You Need Two-Factor Authentication Even If Google Screwed It Up

You know that I advise people to use 2FA. But Google’s token has a problem that might affect you.

Just this week Google announced that their two-factor authentication fob, called Titan, has a vulnerability that allows it to be hacked by anyone who is within 30 feet of the device. It’s not a straightforward attack, as the attacker would also have to know the username and password of the account the security device protects. But any security problem with a security device can be dangerous.

How could that happen?

It’s another example of over-using technology: taking technology designed for one purpose and reusing it for another. In this case, the vulnerability is the result of a misconfiguration in the 10-year-old pairing protocols used by Bluetooth Low Energy connectivity.

This low-power wireless communication protocol was designed to be used by personal devices such as your wireless headphones, your smartwatch, and medical devices such as cardiac and blood pressure monitors, none of which demand current levels of security.

Without this standard, IoT smart devices would require too much power.

More on the Google Titan…

The Titan two-factor authentication fob is a hardware token device that supports the Fast IDentity Online (FIDO) standard for two-factor authentication. Each key is assigned to a particular user and verifies that user using a generated security key tied to the address of a specific login page. The device is designed to protect high-value users by providing a unique authentication code on a fixed interval.

The purpose of these two-factor hardware security keys is to help defend against account takeovers and business email compromise attacks that begin with a phishing attack. One of the best and most reliable methods of protection is the use of these physical security keys.
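To show why a FIDO key tied to a specific login page resists phishing, here is an added simulation (not Google’s or the FIDO Alliance’s code) of one login: the site issues a challenge, the key signs it for the page the browser is actually on, and the site verifies against the address it registered. The origins `accounts.example.com` and the look-alike `accounts-example.com` are constructed, and an HMAC over a device-held secret stands in for the ECDSA signature a real key produces, so the example runs with the standard library only.

```python
import hashlib
import hmac
import os
import struct

# Constructed example origins: the site the key was registered with and a
# look-alike domain a phishing page might use.
REGISTERED_ORIGIN = "https://accounts.example.com"
PHISHING_ORIGIN = "https://accounts-example.com"


class SecurityKey:
    """Stand-in for a FIDO token. A real device signs with an ECDSA private
    key; HMAC with a device-held secret is assumed here so the example needs
    no third-party library. The secret never leaves the device."""

    def __init__(self):
        self._secret = os.urandom(32)
        self.counter = 0  # incremented on every assertion, as real keys do

    def register(self):
        # A real token returns a public key; the MAC secret plays that role here.
        return self._secret

    def authenticate(self, origin, challenge):
        # The browser passes the origin of the page that asked for the assertion.
        # The key binds its signature to that origin, so a phishing page can only
        # obtain a signature over its own address, never over the real site's.
        self.counter += 1
        app_param = hashlib.sha256(origin.encode()).digest()
        msg = app_param + struct.pack(">I", self.counter) + hashlib.sha256(challenge).digest()
        return self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()


def verify_assertion(stored_key, expected_origin, challenge, counter, signature):
    """Site-side check: recompute over the origin the site expects, not the one
    the client claims, so a signature minted for another address fails."""
    app_param = hashlib.sha256(expected_origin.encode()).digest()
    msg = app_param + struct.pack(">I", counter) + hashlib.sha256(challenge).digest()
    expected = hmac.new(stored_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def login_attempt(key, stored_key, page_origin):
    """One login round: fresh challenge, key signs for the page it is on, site verifies."""
    challenge = os.urandom(32)
    counter, sig = key.authenticate(page_origin, challenge)
    return verify_assertion(stored_key, REGISTERED_ORIGIN, challenge, counter, sig)
```

A phishing page that relays the real challenge still fails, because the browser reports its own origin to the key and the site only accepts signatures over the registered one.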

Google is offering replacements to purchasers who have a Titan Security Key that has the vulnerability. If you have one of these devices, check the back and see if there is a T1 or T2 on the device. If there is, you can return it for a replacement.

I use YubiKeys, but Titan is a good alternative.