Posted July 31, 2020
Two-factor authentication (2FA) is an excellent way to improve your digital security and privacy. However, standard 2FA has some important limitations, which is why many security experts believe that key-based 2FA is the wave of the future.
Why use 2FA?
Two-factor authentication helps prevent account takeovers. When 2FA is enabled and you log in to a website or service, you must provide a second authentication factor in addition to your usual username and password before you are given access to your account.
This is more secure than a password alone, because attackers get hold of login credentials all the time, through data breaches or phishing. With 2FA enabled, stolen credentials on their own are not enough to log in to your account, because the attacker does not have the second factor.
Limitations on 2FA
Two-factor authentication is a basic best practice for personal cyber security. But it’s not perfect.
Many implementations of 2FA send a one-time code to the user's mobile phone by text message. However, SMS was never designed to be secure, and a SIM swap lets a criminal take over your phone number and receive your text messages. App-based 2FA such as Google Authenticator or Authy is better, but still not phishing-proof: the six-digit code is typed into a web page by the user, so a fake login page that looks like the real one can collect the password and the code and relay both to the genuine site before the code expires.
What is key-based 2FA?
Key-based 2FA uses a physical hardware key as the second authentication factor. It is a small device, usually plugged in over USB (about the size of a thumb drive), that the user carries with them and touches to log in to their accounts.
The most popular options include the YubiKey line of hardware keys made by Yubico and the Titan keys made by Google. For Apple users, Yubico now offers a YubiKey model with both USB-C and Lightning connectors. Support for key-based 2FA is far from universal, but an increasing number of websites and services offer it.
How does key-based 2FA work?
Hardware keys use public-key cryptography rather than shared codes. When you register the key with a site, it generates a key pair just for that site and hands over only the public key; the private key never leaves the device. At each login the site sends a fresh random challenge, and the key signs that challenge together with the site's identity (its domain) and a use counter. The site checks the signature with the stored public key. Because the signature is bound to the domain, a look-alike phishing site ends up with a signature the real site will not accept, and because the challenge is random each time, a captured signature cannot be replayed.
Once key-based 2FA is set up, you enter your username and password as usual. You are then prompted to use the hardware key as the second factor: plug the key into the device's USB port and touch the sensor on the key. The touch proves that a human is physically present, so malware on the computer cannot silently trigger the key in the background; after that, you're in. On a mobile device, some hardware keys support NFC, so you can do the same by simply tapping the key against the phone.
To configure it, you must first enable key-based 2FA on the account you want to protect, and then register the specific hardware key with it. The options are usually located in the same account settings area where you manage other forms of multifactor authentication. The exact steps vary from service to service, but key vendors such as Yubico publish walkthrough guides for the major services. If you have never used any two-factor authentication on the account, you will probably be prompted to turn on standard 2FA before you can enable key-based 2FA.
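To make the challenge-response flow described above concrete, here is a small Go model of the three steps (registering the key with a site, the touch-to-sign step at login, and the site's checks). It is an added example written for this article, not code from Yubico, Google or any FIDO library: it mimics the shape of FIDO U2F/WebAuthn assertions (a per-site key pair, a signature over the site identifier, the challenge and a counter) but simplifies the real wire format, and the domains example.com and examp1e.com, the user and all function names are made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator models the hardware key: one key pair per site (rpID), private keys that
// never leave the device, and a counter that increments on every signature.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // rpID (site domain) -> private key
	counter uint32
}

// Register is the "register your key" step: a fresh P-256 key pair is created for this
// site and only the public key leaves the device.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Assertion is what the key hands back when you touch it at login.
type Assertion struct {
	RPIDHash  [32]byte
	Counter   uint32
	Signature []byte
}

// signedData builds the signed message: SHA-256(rpIDHash || counter || SHA-256(challenge)).
// Binding the site's identity into the signature is what defeats phishing domains.
func signedData(rpIDHash [32]byte, counter uint32, challenge []byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	ch := sha256.Sum256(challenge)
	digest := sha256.Sum256(append(append(rpIDHash[:], ctr[:]...), ch[:]...))
	return digest[:]
}

// Authenticate is the "touch the key" step. The browser, not the web page, tells the key
// which origin it is talking to, so the key signs for the domain that was actually loaded.
func (a *Authenticator) Authenticate(rpID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpHash, a.counter, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpHash, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty models the website (one user, for brevity): it stores the public key and
// the last counter it saw, nothing secret.
type RelyingParty struct {
	ID          string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify checks: right site, counter moved forward, valid signature over our challenge.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("assertion was produced for a different site")
	}
	if as.Counter <= rp.lastCounter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedData(as.RPIDHash, as.Counter, challenge), as.Signature) {
		return errors.New("bad signature: wrong key or stale challenge")
	}
	rp.lastCounter = as.Counter
	return nil
}

// Demo runs registration, a genuine login, a replay of the captured assertion and a relay
// from a look-alike phishing domain. Only the genuine login succeeds (nil error).
func Demo() (legit, replay, phish error) {
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	site := &RelyingParty{ID: "example.com"}
	site.pub = key.Register(site.ID) // registration: the site stores only the public key
	challenge := make([]byte, 32)    // fresh random challenge for this login attempt
	rand.Read(challenge)
	as, _ := key.Authenticate(site.ID, challenge) // genuine login: the user touches the key
	legit = site.Verify(challenge, as)
	// An attacker who captured `as` on the wire resubmits it: the counter gives it away.
	replay = site.Verify(challenge, as)
	// Worst case for phishing: the user was lured into registering the same key at examp1e.com
	// and that page relays example.com's real challenge. The browser still hands the key the
	// domain it actually loaded, so the resulting assertion is bound to examp1e.com.
	key.Register("examp1e.com")
	stolen, _ := key.Authenticate("examp1e.com", challenge)
	phish = site.Verify(challenge, stolen)
	return legit, replay, phish
}
```

Run `Demo()` and only the first error is nil. The two rejections show the two properties that SMS and app codes lack: the signature is tied to the domain the browser really loaded, and it is tied to a one-time challenge and counter, so neither a relayed nor a captured response is any use to the attacker.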
What if I lose the key?
The biggest disadvantage of key-based two-factor authentication is that you have to have the key with you, and you have to be careful not to lose it. For most people this is not a big problem: they just put the hardware key on the key ring with their car and house keys.
Enabling key-based 2FA on an account usually leaves other backup methods, such as SMS codes, an authenticator app or printed recovery codes, enabled as well. That way, if you forget or misplace your hardware key, you can still get into your account. Note, however, that if you leave these less secure methods in place instead of disabling them when you configure your hardware key, they remain attack vectors: an attacker who cannot beat the hardware key can simply fall back to phishing the weaker method, so the account is only as strong as its weakest enabled factor.
People who want the full security benefit of key-based 2FA will often make it their only second factor. The problem with disabling every other form of 2FA is that you can lock yourself out of your accounts if you lose the physical key. You can usually regain access through the service's account recovery process, but it is neither quick nor easy. The good news is that you can register multiple hardware keys with your accounts, which lets you create a physical backup key to store in a safe or a safe-deposit box: a digital equivalent of the spare house key!
Is this for everyone?
Before you decide to embrace the "next big thing" in cybersecurity, it's always good to do a reality check and ask whether you really need it. This starts with accepting that it is impossible to eliminate all cybersecurity risk: the best we can do is mitigate risk and decide how much of it we are willing to accept in our digital lives. It is also important to remember that a solution that works well for one user (or organization) may not suit another. Risk must always be weighed against other considerations such as cost, ease of use and availability. In a workplace, risk reduction strategies should be balanced against operational impact, and against the likelihood that employees will actually comply with best practices!
Cyber security should never be an "all or nothing" proposition. For those not ready to make the leap, standard SMS or app-based two-factor authentication is still far, far better than nothing. That said, key-based 2FA is remarkably easy to use, and is arguably more convenient than other types of multifactor authentication. Although not yet available on all websites and services, even partial use can improve your security posture: key-based 2FA can be used to lock down your most sensitive accounts, or to protect your password manager.
We hope this article has helped you learn a little more about this important security tool. If you still have questions about how hardware security keys work, or about two-factor authentication in general, feel free to write to us and ask.