Myth debunked - Password safes and security keys are not the same thing
Passwords managers (or password safes as they are also known) such as LastPass, Dashlane, and Enpass are often confused with hardware security keys. Of course, one can use a hardware security key to secure a password safe and, in this context, a hardware security key can complement a password manager. But before we get into the technicalities, let’s first define the concepts “password manager” and “hardware security key” whereafter we’ll delve into the differences between the two concepts in order to highlight why a hardware security key is the superior option.
The concepts and how they work: Password manager and hardware security key
Technopedia defines a password manager as “a software application that is used to store and manage the passwords that a user has for various online accounts and security features. Password managers store the passwords in an encrypted format and provide secure access to all the password information with the help of a master password”. A Hardware Security Key, on the other hand, is a physical device that prevents unauthorised access to accounts by using public key cryptography. Public key cryptography uses two related, but not identical keys in the encryption process – a public key and a private key. Unlike symmetric key algorithms that use the same key to encrypt and decrypt, with public key cryptography, the public key encrypts while the private key decrypts.
What is the difference?
One of the problems associated with passwords (even a master password as with a password manager) is that they are essentially “symmetric” keys. This means that even with a master password, you still have to type (or copy from a password manager) the actual password into the password form field of a browser or app. The password is then transferred from the form field to a server. This is exactly where the problem comes in: operating systems, browsers and even servers are not necessarily secure. Hackers can obtain a copy of this password using keyloggers and browser plugins posing as the real server or even hack the server itself.
Conversely, a hardware security key uses a private key to digitally sign a random portion of the data to prove to the server that it has ownership of the private key. The server verifies this signature by using the public key. The private key is never transferred out of the security key and there is no opportunity for the hacker to obtain the private key. The only way to obtain the private key is to get physical access to the security key and even then, it is very difficult, costly and time consuming to retrieve the private key from the device. The added benefit is that even if a hacker obtains physical access to the security key, the user will be more likely to notice the missing key than a compromised (master) password.
Conclusion
Using only a (master) password still leaves your password safe vulnerable to hacking attempts. Highlighting the difference between a password manager and hardware security key with the latter’s ability to work alongside your password manager to keep your passwords safe, it is clear that these two concepts are not the same or fulfil the same function.
EllipticSecure’s, MIRKey security key can provide an extra layer of security when logging into your password safe. This means that, without physical access to your security key, no-one else can access your list of unique passwords.
Robert Kellerman
Marketing consultant for ellipticSecure.Robert Kellerman is an engineer who specialises in technical marketing. He loves his family, making music, hiking and surfing. He is a bit of a coffee fanatic and roasts his own beans. He lives in Somerset West, Cape Town.