Google recalls the Titan Bluetooth keys after a security flaw is found

Google had egg on its face this week after it had to recall some of its Titan hardware security keys because they were insecure.

Titan is Google's name for its line of hardware security keys, which provide two-factor authentication (2FA) for website users.

They were launched in July 2018 and add a physical authentication factor to supplement website passwords. Google offers the Titan key for accessing your Google accounts, but you can also use it with any other account that supports the FIDO U2F standard for hardware keys.

When you enable hardware-key support on a website, you will be asked to present your Titan key along with your password before the site lets you in. This stops a thief who has stolen your password from getting into your web account.

How do you present your Titan key? It comes in two flavors: a USB key that you plug into your computer, and a Bluetooth-based key that connects wirelessly to your device. The Bluetooth version works with computers and with smartphones, giving mobile users extra protection for their web accounts.

The problem lies with the Bluetooth key, and specifically with its implementation of Bluetooth Low Energy (BLE), the protocol the key uses to communicate wirelessly with the device on which the user is authenticating.

In normal operation, you first register your BLE-compatible Titan key with the web service you use, which generates a secret that is stored on the key.

When you want to access the web service, you enter your username and password as usual, but the site also asks you to use your hardware key. You press a button on the Titan key. The key connects to your computer or mobile device over BLE and sends the secret. The browser on your device then forwards the secret to the web service, which verifies that you are legitimate.
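The registration and login exchange described above, modelled in Go as an added example (this is not Google's or the Titan firmware's code). It follows the FIDO U2F design the article mentions: at registration the key generates a per-service key pair and gives the service only the public half; at login the service sends a fresh random challenge, the key signs it together with the service identifier and a monotonic counter, and the service verifies the signature and checks that the counter advanced. The service identifiers and the in-memory "server" are constructed for the demo; a real deployment would persist the registration record per user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registration is the record the web service keeps for one enrolled key
// (constructed model: public key plus the last signature counter it saw).
type Registration struct {
	PublicKey *ecdsa.PublicKey
	Counter   uint32 // used to detect replayed assertions and cloned keys
}

// Key models the hardware token: the private key is generated on the token
// and never leaves it; only signatures are sent over USB or BLE.
type Key struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is what the key hands to the browser, which forwards it to the service.
type Assertion struct {
	Counter   uint32
	Signature []byte
}

// Register runs the enrolment step: a fresh P-256 key pair on the token,
// and a registration record holding just the public key for the service.
func Register() (*Key, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Key{priv: priv}, &Registration{PublicKey: &priv.PublicKey}, nil
}

// NewChallenge is the service side of each login: 32 random bytes that
// are valid for this attempt only, so a captured response cannot be reused.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// signedMessage binds the signature to the service identifier (appID),
// the counter and the challenge, so an assertion for one site cannot be
// presented to another.
func signedMessage(appID string, counter uint32, challenge []byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(c[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the button press: the key increments its counter and signs the
// challenge. The secret itself is never transmitted.
func (k *Key) Sign(appID string, challenge []byte) (Assertion, error) {
	k.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedMessage(appID, k.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: k.counter, Signature: sig}, nil
}

// Verify is the service check: reject a counter that did not advance
// (replay or clone), then verify the ECDSA signature against the stored key.
func (r *Registration) Verify(appID string, challenge []byte, a Assertion) error {
	if a.Counter <= r.Counter {
		return errors.New("counter did not advance: replayed assertion or cloned key")
	}
	if !ecdsa.VerifyASN1(r.PublicKey, signedMessage(appID, a.Counter, challenge), a.Signature) {
		return errors.New("signature does not verify for this service and challenge")
	}
	r.Counter = a.Counter
	return nil
}

func main() {
	const appID = "https://accounts.example" // constructed service identifier
	key, reg, err := Register()
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	assertion, _ := key.Sign(appID, challenge)
	fmt.Println("first login:", reg.Verify(appID, challenge, assertion))  // <nil>
	fmt.Println("replayed login:", reg.Verify(appID, challenge, assertion)) // counter error
}
```

The counter check is what lets a service notice a key that has been copied: a clone and the original both start from the same value, so the second one to log in presents a counter the service has already seen.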