PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files.
The reader
is available for free
download.

Physical Security Keys

by Michael Gariffo

Copyright 2021, Faulkner Information Services. All Rights Reserved.

Docid: 00018003

Publication Date: 2111

Report Type: TUTORIAL

Preview

Both businesses and private citizens are under constant assault from hackers,
criminals, and nefarious parties that seek to invade users’ privacy by gaining
unauthorized access to their accounts. End users and service providers have
to constantly up their game in order to prevent these incursions. One of the
most effective methods employed today is two-factor authentication, a
technique that requires a second passcode of some kind in addition to the
user’s normal password in order to gain access to an account. These
single-use codes can be delivered in multiple ways, including via email and text
message, but they can also be handled, or replaced entirely, by a relatively new
piece of equipment: the physical security key. These devices take the job of handling the
second factor in a two-factor authentication. Methods can vary depending on the type of key
used, but the purpose remains the same – adding the requirement that the user and
their physical security key be present during any attempt to access a secured
account or device. This report details how physical security keys function, the
most common types, and the strengths and weaknesses of this security
method as a whole.

Report Contents:

• Executive Summary
• Description
• Physical Security Key Types
• Outlook
• References
• Related Reports

Executive Summary

[return to top
of this report]

Physical security keys are designed to provide an extra layer of security
over the typical username/password combination that is used to secure nearly
everything in the average person’s online and at-home electronic life. While a
strong password remains paramount, it has become increasingly popular for users
to add a secondary security measure to any account or device that they wish to remain
private. The most common method of accomplishing this is with some form of
two-factor authentication. The first factor is the user’s
password; the second varies from instance to instance. This is where
physical security keys and other technologies come into play.

Most two-factor authentication systems currently in use rely on some form of
single-use passcode that can be generated on-demand each time the
user wishes to sign in to an online service or Web site, or to unlock a device.
This passcode can be obtained through a variety of methods, including email,
text message, or over the phone. However, there is yet another way for the code
to be generated: via
a security token. These tokens typically come in the form of a small,
keychain-sized device with a one-line display and a button. The button can be
pressed to generate a single-use code on the token’s display. It is then up to
the user to input this code into the two-factor authentication field on their
service or device of choice, gaining them access.

This method of adding security to one’s accounts or devices has been
successfully employed for many years by organizations such as high-powered banks to
online gaming companies. However, the need to manually enter an often very long
string of letters and numbers (in addition to already having entered the first
security factor of username and password), makes for a somewhat arduous sign-in process. To this end,
physical security keys have evolved to incorporate and adapt other
technologies. Keys now exist that only
need to be plugged into a USB slot in order to unlock a device. For users
wishing to prevent simple theft from being a factor, some also require
biometric verification of the user’s presence, making it theoretically
impossible for malicious parties to access the user’s property without their
knowledge and consent.

Ultimately, no security technology is perfect. However, physical security
keys add a requirement for the physical presence of an object that cannot be
circumvented by a bad actor situated in another part of the globe. This
requirement narrows the field of possible malicious parties that can pose a
threat, offering protections that a password and IP or
telecom-based two-factor authentication scheme cannot match. This is not to say
that physical security keys are superior to those methods of two-factor
authentication, but simply to illustrate that both methods have their own
inherent strengths and weaknesses that make them ideal
depending on specific circumstances.

Description

[return to top
of this report]

Physical security keys are designed to provide a secondary security measure
for an online or local account, or for an electronic device. This secondary
security method often works together with an existing or
custom-designed two-factor authentication system, taking the place of the text
or email-based code generation process that has become a familiar part of
logging into many accounts in our day-to-day lives. However, unlike these
systems, physical security keys must always be physically present at the time of
sign-in, adding another obstacle for would-be thieves and hackers to circumvent
before they can gain unauthorized access.

This new form of protection generally comes in one of two formats: a digital
token device that is capable of remotely producing a secondary passcode required
for each sign in, which must be manually entered by the user; or a connected key
device that is actually plugged into, connected to, or wirelessly scanned by
either the device the user is attempting to access or is
employing to visit the Web site/app/service her or she wishes to use. The latter
form can also provide a tertiary security measure in the form of biometric
verification of the user’s identity.

The reliance on a physical object to gain access to a digital device or
service may seem like a strange concept. After all, username and password
systems have been fairly successful at doing their jobs for the 30+ years they
have been in use on computer systems and online. Similarly, it must be said that
physical security keys come with their own inherent flaws, such as providing
another physical object a user may need to add to his or her "everyday carry,"
while also providing the potential threat of locking a user out of an account or
device if it becomes lost or stolen. However, as mentioned above, no security
system is without its drawbacks. By its nature, added security tends to come at
the cost of convenience. After all, the most convenient way to access any
digital asset is simply a single button press. But, one does not need to be a cybersecurity expert to know that such easy-access devices and services smell
like ambrosia to thieves and hackers looking to steal an innocent user’s
financial information.

Physical security keys provide another, different way for users to trade some
of that aforementioned convenience for a little more protection. While they may
not be the ideal solution in all scenarios, they can be a most well-suited option
to narrow the field of potential threats to those who can physically access their present location.

Physical Security Key Types

[return to top
of this report]

This section will describe the most common types of physical security keys in
use today, with the best applications for each, as well as the pros and cons of
each design.

Figure 1. A RSA SecurID Hardware Token

Source: RSA

Disconnected Security Tokens- This type of physical security
key relies on the "time-synchronous" generation of a single-use passcode to
allow entry via inputting that code into a service or device as a two-factor
authentication method.¹ This technology does not rely on any form of
physical or wireless connectivity between the hardware token and the user’s
other devices. Instead, it uses a time-sensitive set of algorithms to generate a
unique code that will allow the user access to the device or service in question
during a very short window of time, typically between 30 seconds and one minute.
Once a key is registered to the user’s account, typically via a unique
identification number, it is then locked to the account until the user or issuer
replaces or removes the key, meaning it is required for all subsequent attempts
to access the device or account in question. The simplicity of this system and
its reliance on a basic timer mechanism allows the hardware tokens like the
one seen above to be produced cheaply, with only a very simple LCD display,
logic board, and button-cell battery typically required. Tokens can either
display the correct passcode for the given moment on a constant, rotating basis,
or can be designed to display a code only when a button is pressed.

While the actual generation and user-powered entry of the generated code
relies on a similar scenario as something like the Google Authenticator app or
Apple’s two-factor authentication for iCloud, it does so in a very different and
important way: an air-gapped, time-based mechanism. Where a user’s Google
Authenticator or Apple account can be breached remotely via a combination of
device cloning, social engineering hacks, or data breaches, the only way for a
malicious party to obtain the necessary time-sensitive codes in a disconnected
security token is by physically
stealing the device. While this is, of course, entirely
possible, it reduces the number of possible threats to the relative handful that physically
surround the user at any given moment and are willing to steal from them. Narrowing the pool of potential threats is one of the best forms of
risk mitigation a user can hope to accomplish, even if it still leaves an avenue
for thieves to employ.

• Pros
  • Simple – These keychain-sized devices are barely any more advanced
    that the digital watches dispensed by gumball machines for children.
    Their simplicity allows them to be cheaply produced and issued, with
    relatively little downside from being lost or needing to be replaced,
    as long as the account they are connected to is promptly updated to use
    the replacement token. Along similar lines, the lack of a need for a
    physical or wireless connection removes another vector of possible
    failure from the usage scenario, requiring only that the user knows how
    to type in a string of number of characters as its difficulty ceiling.
  • Consistency – Devices of this type should always work. As long as
    the number or passcode displayed on the token’s built-in screen is
    entered correctly, the two-factor authentication process should succeed
    and the user should gain entry. The same cannot always be said of the
    connected key types that will be covered below. These devices can be
    impacted by everything from pocket lint to wireless signal interference,
    potentially derailing the user’s ability to sign in to their account
    and requiring costly and time-consuming intervention by IT personnel.
• Cons
  • Inconvenience – One of the main reasons people continue to
    secure their front door with a simple, physical key, despite the variety of
    more high-tech options available, is the fact that it is easy to use.
    Insert key, turn, gain entry … that’s it. Some forms of physical
    security keys for digital devices are designed to provide an equal level
    of simplicity, requiring only that they be plugged into a USB port or
    held near the device to function. This type, however, requires the user
    to enter an often lengthy string of numbers or characters manually
    every time they sign in. The inconvenience is not only an
    annoyance for the user, but may ultimately lead to the user abandoning
    the two-factor authentication provided by the disconnected security
    token due to irritation with the extra time required to gain entry into
    an account or device.
  • Dead Batteries – Where some forms of connected physical security
    keys can rely on the device they are being connected to for their energy
    needs, disconnected security tokens must provide their own power. This
    typically comes in the form of the type of button-cell battery typically
    found in wristwatches. While the extremely low power consumption levels
    needed by these simple tokens often allows these batteries to last
    multiple years, there will eventually come a time when that battery
    needs to be replaced. Some tokens allow for this while others are
    factory sealed, requiring the entire token to be replaced. Either
    scenario is, of course, doable. But, both scenarios mean that, at least
    for a time, the user will be locked out of their account or device until
    a new battery or token is secured. If this comes at just the wrong
    moment, it could lead to massive problems for the user.
  • Theft – This is an issue, to varying
    degrees, for all the physical security key types
    discussed. While some other forms of security key can mitigate this
    weakness, disconnected hardware tokens have
    essentially no protection against being stolen and used by an
    unauthorized third party. If a user’s disconnected hardware token does
    make its way into the hands of a bad actor, they can disconnect and
    replace the token. However, until that remediation task is complete, the
    user’s account or device is essentially back to being protected by only
    a simple password. If the hacker in question has access to that as well,
    then the user’s private data is, unfortunately, an open book.
  • Parity with App-Based Solutions – While devices below that
    electronically connect to the user's PC or external digital device can
    directly serve as a digital key for the device in question, disconnected
    physical security tokens require the user to manually input the
    passcodes they generate. This means that they really offer nothing over
    and above an app-based approach to tokenization, such as the one used by
    the Google Authenticator app. While there are certain situations where a
    user may be unable to have their smartphone with them, while still
    requiring access to a security toke, the specificity of such scenarios
    definitely limit the overall superiority of disconnected physical
    security keys when compared to direct alternatives.
• Applications
  • Banks – Hardware tokens, including the one seen above, have been
    used and issued by banks around the world as an extra layer of
    security for users to access their financial accounts.
  • Online Gaming – Although it has since switched to an app-based
    solution, online gaming company Blizzard previously sold the Blizzard
    Authenticator, a keyfob similar to the one seen above which provided a
    single-use code whenever a button was pressed.² The device
    was created to instill an additional layer of protection against the
    rampant theft of accounts and digital items that was being perpetrated
    in Blizzard titles such as World of Warcraft and the Diablo series.
  • Others – Tokens of this type can also be used with physical keypads,
    digital devices, and other material electronics that require single-use
    entry restrictions.

  Figure 2. A Yubico Yubikey 5 Nano

  

Source: Yubico

Simple Connected Security Tokens – This category of physical
security key refers to the type that needs to be plugged into a given device in
order to unlock that device, or to access an account of service that it is being
signed into via that device. By far, the most common type of key in this
category uses a USB connection to complete its task. This could be the
well-known USB-A type connector, as seen above, or the newer USB-C type that
fits most newer PC and tablet devices as well as many brands and models of
smartphone. Unlike disconnected hardware tokens, these keys can
simply be plugged in for the device or account in question to unlock, making
them much like the mechanical keys most people use to secure their homes. While
there are proprietary interfaces used by some manufacturers, one of the most dominant protocols
– and the closest thing this product
category has to an industry standard – is the Universal 2nd Factor (U2F) standard
managed by the FIDO Alliance.³ The FIDO Alliance was founded in 2013
as an open industry association tasked with creating and maintaining
interoperable authentication standards.⁴ It currently manages the U2F
standard, which was original developed in collaboration with Google and Yubico
as an interoperable two-factor authentication standard for use with physical
security keys of various types.⁵ Regardless of the standard the key
in question uses, this method of providing additional security is so simplistic
that keys can be designed to be almost no larger than the USB port they are
intended to connect to. This makes it entirely possible to install the key in a
laptop or tablet and leave it in place for as long as the device is in use,
without being obtrusive. When the user’s work is done, they can simply remove
the diminutive key, locking the device.

• Pros
  • Simple – Like the disconnected hardware tokens covered above, this
    type of security key is also simple, but is a different way. It uses
    what is essentially a secondary passcode that is unique to the
    key, transmitting this passcode to the device it is connected to. This level of simplicity allows the key to be as
    tiny as the one seen above and made relatively cheaply. Similarly, it
    requires no more interaction than plugging in a thumb drive.
  • Discrete – As suggested in the description above, this type of key is often small enough to be left in
    the USB port of a device for the long term. Not only does this make it
    easier to slide the device into a bag or case, but it makes it less
    obvious to potential thieves and hackers.
  • Flexibility – The ability for this type of key to use USB-A, USB-C,
    or even something as unusual as a 3.5mm audio port to transmit its
    security code allows it to be designed to slot into a wide variety of
    devices, including desktops, laptops, tablets, and
    even smartphones.
• Cons
  • Simple – At the risk of sounding contradictory, the device’s
    simplicity is also its greatest potential weakness. Unlike the
    keys that will be covered below, the simple connected security
    token only requires that it be plugged in to function. Meaning, should a
    hacker get their hands on the key and associated password, the user’s
    privacy is effectively breached. Of course, this can be mitigated by a
    careful individual never letting the key out of their site, but theft
    and loss remain an ever-possible disaster, even for the most careful and
    security-minded individual.
  • Easy to Lose – This is a particularly problematic issue given the
    previous point. If lost or stolen, its ability to protect
    the user is gone. Unfortunately, the ever-decreasing size of simple keys
    makes losing them an ever-more likely possibility.
    Manufacturers have come up with several solutions, including slip cases
    for the user’s keychain and digital leashes. But the fact remains that
    the smaller something is, the more likely it is that it will be
    misplaced.
• Applications
  • Hardware key – As mentioned above, these keys and their often tiny
    designs make them ideal for installing in a laptop or tablet device and
    leaving them installed until the user specifically wishes to secure that
    device by removing the key. While these keys can use software to unlock
    user accounts and apps just as easily, their most common purpose is
    serving as a hardware-based locking mechanism for an entire device.

Figure 3. A Kensington Verimark Fingerprint Key

Source: Kensington

Complex Connected Security Tokens – These physical security
keys provide the same security measures as their simple brethren while
adding a tertiary obstacle that a hacker would need to overcome in
order to access the user’s device or account. One of the most common of these
additional security measures is a biometric verification such as the
fingerprint reader built into the example seen above. Plugging this type of
device into a system is not enough to unlock the device or account in question.
Instead, the user must also scan their fingerprint in order to prove that the
authorized owner of that device or account is truly the one attempting
to unlock it. This extra layer of security makes it nearly impossible for a
malicious third party to access the user’s device or account without their
knowledge, as they would theoretically need to be physically present in order for the unlocking process to be successful. Similar keys that
also fall into this category, and are closely related to the final category
below, also exist. These devices eschew biometrics in favor of wireless
communications as a tertiary security method. By verifying the nearby presence
of the user’s smartphone, tablet, or even smartwatch, these keys can also do the
job of providing an additional way to ensure the authorized user is actually
present at the time of unlock, typically through the use of NFC (Near Field
Communication) or Bluetooth technology.

• Pros
  • Redundant Security – Whether using biometric verification or a
    wireless signal, complex security keys provide one of the
    highest levels of security a physical key can offer by making the user’s
    physical presence an actual requirement for a successful unlock.
    Although these keys can be stolen or lost as easily as their
    simple counterparts, they become useless without the user’s biometric
    signature of connected wireless device, making their theft significantly
    less appealing for would-be hackers and thieves.
  • Flexibility – Security keys of this type can be designed to rely on
    multiple protocols for maximum flexibility. A single key can provide the
    option to use multiple tertiary unlock verification factors. This means
    that, even if the user forgot his or her smartphone, they can still
    provide a tertiary verification by fingerprint, preventing the user from
    being locked out due to an unfortunate oversight.
• Cons
  • Potential Technical Issues – As anyone who gives the topic a bit of
    thought should be able to predict, the more complex a security measure
    becomes, the more likely it is to accidentally lock out its authorized
    user instead of an actual criminal. This is true of everything from
    complex passwords to these highly technical devices. As biometrics and
    the need for a second device to be present are added to the scenario,
    the number of possible failure points expands. Everything
    from greasy fingers to wireless interference to a dead smartphone
    battery could lock the user out of a device.
  • Possible Circumvention – While complex physical security tokens are
    more secure than their simple counterparts, they are by no means
    impenetrable. The relatively simple fingerprint scanners included in
    them can be fooled by many of the same methods that higher-end scanners
    can fall victim to, while companion smartphones can be stolen and used
    to achieve the necessary NFC or Bluetooth
    factor required for an unlock. The additional complexity of the unlock
    process in use here makes it a less likely scenario, but it is nonetheless possible.
• Applications
  • Hardware Key – Like their simple cousins, complex connected security
    tokens can serve a user well as a hardware key, providing all of the
    same benefits while also adding the secondary security of a biometric
    scanner or Bluetooth/NFC security factor.
  • One Key, Multiple Users – The presence of a biometric or NFC/Bluetooth
    factor means that a single key can be programmed to provide access to
    multiple users. While this would mean that the key in question would
    need to be left connected, it could be without much fear that its
    presence would eliminate a system’s security thanks to continued
    requirement for a secondary factor.

  Figure 4. A FEITIAN MultiPass K16 Security Key

  

Source: FEITIAN

Contactless Tokens – Contactless tokens take the NFC or
Bluetooth based aspects of complex connected security tokens and make it the sole connection method. While they provide a form of connection with the system being unlocked, that connection is
purely electronic with no physical requirement involved aside from a proximity
of several feet. Aside from this difference in the method of connecting to the
user’s system, their behavior is essentially identical to the USB-based keys
mentioned above, providing successful unlocks simply by being present on the
user’s person.

• Pros
  •  Ease of Connection – Where the USB-based solutions require users to plug their physical security keys into the
    notoriously tricky USB ports found on their devices, this type of token
    only requires the user to be within range of the system. This also makes
    it possible for the contactless token to unlock systems that are
    difficult or impossible to physically access, such as a desktop computer
    tucked away under a desk or secured in a cabinet.
  • Flexibility – With no requirement for a physical connector, these
    tokens generally provide a method of connection that is supported by
    almost every electronic device a user owns. Bluetooth is a nearly
    ubiquitous protocol today, with full support found in everything from
    desktops to laptops to smartphones and tablets to smart TVs. Any and
    all of these devices can now use a physical
    security key thanks to the introduction of contactless tokens.
  • Two-Way Connectivity – This pro goes a long way towards potentially
    eliminating the risk of loss or theft of the user’s security token.
    Essentially, the presence of Bluetooth and/or NFC technology provides a
    way for the user to not only be notified if the key is taken out of
    range, but also for them to find the key should it become lost. This
    combination of a digital leash and tracking capabilities offers peace of
    mind to the user that may be worried that they’ll misplace or drop their
    key.
• Cons
  • Vulnerability to Man-in-the-Middle Attacks – Man-in-the-middle
    attacks occur when a hacker intercepts the user’s data midstream,
    between them and its ultimate destination. In this scenario, that would
    mean a malicious party intercepting the Bluetooth or NFC data stream
    being sent between the device being unlocked and the token unlocking it.
    While encryption can ameliorate the situation greatly, it must be said
    that it is a vulnerability that simply does not exist for keys that
    require a physical connection.
  • Power – These are the most power-hungry type of physical security
    keys, often requiring regular recharging for their continued operation.
    While the amount of time a token can run on each charge varies greatly
    between models, it will assuredly be much shorter than the months of
    runtime provided by disconnected security tokens, and will obviously be
    completely outstripped by the total lack of internal power requirements
    found in both simple and complex connected tokens.
  • Reliance on Security of Wireless Transmission Technology – Where
    man-in-the-middle attacks can impact a single user, weaknesses in an
    entire wireless protocol can impact millions of users relying on
    contactless security tokens. This refers to the possibility of
    discovering a flaw in the protocol itself, most like an iteration of
    Bluetooth or one of the dominant RFID technologies. While such
    weaknesses are rare, and can potentially be ameliorated, they have
    popped up from time to time. This would technically make it possible to
    pull off easer man-in-the-middle attacks, while also potentially opening
    the door to brute force attempts.
• Applications
  • Hardware Key – Thanks to the flexibility of Bluetooth and NFC, a
    single key of this type can theoretically allow a user to access his or
    her PC, smartphone, tablet, smart home devices, and more. This is
    because its ability to automatically connect to the devices around it
    and verify the authorized user’s presence is unmatched in ease and
    flexibility by any of the other options listed here.

Outlook

[return to top
of this report]

At this point, readers may be wondering why any of the devices covered here
are even necessary. After all, can’t a smartphone serve all of the same
purposes? Can’t it be its own contactless security token? The answer is, of
course, that it can. So, why then, should devices like these continue to exist
or be used by anyone? The answer to that can be surprisingly complex and will
vary greatly depending on the specific scenario and the level of security
required.

Simply put, for most average users, physical security keys are not necessary.
Two-factor authentication can be handled very well via text
and email-based systems. Companies as massive as Google and Apple put these
systems to use millions of times per day to secure their users’ accounts, with
the number of failures remaining miniscule when compared to the much more easily breachable nature of the username/password credentials less secure services use.

However, for the users that want the highest level of security for
themselves, or, much more likely, for their business, physical security keys can
provide a very attractive option. Not only can a key be purchased for a fraction
of the cost it would require to supply an employee or family member with a
smartphone, but it can be programmed, issued, controlled, and maintained by a
central IT staff. This level of accountability is just
as important to overall security as the actual keys themselves. Incidences of
loss or theft can be tracked, mitigated, and corrected, all based on easily
replaceable, relatively cheap hardware provided by the company itself. Of
course, similar systems could be employed in a BYOD (Bring Your Own Device)
scenario using the end user’s smartphone. However, the number of additional
security holes added by employing third-party hardware is immense. Again,
physical security keys are designed to be used by those that feel even
traditional two-factor authentication methods are too weak … not for the average
user.

That said, even these ultra-high security measures can fail to completely
protect their users. One of the most high profile incidents involved a
company referenced several times within this report: Google. In 2019, the
company discovered that its first generation Titan Bluetooth
key had a vulnerability in its programming that could, under certain
circumstances, allow an unauthorized user to pair the key to their own device in
order to gain access to the authorized user’s secured hardware.⁶ A fix was
quickly issued in the form of a swap program, with Google offering free
replacement keys. However, the glaring failure on Google’s part damaged the
reputation of physical security keys as a whole, particularly the reputation
of keys based solely on contactless connection methods. That said, even a
potentially flawed layer of security provided greater protection than the
alternative absence of any form of two-factor authentication.

At the end of the day, the users and companies that would actually benefit
from the integration of physical security keys into their operations will most
likely know who they are. They are the individuals and organizations that
constantly fret over possible intrusions, worry about data privacy, and uphold
the highest levels of scrutiny when examining every new interaction point their
systems experience. While physical security keys are not the be-all and end-all
of cybersecurity, they can be a very important weapon in an ever growing arsenal
to be employed by IT staff, chief security officers, and even private users
interested in strong, yet convenient ways to bring additional security to their
systems.

References

• ¹ “RSA SecurID Hardware Tokens.” RSA Security. Retrieved November 2019.
• ² Torres, Robin. “The Truth About Authenticators."
  
  Engadget.
  June 2009.
• ³ “FIDO U2F.”
  
  Yubico.
  Retrieved November 2019.
• ⁴ “Alliance Overview.” FIDO Alliance. Retrieved November
  2019.
• ⁵ Krebs, Brian. "Google Accounts Now Support
  Security Keys."
  KrebsOnSecurity
  . October 2014.
• ⁶ Bohn, Dieter. "Google Is Replacing Bluetooth Titan Security
  Keys Because of Vulnerability." The Verge. May 2019.

About the Author

[return to top of this report]

Michael Gariffo is an editor for Faulkner Information Services. He tracks and writes about
enterprise software and the IT services sector, as well as telecommunications
and data networking.

[return to top
of this report]