Summary
- FIDO security keys use strong RSA/ECC public key (asymmetric) cryptography
- Protects the owner/user from phishing attempts
- The first version of the Google Titan Key was subject to a physical attack.
- Though security keys have their drawbacks, the protection they provide outweighs the risks.
What is a FIDO Security Key?
A FIDO security key, or U2F security key as it is also known, is a physical, key-shaped device that acts as a “digital key” to unlock access to social media accounts, email accounts, even bank accounts. It has a special, un-copyable code that works with your password, PIN, or your fingerprint. Hackers sometimes build fake versions of your favorite websites to steal your passwords, but your security key is too smart for that – it can recognize the real deal. This means even if a hacker manages to steal your password, they still can’t get into your account without your physical key. Using it is easy: it’s a tiny device, kind of like a USB stick, that you store with your house or car keys. You register it with your important accounts, and when you log in, you simply insert the key and tap it after typing in your password, PIN, or using your fingerprint. It’s an extra layer of protection that makes it way harder for the bad guys to mess with your online stuff.
How Does the Security Key Know it’s Me?
Imagine you have a secret handshake that only you and your best friends know. The FIDO security key uses something similar to make sure it’s really you trying to access your account. This could be a password, PIN, or even your fingerprint. It’s an extra step to ensure that even if someone gets their hands on your U2F security key, they still can’t pretend to be you, and access to your online accounts will be denied.
How Does My Security Key Protect Me?
Imagine your FIDO security key as a tiny, ultra-secure vault for your online accounts. It leverages the power of public key cryptography, where it holds a unique private key (e.g. debit card PIN) that never leaves the device and a public key (e.g. debit card number) shared with online accounts. When you register with a website, a matching public key (e.g. debit card number) is stored on the registering website, creating a secure password-less login.
You’ve probably heard about people getting tricked into giving away their passwords through fake websites (phishing). The cool thing about FIDO security keys is they’re smart enough to recognize the real website from a fake one. So, even if you accidentally land on a fake look-alike site, your FIDO security key won’t unlock your account, since the fake look-alike site does not have your public key (e.g. debit card number)! How does this happen? Well, when you plug your security key into a USB-A or USB-C port on your computer, the legit website will recognize it because it has your “public” key (e.g. debit card number). Remember, if you will, your “public key” is a code your security key automatically gives the legit website when you enroll in password-less authentication.
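The challenge-and-signature exchange described above can be modelled in a few dozen lines. The following Go program is an added example written for this article; it is not code from the article's author or from any security key vendor, and it simplifies the real FIDO2/WebAuthn protocol (no attestation, no client data JSON, no signature counter) down to the three facts the text relies on: the private key is generated on the key and never leaves it, the key only answers for sites it was enrolled with, and each signature is bound to one site identifier and one single-use challenge. The site names (bank.example, mail.example, bank-login.example) and the user name are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for the security key: one key pair per enrolled site; private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey } // site identifier -> private key
// Register generates a P-256 key pair for the site and returns only the public key, which the site stores.
func (a *Authenticator) Register(site string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[site] = priv
	return &priv.PublicKey
}

// Sign answers a login challenge for the site the browser reports as asking. A look-alike domain has
// no credential on the key, so nothing is signed; otherwise the signature binds the site identifier and challenge.
func (a *Authenticator) Sign(site string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[site]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(site, challenge))
	if err != nil {
		panic(err)
	}
	return sig, true
}

// signedDigest is the value both sides agree the signature covers: SHA-256(SHA-256(site) || challenge).
func signedDigest(site string, challenge []byte) []byte {
	siteHash := sha256.Sum256([]byte(site))
	h := sha256.New()
	h.Write(siteHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is a website that accepts the key for login (constructed model, not a real site).
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // user -> enrolled public key
	pending map[string][]byte           // user -> outstanding single-use challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Challenge issues a fresh 32-byte nonce that is valid for one login attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify accepts a signature only if it covers this site's identifier and the challenge issued for this attempt.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, enrolled := rp.pubKeys[user]
	challenge, outstanding := rp.pending[user]
	if !enrolled || !outstanding {
		return false
	}
	delete(rp.pending, user) // single use: a replayed signature never matches a later challenge
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}

// DemoResult records the outcome of the four scenarios in RunDemo.
type DemoResult struct{ LegitAccepted, PhishSigned, ReplayAccepted, CrossSiteAccepted bool }
// RunDemo enrolls one key with two constructed sites and walks through the scenarios from the text.
func RunDemo() DemoResult {
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank, mail := NewRelyingParty("bank.example"), NewRelyingParty("mail.example")
	bank.pubKeys["alice"] = key.Register(bank.ID) // enrollment: only the public key is stored
	mail.pubKeys["alice"] = key.Register(mail.ID)
	var r DemoResult
	sig1, _ := key.Sign(bank.ID, bank.Challenge("alice")) // genuine login
	r.LegitAccepted = bank.Verify("alice", sig1)
	// A look-alike site may relay the bank's real challenge, but the browser reports its own origin, which the key has never seen.
	_, r.PhishSigned = key.Sign("bank-login.example", bank.Challenge("alice"))
	bank.Challenge("alice") // new attempt; the earlier captured signature is presented again
	r.ReplayAccepted = bank.Verify("alice", sig1)
	sig4, _ := key.Sign(mail.ID, mail.Challenge("alice")) // valid for mail.example only
	bank.Challenge("alice")
	r.CrossSiteAccepted = bank.Verify("alice", sig4)
	return r
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```

Running it prints `{LegitAccepted:true PhishSigned:false ReplayAccepted:false CrossSiteAccepted:false}`: the genuine login verifies, the look-alike domain gets no signature at all, a captured signature cannot be reused against a fresh challenge, and a signature made for one site fails verification at another because the site identifier is inside the signed data. In the real protocol the browser, not the website, supplies the origin to the key, which is why a phishing page cannot simply claim to be the bank.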
This key comes in a convenient physical form, typically with both USB-A and USB-C connectors for maximum compatibility across your computers and devices. Inside, strong RSA/ECC cryptography safeguards your private key, making it impossible to expose.
The beauty of FIDO/U2F keys is their cross-platform nature. They work seamlessly with various operating systems (Windows, macOS, Linux), popular browsers, and devices with support for Near Field Communication (NFC). Both the Google Titan and Yubico YubiKey 5 can interface with NFC-compatible devices (e.g. Samsung, Google, and Apple phones) just by holding the key up to the phone.
Here’s the bottom line: A FIDO/U2F security key adds a robust layer of protection by combining public key cryptography, certificate attestation, hardware-based encryption, and cross-platform flexibility. It makes phishing attacks significantly harder and provides a strong defense even if your passwords are compromised.
What Are the Cons of Using FIDO Security Keys?
FIDO/U2F security keys offer a robust layer of protection for online accounts, making them incredibly resistant to phishing and other common hacking attacks. However, it’s crucial to acknowledge some potential drawbacks associated with their use. One of the most significant concerns is the risk of losing or damaging the physical key. If misplaced, you could be temporarily locked out of your accounts until you have a replacement key. For this reason, it’s wise to register a backup security key, ensuring seamless access should you lose your primary one. Additionally, although the adoption of FIDO/U2F is expanding, there are still websites and services that don’t yet support hardware-based authentication. This might necessitate the continued use of alternative two-factor authentication methods in certain cases.
Furthermore, FIDO/U2F security keys come at a cost, potentially becoming an obstacle when numerous accounts across individuals or organizations need to be protected. For some users, the physical act of plugging in the key during every login might be perceived as a slight inconvenience compared to password-only or app-based authentication methods. It is also important to consider compatibility issues. Your chosen security key must have the appropriate connector (e.g., USB-A, USB-C, NFC) for your devices, and older web browsers might not offer full support for FIDO/U2F standards.
One additional area of concern lies in physical attacks against the security key. While extremely difficult, sophisticated attackers with physical access to a key and specialized equipment could attempt to extract the private keys stored on the device. This was demonstrated in a complex attack against the Google Titan Key, highlighting the importance of choosing keys from reputable manufacturers that prioritize secure key storage. Additionally, some theoretical side-channel attacks might be possible, but their practical execution is often challenging.
Another category of vulnerabilities involves firmware and implementation flaws. If a security key has a weak random number generator, it could produce predictable keys, compromising security. Moreover, if the key’s firmware is compromised, it could lead to malicious key extraction or usage. To mitigate this, opt for keys from manufacturers who invest in secure firmware design and regularly provide updates. Additionally, it is up to the user to download firmware updates from the vendor website or through the supplied app that comes with the security key.
Client-side malware poses a risk as it could manipulate the security key. Malware might trick the key into signing authentication requests for fake websites or relay authentication communications between machines. Vigilance against malware, through antivirus software, and careful attention to the website you’re logging into are crucial defenses. It’s worth noting that FIDO2 has mechanisms to mitigate replay attacks, where an attacker tries to reuse previous authentication data.
Despite these drawbacks, it’s essential to remember that the heightened security benefits provided by FIDO2/U2F security keys significantly outweigh the potential downsides for the majority of users. When considering the prevalence of phishing and account takeover attempts, a physical security key vastly improves your online security posture.
Where Can I Buy Security Keys?
There are not many FIDO/U2F security key vendors to choose from. The top two vendors are Google and Yubico, with the YubiKey taking the top spot.
| Maker | Website | Approximate Cost |
|---|---|---|
| Yubico | https://www.yubico.com/ | $25 – $70+ |
| Google | https://store.google.com/ (search for “Titan Security Key”) | $30 – $40 |
| Kensington | https://www.kensington.com/ (search for “VeriMark”) | $50 – $70 |
| Feitian | https://www.ftsafe.com/ | $20 – $50+ |
| HyperFIDO | https://www.hypersecu.com/hyperfido | $20 – $30 |
Websites Supporting FIDO2, U2F, Password-less Authentication
| Website | FIDO2 Support | Authenticator Types | FIDO2 Setup URL | Sector |
|---|---|---|---|---|
| Microsoft Accounts | Yes | Security Keys, Platform Authenticators, Passkeys | (within your account security settings) | Technology |
| Google Accounts | Yes | Security Keys, Platform Authenticators, Passkeys | https://myaccount.google.com/security (within your account security settings) | Technology |
| Apple Accounts | Yes | Platform Authenticators, Passkeys | (within your account security settings) | Technology |
| Dropbox | Yes | Security Keys, Platform Authenticators | https://www.dropbox.com/account/security (within your account security settings) | File storage |
| GitHub | Yes | Security Keys, Platform Authenticators | https://github.com/settings/security (within your account security settings) | Software development |
| Twitter | Yes | Security Keys, Platform Authenticators | https://twitter.com/settings/security (within your account security settings) | Social media |
| Facebook | Yes | Security Keys, Platform Authenticators | https://www.facebook.com/settings?tab=security (within your account security settings) | Social media |
| eBay | Yes | Security Keys (limited support) | https://www.ebay.com/ (within your account security settings) | E-commerce |
| Okta | Yes | Security Keys, Platform Authenticators | Setup likely within the Okta administration or management portal | Identity and access management |
| Cloudflare | Yes | Security Keys, Platform Authenticators | https://dash.cloudflare.com (within account security, look for “My Profile”) | Content delivery network |
| 1Password | Yes | Security Keys, Platform Authenticators | (within security settings) | Password management |
| Fastmail | Yes | Security Keys | (within your account security settings) | |
| ProtonMail | Yes | Security Keys | (within your account security settings) | |
| Binance | Yes | Security Keys | (within your account security settings) | Cryptocurrency exchange |
| Kraken | Yes | Security Keys | (within your account security settings) | Cryptocurrency exchange |