James Cridland

Review of the Google Titan Security Key / Feitian Bluetooth/NFC 2FA Security Key

I’ve been using two-factor authentication physical keys for a long while now. They act as an extra key for your account, so you sign in with a username and password as normal, then you insert the key into your computer, and then (and only then) will your account open. It effectively shuts off your account to anyone else.

I use mine for Google, a web host, some accounting software, and more.

Google released a 2FA key with Bluetooth and NFC in it: the one on the left in the image above. It’s impossible to buy in Australia for some reason, but I tracked down a Feitian equivalent (which is physically and operationally identical) on eBay. The Google product comes with a separate physical USB-A key, and I already have one of those.

(USB-A is the old, full-size USB plug we used to use, which you invariably try to plug in upside down).

Why I bought one

My current 2FA key is great, but it is a USB-A key (as almost every 2FA key on the market is). All of my devices are now USB-C, so I also have to carry around a silly dongle.

This new key is Bluetooth and NFC. So theoretically, when it asks for the key, I can just hit a button, or wave it close to a device, and it’ll let me in. Much easier!

In theory.

But don’t bother because…

The Bluetooth/NFC functionality doesn’t work, at all, on a Mac. The only way of getting it to work is to plug the thing in via a wire. The wire has a USB-A connection, so I need to carry around a silly dongle for my Mac, since it only has USB-C. Sigh.

The Bluetooth/NFC functionality didn’t work, at all, on Chrome OS. Which surprised me, given this was Google and all. The only way of getting it to work is to plug the thing in via a wire. Which has a USB-A connection, so I need to carry around a silly dongle for my Chromebook, since it only has USB-C. Sigh. (Google added support in ChromeOS 72, I gather.)

Oh, it works okay on my Pixel 3a phone. Kind of. But I’m much less likely to use this key on my phone anyway, so that’s nice, but ultimately not very useful. Google keeps you logged in on your phone; the other services don’t accept a key on mobile anyway.

And even if I did use it for my phone, I’d occasionally need to charge it, and guess what? The key itself connects with a micro USB connector. Not USB-C. And I don’t always travel with that cable.

“Well, this is pretty useless,” I thought to myself, “but Google recommend I have two keys anyway, so I can’t lock myself out. I’ll set this up as a backup and leave it somewhere safe.” So, using the USB-A cable and a silly dongle, I went to add this key to be a backup for all the 2FA services I use.

Except, no, that won’t work either, since the service I use most often, AWS, only allows one physical key per user. Not two. And they’re not alone.

In short

Got a Mac? Got anything that uses USB-C? This key is an utter waste of time.

If you asked me “should I get one?” I’d answer: no. Go and buy a USB-C key instead.

So I did.