Beyond Two factor Authentication - How a hardware security key implementing FIDO can improve online security

Robert Kellerman
July 11, 2019

Remember the good old days, when using only a username and password (one-factor authentication) was considered secure? It was, in fact, not. Even before Julian Assange broke into the Pentagon, systems were being compromised with brute-force password attacks. You can think of one-factor authentication as "something you know", which means that whoever knows your password can access your account.

Then came two-factor authentication (2FA)

Then came two-factor authentication (2FA) codes, which were supposed to address security issues such as these. Explained simply, using the same analogy as above, 2FA requires "something you know" (your password) and "something you have" (a physical device such as a mobile phone). Hackers now needed both your password and access to the physical device to take over your account. But, as it turned out, 2FA codes had their own vulnerabilities and challenges. For example, when your 2FA relies on a time-based one-time password (TOTP) delivered via SMS or an authenticator app, hackers can capture that code with the same phishing form they use to ask for your username and password, and relay it to the real site before it expires. So not much is gained by using a 2FA code.

An alternative to 2FA codes: FIDO security keys

Luckily, an alternative second-factor authentication method exists: the FIDO protocol standard developed by the FIDO Alliance, which focuses on adding public-key cryptography to existing password authentication mechanisms, offering high security with a frictionless user experience. This standard has now been formalized by the World Wide Web Consortium as the WebAuthn specification and is built into most modern web browsers.

Hardware Security Keys

Hardware security keys such as the MIRkey implement the FIDO protocol explained above. They let users securely and instantly access various online accounts using a single device, and they do not require any special drivers or software. A further benefit of a FIDO device like the MIRkey hardware security key is that no TOTP code needs to be typed in: just insert the key and log in. The hardware security key functions as a security token that lets the user log in to multiple online services that support FIDO, including customised applications. Of course, there is a lot more to it, but this effectively solves the phishing problem by using public-key cryptography, in which a private key resides on the MIRkey device and is never disclosed to the server.

FIDO is a critical step in driving the swift adoption of strong authentication technology, where the user only has to use a simple password which, even if compromised, does not compromise the user's account. The sophistication of the FIDO protocol lies in the fact that a user in possession of a hardware security key can authenticate to any number of web-based services using that one key. An additional benefit of FIDO is the ease with which the protocol can be integrated into an existing password authentication model.

Conclusion

The FIDO authentication protocol, combined with a hardware security key such as the MIRkey, is built with robust security in mind. FIDO hardware security keys are supported by websites and services such as Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Epic Games, Nintendo, Okta, Reddit and Coinbase, among others. The new FIDO2 standard (supported by the MIRkey) is now also enabled for Windows Hello and even allows password-less logins with Windows Hello for Business.


Robert Kellerman

Marketing consultant for ellipticSecure.

Robert Kellerman is an engineer who specialises in technical marketing. He loves his family, making music, hiking and surfing. He is a bit of a coffee fanatic and roasts his own beans. He lives in Somerset West, Cape Town.
