Connected via Bluetooth and used as a method of two-factor authentication, Google’s Titan Security Key is found to have critical security loophole. If the vulnerability is found and exploited, it could allow a remote attacker to have access to accounts and even control devices that the Titan Key is linked to. There are two separate methods an attacker could use to penetrate a user’s device. The first method would require the unauthorized party to be within 30 feet of the user and connect to the key before the user has time to. The second method would involve the attacker disguising their device as the Titan Key when the potential victim attempts to pair the legitimate key to their device. If this is done successfully it could possibly lead to the attacker being able to obtain complete access to the users accounts and device. Although there is no direct mitigation at this time, Google is offering free replacements and advising users to still use the keys.
Users should take advantage of Google’s free replacement key offering. Although this poses a risk two-factor authentication is one of the best methods of mitigating phishing attempts and other security risks. Users are still advised to continue using the Titan Security Key until further updates are made by Google.