Google had egg on its face this week after it had to recall some of its Titan hardware security keys because they were insecure.
Titan is Google's name for its series of hardware security keys that provide two-factor authentication (2FA) for website users.
They were launched in July 2018 and add a layer of physical authentication to supplement website passwords. Google offers the Titan key for accessing your Google accounts, but you can also use it with other accounts that support the FIDO U2F standard for hardware keys.
When you enable hardware key support on a website, you will be asked to present your Titan key along with your password before it lets you in. This prevents thieves who steal your password from gaining access to your web account.
How do you present your Titan key? It comes in two flavors: a USB key that you connect to your computer, and a Bluetooth-based key that connects wirelessly to your device. This works with computers and with your smartphone, giving mobile users extra protection for their web accounts.
The problem lies with the Bluetooth key, and in particular with its implementation of Bluetooth Low Energy (BLE). This is the protocol the key uses to communicate wirelessly with the device it is authenticating to.
In normal operation, you first register your BLE-compatible Titan key with the web service you use, generating a secret stored on the key.
When you want to access the web service, you enter your username and password as usual, but the site also asks you to use your hardware key. You press a button on your Titan key. The key connects to your computer or mobile device over BLE and sends the secret. The browser on your device then forwards the secret to the web service, which verifies that you are who you claim to be.
So far, so good.
The problem is that Google misconfigured the BLE implementation, which left it insecure. It allows a so-called man-in-the-middle (MiTM) attack, in which someone can get between your Titan key and the device it is communicating with. That person can then intercept the key's communication and use it to log in as you.
Fortunately, the attack cannot be carried out from the other side of the world: an attacker must be within a radius of about 10 meters; must launch their attack just as you press the button on your Titan key; and must already know your username and password.
But everyone in the same coffee shop as you, for example, automatically meets the first two conditions, so this type of attack is certainly feasible.
The problem only affects the Bluetooth-enabled keys, not those that you plug into a USB port. To address it, Google has recalled the affected keys and is offering a free replacement.
The company also argued that, even with the vulnerability, the Titan keys are still more secure than relying on your password alone:
It is still safer to use a key with this problem than to disable security key-based 2-step verification (2SV) on your Google account or to downgrade to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device).
Google created its own Titan key rather than partnering with key maker Yubico, which developed the U2F standard together with Google in 2014. Yubico cast doubt on Google's Bluetooth choice last year, arguing:
Although Yubico previously started developing a BLE security key and contributed to the BLE U2F standards, we decided not to launch the product because it does not meet our security, usability and durability standards. BLE does not offer the security levels of NFC and USB, and requires batteries and pairing that provide a poor user experience.
Google's Bluetooth misstep reinforces Yubico's point. It also does the concept of hardware keys in general no favors.