Google's new hardware security key was made by a Chinese company

  • A Feitan employee confirmed it had worked with Google on its new Titan key.
  • Yubico, a U.S. company making similar products, has said it doesn't make the Titan key.
  • Google's employees are required to use hardware security keys to log in.

A new Google product for securely logging into web services is made by a company based in China called Feitian, CNBC has learned.

The arrangement is somewhat unusual given Google's continuing hardware push in recent years, as the company has sought to compete more directly with device makers like LG and Samsung. Google doubled down on hardware last year when it moved to acquire talent and intellectual property from HTC.

Meanwhile, China has recently been a hotspot for Google. CEO Sundar Pichai told employees earlier this month that the company was "not close" to launching a search product in China, following reports that Google was planning to return to the country.

Google announced Titan at its Next cloud conference in San Francisco last month, noting that it comes with "firmware developed by Google to verify its integrity," but the company did not identify the maker of the product. But the wireless key bears a resemblance to a wireless key product from Feitian, a security company based in Beijing that went public on the Shenzhen Stock Exchange in 2014.

An employee who answered CNBC's phone call to Feitian's office in Santa Clara, California, confirmed that Feitian is working with Google on Titan. Another source familiar with the project also confirmed the partnership. The Information separately reported the partnership earlier Thursday.

A Google spokeswoman told CNBC that Google is Titan's "manufacturer of record" and that an unnamed third party is the one that in fact makes the Titan keys. But the spokeswoman declined to specify whether Feitian made the keys.

The arrangement has precedent for Google. In 2016 Google emphasized that it was the "seller of record" of its first Pixel smartphones even though HTC was the contract manufacturer, as Wired reported.

Google's long advocacy

Google has been an advocate of technologies that can prevent unwanted attempts to log in to users' accounts, and it now requires employees to use physical security keys in addition to entering their passwords. The additional layer of verification is meant to prevent cases of phishing, whereby hackers obtain personal information through fraudulent messages.

Titan not only looks like Feitian's keys, but also bears a strong resemblance to USB keys from a U.S. company called Yubico, which can be used to log in securely to Google's Gmail service, as well as Dropbox, GitHub and other web services.

But Yubico's CEO, Stina Ehrensvard, made it clear in a blog post that Titan was not made by Yubico. Ehrensvard also criticized certain aspects of keys that use Bluetooth.

"While Yubico previously initiated development of a BLE [Bluetooth Low Energy] security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability," wrote Ehrensvard, whose company has offices in Sweden and California. "BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience."

In a blog post on Thursday announcing the availability of the Titan keys through Google's online store, product manager Christiaan Brand said that the Google firmware is sealed into special chips that are delivered to the manufacturing line. "The trust in Titan Security Key is anchored in the sealed chip as opposed to any other later step which takes place during device manufacturing," Brand wrote.

Feitian has shared some social media messages referring to Google since the Titan announcement but had not made a public statement about the Google collaboration.

Google's own website for enrolling in its "advanced protection" plan currently suggests that people who are in the U.S. buy a Feitian wireless key and a Yubico USB key through Amazon if they don't already own two security keys. But these keys are not specifically marketed under Google's Titan brand name.