Ambient backscatter communication (AmBC) enables ultra-low-power communications by backscattering ambient radio frequency (RF) signals and harvesting energy simultaneously. It has emerged as a cutting-edge technology for supporting a variety of Internet of Things (IoT) applications. However, existing research lacks effective secret key sharing schemes for safeguarding communications between resource-constrained backscatter devices (BDs) in AmBC systems. In this paper, we present, Tri-Channel, a novel physical layer key generation scheme between two BDs by multiplying downlink signals and backscatter signals to obtain the information of a triangle channel as a shared random secret source for key generation. In particular, we analyze the security of our scheme under both passive and active attacks, concretely Eavesdropping Attack (EA), Control Channel Attack (CCA), Signal Manipulative Attack (SMA), and Untrusted RF-Source Attack (URSA). Through theoretical analysis and simulations by comparing with a traditional scheme (named Tradi-Channel), we found that our scheme consistently outperforms the Tradi-Channel under the EA and two active attacks (CCA and SMA). In addition, it shows better security performance under URSA, which is proposed based on the unauthenticated characteristic of BDs in Tri-Channel, even though URSA is more vital than SMA. Concretely, Tri-Channel’s secret key rate (SKR) outperforms Tradi-Channel’s under the above four passive and active attacks. This implies that our scheme is advanced in terms of both security and efficiency of key generation. Numerous extensive simulations further prove our theoretical analysis results.