The password is not dead yet. You need a hardware key

In August, Internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching a number of technology companies. While some Cloudflare employees were fooled by the phishing messages, the attackers were unable to dig deeper into the company’s systems. That’s because, as part of Cloudflare’s security controls, each employee must use a physical security key to prove their identity when logging into any application. Weeks later, the company announced a partnership with hardware authentication token maker Yubikey to offer discounted keys to Cloudflare customers.

Cloudflare is not the only company betting on the protection that hardware tokens provide. Earlier this month, Apple announced hardware key support for Apple IDs, seven years after it first rolled out two-factor authentication for user accounts. And last week, the Vivaldi browser announced hardware key support for Android.

The protection is not new, and many major platforms and companies have for years supported the adoption of hardware keys and required employees to use them as Cloudflare did. But this latest surge in interest and implementation comes in response to a number of escalating digital threats.

“Physical authentication keys are some of the most effective methods today to protect against account takeover and phishing,” said Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “If you think of it as a hierarchy, physical tokens are more effective than authenticator apps, which are better than SMS verification, which are more effective than email verification.”

Hardware authentication is very secure because you have to physically possess the key and present it. This means that an online phisher can’t just trick someone into giving up their password, or even a password plus a second-factor code, to break into a digital account. You already know this intuitively, because it is the whole premise of door keys. Someone would need your key to unlock your front door, and if you lose your key, it’s usually not the end of the world, because someone who finds it won’t know which door it unlocks. For digital accounts, there are different types of hardware keys built on standards from a technical trade association known as the FIDO Alliance, including smart cards that carry a small circuit chip, tap cards or fobs that use near-field communication, and devices like Yubikeys that plug into a port on your device.
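To make the phishing-resistance point concrete, here is an added illustration (not code from the article, and not the FIDO Alliance’s own reference code): a toy relying-party check modelled on the FIDO2/WebAuthn login ceremony. The site (relying party) issues a fresh random challenge; the browser hands the hardware key the challenge together with the origin of the page the user is actually on; the key signs a structure that binds both. The relying party then refuses any response whose origin or RP-ID hash does not match its own, which is exactly why a lookalike login page cannot reuse what the key produced. Assumptions: the relying party is `example.com` (constructed), the challenge is hex-encoded rather than base64url as in the real spec, and an HMAC keyed with a per-credential secret stands in for the real authenticator’s private key and the public key the site stores at registration.

```python
"""Toy WebAuthn-style assertion verification (added example, not the article's code)."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# Constructed relying-party identity; a real deployment uses its own domain.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


@dataclass
class Credential:
    credential_id: bytes
    # Stand-in for the key pair: a real authenticator keeps a private key and the
    # relying party stores only the matching public key from registration.
    secret: bytes


def authenticator_sign(cred, rp_id_seen, challenge, origin_seen):
    """What the hardware key does at login.

    The browser, not the web page, supplies rp_id_seen and origin_seen from the
    page it is actually displaying, so the key cannot be talked into signing for
    a different site.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin_seen},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set) || signCount
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred.secret, signed, hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return client_data, auth_data, sig


def rp_verify(cred, expected_challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order a server should apply them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(cred.secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(cred):
    """User on the real site: every binding lines up."""
    challenge = os.urandom(32)
    cd, ad, sig = authenticator_sign(cred, RP_ID, challenge, RP_ORIGIN)
    return rp_verify(cred, challenge, cd, ad, sig)


def lookalike_site_login(cred):
    """User tricked onto a lookalike domain that forwards the real site's challenge.

    The key still answers, but the browser scopes the answer to the lookalike's
    origin, so the real site rejects it. This is the property the article credits
    for stopping the Cloudflare phishing attempt.
    """
    challenge = os.urandom(32)  # forwarded from the real site by the lookalike
    cd, ad, sig = authenticator_sign(cred, "example-login.net", challenge, "https://example-login.net")
    return rp_verify(cred, challenge, cd, ad, sig)


def replayed_assertion(cred):
    """A captured, genuine assertion presented against a later challenge."""
    old_challenge = os.urandom(32)
    cd, ad, sig = authenticator_sign(cred, RP_ID, old_challenge, RP_ORIGIN)
    fresh_challenge = os.urandom(32)
    return rp_verify(cred, fresh_challenge, cd, ad, sig)


if __name__ == "__main__":
    cred = Credential(credential_id=b"\x01" * 16, secret=b"constructed-per-credential-secret")
    print("legitimate:", legitimate_login(cred))
    print("lookalike: ", lookalike_site_login(cred))
    print("replay:    ", replayed_assertion(cred))
```

The ordering in `rp_verify` matters in practice: check the challenge before the origin so a stale response is reported as a replay rather than an origin error, and compare signatures with `hmac.compare_digest` to avoid timing leaks. Contrast this with a one-time code, which carries no origin at all, so the user types it into whichever page asked.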

You probably have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens, managing physical keys for all of them would be difficult. But for your most valuable accounts and those that are a backup for other logins—namely, your email—the security and phishing resistance of hardware keys can mean significant peace of mind.

Meanwhile, after years of work, the tech industry finally took big steps in 2022 toward a long-promised passwordless future. The move rides on a technology called “passkeys” that is also built on FIDO standards. Operating systems from Apple, Google and Microsoft now support the technology, and many other platforms, browsers and services have adopted it or are in the process of doing so. The aim is to make it easier for users to manage authentication for their digital accounts so that they do not fall back on insecure choices such as weak passwords. As much as you might want it, passwords aren’t going away anytime soon, thanks to their ubiquity. And amid all the buzz about passkeys, hardware tokens remain an important protection option.

“FIDO has placed passwords somewhere between passwords and hardware-based FIDO authentications, and I think that’s a fair characterization,” says Jim Fenton, an independent identity privacy and security consultant. “While passwords will likely be the right answer for many consumer applications, I believe hardware-based authentication will continue to have a role for higher-security applications, such as for employees at financial institutions. And more security-focused consumers should also have the option to use hardware-based authentication, especially if their data has been previously breached, if they have a high net worth, or if they’re just concerned about security.”

While it may feel daunting at first to add yet another best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you’ll get a ton of mileage just by using them on a pair of, ahem, key accounts.
