2018-07-26

Thoughts on the Google Titan token

The tech press is so excited about Google's "Titan" hardware token, and the breathless statement that they have "never had an account takeover" since rolling it out internally. They are excited about the wrong things, and are being taken for a ride by G's marketing and PR departments.

It's only a FIDO U2F token. I've had one for almost 2 years now, and my current employer issued me one on my first day of work, over a year ago. Mandating 2FA across an enterprise is hardly a new thing.

The actual stories here are:
* Why did Google decide to cut out Yubico?
* Was it price?
* Was it not-invented-here?
* Did Google not trust Yubico to not backdoor the YubiKey tokens?
* Did Google want to put their own backdoor into the Titan tokens?
* Did Google license Yubico's manufacturing patents? (If they did not, it will be really hard to manufacture them cheaper.)