Security & Privacy Archives - Page 11 of 13 - Chipp.in Tech News and Reviews

Bug or Intentional: Edge reportedly importing Chrome tabs automatically

Posted on January 30, 2024January 30, 2024 by Martin Brinkmann

At least for a year, some Chrome users reported that Edge imported data from their browser automatically. Back in May 2023, user Cerevox reported the issue on the official Microsoft Community website.

Cerevox claimed that Edge imported bookmarks and passwords from Chrome automatically. In November, another user claimed that Edge imported favorites and browser data from Chrome. Both said that Edge’s auto-import feature was turned off on their system.

Tom Warren, Senior Editor at The Verge, published an article today about the issue. He experienced the issue first hand according to the article:

Last week, I turned on my PC, installed a Windows update, and rebooted to find Microsoft Edge automatically open with the Chrome tabs I was working on before the update.

A post on Twitter by Tom Warren reveals that it was the KB5034204 update. It is uncertain if the update has anything to do with the issue. I ran two tests locally and could not replicate the issue.

Warren says that the Edge feature that powers the auto-import of Chrome data was never turned on by him. He decided to check on another laptop and experienced the issue there as well. After installation of the update and the obligatory restart, Edge opened with all tabs from Chrome.

Warren could not replicate the issue on any other device he tested though, which makes the issue puzzling.

There are two main explanations for this: it is a bug or it is a feature that is either in testing or rolling out to everyone over time.

Checking Microsoft Edge’s auto-import feature

Microsoft Edge includes a setting to import browsing data from Chrome automatically. The feature is off by default. Edge users may verify this by loading edge://settings/profiles/importBrowsingData/editImportConsent in the browser’s address bar.

If you see “Turn On” next to “Import browser data from Google Chrome on each launch” on the page, then it is disabled. Since turning on does not necessarily mean launching Edge, it is easy to accidentally launch Edge unless you have precautions in place.

There is a chance that the feature may turn itself on automatically. Things like these happened in the past and there is a good chance that they will happen in the future again.

The auto-import feature supports Google Chrome only. Even other Chromium-based browsers are not supported. The main idea behind the feature is to make the use of Edge more comfortable for Chrome users. It may be useful if you use both browsers.

This import is local-only according to Microsoft. However, Edge users who sign-in using a Microsoft account and enable sync in Edge will have the data synced to the Microsoft cloud. From there, it is synced back to any device on which the Edge feature is turned on.

Closing Words

Warren said that he noticed a window appearing and disappearing after installation of the update. He did not have time to notice anything or react to it.

It is quite possible that the auto import from Chrome to Edge is a bug. It is also perfectly reasonable to assume that this is being rolled out to all Edge users on Windows. The thing that makes me think it is the former is that the auto-import feature in Edge was turned off.

Microsoft Edge is not a terrible browser, but Microsoft is still pushing users around as if it was Internet Explorer in its prime. It is time that companies accept a “no” the first time.

The EU considers Edge to be insignificant in the world of browser, which is why Edge is not considered a gatekeeper at this stage. Windows on the other hand is a gatekeeper.

In closing, there is little that users can do if a bug or forced feature changes things on their devices. Complete removal of the offending app, in this case Edge, may be an option. This will soon be easier for users from the EU.

Now You: which browsers do you use?

Why you need to check any AI service before use

Posted on January 26, 2024January 26, 2024 by Martin Brinkmann

Barely a day goes by without another announcement that some form of AI has been added to a product. Operating systems, web browsers, Office programs ,devices such as smartphones, and yes, toasters, all get AI infusions these days.

These AI additions are disabled sometimes, at other times enabled. While it is tempting to try out the latest AI feature in a product that you use, it is even more important to understand how it works.

Most AI tools require an active Internet connection at the time. This is true for Windows Copilot, the AI that Microsoft has integrated into the Windows operating system, and also for many of the AI tools. Besides requiring an active Internet to work at all, Telemetry may also be collected by companies.

Google, for example, launched new AI features in Chrome this week. One of the features submits all URLs and page titles to Google when used. There is a policy that prevents the sending, but the default state submits the data to Google when the feature is used. Is Google warning users of the feature about this prominently? No, it is not.

Companies use the data to improve their AI tools. These Large Language Models eat data for breakfast. New data is used to train the AI and improve it further.

For ordinary people, it is almost impossible to find out if a system submits data, which data is submitted, and how it is processed.

Oh Transparency, where art though?

Companies should be transparent when it comes to AI. Does it require an Internet connection to work? In other words, does it communicate with a server and submit user data to it?

If it does, how is the data processed and stored? Is it deleted automatically? Is there an opt-out for the use of data for AI training or other purposes?

Companies need to be open about the use of Telemetry data to train AI. Which data is collected, how is it processed and stored? What options do users have to opt-out or get their collected data deleted?

It feels a lot like Wild Wild West currently when it comes to AI. The new data rush promises great returns in the short and long run.

Closing Words

AI has a novelty factor and some good uses. You could use it to create images for blog posts or something else. While all text-based returns require validation, as AI may hallucinate or return factually incorrect information, it can be useful.

Most users need to be aware that most AI tools submit data to servers. The premise may limit data leaks, which can be a real problem, especially if the AI uses the data for training.

It is good to be cautious about any new AI service that is added to a product because of that. Better, do not use it if you are unsure or if the company behind it does not make it clear.

Now You: do you use AI tools?

This Chrome AI tool submits all URLs and titles of open tabs to Google

Posted on January 25, 2024January 25, 2024 by Martin Brinkmann

It seems like some companies have entered into the “adding the most AI tools into products” competition. Microsoft seems to be winning, with its pushing of AI into lots of its products. The company introduced Copilot Toolbar for Android recently, and many future Windows devices will even feature a dedicated Copilot key on the keyboard.

Google launched Chrome 121 earlier this week and announced new AI tools that it included in the browser. These are limited to a small subset of users at the time but will roll out to more in the coming weeks and months.

One of the tools is called Tab Organizer. Google promises that the AI tool helps users bring order to their tabs. It does so by finding tabs suitable to be put into tab groups.

Tab groups is an excellent tab management feature. Open tabs may be placed into groups, or created there directly. A group can be collapsed, so that it occupies just a single tab on Chrome’s tab bar, even if it holds dozens or hundreds of tabs.

Tab Organizer

Google announced Tab Organizer on the official company blog The Keyword as part of three AI tools for Chrome.

Google writes: “With Tab Organizer, Chrome will automatically suggest and create tab groups based on your open tabs. This can be particularly helpful if you’re working on several tasks in Chrome at the same time, like planning a trip, researching a topic and shopping.”

The feature is available to a selection of users from the United States only at the time. These users need to be signed-in to Google Chrome and they need to enable the Tab Organizer feature first.

This is done by selecting Menu > Experimental AI > Try out experimental AI features > Tab Organizer and then selecting relaunch.

Tab Organizer is then accessible via the Tab Search icon in Chrome’s main toolbar, by right-clicking on tabs and selecting “Organize similar tabs”, or through the Chrome Menu.

Google’s AI will then suggest to put tabs into specific groups. Users may remove tabs from the list of suggestions and rename the tab group for better identification. A click on “create group” creates the tab group based on the selections.

The huge privacy issue

What Google’s announcement on The Keyword blog does not reveal is that Google collects all page titles and URLs when the feature is used.

This is confirmed on a Google Chrome Help page:

When you use Tab organizer, the page titles and URLs of open tabs in the active window and your feedback are collected. As described in our Google Privacy Policy, this information is used to improve this feature, which includes generative model research and machine learning technologies.

In other words, Google knows about any URL and page title open at the time. Since Tab Organizer requires to be signed-in, it could also link the information to the Google account.

Google says that human reviewers may look at the data as part of the review process.

A policy is available for Enterprise and Education users to block the data collecting from happening. No such option is provided for other users.

Closing Words

Most Chrome users may want to avoid the feature, unless they have no problems that it submits all URLs and page titles to Google.

While the feature can be useful, especially if hundreds of tabs need to get organized, it may be better in most cases to use the feature manually instead to avoid any leaks to Google.

With AI tools, it seems to become necessary to ask about privacy implications first before even considering using a tool.

Now You: what is your take on this?

Manage which Google Services may exchange your data (EU-only)

Posted on January 13, 2024January 13, 2024 by Martin Brinkmann

If you live in a European Union region, you will soon benefit from another privacy improvement. Google just announced a new control for users within the EU that allows them to manage links between Google services. Links refers to data that services may exchange between each other.

Google links many of its services by default, which gives it and its services access to user data across its services. This changes soon in the EU.

A search on Google Search may result in recommendations showing on YouTube or Google Play, and Google Ad services may use the information as well.

Google describes the functionality in the following way:

When linked, these services can share your data with each other and with all other Google services for certain purposes. All types of data described in Google’s Privacy Policy can be shared across linked Google services. This includes your activity data when you’re signed in, such as things you search for and the videos you watch and listen to.

Google says that the feature is a response to the Digital Markets Act of the EU. The new functionality is only available to users who live in the European Union.

Note: the functionality is rolling out currently. You may not see the “Linked Google Services” option yet, or only on some devices.

Note 2: The default seems to be that services are no longer linked. This means that they won’t share any data anymore from March 6, 2024 onward. It is still a good idea to verify this.

Manage your linked Google services

Google users may control the data sharing of the following Google services under the new system:

Search
YouTube
Ad services
Google Play
Chrome
Google Shopping
Google Maps

Here are step by step instructions to manage these.

First, for desktop users:

Open the Google Account website in your browser of choice.
Select Data & privacy on the page that opens.
Scroll down to “Linked Google Services” and select Manage linked services.
Select or deselect services. Any service that is selected will be linked when you select Next.
Review the selections made and select Confirm > Done > Got it.

For Android users:

Open the Settings on the Android device.
Select Google > Manage your Google Account > Data & privacy.
- If this is not available, open the Google app instead, tap on the account icon, select Google Account and then Data & privacy.
Under “Linked Google Services”, select Manage linked services.
Select or deselect services. Any service that is selected will be linked when you select Next.
Review the selections made and select Confirm > Done > Got it.

On iPhone and iPad:

Open the Gmail application on the device. If you don’t use Gmail, load http://myaccount.google.com/linked-services instead.
Select Menu > Settings > Your account > Manage your Google Account.
Under “Linked Google Services”, select Manage linked services.
Select or deselect services. Any service that is selected will be linked when you select Next.
Review the selections made and select Confirm > Done > Got it.

DNS Forge Review: privacy-friendly censorship-free DNS with ad-blocking

Posted on January 4, 2024January 4, 2024 by Martin Brinkmann

DNS Forge is a DNS provider based in Germany that promises censorship-free access to the Internet, and a secure and private DNS system with ad-blocking.

It looks to me as if news coverage of DNS and technologies associated with it have gone down considerably in recent time. DNS, Domain Name System, is an essential part of the Internet. It is used to translate domain names, which humans prefer, to IP addresses, which computers use.

DNS over HTTPS and other technologies designed to improve privacy and security are not really talked about that much anymore. Most browsers support DNS over HTTPS by know. You may check my guide on enabling DNS over HTTPS in your browser of choice if you need assistance.

DNS works automatically. If you don’t configure it, you use the DNS service of your Internet or network provider. Some of them collect the data and sell them to other companies.

DNS over HTTPS is one way of preventing that. Another is the switching to another DNS provider, preferably one that promises privacy and also supports DNS over HTTPS. DNS Forge is such a provider. There is one downside to using the provider, and that is that it operates servers in Germany only. The further away you live, the longer it will take to process your requests. There is also a 70 queries per 10 seconds limit on lookups.

There are alternatives. Mullvad, known for its private VPN service, operates public encrypted DNS servers as well.

Remember, there is more to security than strong passwords and two-factor authentication.

DNS Forge: the basics

The project website provides all information required to start using the service. DNS Forge supports a variety of DNS technologies:

DNS
DNS Clean (like DNS but with youth protection block lists and Safe Search)
DNS over TLS
DNS over HTTPS
DNS over Quic

All services include ad-blocking, DNSSEC and no logging by default.

Instructions on switching to DNS Forge are provided for mobile devices running Android and iOS, Firefox and Chromium-based browsers. You may also set up DNS Forge on desktop systems.

You could set up the DNS over HTTPS technology in the browser’s that you use on your devices and, depending on the operating system, the same or another to cover all bases.

DNS Forge works automatically after setup. Ads are blocked automatically. If you change to the DNS provider on the system level, you will benefit from ad blocking in all applications. Note that some browsers may use their own DNS servers and not the servers set up on the system level. This is why you may need to configure them in the browser separately.

Verdict

If you live close to Germany geographically, then you will get the best performance out of the service. Once set up, it works automatically. The only decisions you have to make is whether you want to use the additional youth protections and where you will add the DNS information on your devices / apps.

The service passed the DNS Leak Test, which is good. Running the leak test prior and after setting up a private secure DNS provider is a good idea.

If you live far away from the German server, you may want to consider using equally respected DNS solutions, such as the one from Mullvad.

Windows Protected Print Mode explained

Posted on December 18, 2023December 18, 2023 by Martin Brinkmann

Windows Protected Print Mode (WPP) changes printing on Windows significantly. The main idea is to improve security and make printing convenient. Modern printers work automatically under WPP so that third-party printer drivers are no longer required.

There are downsides, especially when it comes to printers that don’t support the functionality. Another downside is that printer apps by the manufacturer may be installed automatically.

Good news is that the new mode does not lock out printers that are not supported. There are still ways to use third-party drivers, but the default mode will be Protected Print Mode going forward.

Security improvements

Windows Protected Print Mode improves security significantly by eliminating third-party printer drivers. These drivers can’t even be installed anymore, which eliminates an attack vector and reduces driver related issues as well.

Microsoft says that about 9% of all Windows cases reported to the Microsoft Security Response Center are print bugs. The company’s Microsoft Offensive Research & Security Engineering team claims that about 50% of all Windows Print related vulnerabilities are mitigated by Windows Protected Print Mode.

To put these changes in some context, MORSE did an analysis of past MSRC cases for Windows Print to assess if these changes would help. What we found is that Windows Protected Print Mode mitigated over half of those vulnerabilities. Major vulnerabilities, including Stuxnet and Print Nightmare, used print bugs in their attacks.

To better understand how MPP improves security, it is necessary to look at the current state of printing on Windows.

The current security model relies on a shared approach. Both the native Windows printing stack and third-party drivers play a role here. While Windows’ print stack is maintained, the same can not be said for all third-party printer drivers. Drivers may no longer be supported or may be incompatible with modern security features of the Windows operating system.

Besides that, printer drivers run as SYSTEM on Windows, which gives them a wide range of permissions that even exceed those of a regular administrator account.

Manufacturers and publishers are responsible to address vulnerabilities. This becomes a problem when they do not.

Printing features, such as Internet Printing, may also introduce vulnerabilities, if the feature does get implemented. Microsoft estimates that printer drivers implement over 40 different Printer Document Languages, which can “result in vulnerabilities”.

Advantages

With Windows Protected Print Mode “normal spooler operations are deferred to a new Spooler” which implements the following improvements:

Limited/Secure Print Configuration — Certain types of attacks, such as tricking the print spooler into loading malicious code, are ineffective.
Module Blocking — APIs that allow the loading of modules will be modified to prevent the loading of new modules.
Per-User XPS Rendering — XPS rendering runs as USER and no longer as SYSTEM under WPP.
Lower Privileges for Common Spooler tasks — runs with restricted rights instead of as SYSTEM.
Binary Mitigations — Several security mitigations may be enabled thanks to the removing of third-party binaries.
Point and Print — no longer installs third-party drivers.
Better Transport Security — supports encryption and will recommend using encryption whenever possible.

Windows Protected Print Mode limitations

The mode supports so-called Mopria certified printers only. The creators of the standard describe it in the following way:

Mopria is a printer industry designed standard offering a simple and seamless way to print to millions of certified printers and multi-function printers. It eliminates the need to install any additional software or drivers allowing you to easily print, regardless of the printer’s brand.

Once the change lands in Windows, the default becomes WPP. This eliminates the need to install third-party drivers and will also limit the Print Spooler service to a restricted service. This alone will reduce

Older printers that are not certified won’t benefit from these improvements. Windows administrators may install third-party printer drivers in these cases to ensure that the printer and its functionality can be used.

Another issue is that manufacturers may define Print Support Apps (PSA). These may get installed automatically on devices to add custom features and support. Users may uninstall them, but this is a manual process.

Closing Words

Windows Protected Print Mode improves security on Windows once it lands. The first version of MPP landed in experimental builds and it may take a while before it lands in stable versions of Windows.

Old printers will continue to work, but they won’t benefit from MPP and its improvements.

Windows 10 and 11 will support the feature. Microsoft announced recently an extension of Windows 10 support.

Now You: which printers do you use?

Gmail launches improved text classifier to combat spam

Posted on December 5, 2023December 5, 2023 by Martin Brinkmann

Email spam is still a great problem on today’s Internet. Most users who have email accounts receive spam regularly. While most of the spam is detected by mail filters, at least when it comes to most providers, there is still enough spam that slips through the cracks.

Google launched a new text classifier on Gmail that promises better detection rates, less false positives and also improved performance. Called RETVec — Resilient & Efficient Text Vectorizer — it is improving spam detection on Gmail by 38% and reducing false positives by almost 20%.

Google says that RETVec achieves this “combining a novel, highly-compact character encoder, an augmentation-driven training regime, and the use of metric learning”.

Its architecture makes RETVec compatible with any language out of the box and all UTF-8 characters without the need for text processing.

Spammers and malicious actors use different methods to bypass spam filters. Frequent methods include the use of homoglyphs, characters that look very much alike, or the use of invisible characters.

Google claims that Gmail’s new anti-spam system is better suited to identify these tactics and deal with them accordingly.

The company trained the new model internally at Google for a time to better understand its effectiveness. Google says it found it “highly effective for security and anti-abuse applications” as a result of its internal tests.

RETVec in detail

RETVec is released as open source. You may visit the GitHub project website for access to the source. There, you will also find more information, including the paper and links to demos.

Google describes RETVec in the following way on GitHub to a development-focused audience:

RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more. The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently.

Google notes that RETVec may also be a choice for “on-device and web use cases”. The technology is supported natively in TensorFlow Lite and there is also a custom JavaScript implementation.

Closing Words

Gmail users benefit from the new anti-spam filter on the site. A reduction by 38% is a massive improvement, especially considering Gmail’s daily mail volume. Google benefits from the deployment as well, as performance improves significantly thanks to the lightweight nature of the new text vectorizer.

Now You: do you use Gmail?

This script deals with YouTube’s Adblock Popup and Ads

Posted on December 4, 2023December 4, 2023 by Martin Brinkmann

This year has seen a fundamental shift on YouTube regarding advertising and adblockers. Not only is YouTube showing popups to some users who use adblockers, to get them to uninstall them or buy YouTube Premium, Google is also working on making adblockers in Chrome less effective.

Without going into too many details. Chrome’s system for extensions will be updated in 2024 to only allow extensions that follow a new rule set. Called Manifest V3, Google claims that it improves privacy of users and combats rogue extensions. At the same time, it is also limiting legitimate extensions, many of which impact Google’s bottom line.

Most content blockers work fine right now. While you may get the “ad blockers are not allowed on YouTube” popup message, it is easily dealt with by updating the filter list of the extension.

The change impacts other Chromium-based browsers to a degree. Some, like Brave or Vivaldi, include native adblockers that will continue to work.

2024 changes everything, or maybe not

Come 2024, things may not be as straightforward anymore. Extensions need to be updated by their developers to support the new rules set. Those that are not updated can’t be used anymore.

Those that are updated need to follow the new rules. Besides imposing certain limits on extensions, Google is also enforcing all updates through its Web Store.

Content blockers rely on frequent updates to deal with an ever changing advertising landscape. Advertisers may rename scripts or move them, and content blockers need to update filters before these are blocked.

Most content blockers rely on filter lists. These lists are updated directly at the moment. Once support for Manifest V2 is dropped, these updates need to be pushed through the Chrome Web Store.

One problem here is that updates take anywhere from a few hours to days or even weeks. Google is in control of these updates, and the situation will worsen only if everything is forced through the Web Store’s review process.

Imagine the following scenario: Advertiser A makes a change on the site. Filter lists are updated. Updates are pushed through the Chrome Web Store. The review takes hours or days. Until it passes the review, ads may be displayed on the advertisers property.

Now imagine an advertiser that constantly changes scripts and tactics.

Remove Adblock Thing

Extensions are not the only option that users have to combat advertising and privacy invasions on the Internet. There are several other options, including DNS-based solutions and also userscripts.

Remove Adblock Thing is such a script. You need to install an extension in your browser of choice that supports scripts. A popular option is Tampermonkey, which is available for Chrome, Firefox and many other browsers.

The userscript blocks YouTube’s anti-adblocker popup. Besides that, it will also mute, skip or speed up ads on the site to improve its usability.

Here is how you install it:

Download Tampermonkey for your web browser. The official website has links to all stores.
Load https://github.com/TheRealJoelmatic/RemoveAdblockThing/blob/main/Youtube-Ad-blocker-Reminder-Remover.user.js next in your browser.
TamperMonkey should identify it immediately as a script and display its install option.
Select install to add it to the extension.

The script works automatically on YouTube and it includes an update URL as well.

Closing Words

The main benefit of the script is that it offers another option to skip or bypass ads on YouTube. Even if adblockers stop working temporarily or permanently, you may use Tampermoney with this script instead.

Now You: do you use adblockers or userscripts?

There is more to security than Strong Passwords and 2FA

Posted on November 22, 2023November 22, 2023 by Martin Brinkmann

You may have heard it a thousand times already, but here it comes again: protecting accounts with strong and unique passwords, and using a second form of authentication is essential to security.

While the main focus seems to be on this recommendation, many guides fail to mention other essentials. One example: while strong passwords and 2FA keep attackers out, they won’t help you if you get locked out of an account.

What happens to your data if you get banned? What if your desktop computer, laptop or mobile device gets stolen?

There is more to security than strong passwords. This guide looks at these, often neglected, security options.

Encryption is key

Encryption protects data against unauthorized access. Encrypt data on all of your devices to make sure that it is protected. Encryption helps when devices are turned off. While it is still possible to create a dump of the storage device or try to brute force the encryption, this is a futile attempt if the password is strong.

Encryption is enabled automatically on Android and iOS devices when you pick a PIN. It is important to select a strong PIN, not the four-digit number that is convenient to type. Yes, that makes unlocking the device painful, but it is essential when it comes to protecting data on it.

On Windows, data gets encrypted, but only for Microsoft account users. While you may use Bitlocker on Pro, Education and Enterprise devices to protect the entire system, I recommend using a different encryption software. VeraCrypt is open source and can encrypt the system drive and any other storage device.

Recovery Codes

Recovery codes help you get back into accounts or devices if you forget your password or lose access to something else that you need to sign-in. This can be a Titan security key, a hardware key used for 2-step verification, or access to an email account.

The main idea behind recovery keys is to use them in emergency situations. You lose access to the dedicated two-factor authentication method and can’t sign-in to your account anymore. Setting up multiple methods helps against this, but you may also use recovery codes instead.

Recovery keys may be used to regain access to the account. Many online services that support two-factor authentication support recovery keys.

These are highlighted most of the time when you set up two-factor authentication for the account. It is a good idea to keep these codes secure, for instance as notes in your password manager.

Backups are essential

Backups are a burden as long as you don’t require them. They help you recover data that may not be accessible anymore. If a device breaks or gets stolen, when you forget your password or delete something accidentally.

Creating local backups regularly is an essential security precaution. Whether you keep all backups in one place or spread them is up to you. It depends on the device as well.

If data is important, you may want to store backups separate from the actual device.

Computer users may want to use external storage devices to create backups. These come in different shapes and form factors.

I recommend the free Paragon Backup & Recovery software for the task on Windows, but there are lots of other options available.

Android and iOS devices support backups to Google’s or Apple’s cloud infrastructure. You may also connect your device to your PC or Mac, and transfer important data, which often means images and videos, to the device.

Content Blockers

Content blockers prevent certain types of attacks. Extensions such as uBlock Origin don’t just block advertisement, they may also block known malware sites, improve your privacy online and much more.

Advertisement is used regularly for attacks. This can be as simple as placing an ad for a program download to lure users to a site where malware is offered.

Using content blockers protects you while you are browsing the Internet. You may want to disable the blocker for sites that you value though, as they rely on the revenue and may shut down otherwise.

Antivirus and Firewall

On PC, you need to make sure that you have a proper antivirus solution and firewall installed. Most Windows users may find Windows Defender adequate.

Advanced users may install third-party antivirus solutions, such as BitDefender Free, to protect their PCs.

No antivirus solution is perfect. Thousands of new threats emerge daily and while most users will never notice most of them, there is always the chance that one slips through defences.

Common sense is important as well. The best antivirus solution can’t protect you if you allow malware to run on your devices.

Firewalls, when properly configured, control incoming and outgoing traffic. They may block certain threats outright, by refusing connections.

Windows comes with its own firewall, which is fine for most use cases. Most advanced antivirus solutions come with firewalls.

How to set up a Titan Security Key to protect your Google account (and others)

Posted on November 21, 2023November 21, 2023 by Martin Brinkmann

Google launched an updated Titan Security Key last week. The new hardware key supports FIDO2, which means that it is compatible with a wide range of services. While you may use it exclusively for Google accounts, you can store up to 250 entries using it.

Titan Security Key works similarly to other hardware keys, including latest generation YubiKey products. Google promises state of the art encryption and protections. For users, it is an option to protect their accounts with two-factor authentication. You’d use the hardware key instead of an authenticator app or other means to provide the second form of authentication.

I bought a Titan Security Key of the latest generation last week to check it out. This guide includes step-by-step instructions to set up the hardware key to protect your Google account and others. It includes important information also, for instance, how you can protect yourself to avoid locking yourself out.

Did you know that Google plans to delete inactive Google accounts?

Setting up the Google Titan Security Key

The box includes the selected hardware key — there are two versions that have different USB ports, USB-A or USB-C, but are functional identical otherwise. It also includes a small getting started booklet, which simply tells you to go to this Google website to get started. There is also a bigger Safety & Warranty booklet that no one reads. The USB-A version includes an USB-C to USB-A adapter, the USB-C version of the hardware key none.

Protecting the Google account with the key is a simple process that requires the following steps:

Open this Google Security page in a modern browser, e.g., Firefox, Microsoft Edge, Google Chrome, Safari, Vivaldi, Opera or Brave.
- If you prefer to go there manually, open this Google Account Help page instead and click on “Enroll your security key” under Step 2.
A prompt asks you to keep the key disconnected from the device for now. Select the Next button to continue.
A set up request is displayed as a prompt. Select OK to continue the process.
Another prompt explains that Google will see the make and model of the security now if you continue. Select OK to proceed.
Connect the security key to the device when prompted to do so.
Type a name for the key on the “Security Key registered” page and select Done.

This is the entire process.

Word of Caution

The Security Key becomes the default two-factor authentication option. It is advisable to make sure that there is at least one additional option enabled. This can be an authenticator app, voice or text message, another security key, Google prompts or backup codes.

If you lose the Titan Security Key and don’t have another option enabled in the account, you will be locked out of the account.

Signing-in with the Hardware security key

The first sign-in step is exactly the same as before. You need to supply your Google email address and password to continue.

The 2-step verification prompt lists the email address. Make sure it is the right one. There is a menu to switch to another email address; useful if you set up more than one account.

Select Continue to authenticate using the Titan Security Key. You may also select “Try another way”, which you need to do if you don’t have the hardware key with out. The option “Don’t ask again on this device” should only be used on personal devices.

You are now asked to touch your security key. It contains a small area that reacts to touch. This acts as local confirmation to proceed.

You should now be logged-in to the account.

The same option is also available on mobile devices. Just connect the security key to the mobile device and follow the instructions to sign-in.

Non-Google accounts

Non-Google accounts can be saved to the key. It supports up to 250 keys, e.g. passkeys, that you may add. Numerous services and companies support passkeys already and more will follow in the coming years.

Generally speaking, all you need to do is open the 2-step verification preferences at the service and follow the instructions to protect the account using a hardware key.

Other useful resources

Here is a list of Google resources that you may find useful:

Passkeys Management – this page lists all devices linked to the Google Account. You can edit or remove them, and create new passkeys on the page.
Security Keys Management — similarly, this page lists all security keys associated with the Google account.
Support page with information about lost security keys.

Google’s key or third-party keys?

There are other keys besides Google’s. I already mentioned Yubico keys as an alternative, but there are many more. To name a few: Onlykey, Feitian, or Thetis. All support FIDO2 and offer similar functionality.

Trust plays a role, but so may other factors, including price or the built-in security. There is no clear answer to that question. If you use a Google account and want to protect it, there is nothing wrong with using a Titan Security Key to do so. Similarly, you may use other hardware keys for the same protections.

Now You: do you use hardware keys?