Hardware security keys are about to become the next big thing in online personal security. They provide a simpler, and more secure, way to protect your important online accounts. . .and no more passwords (at least eventually)!
As with all things new it is a bit mysterious and scary sounding to begin with, but for the majority of people it really is very simple and easy to implement. Let's get started. . .
What is a Security Key? #
A hardware security key is essentially a physical device (usually a usb stick) that contains cryptographic keys that allow you to log into your accounts by just plugging it into your computer or device. There are also NFC versions that work with smartphones.
Sounds simple, but this method is a LOT more secure than password based access to your accounts.
Do I need a hardware security key? #
Of course not, but you really, really should consider getting one. It will give you peace of mind that your accounts and data are REALLY secure.
Google has 85,000+ employees and NONE of their work accounts were maliciously taken over, or used by unauthorised persons, after the introduction of hardware security keys.
Just to give you a solid example of how effective this technology is at combating account hacks and stolen data, consider this:
It has been reported that with the compulsory introduction of hardware security keys at Google the number of employee accounts that were compromised was. . .wait for it. . .ZERO. Google has 85,000+ employees and NONE of their work accounts were maliciously taken over, or used by unauthorised persons, after the introduction of hardware security keys. For more details please refer to this article over at krebsonsecurity.com.
Consider also that these companies all use hardware security keys currently to secure their work systems:
How do I use it? #
Simple application #
You can actually use hardware security keys for many applications, but the one most people will want is to log into an account. For example your gmail account or Facebook account.
FIDO U2F #
At the moment the protocol used is called FIDO U2F, which is also referred to as second factor authentication.
Let's say you have a gmail account that you currently log into with a password. That will not change, you will still use your password as normal, but after you enter your password you will also be requested to plug in your hardware security key. Once that is done you will be logged in. Simple!
The setup process is very straight forward. You log into your account and go to the privacy and security section of your account in settings. Go to the section that is called Second Factor Authentication, and you will be guided through adding your key. It will literally ask you to plug it in at the appropriate moment. Very simple. This video shows how simple the process is:
FIDO2 #
There is also a new protocol that has just been released called FIDO2. At the time of writing I don't know of any company or website that actually uses FIDO2 for logins, but it is just a matter of time. There are hardware security keys available that work with FIDO2 now, so you can be prepared (for example the Yubico Secrity Key 2 and the Yubico 5 Series).
The main difference between FIDO U2F and FIDO2 is that FIDO2 does not need a password at all, just the key!
Not only will you not have to remember passwords anymore, but it will be more secure and faster as well. You really can't lose. . .but you will have to wait a little until it becomes mainstream.
More complicated applications #
If you are very tech savvy and have requirements beyond FIDO U2F and FIDO2, then some hardware security key devices also have the ability to use the following protocols:
- OpenPGP
- OATH-TOTP
- OATH-HOTP
- Challenge-Response
- Storage of long password strings
This can allow you to achieve many things such as sending files and emails more securely, log into remote servers, log into windows, the list goes on...
Can I use it on all my devices? #
Yes you can, but this depends on how you connect the key to your device.
Most keys use a standard USB Type A interface like this:
Therefore you wouldn't be able to use it with a smartphone, or a device that only has a USB Type C port. Although there are a range of different devices available to cover those needs as well, including a NFC interface and USB Type C.
If you want an in depth view of the different types of hardware security key devices available check out my related article here.
What makes it so secure? #
The process it uses to confirm the key is yours, and only yours, is what makes it so secure.
In basic terms, it uses something called private-public key cryptography using the method of challenge-response.
What you effectively have is a private key (which is a long string of random letters and numbers) on the hardware security key, and a public key (a different long string of random numbers and letters) on the hardware security key. You "send" the public key to the service (e.g. gmail) when you register the hardware security key.
When you try to log into your account using the hardware security key, the website recognises which device it is (based on the public key, which is unique to your hardware security key) and sends a "challenge" to the device, which is created from a calculation made with your public key. The hardware security key then "solves" the challenge internally and returns the result, which the website checks against the public key. If the public key says the response is correct then you pass, otherwise you fail.
There are a couple of items to note during this process which make it secure:
- Your private key is on your hardware security key and NEVER leaves the hardware security key. Your hardware security key only sends a "response" back with the solution to the challenge, never the private key. That means there is (practically) no way for someone to know what your private key actually is. Not even you will know! That means it can't be compromised, ever.
- The correct response to the challenge can only be generated by your private key, nothing else.
- The challenge is different every time, so even if someone intercepts the response, they can't use it later to get into your account.
Are there any downsides? #
There are a few things to consider.
Where you can use it #
At the moment you cannot use FIDO U2F everywhere, for all your accounts. It is widely used by a lot of major websites and companies, but not universally. This means you won't be able to make everything very secure just yet. Some of the places I use it at the moment (there are more than this available):
- Dropbox
- all google accounts
- personal email accounts
- github
Browser Support #
U2F is only supported by certain browsers at the moment, which limits its use if you don't want to use one of these:
- Chrome
- Firefox
- Opera
Although others are likely in the pipeline.
What if I lose it? #
Ah yes! this is a good point. If you setup a hardware security key on an account, then lose it, you will be in a bit of a pickle. However, it is common practise (i.e. it is forced on you by the website you are trying to activate the hardware security key with) to insist on having a backup second factor authentication method setup.
I recommend one of the following:
Setup two hardware security keys #
The absolute best solution is to have (at least) two hardware security keys. You can typically setup more than one hardware security key on the same account. This way you can carry one with you, and keep the other in a safe place for emergencies. This will allow you to get into your accounts should you lose the main hardware security key.
Alternative two factor authentication method #
If you don't have this option, you should setup a different two factor authentication method which uses a TOTP (time based one time password). This is typically available as an option of two factor authentication wherever a hardware security key is accepted. If you decide to go down this route you will need an app or program that generates the passwords, which are typically 6 digit numbers, and change every 20 seconds or so.
I recommend Authy as it is available on android, ios and desktop. It will also keep things backed-up should you lose your phone / laptop which the app is installed on.
Which hardware security key should I buy? #
Brands #
There are various hardware security keys available on places like amazon (I can't vouch for their credability), but the leader in the market is Yubico, which produces the Yubikey. The only other "big" player at the moment that I am aware of is Feitian if you really want an alternative.
However, being one of the initial members of the FIDO Alliance, who set the standards for U2F, I would say Yubico are a solid bet when it comes to hardware security keys.
Their main products are also high quality in terms of build, with the standard hardware keys featuring waterproof and crush-proof designs.
If you want a more in depth look at the Yubico hardware security keys, and also recommendations on which one you should buy to suit your needs, then check out our Yubikey article.
Conclusion #
Hardware security keys for securing your accounts are the future. They effectively eliminate account takeovers, and will eventually make keeping track of your numerous online accounts manageable, without the hassle of remembering passwords.
I think FIDO U2F and FIDO2 protocols have achieved what a lot of previous attempts have failed to, and that is to make the system simple for the average user.
Currently FIDO U2F requires a password AND the physical key, and I expect that is just too much hassle for the masses, but FIDO2 represents a noticeable (and welcome) change to the process by eliminating passwords completely. I think it is the removal of passwords that will eventually see this technology accepted by everyone.
Bring on FIDO2!
🙏🙏🙏
Since you've made it this far, sharing this article on your favorite social media network would be highly appreciated. For feedback, please ping me on Twitter.
...or if you want fuel my next article, you could always:
Published