Titan Security Keys are marketed as phishing-resistant two-factor authentication (2FA) devices that help protect high-value users such as IT admins. They have been around for quite some time and have been widely promoted as the most secure second-factor device ever, both by Google itself and by the media.

However, one particular model of Titan (BLE) turns out to be not very secure: today, Google sent a message to G Suite administrators whose users are supposedly using the affected devices, recommending that the devices be replaced.



While the details of the vulnerability have not been disclosed and it is not even clear whether this is a severe security issue at all, this incident shows again that no method can ever be 100% secure, and, as usual, security-savvy users should keep abreast of the latest reports. So, if you happen to use any Google Titan Keys or Feitian MultiPass BLE U2F keys (both appear to be the same product), it is recommended to replace them with something more reliable (a TOTP token, for example).

UPDATE: Regular (non-G Suite) users were also informed
UPDATE2: This appears to be a security issue indeed
UPDATE3: Feitian launches a replacement program

Comments (3)


  1. Zsam112
    15.05.2019 21:34
    +2

    If the Google security key is not secure, then what can we trust?


    1. Token2 Author
      15.05.2019 21:38
      +1

      This is not really Google's device. Only the “firmware is developed by Google to verify its integrity”, which appears to have been just a phrase for the media. As a result, the same vulnerability affecting Feitian MultiPass affects Titan as well.


      1. Zsam112
        15.05.2019 21:55

        Okay, I got it