Mark Risher adapts his viral Twitter thread about the security advantages of security keys like Ubikey and Google's Titan Security Key, and how they are game-changers for information security.
As Risher tells it, two factor authentication is supposed to require "something you know" (like a passphrase) and something you have (like a dongle, or a phone, etc). The problem is that most 2FA systems are actually about two things you know: your passphrase, and the six- or eight-digit code generated by your phone or security dongle. Wily hackers have figured out how to intercept your entry of that second factor and replay it into online authentication forms, and that's before we get into the intrinsic insecurity of SMS.
Don't take this as advice to give up on traditional 2FA! This man-in-the-middle business is generally reserved for targeted attacks (where someone specifically wants to compromise your security), and traditional 2FA is still a powerful disincentive to opportunity attacks (where someone just wants to compromise anyone's security). In that case, you don't need to be faster than the bear.
But for those who can use them, security keys — which engage in a complex protocol directly with the remote server — are game changing. As Risher puts it: "SKs basically shrink your threat model from 'anyone anywhere in the world who knows your password' to 'people in the room with you right now.' Huge!"
I agree, but there's an important caveat. Security keys usually have fallback mechanisms — some way to attach a new key to your account for when you lose or destroy your old key. These mechanisms may also rely on security keys, but chances are that they don't (and somewhere down the line, there's probably a fallback mechanism that uses SMS, or Google Authenticator, or an email confirmation loop, or a password, or an administrator who can be sweet talked by a social engineer).
So while the insight that traditional 2FA is really "something you know and something else you know, albeit only very recently," security keys are "Something you know and something you have, which someone else can have, if they know something you know."
Yes, no solution is perfect, and yes, security always relies on layers, but this particular layer is so strong it's hard to exaggerate. That's why we made Security Keys a required part of the Advanced Protection Program, and mandate SKs for all Google employees.
Earlier this month, the FIDO Alliance took things even further with a new standard called #WebAuthN, which allows this same game-changing technology to work across the web with fingerprints and biometrics.
It will take time to get rid of all the world's passwords, but these technologies — potentially combined with Federated Identity products like Sign-in with Google & Facebook Connect, which reduce the spread of weak credentials — are making it so users don't need to rely on them and hackers can't take advantage of them.
Phishing and Security Keys [Mark Risher/Medium]