Physical Security Keys
Copyright 2021, Faulkner Information Services. All Rights Reserved.
Docid: 00018003
Publication Date: 2111
Report Type: TUTORIAL
Preview
Both businesses and private citizens are under constant assault from hackers,
criminals, and nefarious parties that seek to invade users’ privacy by gaining
unauthorized access to their accounts. End users and service providers have
to constantly up their game in order to prevent these incursions. One of the
most effective methods employed today is two-factor authentication, a
technique that requires a second passcode of some kind in addition to the
user’s normal password in order to gain access to an account. These
single-use codes can be delivered in multiple ways, including via email and text
message, but they can also be handled, or replaced entirely, by a relatively new
piece of equipment: the physical security key. These devices take over the job of
handling the second factor in two-factor authentication. Methods can vary depending on the type of key
used, but the purpose remains the same – adding the requirement that the user and
their physical security key be present during any attempt to access a secured
account or device. This report details how physical security keys function, the
most common types, and the strengths and weaknesses of this security
method as a whole.
Executive Summary
Physical security keys are designed to provide an extra layer of security
over the typical username/password combination that is used to secure nearly
everything in the average person’s online and at-home electronic life. While a
strong password remains paramount, it has become increasingly popular for users
to add a secondary security measure to any account or device that they wish to remain
private. The most common method of accomplishing this is with some form of
two-factor authentication. The first factor is the user’s
password; the second varies from instance to instance. This is where
physical security keys and other technologies come into play.
Most two-factor authentication systems currently in use rely on some form of
single-use passcode that can be generated on-demand each time the
user wishes to sign in to an online service or Web site, or to unlock a device.
This passcode can be obtained through a variety of methods, including email,
text message, or over the phone. However, there is yet another way for the code
to be generated: via
a security token. These tokens typically come in the form of a small,
keychain-sized device with a one-line display and a button. The button can be
pressed to generate a single-use code on the token’s display. It is then up to
the user to input this code into the two-factor authentication field on their
service or device of choice, gaining them access.
This method of adding security to one’s accounts or devices has been
successfully employed for many years by organizations ranging from major banks to
online gaming companies. However, the need to manually enter an often very long
string of letters and numbers (in addition to already having entered the first
security factor of username and password) makes for a somewhat arduous sign-in process. To this end,
physical security keys have evolved to incorporate and adapt other
technologies. Keys now exist that only
need to be plugged into a USB slot in order to unlock a device. For users
wishing to prevent simple theft from being a factor, some also require
biometric verification of the user’s presence, making it theoretically
impossible for malicious parties to access the user’s property without their
knowledge and consent.
Ultimately, no security technology is perfect. However, physical security
keys add a requirement for the physical presence of an object that cannot be
circumvented by a bad actor situated in another part of the globe. This
requirement narrows the field of possible malicious parties that can pose a
threat, offering protections that a password and IP or
telecom-based two-factor authentication scheme cannot match. This is not to say
that physical security keys are superior to those methods of two-factor
authentication, but simply to illustrate that each method has its own
inherent strengths and weaknesses that make it the better fit in particular
circumstances.
Description
Physical security keys are designed to provide a secondary security measure
for an online or local account, or for an electronic device. This secondary
security method often works together with an existing or
custom-designed two-factor authentication system, taking the place of the text
or email-based code generation process that has become a familiar part of
logging into many accounts in our day-to-day lives. However, unlike these
systems, physical security keys must always be physically present at the time of
sign-in, adding another obstacle for would-be thieves and hackers to circumvent
before they can gain unauthorized access.
This new form of protection generally comes in one of two formats: a digital
token device that is capable of remotely producing a secondary passcode required
for each sign in, which must be manually entered by the user; or a connected key
device that is actually plugged into, connected to, or wirelessly scanned by
either the device the user is attempting to access or the device he or she is
employing to visit the Web site/app/service he or she wishes to use. The latter
form can also provide a tertiary security measure in the form of biometric
verification of the user’s identity.
The reliance on a physical object to gain access to a digital device or
service may seem like a strange concept. After all, username and password
systems have been fairly successful at doing their jobs for the 30+ years they
have been in use on computer systems and online. Similarly, it must be said that
physical security keys come with their own inherent flaws, such as being
another physical object a user may need to add to his or her "everyday carry,"
while also creating the risk of locking a user out of an account or
device if the key becomes lost or stolen. However, as mentioned above, no security
system is without its drawbacks. By its nature, added security tends to come at
the cost of convenience. After all, the most convenient way to access any
digital asset is simply a single button press. But, one does not need to be a cybersecurity expert to know that such easy-access devices and services smell
like ambrosia to thieves and hackers looking to steal an innocent user’s
financial information.
Physical security keys provide another, different way for users to trade some
of that aforementioned convenience for a little more protection. While they may
not be the ideal solution in all scenarios, they can be a well-suited option
for narrowing the field of potential threats to those who can physically reach the user’s location.
Physical Security Key Types
This section will describe the most common types of physical security keys in
use today, with the best applications for each, as well as the pros and cons of
each design.
Figure 1. An RSA SecurID Hardware Token
Source: RSA
Disconnected Security Tokens – This type of physical security
key relies on the "time-synchronous" generation of a single-use passcode; the
user enters that code into a service or device as the second factor of two-factor
authentication.1 This technology does not rely on any form of
physical or wireless connectivity between the hardware token and the user’s
other devices. Instead, it uses a time-sensitive set of algorithms to generate a
unique code that will allow the user access to the device or service in question
during a very short window of time, typically between 30 seconds and one minute.
Once a key is registered to the user’s account, typically via a unique
identification number, it is then locked to the account until the user or issuer
replaces or removes the key, meaning it is required for all subsequent attempts
to access the device or account in question. The simplicity of this system and
its reliance on a basic timer mechanism allows hardware tokens like the
one seen above to be produced cheaply, with only a very simple LCD display,
logic board, and button-cell battery typically required. Tokens can either
display the correct passcode for the given moment on a constant, rotating basis,
or can be designed to display a code only when a button is pressed.
While the generation and manual entry of the code works much like the Google
Authenticator app or Apple’s two-factor authentication for iCloud, it differs
in one very important way: an air-gapped, time-based mechanism. Where a user’s Google
Authenticator or Apple account can be breached remotely via a combination of
device cloning, social engineering hacks, or data breaches, the only way for a
malicious party to obtain the necessary time-sensitive codes in a disconnected
security token is by physically
stealing the device. While this is, of course, entirely
possible, it reduces the number of possible threats to the relative handful that physically
surround the user at any given moment and are willing to steal from them. Narrowing the pool of potential threats is one of the best forms of
risk mitigation a user can hope to accomplish, even if it still leaves an avenue
for thieves to employ.
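As an added illustration of the time-synchronous mechanism described above (this is not code from the report, and RSA’s own SecurID algorithm is proprietary), the Go program below implements the open TOTP standard, RFC 6238, together with the check a service performs on the submitted code: a drift window of one 30-second step on either side of the current one, and a record of the last step used so that any given code is accepted only once. The shared secret is the RFC test-vector key and the time values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Constructed shared secret: the RFC 4226/6238 test-vector key. A real token
// has a unique secret burned in at manufacture and registered with the service.
var SharedSecret = []byte("12345678901234567890")

const (
	TimeStep = 30 // seconds per code: the "very short window" described above
	Digits   = 6
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" down to a fixed number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): HOTP whose counter is the number of TimeStep intervals
// since the Unix epoch. Token and service each compute it from their own
// clock, which is why no connection between them is needed.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/TimeStep), digits)
}

// Verifier is the service side. It accepts the current step plus Window steps
// on either side (clock drift) and never accepts a step at or below the last
// one used, so a code that has been seen once cannot be replayed.
type Verifier struct {
	Secret      []byte
	Window      uint64
	lastCounter int64 // -1 until the first successful login
}

func NewVerifier(secret []byte, window uint64) *Verifier {
	return &Verifier{Secret: secret, Window: window, lastCounter: -1}
}

// Verify returns true only for a fresh, in-window code.
func (v *Verifier) Verify(submitted string, unixTime int64) bool {
	now := uint64(unixTime / TimeStep)
	lo := uint64(0)
	if now > v.Window {
		lo = now - v.Window
	}
	for c := lo; c <= now+v.Window; c++ {
		if int64(c) <= v.lastCounter {
			continue // already consumed, or older than a code already accepted
		}
		expected := HOTP(v.Secret, c, Digits)
		// Constant-time compare so timing does not leak how many digits matched.
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			v.lastCounter = int64(c)
			return true
		}
	}
	return false
}

func main() {
	// Time 59 is an RFC 6238 test vector; the 6-digit code is 287082.
	code := TOTP(SharedSecret, 59, Digits)
	v := NewVerifier(SharedSecret, 1)
	fmt.Println("code:", code)
	fmt.Println("first use accepted:", v.Verify(code, 59))
	fmt.Println("replay accepted:", v.Verify(code, 59))
}
```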
- Pros
  - Simple – These keychain-sized devices are barely any more advanced
    than the digital watches dispensed by gumball machines for children.
    Their simplicity allows them to be cheaply produced and issued, with
    relatively little downside from being lost or needing to be replaced,
    as long as the account they are connected to is promptly updated to use
    the replacement token. Along similar lines, the lack of a need for a
    physical or wireless connection removes another vector of possible
    failure from the usage scenario; the only skill required of the user is
    typing in a string of numbers or characters.
  - Consistency – Devices of this type should always work. As long as
    the number or passcode displayed on the token’s built-in screen is
    entered correctly, the two-factor authentication process should succeed
    and the user should gain entry. The same cannot always be said of the
    connected key types that will be covered below. Those devices can be
    impacted by everything from pocket lint to wireless signal interference,
    potentially derailing the user’s ability to sign in to their account
    and requiring costly and time-consuming intervention by IT personnel.
- Cons
  - Inconvenience – One of the main reasons people continue to
    secure their front door with a simple, physical key, despite the variety of
    more high-tech options available, is the fact that it is easy to use.
    Insert key, turn, gain entry … that’s it. Some forms of physical
    security keys for digital devices are designed to provide an equal level
    of simplicity, requiring only that they be plugged into a USB port or
    held near the device to function. This type, however, requires the user
    to enter an often lengthy string of numbers or characters manually
    every time they sign in. The inconvenience is not only an
    annoyance for the user, but may ultimately lead to the user abandoning
    the two-factor authentication provided by the disconnected security
    token due to irritation with the extra time required to gain entry into
    an account or device.
  - Dead Batteries – Where some forms of connected physical security
    keys can rely on the device they are being connected to for their energy
    needs, disconnected security tokens must provide their own power. This
    typically comes in the form of the type of button-cell battery
    found in wristwatches. While the extremely low power consumption levels
    needed by these simple tokens often allows these batteries to last
    multiple years, there will eventually come a time when that battery
    needs to be replaced. Some tokens allow for this while others are
    factory sealed, requiring the entire token to be replaced. Either
    scenario is, of course, doable. But, both scenarios mean that, at least
    for a time, the user will be locked out of their account or device until
    a new battery or token is secured. If this comes at just the wrong
    moment, it could lead to massive problems for the user.
  - Theft – This is an issue, to varying
    degrees, for all the physical security key types
    discussed. While some other forms of security key can mitigate this
    weakness, disconnected hardware tokens have
    essentially no protection against being stolen and used by an
    unauthorized third party. If a user’s disconnected hardware token does
    make its way into the hands of a bad actor, the user can deregister the
    token and replace it. However, until that remediation task is complete, the
    user’s account or device is essentially back to being protected by only
    a simple password. If the hacker in question has access to that as well,
    then the user’s private data is, unfortunately, an open book.
  - Parity with App-Based Solutions – While devices below that
    electronically connect to the user’s PC or external digital device can
    directly serve as a digital key for the device in question, disconnected
    physical security tokens require the user to manually input the
    passcodes they generate. This means that they really offer nothing over
    and above an app-based approach to tokenization, such as the one used by
    the Google Authenticator app. While there are certain situations where a
    user may be unable to have their smartphone with them, while still
    requiring access to a security token, the specificity of such scenarios
    definitely limits the overall superiority of disconnected physical
    security keys when compared to direct alternatives.
- Applications
  - Banks – Hardware tokens, including the one seen above, have been
    used and issued by banks around the world as an extra layer of
    security for users to access their financial accounts.
  - Online Gaming – Although it has since switched to an app-based
    solution, online gaming company Blizzard previously sold the Blizzard
    Authenticator, a keyfob similar to the one seen above which provided a
    single-use code whenever a button was pressed.2 The device
    was created to instill an additional layer of protection against the
    rampant theft of accounts and digital items that was being perpetrated
    in Blizzard titles such as World of Warcraft and the Diablo series.
  - Others – Tokens of this type can also be used with physical keypads,
    digital devices, and other material electronics that require single-use
    entry restrictions.
Figure 2. A Yubico Yubikey 5 Nano
Source: Yubico
Simple Connected Security Tokens – This category of physical
security key refers to the type that needs to be plugged into a given device in
order to unlock that device, or to access an account or service that is being
signed into via that device. By far, the most common type of key in this
category uses a USB connection to complete its task. This could be the
well-known USB-A type connector, as seen above, or the newer USB-C type that
fits most newer PC and tablet devices as well as many brands and models of
smartphone. Unlike disconnected hardware tokens, these keys can
simply be plugged in for the device or account in question to unlock, making
them much like the mechanical keys most people use to secure their homes. While
there are proprietary interfaces used by some manufacturers, one of the most dominant protocols
– and the closest thing this product
category has to an industry standard – is the Universal 2nd Factor (U2F) standard
managed by the FIDO Alliance.3 The FIDO Alliance was founded in 2013
as an open industry association tasked with creating and maintaining
interoperable authentication standards.4 It currently manages the U2F
standard, which was originally developed in collaboration with Google and Yubico
as an interoperable two-factor authentication standard for use with physical
security keys of various types.5 Regardless of the standard the key
in question uses, this method of providing additional security is so simple
that keys can be designed to be almost no larger than the USB port they are
intended to connect to. This makes it entirely possible to install the key in a
laptop or tablet and leave it in place for as long as the device is in use,
without being obtrusive. When the user’s work is done, they can simply remove
the diminutive key, locking the device.
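The report describes the plugged-in key as transmitting a passcode unique to it; under the U2F standard it names, that "passcode" is a digital signature over a fresh challenge from the service, bound to the site and to a use counter. The Go sketch below is an added example of that challenge-response core (it is not Yubico’s, Google’s or the FIDO Alliance’s code, and it leaves out attestation and key-handle wrapping): the key holds a private key that never leaves it, and the service verifies each login with nothing more than the stored public key and the last counter value it saw. The site name is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Key models the secure element inside a connected security key: a private
// key that never leaves the token plus a use counter that only increases.
type Key struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Registration is all the relying party stores: the public key and the last
// counter it accepted. There is no reusable secret on the server to steal.
type Registration struct {
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// Assertion is the key's signed answer to one login challenge.
type Assertion struct {
	UserPresent bool
	Counter     uint32
	Sig         []byte // ASN.1 DER ECDSA signature
}

func NewKey() (*Key, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Key{priv: priv}, err
}
// Register hands the relying party the public key at enrollment.
func (k *Key) Register() Registration { return Registration{Pub: &k.priv.PublicKey} }

// signedData is what both sides hash and sign, laid out as in the U2F
// authentication response: SHA-256(appID) || presence byte || 4-byte counter
// || SHA-256(challenge). Covering appID ties the assertion to one site.
func signedData(appID string, userPresent bool, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	chal := sha256.Sum256(challenge)
	buf := append([]byte{}, app[:]...)
	if userPresent {
		buf = append(buf, 1)
	} else {
		buf = append(buf, 0)
	}
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf = append(buf, ctr[:]...)
	return append(buf, chal[:]...)
}

// NewChallenge is the relying party's fresh random nonce for one login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Authenticate is the "touch the key" step: no touch, no signature, so host
// software cannot drive a plugged-in key silently.
func (k *Key) Authenticate(appID string, challenge []byte, touched bool) (Assertion, error) {
	if !touched {
		return Assertion{}, errors.New("user presence not confirmed")
	}
	k.counter++
	digest := sha256.Sum256(signedData(appID, true, k.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	return Assertion{UserPresent: true, Counter: k.counter, Sig: sig}, err
}

// Verify is the relying-party check. A counter that does not advance is the
// U2F signal that an assertion is replayed or that a clone of the key exists.
func (r *Registration) Verify(appID string, challenge []byte, a Assertion) error {
	if !a.UserPresent || a.Counter <= r.LastCounter {
		return errors.New("presence flag missing, or counter did not advance (replay/clone)")
	}
	digest := sha256.Sum256(signedData(appID, a.UserPresent, a.Counter, challenge))
	if !ecdsa.VerifyASN1(r.Pub, digest[:], a.Sig) {
		return errors.New("signature does not verify for this site and challenge")
	}
	r.LastCounter = a.Counter
	return nil
}

func main() {
	key, _ := NewKey()
	reg := key.Register()
	chal, _ := NewChallenge()
	a, _ := key.Authenticate("https://bank.example", chal, true)
	fmt.Println("login:", reg.Verify("https://bank.example", chal, a))
	fmt.Println("replay:", reg.Verify("https://bank.example", chal, a))
}
```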
- Pros
  - Simple – Like the disconnected hardware tokens covered above, this
    type of security key is also simple, but in a different way. It uses
    what is essentially a secondary passcode that is unique to the
    key, transmitting this passcode to the device it is connected to. This level of simplicity allows the key to be as
    tiny as the one seen above and made relatively cheaply. Similarly, it
    requires no more interaction than plugging in a thumb drive.
  - Discreet – As suggested in the description above, this type of key is often small enough to be left in
    the USB port of a device for the long term. Not only does this make it
    easier to slide the device into a bag or case, but it makes it less
    obvious to potential thieves and hackers.
  - Flexibility – The ability for this type of key to use USB-A, USB-C,
    or even something as unusual as a 3.5mm audio port to transmit its
    security code allows it to be designed to slot into a wide variety of
    devices, including desktops, laptops, tablets, and
    even smartphones.
- Cons
  - Simple – At the risk of sounding contradictory, the device’s
    simplicity is also its greatest potential weakness. Unlike the
    keys that will be covered below, the simple connected security
    token only requires that it be plugged in to function. Meaning, should a
    hacker get their hands on the key and associated password, the user’s
    privacy is effectively breached. Of course, this can be mitigated by a
    careful individual never letting the key out of their sight, but theft
    and loss remain an ever-possible disaster, even for the most careful and
    security-minded individual.
  - Easy to Lose – This is a particularly problematic issue given the
    previous point. If lost or stolen, its ability to protect
    the user is gone. Unfortunately, the ever-decreasing size of simple keys
    makes losing them an ever-more likely possibility.
    Manufacturers have come up with several solutions, including slip cases
    for the user’s keychain and digital leashes. But the fact remains that
    the smaller something is, the more likely it is that it will be
    misplaced.
- Applications
  - Hardware key – As mentioned above, these keys and their often tiny
    designs make them ideal for installing in a laptop or tablet device and
    leaving them installed until the user specifically wishes to secure that
    device by removing the key. While these keys can use software to unlock
    user accounts and apps just as easily, their most common purpose is
    serving as a hardware-based locking mechanism for an entire device.
Figure 3. A Kensington Verimark Fingerprint Key
Source: Kensington
Complex Connected Security Tokens – These physical security
keys provide the same security measures as their simple brethren while
adding a tertiary obstacle that a hacker would need to overcome in
order to access the user’s device or account. One of the most common of these
additional security measures is a biometric verification such as the
fingerprint reader built into the example seen above. Plugging this type of
device into a system is not enough to unlock the device or account in question.
Instead, the user must also scan their fingerprint in order to prove that the
authorized owner of that device or account is truly the one attempting
to unlock it. This extra layer of security makes it nearly impossible for a
malicious third party to access the user’s device or account without their
knowledge, as they would theoretically need to be physically present in order for the unlocking process to succeed. Other keys in this
category, closely related to the final category below, eschew biometrics
in favor of wireless communications as a tertiary security method. By
verifying the nearby presence of the user’s smartphone, tablet, or even
smartwatch, typically through the use of NFC (Near Field Communication) or
Bluetooth technology, these keys also provide an additional way to ensure
the authorized user is actually present at the time of unlock.
- Pros
  - Redundant Security – Whether using biometric verification or a
    wireless signal, complex security keys provide one of the
    highest levels of security a physical key can offer by making the user’s
    physical presence an actual requirement for a successful unlock.
    Although these keys can be stolen or lost as easily as their
    simple counterparts, they become useless without the user’s biometric
    signature or connected wireless device, making their theft significantly
    less appealing for would-be hackers and thieves.
  - Flexibility – Security keys of this type can be designed to rely on
    multiple protocols for maximum flexibility. A single key can provide the
    option to use multiple tertiary unlock verification factors. This means
    that, even if the user forgot his or her smartphone, they can still
    provide a tertiary verification by fingerprint, preventing the user from
    being locked out due to an unfortunate oversight.
- Cons
  - Potential Technical Issues – As anyone who gives the topic a bit of
    thought should be able to predict, the more complex a security measure
    becomes, the more likely it is to accidentally lock out its authorized
    user instead of an actual criminal. This is true of everything from
    complex passwords to these highly technical devices. As biometrics and
    the need for a second device to be present are added to the scenario,
    the number of possible failure points expands. Everything
    from greasy fingers to wireless interference to a dead smartphone
    battery could lock the user out of a device.
  - Possible Circumvention – While complex physical security tokens are
    more secure than their simple counterparts, they are by no means
    impenetrable. The relatively simple fingerprint scanners included in
    them can be fooled by many of the same methods that higher-end scanners
    can fall victim to, while companion smartphones can be stolen and used
    to achieve the necessary NFC or Bluetooth
    factor required for an unlock. The additional complexity of the unlock
    process in use here makes it a less likely scenario, but it is nonetheless possible.
- Applications
  - Hardware Key – Like their simple cousins, complex connected security
    tokens can serve a user well as a hardware key, providing all of the
    same benefits while also adding the secondary security of a biometric
    scanner or Bluetooth/NFC security factor.
  - One Key, Multiple Users – The presence of a biometric or NFC/Bluetooth
    factor means that a single key can be programmed to provide access to
    multiple users. While this would mean that the key in question would
    need to be left connected, it could be without much fear that its
    presence would eliminate a system’s security, thanks to the continued
    requirement for a secondary factor.
Figure 4. A FEITIAN MultiPass K16 Security Key
Source: FEITIAN
Contactless Tokens – Contactless tokens take the NFC- or
Bluetooth-based aspects of complex connected security tokens and make them the sole connection method. While they still form a connection with the system being unlocked, that connection is
purely electronic, with no physical requirement involved beyond proximity
of several feet. Aside from this difference in the method of connecting to the
user’s system, their behavior is essentially identical to the USB-based keys
mentioned above, providing successful unlocks simply by being present on the
user’s person.
- Pros
  - Ease of Connection – Where the USB-based solutions require users to plug their physical security keys into the
    notoriously tricky USB ports found on their devices, this type of token
    only requires the user to be within range of the system. This also makes
    it possible for the contactless token to unlock systems that are
    difficult or impossible to physically access, such as a desktop computer
    tucked away under a desk or secured in a cabinet.
  - Flexibility – With no requirement for a physical connector, these
    tokens generally provide a method of connection that is supported by
    almost every electronic device a user owns. Bluetooth is a nearly
    ubiquitous protocol today, with full support found in everything from
    desktops to laptops to smartphones and tablets to smart TVs. Any and
    all of these devices can now use a physical
    security key thanks to the introduction of contactless tokens.
  - Two-Way Connectivity – This pro goes a long way towards potentially
    eliminating the risk of loss or theft of the user’s security token.
    Essentially, the presence of Bluetooth and/or NFC technology provides a
    way for the user to not only be notified if the key is taken out of
    range, but also for them to find the key should it become lost. This
    combination of a digital leash and tracking capabilities offers peace of
    mind to the user that may be worried that they’ll misplace or drop their
    key.
- Cons
  - Vulnerability to Man-in-the-Middle Attacks – Man-in-the-middle
    attacks occur when a hacker intercepts the user’s data midstream,
    between them and its ultimate destination. In this scenario, that would
    mean a malicious party intercepting the Bluetooth or NFC data stream
    being sent between the device being unlocked and the token unlocking it.
    While encryption can ameliorate the situation greatly, it must be said
    that it is a vulnerability that simply does not exist for keys that
    require a physical connection.
  - Power – These are the most power-hungry type of physical security
    keys, often requiring regular recharging for their continued operation.
    While the amount of time a token can run on each charge varies greatly
    between models, it will assuredly be much shorter than the months of
    runtime provided by disconnected security tokens, and will obviously be
    completely outstripped by the total lack of internal power requirements
    found in both simple and complex connected tokens.
  - Reliance on Security of Wireless Transmission Technology – Where
    man-in-the-middle attacks can impact a single user, weaknesses in an
    entire wireless protocol can impact millions of users relying on
    contactless security tokens. This refers to the possibility of
    discovering a flaw in the protocol itself, most likely an iteration of
    Bluetooth or one of the dominant RFID technologies. While such
    weaknesses are rare, and can potentially be ameliorated, they have
    popped up from time to time. This would technically make it possible to
    pull off easier man-in-the-middle attacks, while also potentially opening
    the door to brute force attempts.
- Applications
  - Hardware Key – Thanks to the flexibility of Bluetooth and NFC, a
    single key of this type can theoretically allow a user to access his or
    her PC, smartphone, tablet, smart home devices, and more. This is
    because its ability to automatically connect to the devices around it
    and verify the authorized user’s presence is unmatched in ease and
    flexibility by any of the other options listed here.
Outlook
At this point, readers may be wondering why any of the devices covered here
are even necessary. After all, can’t a smartphone serve all of the same
purposes? Can’t it be its own contactless security token? The answer is, of
course, that it can. So, why then, should devices like these continue to exist
or be used by anyone? The answer to that can be surprisingly complex and will
vary greatly depending on the specific scenario and the level of security
required.
Simply put, for most average users, physical security keys are not necessary.
Two-factor authentication can be handled very well via text
and email-based systems. Companies as massive as Google and Apple put these
systems to use millions of times per day to secure their users’ accounts, with
the number of failures remaining minuscule compared to the far more easily breached username/password credentials that less secure services rely on.
However, for the users that want the highest level of security for
themselves, or, much more likely, for their business, physical security keys can
provide a very attractive option. Not only can a key be purchased for a fraction
of the cost it would require to supply an employee or family member with a
smartphone, but it can be programmed, issued, controlled, and maintained by a
central IT staff. This level of accountability is just
as important to overall security as the actual keys themselves. Incidents of
loss or theft can be tracked, mitigated, and corrected, all based on easily
replaceable, relatively cheap hardware provided by the company itself. Of
course, similar systems could be employed in a BYOD (Bring Your Own Device)
scenario using the end user’s smartphone. However, the number of additional
security holes added by employing third-party hardware is immense. Again,
physical security keys are designed to be used by those that feel even
traditional two-factor authentication methods are too weak … not for the average
user.
That said, even these ultra-high security measures can fail to completely
protect their users. One of the most high profile incidents involved a
company referenced several times within this report: Google. In 2019, the
company discovered that its first generation Titan Bluetooth
key had a vulnerability in its programming that could, under certain
circumstances, allow an unauthorized user to pair the key to their own device in
order to gain access to the authorized user’s secured hardware.6 A fix was
quickly issued in the form of a swap program, with Google offering free
replacement keys. However, the glaring failure on Google’s part damaged the
reputation of physical security keys as a whole, particularly the reputation
of keys based solely on contactless connection methods. That said, even a
potentially flawed layer of security provided greater protection than the
alternative absence of any form of two-factor authentication.
At the end of the day, the users and companies that would actually benefit
from the integration of physical security keys into their operations will most
likely know who they are. They are the individuals and organizations that
constantly fret over possible intrusions, worry about data privacy, and uphold
the highest levels of scrutiny when examining every new interaction point their
systems experience. While physical security keys are not the be-all and end-all
of cybersecurity, they can be a very important weapon in an ever-growing arsenal
to be employed by IT staff, chief security officers, and even private users
interested in strong, yet convenient, ways to bring additional security to their
systems.
References
- 1 “RSA SecurID Hardware Tokens.” RSA Security. Retrieved November 2019.
- 2 Torres, Robin. “The Truth About Authenticators.” Engadget. June 2009.
- 3 “FIDO U2F.” Yubico. Retrieved November 2019.
- 4 “Alliance Overview.” FIDO Alliance. Retrieved November 2019.
- 5 Krebs, Brian. “Google Accounts Now Support Security Keys.” KrebsOnSecurity. October 2014.
- 6 Bohn, Dieter. “Google Is Replacing Bluetooth Titan Security Keys Because of Vulnerability.” The Verge. May 2019.
About the Author
Michael Gariffo is an editor for Faulkner Information Services. He tracks and writes about
enterprise software and the IT services sector, as well as telecommunications
and data networking.