One of the interesting developments in 2018 was the announcement by Yubico of their new Security Key (SK) – a hardware-based security key that can be used in place of passwords.
As you might have guessed from my previous post, I’m not a fan of passwords.
Disadvantages abound with password authentication. Sharing and recycling of passwords are two of the most obvious drawbacks, and both are magnified in today's Internet environment.
Enterprises should not rely solely on password authentication for users, and the future is most definitely going to involve more than the limited security passwords can provide. It could be argued that end-user domain logon, for instance, should always involve another factor.
The Security Key is based on FIDO2, an evolution of earlier efforts by Yubico working in collaboration with Google. FIDO is an authentication standard managed by the FIDO Alliance.
FIDO2 consists of the W3C Web Authentication (WebAuthn) specification together with a client-to-authenticator protocol (CTAP). Between them they let a browser or platform communicate directly with a hardware authenticator, which in this case is the SK.
FIDO avoids a number of problems commonly encountered with passwords. Apart from re-use issues, password authentication schemes have other drawbacks by design – a captured password can be replayed time and time again, and there is no inherent mechanism in password authentication to stop it. Passwords are also potentially vulnerable to interception in transit.
Both of these additional issues are addressed by the Yubico SK device. The SK is a hardware authenticator supporting passwordless authentication based on public key cryptography, and it can serve as a second factor or as part of multi-factor authentication as required.
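As an added illustration (not code from this post or from Yubico), the Go program below models the challenge-response that makes the SK replay-resistant: the relying party issues a fresh random challenge, the authenticator signs it together with the origin and its signature counter using a private key that never leaves the device, and the relying party verifies with the public key stored at registration. A captured assertion presented a second time fails the counter check, and one signed over a different challenge fails the match. Origin and challenge values are constructed, and clientData is simplified relative to WebAuthn's clientDataJSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Register models enrolment: a P-256 key pair; only the public half leaves the device.
func Register() *ecdsa.PrivateKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error ignored for brevity
	return priv
}

// signingInput mirrors WebAuthn: SHA-256(authData || SHA-256(clientData)),
// with clientData simplified to "origin|challenge" instead of clientDataJSON.
func signingInput(authData, clientData []byte) []byte {
	inner := sha256.Sum256(clientData)
	outer := sha256.Sum256(append(append([]byte{}, authData...), inner[:]...))
	return outer[:]
}

// Assert is the authenticator side: sign challenge, origin and the device's
// signature counter together (the counter travels in authData, as in WebAuthn).
func Assert(priv *ecdsa.PrivateKey, counter uint32, challenge []byte, origin string) (authData, clientData, sig []byte) {
	authData = make([]byte, 4)
	binary.BigEndian.PutUint32(authData, counter)
	clientData = []byte(origin + "|" + string(challenge))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, signingInput(authData, clientData)) // error ignored for brevity
	return
}

// Verify is the relying-party side: challenge and origin must match what it issued,
// the signature must verify under the registered key, and the counter must exceed *last.
func Verify(pub *ecdsa.PublicKey, last *uint32, challenge []byte, origin string, authData, clientData, sig []byte) error {
	if len(authData) < 4 || string(clientData) != origin+"|"+string(challenge) {
		return errors.New("challenge or origin mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signingInput(authData, clientData), sig) {
		return errors.New("signature does not verify")
	}
	if n := binary.BigEndian.Uint32(authData); n > *last {
		*last = n
		return nil
	}
	return errors.New("counter did not advance: replayed assertion or cloned key")
}
```

A real relying party would also check the RP ID hash and user-presence flag in authData and parse the challenge and origin out of clientDataJSON; the counter comparison shown is what catches a replayed or cloned assertion.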
As well as existing services such as Google accounts, the FIDO2 SK also supports Microsoft accounts on Windows 10. Enterprise users can integrate the SK via Windows Hello or, with keys that support the SP 800-73 PIV interface, as a smart card issued by a Windows CA.
What I particularly like about the Security Key is support for multiple standards from one device. That makes it a slightly different offering from traditional second-factor solutions such as PIV smart cards implemented through credential providers in Windows domain logon, while still being able to service LSA-governed PIV MFA in, I would argue, a better form factor.
It's an interesting time at the moment for end-user security, and solutions like Yubico's are likely to proliferate and grow as security awareness increases. It is worth a look, and given the price it is not difficult to try out – but remember to enrol more than one device and keep a backup in a secure location!