What you need to know
- This only affects the Bluetooth version of the Titan Key.
- Google is offering a free replacement for every user.
- The key will stop working with the iOS 12.3 update.
- The key will stop working with the June 2019 Security Patch for Android.
Google has issued an advisory for users of the Bluetooth version of its Titan Security Key saying that all of them need to be replaced due to a misconfiguration in the pairing protocol. Users of the affected keys have received an email with full details, but if you're unsure, the affected keys are marked T1 or T2 on the rear.
This flaw can enable an attacker who is within 30 feet of you while you're using the key to communicate with it or with the device it is paired to. As scary as that sounds, there is a very limited potential for abuse because for it to happen:
- The attacker already knows your username and password, and when you first pair the device they could connect after you press the pairing button, but before your device connects.
- After pairing, the attacker could masquerade as your key at the exact time you are using it to authenticate, then configure his or her device as a Bluetooth keyboard or mouse and have access to your phone.
Regardless, a flaw is a flaw, and when it comes to something like a two-factor authentication key, a prompt fix and replacement are in order. That's what Google is doing. If you use an iOS device with your key, it will stop working once you update to version 12.3. If you use an Android device with your key, it will stop working with the June 2019 Security Patch. That's plenty of time to get a free replacement, which you can do by visiting google.com/replacemykey.
In the meantime, Google has some suggestions for you. First of all, do not disable two-factor authentication. Your backup method of authenticating will still work as it always did, and NFC/USB keys are not affected in any way. For those who use the affected Bluetooth keys: always use the key in a private place where nobody is within 30 feet of you, and once you've signed into your device with it, unpair it through the device settings. If you need to use it again, re-pair it and unpair when you're finished.
While the scenarios where an attacker could get access via this flaw are very specific, security is paramount. These keys need to be replaced right away, and it's great to see Google eating the loss instead of trying to work around it. If you use a Titan BLE key, be sure to get your free replacement and follow the safe practices outlined above in the meantime. Stay safe out there.