How many online accounts do you have? Try counting them and you’ll find that it’s actually pretty difficult. A lot of us even reuse the same password across multiple accounts, which is a very risky habit!
With the rise of password managers such as LastPass, 1Password, and Dashlane in recent years, account security has generally improved. They let people use a different, more complex password for every account without having to remember any of them.
There are still caveats, though: a password manager is protected by a single master password, so if attackers manage to crack that one password, every account stored inside it is exposed. But what if I told you that you can go one step further? With hardware security keys, you can secure your online credentials physically.
What Are Hardware Security Keys?
Hardware security keys are tiny, inexpensive devices that look like USB drives. They use public-key cryptography to authenticate securely with the website or service being used, and they are mostly used as a second factor of authentication: when you log in, in addition to your username and password, the security key must be plugged in or tapped via NFC.
You might have used authenticator apps that generate time-based one-time passwords (TOTP), a string of numbers you enter when you log in to a website. Although they work well as a second factor of authentication, hardware keys are even more secure.
How is this more secure than TOTP? The answer is simple: phishing attacks. With TOTP, you are still vulnerable if you fall for a well-designed fake website, because the code you type in can simply be relayed to the real site. With a hardware security key, the website or service authenticates the key through your browser, and the browser ties the key’s response to the site it is actually connected to, so a look-alike site cannot obtain a valid response. That makes phishing basically impossible.
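To make the difference concrete, here is an added example that is not part of the original article: a small Go model of the challenge-response flow described above, with the three parties (security key, browser, website) as separate functions. The key holds one P-256 key pair per site, the browser derives the site identifier from the origin it is really talking to and includes that origin in the signed data, and the website rejects any response whose origin or challenge does not match. The site names, challenge strings and the reduced WebAuthn message layout are all assumptions made for illustration; the code is a simplification of FIDO2/WebAuthn, not the real protocol or any vendor’s implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// ClientData is what the browser (not the web page) assembles for each login:
// the challenge the site sent and the origin the browser is actually connected to.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the security key: one key pair per relying-party ID (site host).
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a key pair scoped to rpID and hands only the public key to the site.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign produces the assertion signature over sha256(rpID) || clientDataHash.
// This mirrors the WebAuthn layout, with authenticator data reduced to the rpID hash (assumption).
func (a *Authenticator) Sign(rpID string, clientDataHash []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, clientDataHash))
}

func signedMessage(rpID string, clientDataHash []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.Sum256(append(rpHash[:], clientDataHash...))
	return h[:]
}

// Assertion is what the browser hands back to the page that asked for a login.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// BrowserLogin is the browser's part: it derives the relying-party ID from the origin
// it is connected to and asks the key for a signature. A page cannot name another site's credential.
func BrowserLogin(auth *Authenticator, origin, challenge string) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	cdHash := sha256.Sum256(cd)
	sig, err := auth.Sign(u.Hostname(), cdHash[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the website's part: it checks the challenge it issued, the origin it serves,
// and the signature before accepting the second factor.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, as *Assertion) bool {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return false
	}
	if cd.Challenge != challenge || cd.Origin != expectedOrigin {
		return false
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	return ecdsa.VerifyASN1(pub, signedMessage(rpID, cdHash[:]), as.Signature)
}

func main() {
	const rpID, origin = "accounts.example", "https://accounts.example" // constructed sample site
	key := NewAuthenticator()
	pub, _ := key.Register(rpID)

	// Legitimate login: the browser is on the real origin, so the key signs and the site accepts.
	as, err := BrowserLogin(key, origin, "challenge-1")
	fmt.Println("real site accepted:", err == nil && Verify(pub, rpID, origin, "challenge-1", as))

	// Look-alike site: the browser is on a different origin, so no matching credential exists
	// and the key has nothing to sign with. Compare TOTP, where the typed code carries no origin at all.
	_, err = BrowserLogin(key, "https://accounts-example.evil", "challenge-1")
	fmt.Println("look-alike site got a signature:", err == nil)
}
```

Two layers do the work here: the browser only ever asks the key for the credential belonging to the host it is connected to, and even a signature produced for the right host would be rejected by the site if the origin inside the signed client data were wrong. A TOTP code has neither property, which is why it can be relayed.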
Types Of Hardware Security Keys
We won’t be getting into the authentication protocols such as FIDO U2F, CTAP, FIDO2, and WebAuthn as they are a little complex to get into. If you’re interested, let us know and we can have a dedicated article on those!
Let’s talk about the different types of hardware security keys. In general, there are three types – USB, NFC, and Bluetooth.
USB keys are the most common. You plug one into your device when prompted during login and tap the touch-capacitive sensor on it to approve the login. Besides USB-A, there are also Lightning and USB-C variants for wider compatibility. The most popular ones are made by Yubico, with the entry-level variant starting at just $20.
NFC keys usually don’t come as standalone devices; NFC is usually added to higher-end USB keys as extra functionality. These keys are designed to work primarily with smartphones. For example, once you set up a security key on your Google Account, it will prompt you to tap your NFC-enabled security key to authenticate when you log in on a new Android device. NFC-enabled keys usually cost more than the basic keys but are still cheaper than Lightning or USB-C keys. They are great if you plan to use the USB-A connector on your computer and the NFC functionality on your smartphone.
Bluetooth security keys are usually the largest. They work with any device that supports Bluetooth, so they work regardless of whether your smartphone has a USB-C or Lightning port, transmitting data over Bluetooth Low Energy (BLE). The downsides are that they need to be charged, and setting them up and using them is not the smoothest experience. If you want a more seamless experience, go for USB and NFC keys.
How Effective Are Hardware Security Keys?
Hardware security keys are currently the safest two-factor authentication (2FA) method we have. According to Google, after it pushed its employees to use security keys, phishing attacks on all of its 85,000+ employees were entirely neutralized. Pretty impressive!
Before that, employees had been using Google’s own TOTP solution, Google Authenticator, which shows how much security keys improve account security even over a fairly secure method such as TOTP. Google later released its Advanced Protection Program to help users secure their Google accounts to the highest standard, and it’s no coincidence that Google requires hardware security keys as the second factor for Google accounts with Advanced Protection enabled.
So, if you have 2FA enabled with security keys, you can technically announce your password publicly and still won’t get hacked!
How secure do you think your online accounts are? If you are still using the same password across multiple accounts, please use a password manager! If you want top-notch security, it’s a good idea to purchase a hardware security key and gear up for the future.