In August, the Internet infrastructure company Cloudflare was one of hundreds of targets in a massive wave of criminal phishing that successfully penetrated many tech companies. While some Cloudflare employees were tricked by phishing messages, attackers couldn’t dig deeper in business systems. Indeed, as part of Cloudflare’s security controls, each employee must use a physical security key to prove their identity when logging into all applications. A few weeks later, the company announcement a collaboration with hardware authentication token manufacturer Yubikey to offer discounted keys to Cloudflare customers.
However, Cloudflare was not the only company to live up to the security protection of hardware tokens. Earlier this month, Apple announced support for hardware keys for Apple IDs, seven years after first rolling out two-factor authentication to user accounts. And two weeks ago, the Vivaldi browser announcement hardware key support for Android.
Protection isn’t new, and many large platforms and companies have been supporting the adoption of hardware keys for years and requiring employees to use them like Cloudflare did. But this latest surge in interest and implementation comes in response to an array of growing digital threats.
“Physical authentication keys are among the most effective methods of protecting against account takeovers and phishing today,” says Crane Hassold, director of threat intelligence at Abnormal Security and former behavior analyst digital for the FBI. “If you think about it as a hierarchy, physical tokens are more efficient than authenticator apps, which are better than SMS verification, which is more efficient than email verification.”
Hardware authentication is very secure because you must physically own the key and produce it. This means that an online phisher cannot simply trick someone into giving their password, or even a password plus a second factor code, to break into a digital account. You already know this intuitively, because that’s the whole principle of door keys. Someone would need your key to unlock your front door – and if you lose your key, it’s usually not the end of the world, because someone who finds it won’t know which door it unlocks. For digital accounts, there are different types of hardware keys based on the standards of a technology industry association known as the FIDO Alliance, including smart cards with a small circuit chip, touchscreens or keyfobs that use near-field communication, or things like Yubikeys that plug into a port on your device.
You probably have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens, it would be difficult to manage physical keys for each one. But for your most valuable accounts and those that are a fallback for other logins, namely your email, the security and phishing resistance of hardware keys can mean great peace of mind.
Meanwhile, after years of hard work, the tech industry has finally reached important milestones in 2022 towards a long-promised password-free future. This decision is based on a technology called “passkeys” which is also based on FIDO standards. Operating systems from Apple, Google and Microsoft now support the technology, and many other platforms, browsers and services have adopted it or are in the process of doing so. The goal is to make it easier for users to manage their digital account authentication so they don’t use insecure workarounds like weak passwords. Even if you want them to be, passwords aren’t going away anytime soon, thanks to their ubiquity. And amid all the buzz around security keys, hardware tokens are still an important protection option.
“FIDO has positioned passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair characterization,” says Jim Fenton, independent identity privacy and security consultant. “While security keys will likely be the right answer for many consumer applications, I believe that hardware authenticators will continue to play a role for higher security applications, such as financial institution personnel. And consumers more Security conscious should also have the option of using hardware authenticators, especially if their data has been hacked before, if they have a high net worth, or if they are simply concerned about security.
While it might seem daunting at first to add another best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you’ll get a lot of mileage just by using them on a few, ahem, key accounts.
0 Comments