Use A Security Key for Multi-Factor Authentication

Using a physical device like a security key for multi-factor authentication will greatly enhance your security. See more on multi-factor authentication.

What is a security key and what does it do?

A security key is a small device that looks a lot like a USB flash drive. It is used in addition to your password on accounts that support it.

It can be used to protect access to computers, networks, and online services.

It’s extremely secure and durable. Many are manufactured to be tamper-resistant, water-resistant, and crush-resistant.

How to use a security key

To use your security key, you will first need to log in and configure your account(s) to use a security key.

Most services and online accounts have an option to enable this and will have instructions on how to do it. Below are some examples of services that support it:

  • Email (Google, Microsoft, Yahoo, Fastmail, etc…)
  • Social media (Facebook, Twitter, Instagram, YouTube, etc…)
  • Password managers (1Password, Bitwarden, LastPass, Dashlane, etc…)
  • Gaming (EA, Epic, Xbox, Nintendo, etc…)
  • Computer access (Windows, macOS, Linux)
  • Developer tools (Bitbucket, GitLab, Unity, etc…)
  • Cloud storage (Dropbox, Google Drive, OneDrive, etc…)
  • Cryptocurrency (Binance, Bitfinex, Kraken, etc…)

Once configured, you simply do one or more of the following actions:

  • Plug it into a USB port
  • Hold it near your phone with NFC
  • Connect it with Bluetooth
  • Touch the fingerprint sensor

Security Specifications

Your online accounts and services will support a variety of authentication standards.

FIDO is based on free and open standards from the FIDO Alliance and is the industry standard for security keys.

FIDO2

FIDO2 comprises the W3C Web Authentication specification and the corresponding Client-to-Authenticator Protocols (CTAP). It supports passwordless, second-factor, and multi-factor authentication, along with various combinations with external authenticators.
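The following is an added example, not code from this article or from any vendor named in it. It shows the non-cryptographic checks a website performs on a Web Authentication login response, including the origin check that causes a response produced on a look-alike site to be rejected. RP_ID, EXPECTED_ORIGIN, the function names and the sample data are assumptions constructed for illustration.

```python
import base64, hashlib, json, struct

# Assumed relying-party settings (hypothetical values for this example).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

def b64url(data: bytes) -> str:
    """WebAuthn carries the challenge as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, auth_data, challenge, stored_count):
    """Return the names of failed checks; an empty list means all passed.

    Verifying the signature over auth_data || SHA-256(client_data_json) with
    the registered public key is also required; it is omitted here because
    it needs a crypto library.
    """
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != b64url(challenge):   # blocks replay
        errors.append("challenge")
    if client.get("origin") != EXPECTED_ORIGIN:        # blocks phishing sites
        errors.append("origin")
    if len(auth_data) < 37:
        return errors + ["authData length"]
    # Authenticator data: 32-byte RP ID hash, 1 flag byte, 4-byte counter.
    rp_id_hash, flags, count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")
    if not flags & 0x01:                               # user-present bit
        errors.append("userPresent")
    if (count or stored_count) and count <= stored_count:  # possible clone
        errors.append("counter")
    return errors

def sample(origin, rp_id, challenge, count):
    """Constructed sample data in the shape a browser returns."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", count)
    return client, auth

if __name__ == "__main__":
    chal = b"\x01" * 32  # fixed for the demo; a server uses fresh random bytes
    print(check_assertion(*sample("https://example.com", "example.com", chal, 6), chal, 5))
    print(check_assertion(*sample("https://login.example.net", "login.example.net", chal, 6), chal, 5))
```

The browser, not the page, writes the origin into the signed client data, so a site on another domain cannot produce a response that passes these checks.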

FIDO UAF

Allows for a passwordless experience. Examples of this authentication mechanism include swiping a finger, looking at a camera, speaking into the mic, or entering a PIN. It also allows for combining multiple authentication mechanisms, such as fingerprint + PIN.

FIDO U2F

Allows for a second-factor experience. You log in with your username and password. Then the service can prompt you to present the second-factor device (the security key). Since the security key is a strong second factor, the service can simplify its password (e.g. 4-digit PIN) without compromising security.

More details on the specifications can be found on the FIDO Alliance site.

Brands / Models

Yubico

YubiKey 5 Series works with the most web services and includes feature-rich security keys that prevent account takeovers and offer one-tap login. They come in USB-A, USB-C, Lightning keychain, and nano form factors.

Security Key NFC is a budget-friendly option, but it supports fewer security functions.

YubiKey FIPS complies with FIPS 140-2 validation. It is mainly for government agencies that need to meet the highest authenticator assurance level 3 (AAL3) requirements from the new NIST SP800-63B guidance.

Feitian

ePass FIDO security keys come in a variety of interfaces and offer customization options for casing, packaging, and related services, so you can create your very own ePass FIDO security key.

MultiPass FIDO is the next generation FIDO U2F security key, supporting USB, NFC and BLE communications.

BioPass FIDO2 is Feitian’s biometric security key that uses your fingerprint to authenticate you.

Google

Titan Security Key is Google’s version of the Feitian MultiPass FIDO. It uses the same hardware, but has Google firmware.

Thetis

U2F Keys come in two options (BLE U2F & FIDO U2F).

FIDO2 Keys come in three options (FIDO2, FIDO2 BLE, FIDO2 Fingerprint).

Conclusion

If you want to protect against malicious websites that try to steal login credentials or just prevent anyone from using your account, use two-factor authentication with a security key. This additional layer makes it practically impossible for anyone but you to log in.

I recommend the YubiKey 5 Series, as it supports the most security specifications and is the most durable.
