The volume and severity of phishing attacks are increasing daily. The most prevalent form of phishing involves tricking users into visiting and logging into fake websites, where hackers steal the user's password to use on the actual website. The sophistication with which hackers execute their attacks makes it increasingly difficult to distinguish between real and fake websites.
Enter new-gen security keys
Business Insider reported that Google “have had no reported or confirmed account takeovers since implementing security keys at Google”. This means that for the last three years, none of Google’s 85 000+ employees was successfully phished on their work-related accounts.
Hardware security keys are the preferred alternative to two-factor authentication (2FA) OTPs. The problem with OTPs is that the code is still entered on the phishing website along with the user’s password. The hacker can then take over the account by using the captured credentials and OTP on the actual website, as mentioned above.
How the MIRkey security key does it
The MIRkey security key performs a multi-factor authentication protocol known as FIDO, which allows users to complete their login process by simply inserting a USB device and pressing a button on the device to confirm user presence. Your security key is registered with a specific account service such as Gmail, Facebook or Dropbox using public key cryptography. This means that without the physical presence of your security key, a hacker who has obtained your password still won’t be able to gain access to your account.
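The following added example (not MIRkey or ellipticSecure code) goes one step beyond the text and shows the checks a WebAuthn account service runs on a login response before verifying the key's signature: the origin reported by the browser, the hash of the service ID the key was registered for, and the user-presence bit set by the button press. The domains and challenge are constructed sample values, and the signature verification itself is left out because it needs a cryptography library.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "accounts.example.com"            # constructed relying-party ID
ORIGIN = "https://accounts.example.com"   # constructed expected origin
CHALLENGE = bytes(range(32))              # constructed; a real server uses random bytes

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it: the origin is the site actually loaded."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def auth_data(rp_id: str, user_present: bool, counter: int = 1) -> bytes:
    """Authenticator data: SHA-256(rpId) || flags || 32-bit signature counter."""
    flags = 0x01 if user_present else 0x00   # bit 0 = UP (button pressed)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)

def check_assertion(cdj: bytes, ad: bytes, challenge: bytes) -> list:
    """Return the failed checks; an empty list means signature verification may proceed."""
    failed = []
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(str(cd.get("challenge")).encode(), b64url(challenge).encode()):
        failed.append("challenge")
    if cd.get("origin") != ORIGIN:
        failed.append("origin")
    if len(ad) < 37:
        return failed + ["authenticator data too short"]
    if not hmac.compare_digest(ad[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failed.append("rpIdHash")
    if not ad[32] & 0x01:
        failed.append("user presence")
    return failed

def scenarios() -> dict:
    fake = "accounts.example-login.test"     # constructed look-alike domain
    return {
        "genuine": check_assertion(client_data(ORIGIN, CHALLENGE), auth_data(RP_ID, True), CHALLENGE),
        "relayed": check_assertion(client_data("https://" + fake, CHALLENGE), auth_data(fake, True), CHALLENGE),
        "no_touch": check_assertion(client_data(ORIGIN, CHALLENGE), auth_data(RP_ID, False), CHALLENGE),
    }

if __name__ == "__main__":
    for name, failed in scenarios().items():
        print(name, "->", failed or "ok")
```

Unlike an OTP, a response produced while the user is on a look-alike site carries that site's origin and ID, so replaying it to the real service fails these checks.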
Since most modern browsers support the authentication specification known as WebAuthn, you don’t require any special software or drivers to use the security key. This facilitates the rollout process across the enterprise while enabling strong multi-factor authentication with most known account services including Google, Coinbase, Facebook, GitHub, Amazon, Salesforce, LastPass etc., and password-less login with Microsoft Hello for business accounts.
Because the MIRkey also fully implements the PKCS#11 standard, it complements existing software such as Adobe Reader DC (for document signing and encryption), VPN servers and clients (OpenVPN), Web servers (Apache), Database servers (Oracle), OpenSSH, Thunderbird (signing and encrypting emails), Firefox, Disk volume encryption (VeraCrypt), etc.
Further, custom applications can be integrated with the MIRkey using a software development kit. This means that the MIRkey can be used to secure production lines, protect IoT server keys, sign software activations and assist with general key management. These keys are stored encrypted with master keys in tamper-proof silicon that can only be unlocked with the user password. Because it is a hardware device with no operating system, it safeguards your keys from theft or from being copied without your knowledge. It further protects your keys from ransomware, malware and viruses. Cryptographic operations are performed on the MIRkey itself and the keys never leave the secure module. This prevents access to the keys even when the system is compromised.
Robert Kellerman, Marketing consultant for ellipticSecure.
Robert Kellerman is an engineer who specialises in technical marketing. He loves his family, making music, hiking and surfing. He is a bit of a coffee fanatic and roasts his own beans. He lives in Somerset West, Cape Town.