We recommend hardware security keys such as Yubico's YubiKeys and Google's Titan Security Key. Both manufacturers have recently recalled keys because of hardware flaws, and that sounds a bit worrying. What went wrong, and are these keys still safe?
What are Hardware Security Keys?
Physical security keys such as Google's Titan Security Key and Yubico's YubiKeys use the WebAuthn standard, the successor to U2F, to protect your accounts. They act as another type of two-factor authentication: instead of a code you type in, the second factor is a physical key that you plug into a USB port or that communicates wirelessly via NFC (near field communication) or Bluetooth.
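As an added example (not code from the article or from either vendor), this is the shape of a WebAuthn sign-in from the website's side: the options handed to the browser's `navigator.credentials.get()` and the check of the client data the key-backed response carries. The origin and credential id are constructed placeholders, it assumes Node.js 16 or later, and it stops before the signature check that a real relying party performs next.

```javascript
// Added example: relying-party side of a WebAuthn second-factor sign-in.
// RP_ORIGIN and the credential ids are constructed values for illustration.
const RP_ORIGIN = 'https://example.com';

function toBase64Url(bytes) {
  return Buffer.from(bytes).toString('base64url');
}

// Options a site passes to navigator.credentials.get() in the browser.
// transports is limited to USB and NFC, so a Bluetooth-only key is not offered.
function buildAssertionOptions(challenge, credentialIds) {
  return {
    publicKey: {
      challenge,                         // random bytes minted by the server
      rpId: new URL(RP_ORIGIN).hostname,
      timeout: 60000,
      allowCredentials: credentialIds.map((id) => ({
        type: 'public-key',
        id,
        transports: ['usb', 'nfc'],
      })),
      userVerification: 'preferred',
    },
  };
}

// Server-side check of clientDataJSON from the assertion response. The origin
// check is what ties the login to the real site; the signature over
// authenticatorData and this client data must be verified afterwards (not shown).
function verifyClientData(clientDataJSON, expectedChallenge) {
  const data = JSON.parse(Buffer.from(clientDataJSON).toString('utf8'));
  if (data.type !== 'webauthn.get') throw new Error('wrong ceremony type');
  if (data.challenge !== toBase64Url(expectedChallenge)) {
    throw new Error('challenge mismatch');
  }
  if (data.origin !== RP_ORIGIN) throw new Error('origin mismatch');
  return data;
}

// Constructed sample of what a browser would return for a given challenge.
function sampleClientData(challenge, origin = RP_ORIGIN, type = 'webauthn.get') {
  const json = JSON.stringify({ type, challenge: toBase64Url(challenge), origin });
  return new TextEncoder().encode(json);
}
```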
You can use your key as a hardware security token to sign in to accounts such as your Google, Facebook, Dropbox, and GitHub accounts. With Google's optional Advanced Protection Program, you can even require a physical security key to log in to your account.
Why Have Google and Yubico Recalled Keys?
Both Yubico and Google have been in the news lately. Both had to recall some security keys because of hardware flaws.
Yubico's issue only affects devices in the YubiKey FIPS series, not consumer devices. As explained in the Yubico Security Advisory, these keys have insufficient randomness right after power-on, which could weaken the cryptographic operations they perform. These devices are intended for government agencies and contractors only; we recommend FIPS keys only if you are legally required to use them. Yubico is not aware of any attacks that have abused the flaw, but the company is proactively replacing affected devices.
Google's Titan Security Key issue, which led to the recall and replacement of affected keys, was worse. The Bluetooth version of the Titan Security Key, which uses Bluetooth Low Energy for wireless communication, was vulnerable to a flaw that Google described as a "misconfiguration." An attacker in Bluetooth range could exploit this flaw while you were signing in with the key to log in to your account, or could trick your computer into pairing with a different Bluetooth device instead of the security key. The vulnerability also affects Feitian security keys; Feitian is the company that manufactures the Titan keys for Google.
Microsoft has also released a Windows update that prevents these vulnerable Google Titan and Feitian keys from being paired with Windows 10 and Windows 8.1 over Bluetooth.
Yubico has never offered a Bluetooth key. When Google announced its Titan key, Yubico stated that it had previously explored releasing its own Bluetooth Low Energy (BLE) key but decided against it: "BLE, however, does not provide the security level of NFC and USB." Yubico stuck with USB and NFC instead of Bluetooth.
Both Google and Yubico have recalled and replaced affected keys for free.
Are we still recommending these keys?
Despite the flaws and recalls, we still recommend physical security keys. Yubico identified a randomness problem in a product line intended specifically for government use and replaced the affected keys. Google had a problem with Bluetooth, but even that problem could only be exploited by an attacker within 30 feet of you. Even a flawed Bluetooth Titan key still protected you from remote attackers.
These keys still meet high security standards. The fact that both Yubico and Google proactively disclosed these bugs and offered free replacements for the affected hardware is encouraging. Neither issue ever affected a standard USB or NFC security key sold to ordinary consumers.
The biggest problem with these keys is a general problem with two-factor authentication: most online services let you fall back on a less secure method, such as SMS, which bypasses the security key entirely. An attacker who has pulled off a phone port-out scam can get into your account even if you own a physical key. Only high-security programs like Google's Advanced Protection Program protect you against this.