You may remember that I picked up a couple of different security keys last year and wrote about Firefox, Security Keys, U2F, and Google Advanced Protection. One of the keys that I got, the Feitian MultiPass FIDO Security Key, was recalled in over a security issue.
The product (shown above) was featured in a photo accompanying the article, but I didn’t recommend it. The Feitian MultiPass uses Bluetooth, and I’m not a fan of the Bluetooth user experience. The product is also sold by Google under the name Titan Security Key.
The security issue affects the non-plus variants of version 1, 2, and 3 of the Feitian MultiPass Security Key (as identified on the back of the device). The security issue is caused by an oversight in how the security key negotiated a secure connection to other devices over Bluetooth. If you’ve got one of these device, Feitian offers to replace it free of charge. The replacement process requires you to provide proof of purchase and about one month of patience.
This issue demonstrates the need to associate more than one security key as your second factor authentication token for your online accounts. Ideally, using different security key products from different vendors in case there’s an issue with one of them.
I’ve deliberately chosen not to use security keys with services that don’t allow me to register multiple keys. (I’ve even opted to use other services in place of services that have this limitation. ) I want to have at least two keys that can unlock my account in case I lose one key, or one is recalled or otherwise needs to be replaced. Services that don’t allow you to register at least two keys will need to have some other account recovery method available, in case you lose your one associated key, and this opens up your account to customer support phishing and social engineering, and other targeted attacks.
There are a number of online services that allow you to register only one security key. These services often don’t allow you to replace that one key with a new key either. You’ve committed to keeping it with you for life if you want to retain access to your account. You should always make yourself familiar with a particular online service provider’s security key implementation and limitations before you enable two-factor authentication with a security key (or any other second factor authentication method.)
If you’re looking to lock down your digital life with security keys, you can find some product recommendations in my original article.