Google is doing this because Microsoft reported a security vulnerability affecting these security keys. The company warned that if you're using the security key's Bluetooth pairing, you should make sure you're in a private place where a potential attacker couldn't be within 30 feet. "In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly", Google explained.
Google released the key-shaped Titan last August, offering the physical authentication tool as a remedy to phishing and other attacks. The matter doesn't affect the device's primary goal - thwarting phishing attempts - but could allow an attacker within physical proximity, at the moment the key is used, to gain access to the key or to the device it is paired with.
Once connected, an attacker could manipulate your device by making their own device appear to it as a Bluetooth keyboard or mouse.
The bug can't be fixed with a security update, so Google is asking users to check whether their key is affected and, if it is, to request a replacement, which will be sent free of charge. Affected units can be identified by the "T1" or "T2" printed on the rear. Google has a few suggestions for those who use the affected Bluetooth keys, since an attacker could communicate with the key or with the device paired with it. "After you've used your key to sign into your Google Account on your device, immediately unpair it", Brand said in the blog post. Google advises those with affected keys who have installed the update to remain logged in to their Google Accounts until a replacement arrives.
But even if your Titan Security Key has the bug, don't stop using it while waiting for a replacement.
"However, there is no such thing as flawless technology, so I'm glad Google is taking the initiative and recalling these keys".
Titan - the physical security key Google rolled out last year - was built to "protect high-value users". A Google spokesperson told ZDNet that non-US users can use the same google.com/replacemykey page to check if their Feitian keys are affected, but Feitian will handle the replacement process if users are impacted and eligible for a new key. Makers of NFC-enabled security keys recommend holding the key right up to your smartphone when using it. Google has published more specific instructions for iOS and Android devices.
As if the world isn't scary enough: according to Google, your most trusted security measures could actually harbour hidden vulnerabilities.
Brand said that iOS 12.3, which Apple started rolling out on Monday, won't work with vulnerable security keys.
Security keys add another layer of authentication to a user's account, requiring users to have the physical key on their person in order to log in.
"After you've used your affected security key to sign into your Google Account, immediately unpair it". An Android update scheduled for next month will automatically unpair Bluetooth security keys so users won't have to do it manually. Note that you can continue to sign into your Google Account on non-iOS devices.