How Can Security Keys Help Authentication?
Here we go through a series of questions about the use of security keys and possible alternatives for authentication and security.
Within corporations as well as among consumers, the desire for strong authentication has never been more important. Online protection is at the front of everyone's mind and, with the variety of options available today, many people ask me what the best choice is to keep them safe. In this article, I will answer your questions about the best security keys and devices to use.
Check out my article on making sense of the security alphabet soup if you become confused about any terminology in this post.
Yes, Get a Security Key
Security keys are the strongest practical authenticators today. They are simple to understand, durable, and portable. They can work cross-platform and can be used on any number of websites that support them.
Now, when I do tell my friends to go buy a couple of security keys, I tend to get a bit of pushback. Let’s address their top counter-arguments first!
How many security keys does one person need?
Why Not an Authenticator App?
How about both? You definitely want to use security keys when possible, because one-time passcodes from authenticator apps can be phished. Now, in my article on why WebAuthn & security keys are great, I attempted to add a security key to all websites important to me, but only 1 in 3 of the sites supported them. Of those sites where security keys weren’t an option, 1 in 4 supported authenticator apps. So, while authenticator apps aren’t as phishing resistant as security keys, they're certainly a lot better than nothing, which is why you’re likely to end up needing both.
How many authenticator apps does one person need?
Why Not a Password Manager App?
Yes, you should have a password manager, too! Passwords suck, but we’ll be stuck with them for a good while. I have hundreds of passwords, but using a password manager makes it easier and more secure. I’ve even gotten my family members—including my teenagers—to use password managers. Granted, there may have been some eye-rolling involved in the process.
As a bonus, you can use a password manager as an authenticator app, if you’d like! This helps limit the number of apps you have to shuffle, with the side benefit of better phishing resistance thanks to how autofill works in password managers.
Why Not Use Passwordless WebAuthn?
Wouldn’t that be great! Just go to a site on your phone or computer, tap the fingerprint sensor or show your face, and you’re in! Unfortunately, despite the majority of browsers now supporting WebAuthn, very few websites have implemented the passwordless WebAuthn experience so far. Security keys give you most of the same security benefits and are more widely supported.
Why Not Just Use My Existing Device as an Authenticator?
It’s true; FIDO authenticators don’t have to be external security keys. They can be built into devices like phones and laptops and, when these on-device authenticators work, the user experience is great!
Unfortunately, not all browsers support these on-device (a.k.a. platform) authenticators yet (I’m looking at you, Safari). The same is true on mobile, so there are no FaceID logins to websites as of yet.
Finally, many websites don’t support these on-device authenticators, leaving you hanging with a prompt asking you to plug in your security key to USB. One day these platform authenticators may work great, but today security keys are more consistently supported.
Which Security Key Should You Get?
For the best experience, do the following:
- Make sure your keys support both the new FIDO2 and the older FIDO U2F protocols. This gives you the ability to leverage the future greatness of WebAuthn while remaining compatible with all existing U2F security key implementations.
- Buy at least two of them. Most sites (and all good ones) support setting up multiple security keys; this way you can always have one on you, and keep one as a backup in a secure place like your fire safe.
After using more than a dozen different security keys over the last couple of years, the easiest to recommend are the YubiKey 5 and Security Key series from Yubico. They come in a variety of form factors, some of which are pretty indestructible (plus Yubico discloses any security advisories). Remember, any time you plug a new USB device into your computer, you implicitly trust the security processes of its manufacturer, from the factory to your hand.
Now, how do you choose which specific model is right for you? Turns out it can be very hard! I live in a relatively simple ecosystem: a number of different iOS, iPadOS, and macOS devices—nothing else.
My perfect security key would have two connectors, USB-A & USB-C for computers, as well as contactless support (NFC) for use with phones. But this device doesn’t exist! My next-best security key would be a small USB-C key with NFC. This doesn't exist, either!
My current compromise is to use a USB-C YubiKey 5 along with my MacBook Pro TouchID platform authenticator as my main security keys. I also have two NFC-enabled USB-A keys as secondary and fire-safe backups. Yes, I am a little paranoid, why do you ask?
Securing Your Work Accounts
In the workplace, there is more potential for quick improvement and universal adoption of security keys and Web Authentication than in the consumer world. The majority of businesses are putting access to applications behind SSO (Single Sign-On), which makes deploying modern authentication like security keys and Web Authentication much easier since you’re introducing a single control point for identity and authentication. You can see how we at Okta do it in our Dogfooding Chronicles. Of course, the devil is in the details, but that’ll need to be a different article.
Room for Improvement
If a security solution is not very easy to use, it will never gain universal adoption the way SMS 2FA has—despite the many problems of using SMS for authentication. I expect security keys to remain a great option for people like me and you—nerds who would read an article like this. A security key is yet another thing you have to buy, carry, and keep track of. Also, websites have their security settings all in different places with different names; it’s sometimes hard to even find them. Usability remains a challenge—one researcher found that when they tasked study participants with securing a Facebook login with a security key, 70% believed they had succeeded, but half of them had actually failed without realizing it!
As an industry, it is our job to give users more secure defaults and easier-to-understand security controls, in a place where they can be found. If we want to replace SMS with something stronger, our best hope today is getting universal support for smartphone-based FIDO2 (looking at you, Apple and Google) and getting websites to enroll users in it as the default option. Let’s keep pushing!
And until then, we have security keys.
Thanks for reading and stay safe!
Published at DZone with permission of Sami Laine, DZone MVB. See the original article here.