We recommend hardware security keys like Yubico’s YubiKeys and Google’s Titan Security Key. But both manufacturers have recently recalled keys due to hardware flaws, and that sounds a little worrying. What’s the problem? Are these keys still safe?
What Are Hardware Security Keys?
Physical security keys like Google’s Titan Security Key and Yubico’s YubiKeys use the WebAuthn standard, the successor to U2F, to help protect your accounts. They function as another type of two-factor authentication: Rather than a code you type in, it’s a physical security key you insert into a USB port—or it can communicate wirelessly via NFC (near-field communication) or Bluetooth.
You can use your key as a hardware security token to sign into accounts like your Google, Facebook, Dropbox, and GitHub accounts. With Google’s optional Advanced Protection program, you can even require a physical security key to log into your account.
Why Have Google and Yubico Recalled Keys?
Both Yubico and Google have been in the news lately. Each has had to recall some security keys due to hardware flaws.
Yubico’s issue only affects YubiKey FIPS Series devices—not any consumer devices. As Yubico’s security advisory explains, these keys have insufficient randomness after device powerup, which could make their encryption vulnerable. These devices are just for government agencies and contractors—we don’t recommend FIPS unless you’re legally required to use it. Yubico isn’t aware of any attacks that have abused this, but the company is proactively replacing affected devices.
Google’s Titan Security Key problem, which led to a recall and replacement of affected keys, was worse. The Bluetooth version of the Titan Security Key, which uses Bluetooth Low Energy to communicate wirelessly, was vulnerable to attack due to what Google called a “misconfiguration.” An attacker within 30 feet of someone using a security key to sign in could exploit the flaw to sign into their account. Or, the attacker could trick the person’s computer into pairing with a different Bluetooth dongle rather than the security key. The vulnerability also affects Feitan security keys—Feitan is the company manufacturing the Titan keys for Google.
Microsoft has also rolled out a Windows update that will prevent these vulnerable Google Titan and Feitan keys from pairing with Windows 10 and Windows 8.1 via Bluetooth.
Yubico never offered a Bluetooth key. When Google announced its Titan key, Yubico said that it had previously explored launching its own Bluetooth Low Energy (BLE) key but that “BLE does not provide the security assurance levels of NFC and USB.” Google’s struggles seemingly vindicated Yubico’s approach of focusing on USB and NFC rather than Bluetooth.
Both Google and Yubico recalled and replaced affected keys for free.
Do We Still Recommend These Keys?
Despite the flaws and recalls, we do still recommend physical security keys. Yubico experienced an issue with randomness in one line of products specifically for the government and replaced it. Google ran into trouble with Bluetooth, but even that problem could only be exploited by attackers within 30 feet of you. Even a flawed Bluetooth Titan key definitely protected you from remote attackers.
These keys still meet high standards of security. The fact that both Yubico and Google are proactively disclosing flaws and offering free replacements of affected hardware is encouraging. The problems have never affected any standard USB or NFC-based security keys for regular consumers.
The biggest problem with these keys is the problem with all two-factor authentication. With most online services, you can simply use a less-secure method like SMS to remove the security key. An attacker who pulled off a phone port-out scam could gain access to your account even if you have a physical key attached. Only very high-security services—like Google’s Advanced Protection program—can protect you against that.