Google offers free 2FA Bluetooth Titan Security Key swaps after security flaw discovered Credit: GoogleSupplied Art
Business Management

Google offers free 2FA Bluetooth Titan Security Key swaps after security flaw discovered

If you use one of Google’s Titan Security Keys for two-factor authentication, you probably think your account was as secure as it can be. On its website, in fact, Google promises that Titan Security Keys “are the same level of security used internally at Google” and “keep out anyone who shouldn’t have access to your online accounts.”

Make that most people. In a post on its security blog, Google divulged Wednesday that it has discovered a “misconfiguration” with the Bluetooth Low Energy version of its Titan Security Key that could allow a nearby attacker to “communicate with your security key, or communicate with the device to which your key is paired.”

As Google explains, there are two ways an attacker can strike. While pairing the key with your PC or phone, someone could “potentially connect their own device to your affected security key before your own device connects (and) sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.”

Furthermore, if you are using the device to obtain authentication, an attacker “could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.”

What this means for you: While certainly a rare case—since it’s a Bluetooth key, an attacker would need to be with 30 feet of you when you press the button—it’s still likely to be alarming for anyone who purchased a key to secure the account. Rather than try to patch the vulnerability via software, Google will replace all affected security keys free of charge. To check if your key is among the affected units, look at the small number above the USB port on the back. If it reads T1 or T2, your key needs to be replaced.

Google recommends using the NFC- or USB-based security authentication until the replacement arrives, as these methods are not affected by the issue. Additionally, the upcoming June 2019 security patch for Android devices will automatically unpair affected Bluetooth security keys to eliminate the risk of attack.

All affected users can request a free replacement by visiting google.com/replacemykey.

PREVIOUS ARTICLE

« Valve's Steam Link app finally appears on the App Store almost a year after Apple's rejection

NEXT ARTICLE

Windows 10's latest Insider preview gives Task Manager a simple, stellar storage enhancement »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Poll

Do you think your smartphone is making you a workaholic?