Hardware Security Keys Keep Getting Recalled; Are They Safe?

2 min


We recommend hardware security keys like Yubico’s YubiKeys and Google’s Titan Security Key. But both manufacturers have recently recalled keys due to hardware flaws, and that sounds a little worrying. What’s the problem? Are these keys still safe?

What Are Hardware Security Keys?

Physical security keys like Google’s Titan Security Key and Yubico’s YubiKeys use the WebAuthn standard, the successor to U2F, to help protect your accounts. They function as another type of two-factor authentication: Rather than a code you type in, it’s a physical security key you insert into a USB port—or it can communicate wirelessly via NFC (near-field communication) or Bluetooth.

You can use your key as a hardware security token to sign into accounts like your Google, Facebook, Dropbox, and GitHub accounts. With Google’s optional Advanced Protectionprogram, you can even require a physical security key to log into your account.

Why Have Google and Yubico Recalled Keys?

Yubico FIPS keys

Both Yubico and Google have been in the news lately. Each has had to recall some security keys due to hardware flaws.

Yubico’s issue only affects YubiKey FIPS Series devices—not any consumer devices. As Yubico’s security advisory explains, these keys have insufficient randomness after device powerup, which could make their encryption vulnerable. These devices are just for government agencies and contractors—we don’t recommend FIPS unless you’re legally required to use it. Yubico isn’t aware of any attacks that have abused this, but the company is proactively replacing affected devices.

Google’s Titan Security Key problem, which led to a recall and replacement of affected keys, was worse. The Bluetooth version of the Titan Security Key, which uses Bluetooth Low Energyto communicate wirelessly, was vulnerable to attack due to what Google called a “misconfiguration.” An attacker within 30 feet of someone using a security key to sign in could exploit the flaw to sign into their account. Or, the attacker could trick the person’s computer into pairing with a different Bluetooth dongle rather than the security key. The vulnerability also affects Feitan security keys—Feitan is the company manufacturing the Titan keys for Google.

Microsoft has also rolled out a Windows update that will prevent these vulnerable Google Titan and Feitan keys from pairing with Windows 10 and Windows 8.1 via Bluetooth.

Yubico never offered a Bluetooth key. When Google announced its Titan key, Yubico said that it had previously explored launching its own Bluetooth Low Energy (BLE) key but that “BLE does not provide the security assurance levels of NFC and USB.” Google’s struggles seemingly vindicated Yubico’s approach of focusing on USB and NFC rather than Bluetooth.

Both Google and Yubico recalled and replaced affected keys for free.

Do We Still Recommend These Keys?

Despite the flaws and recalls, we do still recommend physical security keys. Yubico experienced an issue with randomness in one line of products specifically for the government and replaced it. Google ran into trouble with Bluetooth, but even that problem could only be exploited by attackers within 30 feet of you. Even a flawed Bluetooth Titan key definitely protected you from remote attackers.

These keys still meet high standards of security. The fact that both Yubico and Google are proactively disclosing flaws and offering free replacements of affected hardware is encouraging. The problems have never affected any standard USB or NFC-based security keys for regular consumers.

The biggest problem with these keys is the problem with all two-factor authentication. With most online services, you can simply use a less-secure method like SMS to remove the security key. An attacker who pulled off a phone port-out scam could gain access to your account even if you have a physical key attached. Only very high-security services—like Google’s Advanced Protection program—can protect you against that.

Like it? Share with your friends!

Sande Kennedy

Sande Kennedy is the founder of SandeKennedy.com & Kenyans247.com He is a Kenyan-based Internetprenuer,blogger Political Activist,informer who has an interest in politics, governance, corporate-fraud and human-interest. Kindly drop me a note if you feel aggrieved on any matter that you would want to be highlighted. Twitter @itssandekennedy , Instagram @itssandekennedy WhatsApp: +254791890826 Read More about me here


Would you like to get published on this Popular Blog? You can now email Sande Kennedy any breaking news, Exposes, story ideas, human interest articles or interesting videos on: info@sandekennedy.com. Videos and pictures can be sent to +254 791890826 here on WhatsApp by clicking this send button
Powered by