A physical token is the best option when it really matters, although any form of multifactor authentication increases security.
The internet infrastructure provider Cloudflare was one of hundreds of victims in an extensive criminal phishing campaign that breached multiple IT organisations in august. Even though some Cloudflare personnel fell for the phishing scams, the attackers were unable to penetrate the company’s systems further. This is due to the fact that all employees are required to log into all applications using a physical security key as part of Cloudflare’s security procedures. A few weeks later, the business disclosed a partnership with Yubikey, a manufacturer of hardware authentication tokens, to provide Cloudflare users with subsidised keys.
However, Cloudflare wasn’t the only business that valued the security that hardware tokens offered. After introducing two-factor authentication for user accounts seven years ago, Apple last month unveiled hardware key support for Apple IDs. Additionally, the Vivaldi browser revealed support for Android physical keys two weeks ago.
The security is nothing new, and several well-known platforms and businesses have long encouraged the use of hardware keys and mandated their use among staff members, much like Cloudflare did. But this most recent uptick in awareness and adoption is a response to a number of growing digital risks.
According to Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behaviour analyst for the FBI, “Physical authentication keys are some of the most efficient ways available today for protecting against account takeovers and phishing.” Physical tokens are superior to authentication apps, which are superior to SMS verification, which is superior to email verification, if you conceive of it in a hierarchical fashion.
Hardware authentication is extremely secure because the key must be physically held and produced. In other words, a phisher online can’t just coerce someone into providing their password, or even a password plus a second-factor code, to access a digital account. This is something you already know intuitively because it is the fundamental idea behind door keys. To unlock your front door, someone would need your key; nevertheless, if you lose your key, it’s typically not the end of the world because the finder won’t know which door it unlocks. There are many hardware keys for digital accounts that are based on the FIDO Alliance’s standards. These include smart cards, which have a tiny circuit chip on them, tap cards or fobs that employ near-field communication, and things like Yubikeys, which plug into a port on your device.
You probably have dozens or even hundreds of digital accounts, and managing actual keys for each of them would be challenging even if they all supported hardware tokens. But the security and phishing resistance of hardware keys can bring you a lot of piece of mind for your most important accounts and those that serve as a backup for other logins, such as your email.
After years of effort, the tech sector finally made significant advancements toward the long-promised passwordless future in 2022. The action is supported by a system known as “passkeys,” which is also based on FIDO standards. Numerous more platforms, browsers, and services have already adopted or are in the process of adopting the technology, which is already supported by operating systems from Apple, Google, and Microsoft. Users should be able to control their digital account authentication more easily so they won’t resort to unsafe workarounds like using weak passwords. Despite your best efforts, passwords won’t go away any time soon because of how commonplace they are. And despite all the talk about passkeys, hardware tokens remain a crucial security measure.
According to Jim Fenton, a freelance identity privacy and security consultant, “FIDO has been positioning passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a reasonable assessment.” “While passkeys will certainly be the best option for many consumer applications, hardware-based authenticators will undoubtedly still be necessary for higher-security applications, such as those involving employees of financial institutions. Additionally, customers who are more concerned with security should have the option to employ hardware-based authenticators, especially if their data has previously been compromised, if they have a high net worth, or if they are merely worried about security.
Hardware tokens are actually simple to set up, despite the fact that it may initially seem intimidating to add another best practise to your list of digital security tasks. And even if you use them on a few, ahem, important accounts, you’ll get a lot of use out of them.