Beyond Passwords: Physical Security Keys Are Ready for Prime Time

Password-based security comes with all sorts of weaknesses, including the threat of phishing. Fortunately for your association’s data, the hardware security key is mature enough that it’s worth a look. Case in point: Google now makes ‘em.

In an age when cybersecurity threats are basically everywhere in the news, two-factor authentication is starting to become table stakes. If you’re not already protecting your information with more than a single password, you might be doing your organization’s security a disservice.

But a question that might be worth asking here: How far should that second factor go? As I’ve written before, SMS-based authentication is increasingly seen as unsafe, and even phone numbers might prove dangerous security vectors. And while there are useful software tools out there for protecting your security—such as the subscription service 1Password, the open-source tool KeePass, and the Google-operated security tool Authenticator—each has its pluses and minuses.

(But those pluses can be quite helpful! I once had an issue with a tool that would only allow IP-based verification of accounts, which meant that if I wanted to use another machine or was on a VPN, I was on the phone with someone just to log in. The addition of Google Authenticator to the mix was a great way to cut back on a lot of those calls.)

But what if you deal with data so sensitive that not even a piece of software goes far enough? What if the best solution for your organization is giving your employees hardware keys for access to certain sensitive data?

The FIDO Alliance was brand-new in 2013; now the fruits of its hard work have the potential to benefit a whole lot of people.

The concept, while not new, may be about to go mainstream thanks to two companies, Yubico and Google. Yubico is the more mature option at this point; its YubiKeys, which have been on the market in one form or another for about a decade, are relatively inexpensive and can be had for as little as $20. (I got one for free by subscribing to Wired.) While the keys generally use USB-A or USB-C to plug into your desktop or laptop, many of YubiKey’s more expensive iterations also support near-field communication (NFC), allowing use with most current smartphones. The company even sells the keys in bulk and plays up their use in highly secured government environments.

Google is a new player to the market, announcing its Titan solution just last week, but it says the tool is so effective that that the company has gone a full year without facing a single phishing incident since requiring employees to use security keys. That’s no small feat for a company with 85,000 employees and much of the world’s data stored on its various services.

While using the same standards as Yubico, Google brings something fresh to the table: One version of Titan comes with Bluetooth support, meaning that it will work with numerous devices beyond just smartphones. (Yubico, for its part, says Bluetooth isn’t secure enough for regular use.)

No matter the solution you prefer, hardware keys have evolved greatly over the past few years, thanks in no small part to an organization called the FIDO Alliance, which created standards for the technology and has helped to shepherd it to the point where hardware keys are a more realistic option than they might have been when I wrote about them five years ago.

The FIDO Alliance was brand-new in 2013; now the fruits of its hard work have the potential to benefit a whole lot of people.

Not Perfect, But Pretty Effective

Of course, hardware-driven solutions can have their problems, too, if not implemented correctly or too tightly secured.

For example, the FIDO Alliance standards have gained uptake in the world of cryptocurrency thanks to the adoption of hardware wallets, which are often used to secure such currency in an offline form. The problem is the PIN numbers are so secure that if you forget the number, you might never be able to crack the wallet open again. That’s great if you’re trying to protect millions of dollars in bitcoin from thieves; it’s less great if your memory is simply foggy.

Sound far-fetched? Well, in one infamous example, Mark Frauenfelder, cofounder of the popular blog Boing Boing, revealed that he forgot the PIN to his hardware wallet at a time when the cost of bitcoin was reaching an all-time high. As he wrote in Wired, he spent thousands of dollars attempting to exploit the device that was supposed to keep his bitcoin safe. (He did eventually get it back.)

Another scenario: While you can use a YubiKey or similar mechanism without a password (arguably making it more convenient), people lose physical keys all the time. You’re not going to be able to call a locksmith to replace your a FIDO-compliant security key.

Recovering from a lost key isn’t always easy, especially if there isn’t a system administrator involved. Some password management providers, like 1Password, have held off on implementing support for YubiKey as a result.

But the standards for replacement and recovery are high for a reason. Just like every other form of security out there, a hardware key is still potentially fallible and susceptible to the same kinds of social engineering that make passwords problematic—although probably less so, and requiring a lot more work. Tough passwords are great; limiting the number of options available to log in to a service in the first place is even better.

The hardware key isn’t perfect. Nothing is. But it’s a lot closer than pretty much anything else on the market.

In an era when digital attacks are growing increasingly sophisticated and being blamed for everything from corporate hacking to election fraud, a physical key might be the best barricade between your association’s data and the wrong hands.

A pair of YubiKeys, seen as the market leader in the security key space. (Yubico/Flickr)

Ernie Smith

By Ernie Smith

Ernie Smith is a former senior editor for Associations Now. MORE

Got an article tip for us? Contact us and let us know!