Two-factor authentication, or 2FA, is a method that makes account takeovers much harder to pull off. Instead of using only a password to prove someone is authorized to access an account, 2FA requires a second factor, such as a one-time password, possession of a physical object, or a fingerprint or other biometric.
Physical keys are among the - if not the - most secure forms of 2FA because they store the long-term secret that makes them work internally, and only output non-reusable values. The secret is also impossible to phish. Physical keys are also more convenient, since they work on all major operating systems and hardware.
The Titan vulnerability
is one of the only weaknesses ever to be found in a mainstream 2FA key. However improbable, a successful real-world exploit would completely undermine the security assurances the thumb-size devices provide. The NinjaLab researchers are quick to point out that despite the weakness, it's still safer to use a Titan Security Key or another affected authentication device to sign in to accounts than not to.
The cloning works by using a hot air gun and a scalpel to remove the plastic key casing and expose the NXP A700X chip
, which acts as a secure element that stores the cryptographic secrets. Next, an attacker connects the chip to hardware and software that take measurements as the key is being used to authenticate on an existing account. Once the measurement-taking is finished, the attacker seals the chip in a new casing and returns it to the victim. Extracting and later resealing the chip takes about four hours. It takes another six hours to take measurements for each account the attacker wants to hack. In other words, the process would take 10 hours to clone the key for a single account, 16 hours to clone a key for two accounts, and 22 hours for three accounts.