The power of security keys: A hardware security key is the strongest form of two-factor authentication an online account can have: unlike other forms of two-factor authentication, a key cannot be imitated or captured by phishing.
Google takes on Yubico and builds its own hardware security keys
The best way to understand how powerful and important security keys are is to look at the numbers. Google, which sells its own hardware key, published research this year showing that security keys stopped 100% of account takeover attempts. In 2018, Google said that since employees began using security keys the company had not suffered a single account takeover.
So Patrick decided to take the next step and develop a fully realized set of security keys for the general marketplace. Known as the Solo, there are a couple of different versions of the key, but all of them use open source software and hardware designs. The line includes the Solo, which comes in both USB-A and USB-C versions, and the Solo Tap, an NFC-based key for use with mobile devices. Patrick and his collaborators set up a Kickstarter project for Solo, with the hope of raising $5,000 to fund the manufacturing process. They met their goal in 20 minutes and so far have raised more than $50,000.
A hardware security key is essentially a physical device (usually a USB stick) that contains cryptographic keys that allow you to log into your accounts by just plugging it into your computer or device. There are also NFC versions that work with smartphones.
It has been reported that with the compulsory introduction of hardware security keys at Google the number of employee accounts that were compromised was... wait for it... ZERO. Google has 85,000+ employees and NONE of their work accounts were maliciously taken over, or used by unauthorised persons, after the introduction of hardware security keys. For more details please refer to this article over at krebsonsecurity.com.
There is also a new protocol that has just been released called FIDO2. At the time of writing I don't know of any company or website that actually uses FIDO2 for logins, but it is just a matter of time. There are hardware security keys available that work with FIDO2 now, so you can be prepared (for example the Yubico Security Key 2 and the YubiKey 5 Series).
The absolute best solution is to have (at least) two hardware security keys. You can typically set up more than one hardware security key on the same account. This way you can carry one with you, and keep the other in a safe place for emergencies. This will allow you to get into your accounts should you lose the main hardware security key.
There are various hardware security keys available on places like Amazon (I can't vouch for their credibility), but the leader in the market is Yubico, which produces the YubiKey. The only other "big" player at the moment that I am aware of is Feitian if you really want an alternative.
Until now, however, I've held off recommending the general use of APP or even physical keys for 2FA on other sites. My reason: Apple's long-standing practice of tightly restricting access to the Lightning port, and until recently iPhone and iPad NFC, made using hardware-based keys on these devices prohibitively limited. It was hardly worth recommending an authentication method that was unpalatable or unsuitable to users of one of the world's most popular and influential platforms.
It was only with December's release of iOS and iPadOS 13.3 that Apple added native support for NFC and USB keys through an authentication standard known as FIDO2. These additions were a major improvement, but they came with their own limitations. Seven months later, only Safari and Brave for iOS and iPadOS can use authentication keys. A variety of sites that offer hardware-based 2FA don't work well or at all with Brave. While the browser works with Yubico keys, keys from Titan aren't supported at all.
While there is a variety of hardware security keys, our initial rollout is limited to a set of USB and NFC keys that are both certified by the FIDO alliance and have no known security issues according to the FIDO metadata service (MDS). Our demo only includes support for YubiKeys, which we had the chance to use and test; HyperFIDO keys; and Thetis FIDO U2F keys.
Thinking back to the Cryptographic Attestation of Personhood, you now know that your hardware key embeds a signing key. However, Cloudflare does not and cannot know the signing keys of all users of the Internet. To alleviate this problem, Cloudflare requests a different kind of proof. When asked if you are a human, we ask you to prove you are in control of a public key signed by a trusted manufacturer. When shipping devices with a secure module, manufacturers sign the associated attestation public key with a digital certificate.
While the Cryptographic Attestation of Personhood has a lot of upside in terms of privacy, it is not perfect. Cloudflare still needs to know your manufacturer to let you in. As WebAuthn works with any certificate, we need to make sure Cloudflare receives certificates from untampered hardware keys. We would prefer to not have that information, further preserving your privacy.
We also have to consider the possibility of facing automated button-pressing systems. A drinking bird able to press the capacitive touch sensor could pass the Cryptographic Attestation of Personhood. At best, the bird solving rate matches the time it takes for the hardware to generate an attestation. With our current set of trusted manufacturers, this would be slower than the solving rate of professional CAPTCHA-solving services, while allowing legitimate users to pass through with certainty. In addition, existing Cloudflare mitigations would remain in place, efficiently protecting Internet properties.
There are downsides to two-factor authentication though. If you lose your phone, or if it's breached by a hacker who's swapped your SIM or somehow gained access to your device, they'll obviously be able to retrieve your code and potentially use it to hack into your account (especially if they also know your login credentials). Luckily, that's where hardware keys come in handy.
Security keys connect to your device via USB-A, USB-C, Lightning, NFC, and Bluetooth, and they're portable enough to be carried on a keychain. Most of them use an open authentication standard, called FIDO U2F (or the improved FIDO2 standard), and some even feature hardware that's designed to resist physical attacks aimed at extracting firmware and material from the key itself.
All this sounds complicated. But it happens in the background without any input from you, other than inserting the hardware security key into your device. Hardware security keys also bind each credential to the origin (domain) of the site that registered it, which means they can't be tricked by phishing sites.
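To make the origin-binding point concrete, here is a simplified model of a WebAuthn assertion check, added as an example that is not part of the original article or of any vendor's code. It assumes a toy authenticator whose per-site key is derived from the RP ID the browser supplies, an HMAC standing in for the authenticator's real ECDSA signature (so the relying party stores the derived key where real WebAuthn would store a public key), and two constructed origins, `https://login.example` (the genuine site) and `https://login-example.test` (a look-alike). It shows why a relayed challenge from a look-alike domain fails: the browser, not the page, writes the origin into the signed client data, and the authenticator hashes the RP ID into the signed authenticator data.

```python
"""Simplified WebAuthn-style assertion check showing why a FIDO key is
origin-bound.  Constructed example: the HMAC "signature" stands in for
the authenticator's ECDSA signature, and the relying party keeps the
per-credential HMAC key where real WebAuthn would keep a public key."""
import hashlib
import hmac
import json
import os
import struct

FLAG_USER_PRESENT = 0x01  # bit 0 of the authenticatorData flags byte


class Authenticator:
    """Toy security key: every credential key is scoped to one RP ID."""

    def __init__(self):
        self.master = os.urandom(32)  # constructed device secret
        self.counter = 0

    def credential_key(self, rp_id):
        # The key only exists for the RP ID the browser hands over; an
        # unrelated RP ID (a look-alike domain) yields an unrelated key.
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()

    def make_credential(self, rp_id):
        return self.credential_key(rp_id)  # stand-in for the public key

    def get_assertion(self, rp_id, client_data_hash):
        self.counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + bytes([FLAG_USER_PRESENT])              # flags
                     + struct.pack(">I", self.counter))        # signCount
        sig = hmac.new(self.credential_key(rp_id),
                       auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_sign(authenticator, origin, challenge):
    """The browser, not the web page, fills in origin and derives rp_id."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    auth_data, sig = authenticator.get_assertion(
        rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(expected_origin, expected_rp_id, stored_key, challenge,
              client_data, auth_data, sig):
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != challenge.hex():
        return False  # replayed or stale challenge
    if cd.get("origin") != expected_origin:
        return False  # signed from a different origin
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False  # rpIdHash mismatch: key was scoped to another site
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False  # no user-presence touch
    expected = hmac.new(stored_key,
                        auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo():
    key = Authenticator()
    rp_origin, rp_id = "https://login.example", "login.example"  # constructed
    stored_key = key.make_credential(rp_id)
    challenge = os.urandom(32)

    # 1. Genuine login from the real origin.
    genuine = rp_verify(rp_origin, rp_id, stored_key, challenge,
                        *browser_sign(key, rp_origin, challenge))

    # 2. Look-alike site (constructed) relays the real challenge; the
    #    browser binds the assertion to the look-alike origin instead.
    cd, ad, sig = browser_sign(key, "https://login-example.test", challenge)
    relayed = rp_verify(rp_origin, rp_id, stored_key, challenge, cd, ad, sig)

    # 3. Client data rewritten to claim the real origin: rpIdHash and the
    #    signature no longer match, so it is rejected as well.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                         "origin": rp_origin}).encode()
    tampered = rp_verify(rp_origin, rp_id, stored_key, challenge, forged, ad, sig)
    return {"genuine": genuine, "relayed": relayed, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Only the first case passes; the relayed assertion fails on the origin check, and the rewritten one fails on the rpIdHash comparison before the signature is even examined. A real relying party additionally verifies the ECDSA signature with the stored public key and checks that the sign counter increased, neither of which changes the outcome here.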
Many online accounts, apps, services, and websites support hardware security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft account services, Nintendo, Okta, and Reddit. Most web browsers do too, like Google Chrome.
All hardware security keys tend to work the same, as we've detailed above, but setting them up varies by app and device. To give you an idea of how one works with an online account, we've detailed the exact steps for pairing a security key with Facebook and signing into your account.
You can now use FIDO2 hardware keys and developers can integrate the WebAuthn standard into their applications, features that have long been in preview. Apple also officially deprecated legacy extension support, which is the change people are gnashing their teeth over.
But what if you deal with data so sensitive that not even a piece of software goes far enough? What if the best solution for your organization is giving your employees hardware keys for access to certain sensitive data?
No matter the solution you prefer, hardware keys have evolved greatly over the past few years, thanks in no small part to an organization called the FIDO Alliance, which created standards for the technology and has helped to shepherd it to the point where hardware keys are a more realistic option than they might have been when I wrote about them five years ago.
You've probably seen standard software-based 2FA systems that send you text messages or emails to confirm your identity. While these are fine (and better than no 2FA system), physical hardware-based security keys, like the ones featured here, are much better.
SANTA CLARA, Calif. & STOCKHOLM--(BUSINESS WIRE)--In light of recent phishing-based cyberattacks and in recognition of Cybersecurity Awareness Month, Yubico, the leading provider of hardware authentication security keys, today shared the results of its inaugural State of Global Enterprise Authentication Survey 2022 at a security thought-leadership industry summit hosted by the company in its San Francisco office. The survey, conducted for Yubico by Censuswide, polled 16,000+ employees across a variety of enterprises in eight countries* and asked about their perceptions and perceived challenges of MFA, security tools and internal security practices at their organization, and their recent experiences with cyberattacks.
You will find a number of brands offering such keys on the market. They are made according to the Universal 2nd Factor (U2F) standard that marries public key cryptography with hardware-based authentication.