
Why you should consider using a security key

Written by Zero Trust | Sep 6, 2022 12:49:00 PM

Sometimes it can feel almost impossible to keep your information private. When using the internet, you never know how safe you really are when downloading something - you’re seemingly just one click away from downloading or accessing something you think is safe, only to find that your private information has been compromised.  

So, how can you keep your data secure in case you ever find yourself in this situation? Well, using a security key is a great solution.  

What is a security key?  

 

By this point, you might think that a security key is only for people who take their security too seriously or are up to date on the latest tech and gadgets - but that’s not the case. While the design of it might be complex, using it for yourself is very simple.  

A security key is a physical object you can take wherever you go that can keep your data locked away from others, just like the key that locks your house when you’re heading out.  

The easiest way to imagine its function is to consider it as an actual key but in USB form. The device has security built in, so it can uniquely identify itself – and therefore prove that you and only you have possession of it. This means that when you connect to online systems, you can verify yourself, not just with something you know, like a password or pin, but also with the key because only you have it. So, it works the same as a real key.  

Security keys don’t always look like physical keys though. They don’t even come in USB format all the time. Sometimes the key can be a simple near-field communication (NFC) tag – i.e. more like an employee ID card or a credit card. This form factor typically makes it more portable and useful. Your USB key may even have an NFC tag included, giving you the best of both worlds.  

Likewise, some keys also support Bluetooth, so that they can uniquely identify themselves to other devices over Bluetooth.  

Know the difference  

If you’re unfamiliar with the flaws of other security formats, you may not see the point in investing in a security key and making your security process more complicated. So, let’s go through them:  

Weak passwords  

If you aren’t taking password security seriously, it’s time you started. Keeping your business information secure should be one of your top priorities. Having weak passwords leaves you completely vulnerable. A weak password is a short password – regardless of whether it looks complicated to type.  

Multi-factor authentication (MFA)  

If you’ve never used MFA before, it’s a system that requires more than just something you know (a pin or password) to access an account. When verifying your identity, you’ll need to give your password and a follow-up proof of who you are. This can come in many forms, and you can set it up so that your MFA relays to your phone or email. While this may work in most cases, more sensitive data could still be safer with a security key.  

Security keys  

Like traditional MFA where you enter a one-time pin/password that’s sent to you, using a security key as a means of verifying your identity also works by sending a one-time unique string of (seemingly random) characters to the application or device you are authenticating to. 

The difference is that:  

  1. With a key, you often don’t need to type the one-time pin, so it is faster and the pin can be a lot longer (and longer means more secure).  

  2. The one-time password is not sent to you but computed on the key itself, meaning that an attacker cannot intercept it the way they could a code sent to you via SMS or email, or through a network-based attack. Likewise, it’s nearly impossible for a remote attacker to compromise the key itself, since it runs tamper-resistant firmware rather than being a phone or computer, which are vulnerable to malware. 

  3. You can’t get bombarded with push notifications on your phone. This is a relatively new strategy attackers are using (with lots of success) against one-time access requests that are pushed to an app on your phone. The idea is to send so many push notifications to your phone that at some point you click ‘yes’ just to get rid of them - even though you may know the request didn’t come from you. 
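To make point 2 concrete, here is an added example (not from the original article) of a one-time code computed on the key and checked by the service without ever being sent to the user. It assumes the key uses HOTP (RFC 4226), one standard scheme for this; the article does not name a scheme, and the `Key` and `Verifier` classes are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Key:
    """The token: secret and counter never leave it, only the code does."""
    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1                       # every press burns one counter value
        return code

class Verifier:
    """The service: accepts a code once, tolerating a few unused presses."""
    def __init__(self, secret: bytes, window: int = 5):
        self._secret, self._next, self._window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self._window + 1):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next = c + 1               # older codes are now dead (no replay)
                return True
        return False

def demo() -> list:
    secret = b"12345678901234567890"             # constructed: the RFC 4226 test secret
    key, server = Key(secret), Verifier(secret)
    first = key.press()
    results = [server.verify(first), server.verify(first)]   # login, then replay
    stale = key.press()                          # pressed but never submitted
    key.press()
    results.append(server.verify(key.press()))   # key is ahead, still inside window
    results.append(server.verify(stale))         # skipped code can no longer be used
    return results

if __name__ == "__main__":
    print(demo())
```
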

As you can always keep the key on a keyring and safely carry it with you, this is one of the most secure forms of authentication. Even if you lose the key – the person who finds it is likely not an attacker. And even if they are, the chances are that they wouldn’t know which account it unlocks. But if this is something you are worried about, you can also get security keys with built-in fingerprint readers now.  

The main disadvantage  

Whilst security keys have many advantages, there is one major issue with using them. Once you’ve set them up to be used to access all your accounts, you cannot afford to lose them. Misplacing or damaging your key can prevent you from being able to access those accounts easily - and if set up that way, you may not be able to gain access again without the key.  

This, however, is not a hard problem to solve. Most systems allow you or force you to keep a copy of the “recovery codes” when you set up a security key. These are long strings of one-time codes that you should write down on paper and keep in a secure physical location, so you know where they are in case you lose your security key. Inputting a recovery code will allow you to access the account again, and disable the security keys. For this reason they should be stored offline. 
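The recovery-code flow described above, sketched from the service's side as an added example (not from the original article): codes are generated randomly, only their hashes are kept, each works once, and redeeming one disables the registered keys. The `Account` class, code length and alphabet are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"    # no 0/O or 1/I: easier to copy from paper

def generate_recovery_codes(count: int = 10, length: int = 16) -> list:
    """Random codes from the OS CSPRNG, grouped in fours for writing down."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append("-".join(raw[i:i + 4] for i in range(0, length, 4)))
    return codes

def _digest(code: str) -> bytes:
    # Normalise what the user typed, then hash. Each code carries 80 random bits
    # (16 symbols x 5 bits), so a fast hash is acceptable here, unlike for passwords.
    cleaned = code.replace("-", "").replace(" ", "").upper()
    return hashlib.sha256(cleaned.encode()).digest()

class Account:
    """Hypothetical account record: stores hashes only, never the codes."""
    def __init__(self, codes, security_keys):
        self.recovery_hashes = [_digest(c) for c in codes]
        self.security_keys = list(security_keys)

    def redeem(self, typed: str) -> bool:
        candidate = _digest(typed)
        for stored in self.recovery_hashes:
            if hmac.compare_digest(stored, candidate):
                self.recovery_hashes.remove(stored)   # one-time: a used code is gone
                self.security_keys.clear()            # lost key no longer opens the account
                return True
        return False

if __name__ == "__main__":
    codes = generate_recovery_codes()
    account = Account(codes, ["usb-key", "nfc-key"])  # constructed key names
    print(codes[0], account.redeem(codes[0]), account.redeem(codes[0]))
```
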

Another way to solve this problem is the same way you do for your house keys - set up multiple security keys! 

Once set up, security keys are typically: 

  • More secure 
  • Faster 
  • Convenient 

Contact us today if you need to learn more about using security keys or if you want to buy some to better protect your business’ accounts.