Flaw found in Bluetooth Titan Security Keys but Google is replacing them for free

Titan Key (Image credit: Android Central)

What you need to know

  • This only affects the Bluetooth version of the Titan Key.
  • Google is offering a free replacement for every user.
  • The key will stop working with the iOS 12.3 update.
  • The key will stop working with the June 2019 Security Patch for Android.

Google has issued an advisory for users of the Bluetooth version of its Titan Security Key: every one of them needs to be replaced because of a misconfiguration in the key's Bluetooth pairing protocols. Owners of affected keys have received an email with full details, but if you're unsure, check the back of your key: affected units are marked T1 or T2.

The flaw can let an attacker within roughly 30 feet of you (Bluetooth range) communicate with the key, or with the device it is paired to, while you're using it. As scary as that sounds, the potential for abuse is very limited, because for it to happen one of the following has to be true:

  • The attacker already knows your username and password and is in range at the exact moment you press the button on the key to sign in. If their device connects to the key before yours does, they could complete the sign-in to your account from their device.
  • After your key is paired, the attacker's device could masquerade as your key and connect to your device at the moment you press the button to authenticate. It could then reconfigure itself to appear as a Bluetooth keyboard or mouse and take actions on your phone.

Regardless, a flaw is a flaw, and when it comes to something like a two-factor authentication key, a prompt fix and replacement are in order. That's what Google is doing. If you use an iOS device with your key, the key will stop working once you update to iOS 12.3. If you use an Android device with your key, it will stop working once you install the June 2019 Security Patch. That's plenty of time to get a free replacement, which you can do by visiting google.com/replacemykey.

In the meantime, Google has some suggestions for you. First of all, do not disable two-factor authentication. Your backup methods of authenticating will still work as they always did, and NFC and USB keys are not affected in any way. If you keep using an affected Bluetooth key until the replacement arrives: use it only in a private place where nobody is within 30 feet of you, and once you've signed in with it, unpair it in your device's Bluetooth settings, since the second attack above depends on an existing pairing. If you need the key again, re-pair it, sign in, and unpair it when you're finished.


While the scenarios in which an attacker could get access through this flaw are very specific, security is paramount. These keys need to be replaced right away, and it's good to see Google eating the loss instead of trying to work around it. If you use a Titan BLE key, be sure to get your free replacement and follow the safe practices outlined above in the meantime. Stay safe out there.

Jerry Hildenbrand
Senior Editor — Google Ecosystem
