large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Oh goody! Google’s 2FA security keys have a security flaw

Physical security keys have been heralded as a cure for the ills of account hacking and phishing, providing a means for web users to add an extra layer of protection when logging in. However, what happens when those security keys are, themselves, vulnerable to attack?

Google has revealed one of its Titan security keys – designed to offer users two factor authentication on logins – has a security issue that leaves the device open to hacking.

The company says the Bluetooth Low Energy versions of the Titan key are saddled with misconfigured Bluetooth pairing protocols. That means, an attacker can use an additional security key to pose as your device, if they’re within 30-feet of you at the time.

It’s a peculiar flaw that seems unlikely to be executed given the need for such close physical proximity. However, it’s worrying in a “Who watches the Watchmen?” kinda way, isn’t it? Ironically, Google says it was altered to the issue by none other than Microsoft.

In a post on the Google security blog, Google points out the issue only affects the Bluetooth-based Titan rather than the USB-based version of the device. The company also explained the two ways the devices could be exploited by the weird little flaw.

Related: Best VPN 2019

In the blog post, Google wrote: “When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.

“Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”

Affected users will receive replacement keys if they apply for them online at this website. The company maintains that this issue doesn’t mean owners shouldn’t use their device in the meantime.

“It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company added.

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.