In August Internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing campaign that hacked numerous technology companies. While some Cloudflare employees have been deceived by phishing messages, attackers couldn’t dig deeper into company systems. This is because as part of Cloudflare’s security measures, each employee must use a physical security key to verify their identity when logging into all applications. A few weeks later the company announced working with hardware authentication token maker Yubikey to offer discounted keys to Cloudflare customers.
However, Cloudflare was not the only company to secure hardware tokens. Earlier this month, Apple announced support for hardware keys for the Apple ID, seven years after it first rolled out two-factor authentication for user accounts. And last week the Vivaldi browser announced hardware key support for Android.
Security is not new, and many major platforms and companies have supported the adoption of dongles for years and required employees to use them, as Cloudflare did. But this latest surge of interest and adoption has come in response to a host of growing digital threats.
“Physical authentication keys are some of the most effective methods available today to protect against account hijacking and phishing,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst at the FBI. “If you think of it as a hierarchy, physical tokens are more efficient than authentication apps, which are better than SMS verification, which are more efficient than email verification.”
Hardware authentication is very secure because you need to physically own the key and create it. This means that a phisher on the web cannot simply trick someone into giving up their password, or even their password plus a second factor code, in order to hack into a digital account. You already know this intuitively, because that’s the whole point of door keys. Someone will need your key to open your front door, and if you lose your key, it’s usually not the end of the world, because whoever finds it won’t know which door it opens. There are various types of hardware keys for digital accounts, based on the standards of the tech industry association known as the FIDO Alliance, including smart cards with a small chip, touch cards or key fobs that use near field communications, or things like Yubikeys that connect to a port on your device.
You probably have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens, it would be difficult to manage the physical keys for all of them. But for your most valuable accounts, and those that are the backup for other logins, namely your email, the security and resistance to phishing of hardware keys can mean considerable peace of mind.
Meanwhile, after years of work, the tech industry has finally taken major steps towards a long-promised password-free future in 2022. This step is based on a technology called “access keys” which are also based on the FIDO standards. Operating systems from Apple, Google and Microsoft now support this technology, and many other platforms, browsers and services have adopted it or are in the process of adopting it. The goal is to make it easier for users to manage their digital account authentication so they don’t use insecure workarounds like weak passwords. However, as much as you might like it, passwords aren’t going away anytime soon thanks to their ubiquity. And despite all the hype around access keys, hardware tokens are still an important security tool.
“FIDO positions access keys somewhere between passwords and FIDO authentication hardware, and I think that’s a fair characterization,” says Jim Fenton, an independent privacy and identity security consultant. “While passkeys are likely to be the right answer for many consumer applications, I think hardware authenticators will still play a role in higher security applications such as financial institutions. And more security-conscious consumers should also be able to use hardware-based authenticators, especially if their data has been previously compromised, if they have a large net worth, or if they are simply concerned about security.”
While adding yet another best practice to your digital security to-do list may seem daunting at first, hardware tokens are actually easy to set up. And you’ll get a lot of use just by using them on a couple, um, key Accounts.