If you've got a Titan Security Bundle from Google, you might have to replace the wireless Bluetooth/NFC keyfob device that came as part of the package. Google is offering replacement keyfobs for free.
That's because a flaw in some of the keyfobs' Bluetooth Low Energy (BLE) software could let an attacker within about 30 feet of you hijack the key-registration or device-pairing processes, Google warned in a blog post today (May 15). If so, the attacker's own wireless security key, not yours, could be used to log into your Google and other online accounts. (The USB security key that is other half of the Titan bundle is not affected.)
To see if you qualify for a replacement Titan wireless key, go to https://myaccount.google.com/replacemykey on a browser on which you're signed into your Google account. You can also check the back of the keyfob, at the bottom, to see if a tiny "T1" or "T2" is printed into the plastic; if so, you qualify and should email firstname.lastname@example.org for further instructions.
At least this solves the mystery of why Google's Titan security-key bundle was missing from the Google Play store for several months. It's back in the store today for the same price of $50.
Google's security keys are a part of two-factor authentication, the system whereby you are asked for an additional form of authentication when logging into an online account from a device you haven't used before.
The security key is the second factor; without it, even someone who has your username and password won't be able to log in. Physical security keys are much more secure than texted temporary codes, which can be intercepted over the air. Users can also be tricked into divulging codes by phishing websites.
Who's affected and why
If you use an iPhone and have a vulnerable wireless Titan keyfob, it will no longer work once you update to iOS 12.3, so don't log out of your Google account on your iPhone until you get a replacement key.
For Android users and anyone using iOS 12.2 or earlier, Google recommends not using an affected Titan wireless security key in any location where strangers could be within Bluetooth range — about 30 feet. That rules out most offices, cafes, libraries and other crowded places.
Google also recommends that you immediately unpair your wireless Titan security from your Bluetooth-enabled device after using the key.
Yubico was right about Bluetooth
This flaw vindicates the somewhat controversial decision a year ago by rival security-key maker Yubico to not manufacture Bluetooth-enabled security keys.
"We decided not to launch the [BLE security key] product as it does not meet our standards for security, usability and durability," Yubico co-founder Stina Ehrensvard wrote in a blog posting in July 2018. "BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience."
Google's keyfob uses NFC (near-field communications) as well, which is stronger and safer than BLE, but iOS devices don't work well with NFC-based security keys, with the exception of Yubico's latest keys. Google's use of Bluetooth is a way around that.
NFC has a much shorter range than Bluetooth, on a scale of a few inches rather than 30 feet. Makers of NFC-enabled security keys recommend holding the key right up to your smartphone when using the key. Most Yubico USB-based security keys also include NFC, and you can get a combination USB-NFC security key from Amazon for less than $20.