Google had egg on its face this week after it had to recall some of its Titan hardware security keys for being insecure.

Titan is Google’s name for its family of hardware security keys that provide two-factor authentication (2FA) for web users.

Launched in July 2018, they offer a level of physical authentication to complement website passwords. Google provides the Titan key for accessing your Google accounts, but you can also use it with other accounts that support the FIDO U2F standard for hardware keys.

When you switch on hardware key support in a website, it asks you to present your Titan key along with your password before it will let you in. This stops thieves who steal your password from accessing your web account.

How do you present your Titan key? It comes in two flavours: a USB key that you plug into your computer, and a Bluetooth-based key that connects wirelessly to your device. This works with computers and with your smartphone, giving mobile users extra protection for their web accounts.

The problem lies with the Bluetooth key, and in particular with its implementation of Bluetooth Low Energy (BLE). This is the protocol it uses to communicate wirelessly with the device it’s authenticating to.

In normal operation, you’d first register your BLE-enabled Titan key with the web service you’re using, generating a secret that is stored on the key.

Whenever you want to access the web-based service, you enter your username and password as you would normally, but the site also asks you to use your hardware key. You press a button on your Titan key. The key uses BLE to connect with your computer or mobile device and send it the secret. The browser on your device then sends the secret on to the web service, which verifies that you’re legit.
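The register-then-authenticate flow above is the FIDO U2F pattern, with one precision worth having: the key never transmits its registered secret. It keeps a private key per site and proves possession by signing a fresh challenge from the service, bound to the site's identity (the app ID) and to a counter that only ever increases, so a phishing look-alike cannot reuse the key and a cloned key shows up when its counter lags. The Go program below is an added example written for this article, not Google's or the Titan firmware's code. It models a simulated key (`SecurityKey`) and a web service (`RelyingParty`) with P-256 ECDSA and a constructed app ID; it deliberately leaves out the BLE transport, which is where the recalled keys' flaw lives, and the type and function names are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// credential is one registration on the token: a private key plus the app ID it was made for.
type credential struct {
	appID string
	priv  *ecdsa.PrivateKey
}

// SecurityKey stands in for the hardware key (name chosen for this example); counter is its signature counter.
type SecurityKey struct {
	creds   map[string]*credential // key handle -> credential; never leaves the token
	counter uint32
}

func NewSecurityKey() *SecurityKey { return &SecurityKey{creds: map[string]*credential{}} }

// Register mints a P-256 key pair for appID and returns an opaque key handle
// (a real key wraps it cryptographically) plus the public key for the site to store.
func (k *SecurityKey) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("cred-%d", len(k.creds)+1)
	k.creds[handle] = &credential{appID: appID, priv: priv}
	return handle, &priv.PublicKey, nil
}

// Authenticate is the "press the button" step: sign SHA-256(appID||counter||challenge).
// A handle registered under another app ID is refused, so a look-alike site cannot borrow the key.
func (k *SecurityKey) Authenticate(appID, handle string, challenge []byte) (uint32, []byte, error) {
	c, ok := k.creds[handle]
	if !ok || c.appID != appID {
		return 0, nil, errors.New("key handle not registered for this app ID")
	}
	k.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, signedData(appID, k.counter, challenge))
	return k.counter, sig, err
}

func signedData(appID string, counter uint32, challenge []byte) []byte {
	var cb [4]byte
	binary.BigEndian.PutUint32(cb[:], counter)
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(cb[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty stands in for the web service: it stores no secret, only the handle, public key and last counter.
type RelyingParty struct {
	appID       string
	handle      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Enroll is the one-time registration step described in the article.
func (rp *RelyingParty) Enroll(key *SecurityKey) (err error) {
	rp.handle, rp.pub, err = key.Register(rp.appID)
	return err
}

// Verify checks the signature over the challenge this site issued and rejects a counter that
// did not advance: a replayed response or a cloned key shows up here.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) error {
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not advance")
	}
	if rp.pub == nil || !ecdsa.VerifyASN1(rp.pub, signedData(rp.appID, counter, challenge), sig) {
		return errors.New("bad signature")
	}
	rp.lastCounter = counter
	return nil
}

// Login runs one full second-factor round: fresh challenge, signature from the key, verify.
func (rp *RelyingParty) Login(key *SecurityKey) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	counter, sig, err := key.Authenticate(rp.appID, rp.handle, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, counter, sig)
}
```

To use it, create a `SecurityKey`, a `RelyingParty` with the site's app ID, call `Enroll` once and `Login` on each visit. Two checks carry the defensive value: `Verify` refuses any response whose counter has not moved past the last one it saw, which is how a replayed message or a cloned token is caught, and `Authenticate` refuses to sign for an app ID other than the one the handle was registered under, which is what makes hardware keys resistant to credential-phishing sites.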