Go to the replacement page: https://myaccount.google.com/replacemykey
If you qualify for the return, there will be a box displaying the key you purchased (in my case it says "Titan Security Key Bundle"). If you do not see this box and you have multiple Google accounts, make sure you've selected the one in which you placed the order (and is paired to your account—thanks programd) by clicking on your avatar in the top right. If you're not simply in the wrong account, Google doesn't think you qualify.
At that point, you'll end up on the shopping page. Add the replacement key (it will tell you the full price of the item but don't worry). Proceed to checkout. On the final checkout screen, you should find a promo applied which brings your total down to $0. If you don't, you're probably buying another one so don't confirm.
I emailed them at the contact address on that web page, but no reply just yet.
I hope they have a return/replace workflow for unused keys because obviously, why would you want to use one before you get it replaced? Obviously.
And yes, I'm using the current Chrome and script/ad-blockers are disabled.
First I had to chat with a representative, which wasn't terrible but still took time.
Now I need to place a "replacement order" for a new set of keys. And it's charging me $1.00 for the replacement key plus $0.07 tax.
And on top of all that I need to print labels for FedEx, box up the old keys, and drive the e-waste box to a FedEx/Kinko's/whatever.
Maybe Yubikey wasn't so terrible after all...
Why is a Bluetooth device allowed to spontaneously change its type and suddenly become an authenticated keyboard and/or mouse? Could this be done to insecure BT headphones or is it something specific to a security key? Is the security key actually a keyboard?
The fact that paired devices are able to arbitrarily change their profile long after pairing seems to be the real issue here, and probably what was patched in yesterday's iOS/macOS releases.
There is nothing on this in the security notes to these updates, but my guess is that the CVEs will be disclosed in a bit.
This morning I received the "Update on your Titan Security Key" email from Google. I was able to submit the $0 order for replacement using the Google replacement link.
So it seems like Google can't tell the difference between the Feitian Multipass and their version.