Skip to content

October 4, 2018

Google Titan vs. Yubikey 5: What’s different and which should you use?

by John_A

We’re a virtual company made up of tech experts from across the globe. We take online security seriously because it’s how we make a living. We know these products because we use these products.

Titan Security Key Bundle

Made by Google


$50 at Google


  • Bluetooth capable
  • Adapts for USB A and USB C
  • Google Titan secure element
  • Advanced phishing protection


  • Made in China
  • Expensive
  • NFC not enabled

Google’s Titan Security Key Bundle has the power of Google behind it to keep your Google account safe from phishing attacks as well as offer outstanding 2Fa through the FIDO standard. The downside is that they’re made in China and not available everywhere.

Yubico Security Key

U2F and FIDO2


$20 at Amazon


  • U2F and FIDO2 support
  • Made in USA
  • Inexpensive


  • No wireless support
  • USB A only

The second generation Yubico key is cheap and works great — as long as you have a USB type-A port to plug it into. That means it’s probably not going to work with your phone or your tablet.

It’s great to see more companies offering 2FA (Two-Factor Authentication) hardware keys, and the release of the FIDO2 standard is great news for us all — it will lead to the end of the password eventually. Yubico has been the pioneer in this sector and many of us use Yubico keys every day. They’re perfect for every laptop or desktop PC, and older models with NFC work great for Android phones.

Google Titan is the new kid on the block but it’s got a set of features that make it a great choice, especially for mobile. the bundle is more expensive, but you get a basic key like the Yubico and a wireless key that can use Bluetooth to authenticate. That makes it the only key you should ever use with an iPhone or iPad.

What you need to know

There are three differences here to consider (outside of the price). Connectivity, trust, and the FIDO2 standard.

Wireless support Yes No
Origin China USA
FIDO2 support No Yes

FIDO2 is a new standard that offers the same secure 2FA capabilities we’re used to seeing with the original FIDO (Fast IDentity Online) standard. You can read more about FIDO and FIDO2 here, but according to Yubico — a core contributor to FIDO2 — here’s the jist of it:

FIDO2 offers expanded authentication options including strong single factor (passwordless), strong two factor, and multi-factor authentication. With these new capabilities, the YubiKey can entirely replace weak static username/password credentials with strong hardware-backed public/private-key credentials. These credentials cannot be reused, replayed, or shared across services, and are not subject to phishing and MiTM attacks or server breaches.

FIDO2 is the future and will one day, hopefully, make a username and password obsolete. There are many companies working with the FIDO Alliance to push FIDO2 adoption, and it’s a thing you should want. But it;s not yet a thing you need.

Google does things differently, as they are prone to doing. Instead of using the FIDO2 standard to prevent MiTM (Man in The Middle) attacks and password phishing, the Titan firmware allows the URL of the requesting page to be sent along with the request. This makes sure that you’re really logging into the page you think you’re logging into. Right now this only works for Google sites and services, but it’s foolproof.

smartlock-iphone.png?itok=idClWInc The Google Smartlock app on iPhone X.

Bluetooth support is important but can be a security risk as Yubico is quick to point out. Bluetooth could be compromised by a MiTM attack that could get the session token, but the attacker would need to be right beside you. On the other hand, Bluetooth support is a must if you want to use a security key with iOS. For a key that’s to be used for mobile, it’s definitely needed.

A final bit of contention is the origin of manufacture. China is a lovely country filled with awesome people. But when it comes to security and security-related products, seeing China as the place of manufacture isn’t ideal, as the government and certain companies have been caught implanting “spyware” into products. That’s not tinfoil hat talk, either, it’s a real thing. Seeing Google’s Titan Keys manufactured in China bothers some people. In this case, though, there’s a difference.

Google writes the firmware and flashes it to the secure element and chip for each and every key themselves in the USA. These pre-programmed chips are sent to the manufacturer to be used for both models. These chips can only be written to once, and without the right firmware, they are inoperable. In other words, nobody is messing with the firmware on the Titan keys.

I love the simplicity and price of the Yubico key and have several of my own. I use them every day at my desktop, a MacBook Pro, and a Chromebook or two. But since the world is moving towards mobile, I’d have to recommend Google’s Titan keys right now. They don’t support FIDO2, but until it sees greater adoption that’s not a big enough drawback to make me lose the wireless option.

Titan Security Key Bundle

Made by Google


$50 at Google

Designed for mobile by the company that knows mobile

While FIDO2 support is absent, the Google Titan Security Key Bundle does one thing flawlessly — works with your phone or tablet. In a perfect world we wouldn’t need to care about security, but in this world we do. The Titan key makes it easier for everyone with a smartphone.

Yubico Security Key

U2F and FIDO2


$20 at Amazon

Yubico’s new generation of security keys are ready for the future with FIDO2 support, but the USB Type-A connection here means it’s not going to work with most phones.

Yubico does make USB Type-C keys with FIDO2 support, but they aren’t yet widely available. You can see all the options at Yubico’s website.

Read more from News

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

%d bloggers like this: