One of the greatest threats against your personal security is an attacker taking control of an online account. With it, the bad guy can do all sorts of nefarious deeds in your name, and if they get control of your email account they can use password recovery features to take control of even more of your accounts. Fortunately, multi-factor authentication (MFA) can protect against account takeovers. While there are many ways to do MFA, one of the best (and definitely the coolest) is with a security key—a tiny device that fits on a key chain.
What Is Multi-Factor Authentication?
The authentication method most of us are familiar with is being required to enter a username and password. But passwords have a lot of problems. For one thing, we’re bad at remembering them and even worse at picking unique, complex passwords that can stand up to attackers. For another, people tend to reuse passwords, meaning that if one account is compromised, all the others with the same password are also at risk.
Multi-factor authentication, sometimes called two-factor authentication or 2FA, seeks to change that by using more than one authentication factor. That doesn’t mean a second password, but at least any two from a list of three possible factors:
- Something you know;
- Something you have; and
- Something you are.
Something you know is typically a password. It lives in your head and should really be known only to you. Something you have could be a security key such as the ones we are rounding up here, or it might be an authenticator app on your phone. Ideally, it’s something that’s not easy for a stranger to access or obtain. Finally, something you are is a physical characteristic that can be read with a biometric scan. That could be a fingerprint scan or facial recognition, although using the latter ranks among the worst mistakes in technology.
Because it’s extremely unlikely an attacker will have more than one of these forms of authentication, MFA makes it much harder for bad guys to take over accounts. This has been proven in the real world. When Google required employees to use hardware MFA keys, account takeovers effectively vanished.
What Is a Security Key?
While they can take many forms, most security keys are small, key-sized devices that can uniquely identify themselves to sites and services. Remember, they are something you have.
To use a security key, you first have to enroll it with each site or service you want to protect. There’s increasing support for security keys, but don’t be surprised if they’re not accepted at every site you try. Enrolling a key is slightly different for each key and site, but it usually goes something like this: Somewhere in the site or service settings you’ll find an option to enroll your security key. Click it, insert the key, tap the key’s button when prompted, and then give the key’s record a name so you know which is which. Some sites and services limit you to just one key, others allow many more.
In practical terms, you’re usually prompted to present your security key after entering your username and password for an account. You connect the key through some kind of data transfer connection—typically USB-A or USB-C—and then press a button on the device to verify that you’re a real person and not a clever malware attack impersonating a key. If both the password and the key check out, you log in as normal.
Some hardware keys include wireless communication capabilities, usually through near field communication (NFC), to interact with mobile devices. Other keys have biometric authentication for an added layer of protection.
Not All Factors Are Created Equal
While two factors are always better than one, each MFA scheme has potential advantages and drawbacks.
Receiving one-time passcodes via SMS text message is one of the oldest and most widespread forms of MFA. It’s easy to understand, and since many sites and services already have your contact information, you may not even need to enroll in it. While convenient, SMS codes have two major drawbacks. First, they require a functioning phone. If your phone is dead or you can’t afford your own phone, you can’t log in.
Second, it’s been proven that attackers can intercept SMS codes through a process called SIM jacking. As such, we advise readers to avoid SMS MFA wherever possible. Hopefully the FCC will be able to address this threat.
Another common form of MFA is to use an app that generates time-limited login codes. While there are many examples of authenticator apps, most people are probably familiar with Google Authenticator. This type of MFA is more secure than SMS codes and lets a single app provide codes for any number of sites and services.
While authenticator apps don’t require a network connection, your phone does need to be available and powered. Mobile phones aren’t purpose-made authenticators; they are highly connected devices that do all kinds of tasks. This means it’s possible, although unlikely, that a malicious attack could get at your security codes.
Hardware-based security keys solve most of the problems of the other MFA schemes. Hardware keys have no batteries and require no network connection. They also have no moving parts, making them difficult to break. Because they work on purpose-made hardware, they’re much harder to attack. Finally, it can be kind of fun to have a special tool for logging in.
There are downsides to using hardware keys for MFA, too. Unlike other types of MFA, hardware keys cost money—usually $20-$50. Hardware keys can also be lost and aren’t as widely supported as app-based MFA codes.
If you’re new to MFA, we recommend starting with app-generated codes. These are free, secure, and easy to use and understand. But if you’re already familiar with MFA and are interested in upping your security game, hardware security keys are the next step.
That said, it’s important to remember that MFA of any kind can’t protect against all the dangers the modern world presents. We strongly recommend using antivirus software as well as a password manager to create unique and complex passwords for each site and service you use.
How Do Security Keys Work?
The most widespread means of hardware security key authentication is based on the standards from the FIDO Alliance. All of these standards do fundamentally the same thing: they use asymmetric (public-key) cryptography to authenticate you to a site or service.
Each device can generate any number of public keys from its private key without ever exposing that private key. That lets a single security key be used for multiple sites and services, and, more importantly, it means that a failure or change at any one site or service won’t affect the others. You can remove and re-enroll your key as many times as you like.
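The registration and login flow described above, as an added example that is not code from the original article or from any FIDO product: one simulated device secret yields a different P-256 key pair for every site, only the public key is handed over at enrollment, and each login signs a fresh challenge that the site checks with its stored public key. The derivation from the site identifier alone, the `Key`, `Site`, `Register`, `Authenticate` and `Verify` names, and the separator byte in `signedData` are simplifications made for this example (a real key also mixes in a per-enrollment nonce).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Key simulates a security key: a device secret that never leaves it (constructed by the caller here).
type Key struct{ Secret []byte }

// Site is one enrolled service and the public key it stored at enrollment.
type Site struct {
	ID  string
	Pub *ecdsa.PublicKey
}

// keyFor derives a site-specific P-256 key pair from the device secret and
// the site identifier, so every site is handed a different public key.
func (k *Key) keyFor(rpID string) *ecdsa.PrivateKey {
	mac := hmac.New(sha256.New, k.Secret)
	mac.Write([]byte(rpID))
	curve := elliptic.P256()
	d := new(big.Int).Mod(new(big.Int).SetBytes(mac.Sum(nil)), curve.Params().N)
	priv := &ecdsa.PrivateKey{D: d}
	priv.Curve = curve
	priv.X, priv.Y = curve.ScalarBaseMult(d.Bytes())
	return priv
}

// Register enrolls the key with a site: only the public key leaves the device.
func (k *Key) Register(rpID string) *ecdsa.PublicKey { return &k.keyFor(rpID).PublicKey }

// signedData ties a signature to both the site and this login's challenge.
func signedData(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return sum[:]
}

// Authenticate is the button press: sign the challenge with that site's key.
func (k *Key) Authenticate(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.keyFor(rpID), signedData(rpID, challenge))
}

// Verify checks an assertion with the public key stored at enrollment; a signature for another site or challenge fails.
func (s *Site) Verify(challenge, sig []byte) bool {
	return s.Pub != nil && ecdsa.VerifyASN1(s.Pub, signedData(s.ID, challenge), sig)
}
```

Because the private key is derived on the device and never exported, a breach of one site's stored public key reveals nothing usable at any other site.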
When shopping for a security key, you should look for at least FIDO U2F certification, because it means the key will work in just about every basic security key context. FIDO2/WebAuthn is the next-generation standard, which supports additional types of authentication. If you want to use a device for biometric MFA or passwordless login, you’ll need FIDO2/WebAuthn.
Are Security Keys Safe?
Going from a password that (ideally) is a complete secret to a little bauble like a security key can sometimes feel like being less secure. After all, what happens if your key is stolen? Or if you lose your key?
To the first point, it’s extremely unlikely that someone would have the means to track down an individual user and steal their security key. Most cybercrime is committed en masse with thousands or millions of compromised accounts. One security key isn’t worth the effort. Still, it’s not impossible and a determined attacker could use a stolen key to access your accounts. That’s why it’s important to keep your key safe, but also to use strong passwords secured in a password manager. If the thief gets the key but can’t crack your password, they’re still not getting in.
It’s far more likely that you will lose your key, and that can be an issue. Yubico recommends enrolling a second key and storing it as a secure backup. Many services that support security keys also allow (and some require) you to enroll multiple MFA factors, so you could set up an authenticator app as a backup MFA option. Services often let you generate backup codes that you can write down offline or secure in a password manager, which grant you access in emergencies. If none of that works, find a device where you are still logged in and unenroll the key or add a new MFA factor you do have. The bottom line is that losing your security key is not the end of the world.
How to Choose a Security Key
The first thing to look at when choosing a security key is how the key literally fits with the rest of your devices. If you don’t have any devices with USB-C, you should stick to keys with a USB-A connector. If you intend to use your key with mobile devices (and you should), select either a key with a connector that fits your phone or a key with NFC, if your phone supports NFC.
You also need to consider your budget. The most expensive keys we’ve reviewed cost up to $85, which is a significant chunk of change. If you’re new to hardware security keys, we strongly recommend starting with a cheaper key and upgrading later. The Security Key NFC from Yubico works just as well for MFA as a more expensive key, offers NFC for mobile devices, and can fit USB-C with a cheap dongle. It’s a great choice for first-time buyers.
Most security keys just authenticate you, and that’s enough. But some go further with additional features. Kensington has a line of biometric keys that require the correct fingerprint to authenticate you. High-end YubiKeys have numerous additional features: the ability to play back a static password, working with a desktop or mobile app to provide app-generated passcodes, PGP key management, and their own form of one-time passcodes.
More obscure facets of each key may be significant to the most discerning buyer. NitroKeys and SoloKeys use all open-source code and hardware, making them a strong choice for a particular crowd. Yubico locks down all its devices from firmware changes to protect them from tampering, while NitroKey celebrates its updatable firmware.
The Key to Security
Hardware security keys are the best, most secure method of MFA, and we highly recommend them. But for some, the idea of paying for a key or having to fetch it each time they log in is too much, and that’s just fine. What’s most important is that you find an MFA scheme that works for you and that you actually use it. The best security doesn’t work if it’s ignored.