If you use one of Google's Titan Bluetooth security keys to log in to all of your two-factor protected accounts, there's good news and bad news. The bad news is, as you can probably guess, that Google has announced the discovery of a vulnerability that could allow someone to potentially access your accounts. The good news is that Google has recognized the problem and is offering you a free replacement that closes the gap.
The Google Titan Bluetooth Security Key is a physical security token that, in conjunction with a phone or tablet, provides one of the two passwords required to unlock an account protected by two-factor authentication. It replaces the random password that you may receive from a two-factor authentication app or text message. As many, including Google, rightly point out, using a physical token that automatically transmits these codes is far more secure than having a random password sent to your device. The problem lies in the Bluetooth pairing process. During pairing, an attacker can intercept the device's signal from a distance of up to 1
For this reason, Google has issued a recall of the affected security keys. To check if your device needs to be replaced, look for a combination of letters and numbers on the back of the key at the bottom. If your key says "T1" or "T2," the key is affected and you should go to Google's recall management website. You'll need to sign in to your Google Account when you access the site to claim your replacement. (Google checks if a key is synced to your account.) If that's not possible, you can email Google directly at [email protected]. (To ensure a smooth process, I recommend having a serial number and a receipt handy.)
Until your replacement key arrives, Google recommends that all users avoid using the Titan in public places where someone is able to approach and/or see when you use your key. If you have not connected your Titan to your Google Account, Google recommends doing so. Immediately disconnect it from your device. Google has determined that the affected Titan keys no longer work when paired with Apple devices running iOS 12.3, and that Android devices automatically unpair affected keys when they receive the June security patch.