Google has discovered a serious flaw in a Chromebook security feature that lets owners press their device’s power button to initiate U2F two-factor authentication (2FA).

Known as the ‘built-in security key’, the experimental feature was first enabled for Google PixelBooks last summer. Since then, it has quietly been embedded on numerous Chromebooks that have the necessary H1 CR50 chip inside them, including many made by Dell, HP, Acer, Samsung, Asus and Lenovo. A full list of affected devices is available on Google’s website.

We say ‘quietly’ because it’s unlikely many owners beyond developers have even heard of the feature, let alone used it to authenticate themselves when logging into a website.

For those who have, the feature is appealing – instead of waiting for an SMS one-time 2FA code, or generating one using an app, or even plugging in a hardware security key such as Google’s own Titan, Chromebook users can achieve the same with a short press of the power button.

Unfortunately, a vulnerability has been discovered in the system that makes this work, specifically the generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) signature by H1 chips running v0.3.14 firmware and earlier. Google said:

We confirmed that the incorrect generation of the secret value allows it to be recovered, which in turn allows the underlying ECC private key to be obtained.

That means an attacker could work out the private key, completely undermining what is supposed to be a fundamental security feature.

Google believes the chances of this happening when users have logged into real websites is small given that communication with the website should have happened over HTTPS. However, that doesn’t rule out that weakly generated signatures might have been stored in a vulnerable state on Chromebooks themselves.

Ironically, Google thinks that the one thing that stands in the way of such a second-factor compromise is the security of the first factor, namely the password and username.

While true, it’s hardly a ringing endorsement of Google’s technology that it can be rescued by passwords.