Security keys
Hardware security keys are a strong second factor for authentication.
What is a security key?
- A second authentication factor embedded in a physical object
Why "hard" (physical) keys are better:
- When properly implemented, the "secret" key material is stored in a way that cannot be stolen without physical access to the device
- It is usually difficult to steal a key and extract its secrets without noticeable absence and/or visible physical damage
- When implemented as U2F/WebAuthn, very resistant to being phished!
- When they're not actively being used, they're out of reach of software attacks - they have to pick your pocket instead
Why using them is not as bad as you might fear:
- You're not usually prompted to insert them very often
- They're similar to a house or car key, so while you need to make sure you don't lose them, you already know how to do this
- Once you've authenticated with your key, you can remove it - no need to leave it in (unless that is convenient)
Multiple kinds of security keys:
Multiple physical interfaces supported:
- NFC - likely de-facto emerging standard for mobile
- USB-C - likely de-facto emerging standard for desktop/laptop
- USB-A - classic / universal, but being replaced by USB-C
- Apple Lightning - being phased out now that Apple's newer iPhones use USB-C
- Bluetooth - still available, but likely to be supplanted by NFC
Multiple authentication protocols supported:
- Yubikey OTP - proprietary, but works on any device that accepts a USB "keyboard" (the key types the one-time password); sometimes the only protocol a platform supports
- U2F - Universal Second Factor (an early standard, being replaced by WebAuthn)
- WebAuthn/FIDO2 - the more full-featured, standards-based successor to U2F (FIDO2 is the WebAuthn browser API plus the CTAP2 key protocol; FIDO2 keys still answer U2F/CTAP1 requests, so existing U2F registrations keep working)
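Why U2F/WebAuthn is phishing-resistant comes down to two values the browser, not the web page, puts into every assertion: the origin it is really on (in clientDataJSON) and the hash of the rpId it derived from that origin (in the authenticator data). The key signs over both, and the site checks both before trusting the signature. The Go program below is an added example, not code from this page or from any key vendor; it models the browser-plus-key side and the site's verification, then runs an honest login and a look-alike-domain phishing attempt against the same key. The domains, the challenge string and all function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the CollectedClientData fields the relying party (RP) checks.
// The browser, not the page's JavaScript, fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the RP gets back from navigator.credentials.get().
type assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// authenticatorData builds the fixed 37-byte prefix of WebAuthn authenticator
// data: SHA-256(rpId) || flags || big-endian 32-bit signature counter.
func authenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append([]byte{}, h[:]...)
	out = append(out, 0x01) // UP flag: the user touched the key
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(out, c[:]...)
}

// signedMessage is what the key signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// browserAndKeySign models the browser plus security key. The browser derives
// rpId and origin from the page the user is actually on; the key then signs.
func browserAndKeySign(priv *ecdsa.PrivateKey, origin, rpID, challenge string, counter uint32) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	ad := authenticatorData(rpID, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: ad, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the RP-side check, simplified from WebAuthn section 7.2.
// It returns the new signature counter to store on success.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string, lastCounter uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	if cd.Challenge != challenge {
		return 0, errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return 0, fmt.Errorf("origin %q is not %q: phishing page?", cd.Origin, origin)
	}
	if len(a.AuthData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return 0, errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if a.AuthData[32]&0x01 == 0 {
		return 0, errors.New("user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter != 0 && counter <= lastCounter {
		return 0, errors.New("signature counter did not increase: cloned key?")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("bad signature")
	}
	return counter, nil
}

// demo runs one honest login and one phishing attempt against the same key and
// reports whether each verified. The domains and challenge are constructed.
func demo() (honestOK, phishOK bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, origin, challenge = "example.com", "https://example.com", "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"
	honest, _ := browserAndKeySign(priv, origin, rpID, challenge, 1)
	_, err := verifyAssertion(&priv.PublicKey, honest, rpID, origin, challenge, 0)
	honestOK = err == nil
	// Phishing: the victim is on examp1e.com, which relays example.com's real challenge.
	// The browser still records the real origin and scopes rpId to examp1e.com, so even
	// if the key signed, the RP rejects it. (A real browser would not even offer the
	// example.com credential there, because credentials are bound to their rpId.)
	phish, _ := browserAndKeySign(priv, "https://examp1e.com", "examp1e.com", challenge, 2)
	_, err = verifyAssertion(&priv.PublicKey, phish, rpID, origin, challenge, 1)
	phishOK = err == nil
	return
}

func main() {
	h, p := demo()
	fmt.Printf("honest login verified: %v, phished assertion verified: %v\n", h, p)
}
```

The signature counter check is the same mechanism sites use to notice a cloned key: a genuine key's counter only goes up, so an assertion whose counter did not increase is rejected. Nothing in this flow depends on the user noticing the look-alike domain, which is the practical difference from OTP codes that can be relayed.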
Tips for managing your security keys:
- Inventory management
- Treat one as a "daily driver"
- "Cross-register" another with a partner or friend - just like a spare car/house key
- Keep a third in a safe, secured location (so that you still have two if you lose one)
- If you lose one, get a replacement, register it, and then de-register the lost one
- When registering a key, give it a meaningful name
- For some "un"-due diligence, track which keys are used with which services
- When supported, use your mobile phone as security key!
- Some platforms (Google, etc.) allow you to create an "app password" for legacy apps (such as some mail clients, etc.) that don't support 2FA. An app password bypasses your security key entirely, so treat it as a long-lived secret: create one per app, and revoke it as soon as the app is retired
- PINs:
- If a platform requires a WebAuthn PIN, that PIN is set key-wide, not per-site
- If you forget your key's PIN, you can reset it, but a FIDO2 reset wipes the key's credentials, so every site it was registered with will have to be re-registered (have your spare key handy first)
- YubiKey PINs can be reset with the YubiKey Manager (the command-line equivalent is `ykman fido reset`, which performs the same credential-wiping reset)
Popular supported services:
Manufacturers and brands
- Akisec
- Aktiv
- Authentikey
- Authentrend
- BENSS
- Bluink
- Century Longmai
- Chipnet
- Coinvest
- Cryptotrust
- Deepnet
- Digiflak
- Digital Bitbox
- Ensurity
- ExcelSecu
- Feitian (often rebranded by others)
- Goldkey
- Google
- HID
- Hideez
- Hushio
- HyperSecu
- Idenos
- Infineon
- Inverse Path
- Jacarta
- Keepkey
- Kensington Verimark
- Key-ID
- Keywallet
- Ledger
- MIRkey
- Neowave
- Octatco
- One Key
- OnlyKey
- Opendime
- Oseid
- Plug-Up
- QKey
- SafeKey
- Secalot
- Solo
- SurepassID
- Symantec
- Teensy
- Thetis
- Token2
- Tomu
- Trezor
- TrustKey (formerly eWBM)
- U2F Zero
- Umikey
- Vancosys
- WWPass
- WatchKey Fido
- Yubico
- eWBM (now TrustKey)
Other references