Good bye passwords, hello security keys
The use of a password is an ancient concept. You can see in your mind’s eye a medieval guard at the door asking, slightly slurred, “what’s the password?” and then either letting you “pass” with the right “word” - or chopping off your head if you get it wrong.
Unfortunately this ancient concept has been transferred into the digital domain with dire consequences.
Thankfully, with the advent of WebAuthn and hardware security keys we can see the end in sight.
The problem with passwords is that they can be seen, overheard, copied and guessed - most of the time without your knowledge. There are ways to mitigate this of course (generating random passwords and using a password manager etc.) but even so, a compromised browser (or browser plugin), OS with a key logger and phishing attacks can still get your password.
In a recent how-to we wrote how to use second factor authentication (2FA) to improve the situation a bit. Banks have been (and still are) using OTP codes as a second factor to improve security for their clients but still accounts are being hacked. Why? Because the same “phishing” website that asks for your account and password details also asks for your OTP code. So the attacker has all the information he needs to take over your account.
How do WebAuthn and FIDO2 security keys like the MIRkey change all of this?
Without going into the technical details (which are available here), we can summarize it very briefly as follows:
- Both the service AND the user are cryptographically authenticated.
  You might say, “But how is this different from a TLS certificate verifying the server?” Well now - if servers were always “authenticated” by the user eyeballing the little green icon in the browser, the problem would be less severe - but we know this does not happen. And how does the server know that you are really you except by matching a password?
- Private keys are stored in hardware (or at least in a TPM) - and thus it’s difficult for an attacker to get to them.
  Even if an attacker does manage to copy the keys, signing counters built into the protocol make it easy to detect “cloned” keys on the server side.
- A hardware security key can be stolen… but you are more likely to notice this than a compromised password.
- Not only is security vastly improved with security keys, the user experience is better as well.
Plug in the key, and press the “I’m here” button when requested by the server.
Done.
No drivers, no extra software needed (just a recent browser). For example, see how easy it is to enable security keys on your Google account.
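As an added example (not part of the original article and not code from any vendor mentioned here), the sketch below shows two server-side checks behind the points above: the authenticator data names the site it was produced for, and the signature counter must advance on every login. It assumes signature verification has already succeeded elsewhere; the function names and `example.com` are hypothetical, the sample data is constructed, and treating a stalled counter as a hard reject is a policy choice.

```python
import hashlib
import struct

UP_FLAG = 0x01  # "user present" bit: the button on the key was pressed


def build_auth_data(rp_id: str, sign_count: int, flags: int = UP_FLAG) -> bytes:
    """Constructed sample: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(auth_data: bytes, expected_rp_id: str, stored_count: int):
    """Return (verdict, counter value the server should store afterwards)."""
    if len(auth_data) < 37:
        return "reject: truncated authenticator data", stored_count
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])

    # The signed data carries SHA-256 of the site's RP ID, so an assertion
    # produced for a look-alike domain carries a different hash.
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject: wrong relying party", stored_count
    if not flags & UP_FLAG:
        return "reject: user not present", stored_count

    # Counter rule: 0/0 means the key has no counter; otherwise it must grow.
    if sign_count == 0 and stored_count == 0:
        return "ok", stored_count
    if sign_count > stored_count:
        return "ok", sign_count
    # A counter that stalls or goes backwards suggests a second copy of the key.
    return "reject: possible cloned key", stored_count


if __name__ == "__main__":
    stored = 10  # counter value saved after the previous login
    for label, data in [
        ("genuine key", build_auth_data("example.com", 11)),
        ("copy of key, stale counter", build_auth_data("example.com", 11)),
        ("look-alike site", build_auth_data("examp1e.com", 12)),
    ]:
        verdict, stored = check_assertion(data, "example.com", stored)
        print(f"{label}: {verdict} (stored counter = {stored})")
```
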
Microsoft has already enabled FIDO2, optionally doing away with passwords completely, and Google is in the process of upgrading from U2F to FIDO2.
Exciting times…