Hardware Security Keys Keep Getting Recalled; Are They Safe?

June 14, 2019

Cameron Summerson

We recommend hardware security keys like Yubico’s YubiKeys and Google’s Titan Security Key. But both manufacturers have recently recalled keys due to hardware flaws, and that sounds a little worrying. What’s the problem? Are these keys still safe?

What Are Hardware Security Keys?

Physical security keys like Google’s Titan Security Key and Yubico’s YubiKeys use the WebAuthn standard, the successor to U2F, to help protect your accounts. They function as another type of two-factor authentication: Rather than a code you type in, it’s a physical security key you insert into a USB port—or it can communicate wirelessly via NFC (near-field communication) or Bluetooth.

You can use your key as a hardware security token to sign into accounts like your Google, Facebook, Dropbox, and GitHub accounts. With Google’s optional Advanced Protection program, you can even require a physical security key to log into your account.
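What the server actually checks when one of these keys signs you in, as an added Go example that is not from the article or from either vendor: the authenticator signs a fresh server challenge together with the origin the browser is really on, and the relying party rejects anything whose origin, challenge, or signature does not match. The rpID, origin, challenge values and the in-memory key are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed relying-party identity for this example (not a real site).
const rpID, rpOrigin = "example.com", "https://example.com"
// newKey stands in for the per-site key pair a hardware token creates at registration.
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// signedMessage is what WebAuthn signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
// sign plays the authenticator; origin is whatever page the browser is really on.
func sign(key *ecdsa.PrivateKey, challenge, origin string) (cdJSON, authData, sig []byte) {
	cdJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || counter
	sig, _ = ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cdJSON))
	return
}
// verifyAssertion is the relying party's check: fresh challenge, expected origin, matching rpIdHash, valid signature.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, cdJSON, authData, sig []byte) error {
	var cd map[string]string
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil:
		return fmt.Errorf("malformed clientDataJSON")
	case cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd["origin"] != rpOrigin:
		return fmt.Errorf("origin %q is not %q: possible phishing page", cd["origin"], rpOrigin)
	case len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig):
		return fmt.Errorf("bad signature")
	}
	return nil
}
```

The origin check is what a typed-in code cannot give you: a look-alike site gets a signature bound to its own origin, which the real site refuses.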


Why Have Google and Yubico Recalled Keys?

[Image: Yubico FIPS keys. Credit: Yubico]

Both Yubico and Google have been in the news lately. Each has had to recall some security keys due to hardware flaws.

Yubico’s issue only affects YubiKey FIPS Series devices—not any consumer devices. As Yubico’s security advisory explains, these keys have insufficient randomness after device powerup, which could make their encryption vulnerable. These devices are just for government agencies and contractors—we don’t recommend FIPS unless you’re legally required to use it. Yubico isn’t aware of any attacks that have abused this, but the company is proactively replacing affected devices.

Google’s Titan Security Key problem, which led to a recall and replacement of affected keys, was worse. The Bluetooth version of the Titan Security Key, which uses Bluetooth Low Energy to communicate wirelessly, was vulnerable to attack due to what Google called a “misconfiguration.” An attacker within 30 feet of someone using the key to sign in could exploit the flaw to sign into that person’s account. Alternatively, the attacker could trick the person’s computer into pairing with a different Bluetooth device rather than the security key. The vulnerability also affects Feitian security keys; Feitian is the company that manufactures the Titan keys for Google.

Microsoft has also rolled out a Windows update that prevents these vulnerable Google Titan and Feitian keys from pairing with Windows 10 and Windows 8.1 via Bluetooth.

Yubico never offered a Bluetooth key. When Google announced its Titan key, Yubico said that it had previously explored launching its own Bluetooth Low Energy (BLE) key but that “BLE does not provide the security assurance levels of NFC and USB.” Google’s struggles seemingly vindicated Yubico’s approach of focusing on USB and NFC rather than Bluetooth.

