Concerns raised over Google Titan Security Key because it’s made in China
Questions are being raised about the security of Google LLC’s recently launched Titan Security Key because it’s manufactured in China.
The key, which offers phishing-resistant two-factor authentication for logging in to secure sites, went on sale Thursday. Unlike 2FA keys such as RSA Security LLC’s SecurID fobs, which generate a challenge number for a login, the Titan Security Key comes in two forms: a USB key that’s plugged into a computer to confirm a login, and one that uses Bluetooth and Near Field Communication for authorization on a mobile device.
The concerns arise because Google is not making the device itself but is using a third-party company called Feitian Technologies Co. Ltd., which has its own range of 2FA and security pass products. Feitian already sells its own products in the West, but like many technology manufacturers in 2018, it’s Chinese, and therein allegedly lies the problem.
China, in 2018, has become the favorite whipping boy of paranoid xenophobes, U.S. congressmen and some security researchers alike.
Despite absolutely no evidence so far, some critics have raised concerns about the security of the Google device. Motherboard reported that several senior security experts, including Alex Stamos, the former chief information security officer of Facebook Inc., are expressing concerns about the devices.
“The supply chain in China often is dictated by government policy,” a source described as the head of a security team based in a global, multibillion-dollar company told the publication. “One concern is that the Chinese government could potentially force Feitian to introduce some form of backdoor into the devices, or intercept the keys themselves and tamper with them, allowing the government to then access accounts of targets, for instance,” the unnamed person added.
Google responded to the report, noting that it adds the firmware for the device in a “trusted environment” and then ships that to the producer, meaning that Google itself controls the device’s functions.
“The secure element hardware chip that we use is designed to resist physical attacks aimed at extracting firmware and secret key material,” product manager for Google Cloud Christiaan Brand said in a blog post Thursday announcing the keys’ debut in the Google Play store. “These permanently-sealed secure element hardware chips are then delivered to the manufacturing line which makes the physical security key device. Thus, the trust in Titan Security Key is anchored in the sealed chip as opposed to any other later step which takes place during device manufacturing.”