It is increasingly rare to find an online service that does not offer two-factor authentication, which in some cases considerably increases its security.
However, there are situations in which this is not enough, or in which it is necessary to go a little further, and that is where one alternative has proved suitable: physical security keys.
What a physical key is, what it is used for, how it works and who should use one is what we intend to answer in this post.
What is a physical or hardware security key?
For those who know nothing about it, the question itself already makes it possible to deduce that it is a physical device and, therefore, a hardware component that works as a security element in the authentication procedure of a service or even of another device, such as, for example, a notebook running Windows.
Physically speaking, a security key (as it is also sometimes called) is nothing more than a small object that often resembles a pendrive; depending on the manufacturer, it can have very small dimensions and look like the tiny USB receivers of wireless mice and keyboards.
From this you can deduce that they are inserted into the USB ports of your notebook or desktop, or even of your smartphone, in the case of models available for that type of use.
As a hardware component, it contains a chip responsible for storing the private keys that are required in the authentication process. That is, instead of providing a second piece of information in addition to the traditional username and password to log in or authenticate to a service, when using the key the release occurs through the process recorded on the device for the account in question.
It is therefore a second authentication method.
Email services like Outlook, social networks like Facebook, e-commerce apps, cryptocurrency exchanges, password managers (e.g. LastPass or Bitwarden) and many other online services, or, as we already mentioned, even Windows, allow using a physical key as the second factor in 2FA / TFA (Two-Factor Authentication) methods.
It is possible to use the same hardware key for a multitude of services and accounts on them.
In practice, this means that when the second factor is requested, it is not necessary to enter a code received by SMS or generated by an authenticator app such as Microsoft Authenticator: you just insert the key into your device’s USB port and, depending on the model and manufacturer, it may require a touch of a button or the reading of your fingerprint (biometrics).
How does a security or hardware key work?
As a hardware component, a connection has to be made. Depending on the model and manufacturer, it can be physical, via conventional USB (USB-A), USB-C, micro USB or Lightning (Apple), or wireless, using NFC (Near Field Communication) technology, in which data exchange occurs by bringing the devices close together and which is the same technology present in smartphones, smartwatches and payment cards.
Inside the key there is a chip that runs the system managing the transactions and the algorithm involved, and that holds the stored data, such as the cryptographic keys it keeps.
When the connection is established with the service and/or with the device (e.g. a notebook), the authentication process is initiated, and it may require additional steps, such as, for example, placing the finger whose fingerprint was registered on the biometric sensor.
Therefore, it is used as a second possession-based factor.
As for the keys themselves, they work offline and do not need to be charged.
When is it possible to use a physical key for authentication?
It is only possible to use a physical or hardware key for authentication in services / devices that accept MFA, that is, that give the user the possibility of choosing which the second factor will be, among different options.
More than that, some services of this type do not even include physical keys among the available alternatives.
However, most popular ones already offer this method.
It is also important to point out that those that allow you to select keys as an option may have limitations as to the type, since there are different standards. The most recent and most used is FIDO2 (Fast Identity Online), which is nothing more than a set of basic guidelines and standard requirements, so that every manufacturer that creates a key compatible with it can work with the services that use this authentication method.
FIDO2 is considered the safest today and is an evolution of the previous standard, Universal 2nd Factor (U2F). It is encrypted, private and anonymous.
Who should use a physical (hardware) security key?
All those for whom access to systems or services requires high levels of security or for whom compromised authentication can generate significant losses.
This is because, despite not being a 100% effective method in terms of security in the digital world, it strengthens it a lot compared to the others.
For example, if the second factor is an SMS, cell phone cloning is one way to gain access. Or some digital trail may have made it possible to discover the answers to secret questions / challenges.
In the case of the physical key, only its loss or theft allows access to be gained. In other words, only physical access allows the attacker to advance, so the other causes of vulnerability, such as phishing or malware, do not have the effect cyber criminals want.
However, it should be noted that there is another vulnerability, and it arises not from the key itself but from the service that uses it. Some MFA options allow the user to choose, at the time of authentication, which second factor to use, and in that case the attacker can choose one that is not the key and that he has managed to circumvent (e.g. SMS).
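To make the mechanism described under "How does a security or hardware key work?" concrete, and to show why the phishing and replay points above hold, here is an added Go example; it is not part of the original post and not any vendor's code. It models a simplified FIDO2/WebAuthn challenge-response: the authenticator keeps one private key per service identifier (rpID), the service stores only the public key, issues a fresh random challenge per login and verifies the signature. The names Authenticator, RelyingParty, the rpIDs bank.example and bank-login.example and the user alice are constructed for the example, and the signed digest is a simplification of the real protocol's data layout.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the chip inside a hardware key: one key pair per
// relying party (rpID); the private key never leaves the device.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a credential scoped to rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is what the key returns at login: the data it signed plus the signature.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Signature []byte
}

// signedDigest is a simplified WebAuthn layout: the signature covers the rpID
// hash and the hash of the client data (here just the challenge).
func signedDigest(rpHash [32]byte, challenge []byte) [32]byte {
	clientHash := sha256.Sum256(challenge)
	return sha256.Sum256(append(rpHash[:], clientHash[:]...))
}

// Assert signs the challenge for the rpID the browser reports. A credential
// registered for one site cannot answer for another: no key exists for it.
func (a *Authenticator) Assert(rpID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	digest := signedDigest(rpHash, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpHash, Challenge: challenge, Signature: sig}, nil
}

// RelyingParty is the online service: it stores public keys, issues one random
// challenge per login attempt and checks the returned signature.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // user -> public key
	pending map[string][]byte           // user -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub *ecdsa.PublicKey) {
	rp.pubKeys[user] = pub
}

// NewChallenge issues 32 random bytes, consumed by the next Verify call,
// so a recorded assertion cannot be replayed later.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify accepts the login only if the assertion answers the outstanding
// challenge, is bound to this service's rpID and carries a valid signature.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := rp.pending[user]
	if !ok || !bytes.Equal(want, as.Challenge) {
		return errors.New("challenge mismatch or already used")
	}
	delete(rp.pending, user) // one attempt per challenge
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("assertion bound to a different rpID")
	}
	digest := signedDigest(as.RPIDHash, as.Challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// RunScenario walks through registration, a normal login, a phishing attempt
// and a replay, returning the outcome of each check. Sample rpIDs and user are constructed.
func RunScenario() (legit, phish, replay error) {
	key := NewAuthenticator()
	bank := NewRelyingParty("bank.example")
	pub, err := key.Register(bank.ID)
	if err != nil {
		return err, err, err
	}
	bank.StoreCredential("alice", pub)

	// 1. Normal login: fresh challenge, signed by the key, verified by the service.
	ch, err := bank.NewChallenge("alice")
	if err != nil {
		return err, err, err
	}
	as, err := key.Assert(bank.ID, ch)
	if err != nil {
		return err, err, err
	}
	legit = bank.Verify("alice", as)

	// 2. Phishing page: the browser reports the page's real domain as rpID,
	//    so the key finds no credential for it and returns nothing usable.
	_, phish = key.Assert("bank-login.example", ch)

	// 3. Replay: the assertion from step 1 is presented again; its challenge is spent.
	replay = bank.Verify("alice", as)
	return legit, phish, replay
}

func main() {
	legit, phish, replay := RunScenario()
	fmt.Println("legitimate login:", legit)
	fmt.Println("phishing attempt:", phish)
	fmt.Println("replayed assertion:", replay)
}
```

The point the walk-through makes is that the secret never leaves the key and every signature is tied to both the service's identifier and a single-use challenge, which is why a cloned phone number, a keylogger or a look-alike domain gains nothing on its own; only physical possession of the key produces a valid answer.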
What are the disadvantages of using a physical (hardware) security key?
Nothing is only an advantage, and it is no different with security keys; therefore they may not be the best solution for everyone and for every situation:
1. Cost
It is not the most affordable solution in terms of cost. That is because there is still no national manufacturer or authorized dealer here, and it is not recommended to purchase them other than directly from the producer or from an official dealer of the brand.
When purchasing outside an official channel, there is no way to guarantee that the security key is legitimate or that it has not been tampered with in a way that compromises its security and expected performance.
Abroad, prices are affordable and the simplest models can be purchased from US$ 20.00.
Buying on the Internet, the values converted according to the exchange rate and added to any fees (eg shipping), rarely cost less than R$ 400.00 and depending on the model, it can be much more expensive.
And there is yet another factor that can make the cost truly prohibitive and that is related to the next downside.
2. Needing 2 or more physical security keys
In the event of loss, misplacement, theft or physical damage, and therefore when for whatever reason the key is no longer available, the services in which it is used and which have been configured to accept no other factor will be permanently inaccessible.
This is circumvented by having at least two keys, the second of which must be kept in a safe place.
Therefore, it is not uncommon for companies in particular, or for anyone who cannot take such a risk, to have two, three or even more keys, with the additional ones serving as a backup of the main one.
So the cost at least doubles.
3. Few manufacturers
There are not many manufacturers, at least among the most accepted and recommended ones, which adds to the disadvantages we have seen so far.
Yubico emerges as the main provider of solutions in the segment, but among other names that also constitute reliable alternatives on the market there are Thetis, SoloKeys and the Google Titan.
4. Not universally available
Although this is not a disadvantage of the security key itself, in a way it is an obstacle to its widespread use.
Even though the cases are few, there are still services and devices that do not allow using them to reinforce security, as with WordPress, which only allows 2FA through plugins, or older or simpler smartphones that do not have NFC, or Apple devices, which require a considerably more expensive key.
Conclusion
Physical security keys are one of the best alternatives in terms of security when enabling two-factor authentication methods.