At least this solves the mystery of why Google's Titan security-key bundle was missing from the Google Play store for several months.
"This security issue does not affect the primary goal of security keys, which is to protect you against phishing by a remote attacker", said Google Cloud product manager Christiaan Brand in a blog post, noting that even flawed security keys are better than giving up on two-step authentication.
The security flaw affects the Bluetooth Low Energy (BLE) versions of the security key, hardware you must touch in order to log into supporting applications.
This flaw can be exploited by an attacker who is physically close to a Titan user (within approximately 30 feet), either while the key is being used normally or while it is first being paired to the user's computer. When the security key is used to log into an account, an attacker could use their own device to connect to the user's computer and log into the account. "An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects", Brand explained.
This vulnerability is hard to exploit, the company said, and would require an outsider to already have obtained a victim's username and password to access their account. Though Google recommends that you continue using your keys while you wait for a replacement, it has outlined some steps you can take to better protect yourself in the meantime, which can be viewed in the security blog post linked above.
Once connected, an attacker could also make their own device appear to your computer as a Bluetooth keyboard or mouse and use it to control your machine.
To see if you qualify for a replacement Titan wireless key, go to https://myaccount.google.com/replacemykey on a browser on which you're signed into your Google account.
This flaw vindicates the somewhat controversial decision a year ago by rival security-key maker Yubico not to manufacture Bluetooth-enabled security keys.
After a pompous launch last July, Google announced today that it will replace Titan security keys due to a vulnerability the company discovered in the keys' Bluetooth pairing process. Google is offering replacement key fobs for free. You will need to sign into your Google account when you access the site to claim your replacement.
In normal operation, you'd first register your BLE-enabled Titan key with the web service you're using, generating a secret that is stored on the key. Even more risky than device manipulation is the vulnerability to accounts: the attacker could communicate with the key or with the device paired with the key. That person could then intercept communications from the key and use them to sign in as you.
Android devices updated with the upcoming June 2019 Security Patch Level (SPL) and beyond will automatically unpair affected Bluetooth devices, so you won't need to unpair manually. On iOS, you can keep using your key in this manner while waiting for your replacement, until you update to iOS 12.3. This has the unfortunate result of locking people out of their Google accounts if they sign out. Those already logged out have to follow account recovery instructions or use a non-iOS device to log in again.
Rival vendor Yubico has refrained from offering a Bluetooth security key, claiming the technology "does not meet our standards for security, usability, and durability".
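The registration and sign-in flow the article sketches (a per-site secret minted at registration, a challenge signed by the key at login, and a service that only ever sees the public half) is what makes a security key phishing-resistant even when its Bluetooth transport is flawed: the key refuses to answer for an origin it was not registered with, and the service rejects replayed assertions. The toy model below is an added illustration, not Google's or the FIDO project's code. It assumes a Schnorr-style signature over Z_p* with deliberately small parameters (p = 2**255 - 19, g = 2, exponents reduced mod p - 1) standing in for the ECDSA P-256 a real key uses, and the origins `https://accounts.example.test` and `https://accounts-example.test` are constructed for the demo.

```python
"""Toy U2F-style key: master secret stays on the key, service keeps only public data."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Toy group parameters (NOT secure): a prime modulus, base 2, exponents mod p-1.
P = 2**255 - 19
G = 2
ORDER = P - 1


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def sign(x: int, msg: bytes) -> tuple[int, int]:
    """Schnorr-style signature (e, s) over msg with private exponent x."""
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    e = _h(r.to_bytes(32, "big"), msg) % ORDER
    return e, (k - x * e) % ORDER


def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P  # equals g^k when the signature is genuine
    return _h(r.to_bytes(32, "big"), msg) % ORDER == e


def _assertion_msg(app_id: str, counter: int, challenge: bytes) -> bytes:
    return hashlib.sha256(app_id.encode()).digest() + counter.to_bytes(4, "big") + challenge


class SecurityKey:
    """The hardware token. The master secret never leaves this object."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)
        self.counter = 0

    def _derive(self, app_id: str, nonce: bytes) -> int:
        # Per-site private key derived from the master secret; nothing per site is stored.
        raw = hmac.new(self._master, b"priv" + nonce + app_id.encode(), "sha256").digest()
        return int.from_bytes(raw, "big") % (ORDER - 1) + 1

    def _tag(self, app_id: str, nonce: bytes) -> bytes:
        return hmac.new(self._master, b"tag" + nonce + app_id.encode(), "sha256").digest()[:16]

    def register(self, app_id: str) -> tuple[bytes, int]:
        nonce = secrets.token_bytes(16)
        key_handle = nonce + self._tag(app_id, nonce)   # handle is bound to this origin
        return key_handle, pow(G, self._derive(app_id, nonce), P)

    def authenticate(self, app_id: str, key_handle: bytes, challenge: bytes):
        nonce, tag = key_handle[:16], key_handle[16:]
        # Origin binding: a handle minted for another app_id carries the wrong tag.
        if not hmac.compare_digest(tag, self._tag(app_id, nonce)):
            raise ValueError("key handle was not registered for this origin")
        self.counter += 1
        msg = _assertion_msg(app_id, self.counter, challenge)
        return self.counter, sign(self._derive(app_id, nonce), msg)


class RelyingParty:
    """The web service: stores only key handle, public key and last seen counter."""

    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self._users: dict[str, list] = {}

    def enroll(self, username: str, key: SecurityKey) -> None:
        key_handle, pubkey = key.register(self.app_id)
        self._users[username] = [key_handle, pubkey, 0]

    def key_handle_for(self, username: str) -> bytes:
        return self._users[username][0]

    def login(self, username: str, challenge: bytes, counter: int, sig) -> bool:
        key_handle, pubkey, last = self._users[username]
        if counter <= last:          # replayed or cloned-key assertion
            return False
        if not verify(pubkey, _assertion_msg(self.app_id, counter, challenge), sig):
            return False
        self._users[username][2] = counter
        return True


def demo() -> dict:
    key = SecurityKey()
    rp = RelyingParty("https://accounts.example.test")      # constructed origin
    rp.enroll("alice", key)
    chal = secrets.token_bytes(32)
    ctr, sig = key.authenticate(rp.app_id, rp.key_handle_for("alice"), chal)
    login_ok = rp.login("alice", chal, ctr, sig)             # honest sign-in
    replay_ok = rp.login("alice", chal, ctr, sig)            # same assertion again
    try:                                                     # look-alike phishing origin
        key.authenticate("https://accounts-example.test", rp.key_handle_for("alice"), chal)
        phish_ok = True
    except ValueError:
        phish_ok = False
    return {"login": login_ok, "replay": replay_ok, "phish": phish_ok}


if __name__ == "__main__":
    print(demo())
```

The model shows the boundary the article's quote draws: the key answers only a challenge for the origin it was registered with, so a remote phishing page gets nothing. What the protocol cannot tell apart is which device is relaying the challenge to the key at the moment of login, which is exactly the role the BLE flaw lets a nearby device play once the attacker already holds the password.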
Article updated with Google comment regarding Feitian-branded keys.