Google released its Titan security keys in two different varieties: USB and Bluetooth Low Energy (BLE). But now Google has alerted users to a rather peculiar flaw in its BLE Titan keys. The company says that there is a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” that could potentially allow an attacker to get access to your account or device. So Google is replacing the affected security keys because of the vulnerability.
The idea behind Titan is the same as for any security key: to give people a hardware two-factor authentication method. Everything was fine for a while.
Google’s Bluetooth Titan 2FA keys
According to the warning issued by Google, not all Titan Security Keys have the bug. Only the Bluetooth Low Energy (BLE) model is impacted. If your Titan Security Key has a “T1” or “T2” on the back of it, it has the security bug and is eligible for a replacement from Google.
As it turns out, some of those BLE keys have misconfigured Bluetooth pairing protocols, which has the potential to allow an attacker to hijack your login attempts. For instance, someone who already has your username and password could, in theory, pair their device to your security key at the moment you press the button on your Titan to validate your credentials. If they do that, then they’ve just been granted access to your account using the security key that was supposed to add another layer of protection.
Since both of these vulnerabilities require the attacker to have precise timing and be within 30 feet, it seems unlikely that this is ever going to be a major cause for concern among BLE Titan owners. According to a security expert, using the Bluetooth security key for two-factor authentication is far safer than turning it off altogether or relying on SMS authentication. Thus, Google is recalling its Bluetooth Titan 2FA keys.