You may have heard of security keys being mentioned somewhere, and maybe you even use them but don’t know how they work. Or you haven’t heard of them and then you’ll learn something new. Either way, I’m going to tell you how they work and what makes them the most secure option of two factor authentication.
There are many types of two factor authentication
Some are more secure than others. At the very bottom end there’s SMS codes, which does add a second factor but there are plenty of attacks in use to get a hold of SMS codes, and for a high profile person or a high profile system SMS codes may add an additional attack vector since your SIM card is now also the target of attacks. I won’t go into the specifics in this article, but SMS codes are not considered to be secure at all and should not be used.
Then there’s TOTP, Time-based One Time Password, which is what Google Authenticator, Authy, OTP Auth and similar apps use. This is supported by a wide range of services and is much more secure than SMS codes. For most people it is probably secure enough for now, but there are some issues. The codes are generated by a secret stored in an application usually on a smartphone. If this phone is stolen the codes are compromised. If the phone is infected with malware, or targeted for an attack it may be possible to extract the secret used to generate the codes. And if this phone is the only device set up for TOTP codes and it’s lost or breaks, the user may lose access to the services protected if they haven’t saved the secret in a safe place or have written down the backup codes.
Both SMS codes and TOTP are also sensitive to phishing attacks where the bad guys set up a copy of the website you’re trying to log in to but with a slightly different domain name like say gooogle.com instead of google.com for example. It may not be obvious at a quick glance and everything on the page looks the same, so you try to log in and the fake site captures your username and password, and forwards it and the SMS or TOTP codes to the real service to gain access.
Then there’s the better option
Security keys fix all of the problems mentioned above and they do it in a very clever way.
Security keys depend on asymmetrical encryption. There is a secure secret key stored inside the security key that should not be possible to extract from the key. Even the owner of the key can’t see the secret key if done right. This key is used to generate key pairs used for authentication.
When adding a security key using U2F to a new service, the key generates a random number, known as a nonce, and then uses a secure hash function to mix the random number with the domain of the website or service and the secret key that never leaves the security key. The security key then creates a public/private key pair for the resulting unique key which is sent to the server along with the nonce and a checksum.
Then when it’s time to authenticate a login the server generates a challenge, which is another random number. This is then sent to the browser along with the nonce and checksum which in turn sends it to the security key. The security key then generates the same service-specific key pair from the information received and the secret key and uses the checksum to check that the nonce matches what was generated on the key previously. The challenge is then signed with the newly generated private key and sent back to the server. The server now verifies the signature with the matching public key and if the verification is correct the authentication is complete.
But what if someone has made a phishing site with a similar domain name?
Since the domain is part of the key generation, the private/public key pair will be different if the domain is different, and as such verification will fail if a phishing site tries to forward the information between the real server and security key.
What if someone gains remote access to my computer and the key is inserted?
Every authentication has to be confirmed by pressing a button or touching a contact on the key on any security key worth using. Without doing this the key will not do anything. Having physical access to the key is necessary.
What if someone gains physical access to my unlocked computer with the key inserted?
Then you are doing it wrong. Hopefully they don’t have your password and can’t even get to the security key authentication part. But if they do, some websites and services require a PIN code to be set for the security key. The PIN is specific to that security key and the service never knows what it is. This PIN can be alphanumerical and acts like a second factor for the key itself. Before the key does anything the PIN has to be entered and the contact on the device has to be touched. Using this method it is even possible for services to implement passwordless logins, where only the key and its PIN is used for both factors for convenient and secure logins.
And also an attacker should only be able to access that one service anyways even if they know the password because you don’t use the same password for multiple services do you? There are password managers for a reason. Be sure to protect your email account really well, because it can usually be used to reset passwords for all your other services… Your computer and anything on it including already logged in services are however compromised if unauthorized access has taken place, so be careful not to leave your computer unlocked when unused.
My personal choice of security key is the Yubikey line of products by Yubico (https://www.yubico.com) if it wasn’t already obvious from the photos. They are excellent devices made in Sweden and the USA by a company that know what they are doing. For the sake of transparency: I am not in any way sponsored by Yubico. I paid for my Yubikeys out of my own pocket. I just happen to think they are great products.