words, nobody is messing with the firmware on the Titan keys.

I love the simplicity and price of the Yubico key and have several of my own. I use them every day at my desktop, a MacBook Pro, and a Chromebook or two. But since the world is moving towards mobile, I'd have to recommend Google's Titan keys right now. They don't support FIDO2, but until it sees greater adoption that's not a big enough drawback to make me lose the wireless option.

Yubico does make USB Type-C keys with FIDO2 support, but they aren't yet widely available. You can see all the options at Yubico's website.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Threads.