As users log in to important accounts from a range of physical locations on a range of devices, ensuring only authenticated users have access is harder than ever before. With the implementation of MFA, you can ensure that the right people have access to the right accounts, no matter what device or where in the world they’re logging in from.
But not all MFA is created equal, and some methods of authenticating user access are more secure than others. Security keys, or hardware tokens, can be a very effective and secure means of verifying identity. By combining a hardware factor with a software factor, you make it much harder for attackers to fraudulently get into your accounts, because they would also need the physical key.
In this article we’ll consider the top five hardware keys for MFA. We’ll consider and compare key features including ease of use, security, compatibility, and integrations. Some MFA hardware providers offer a wrap-around service to keep your account safe, or additional built-in features – like encrypted storage – to protect your data as well as your identity.
What Is An MFA Key?
An MFA security key is a small hardware device that can be used as an authentication factor for logging in. The keys look much like a USB flash drive. The key must be presented when attempting to log in, to confirm that the login attempt is being made by a valid user.
To use a security key, you plug it into your device – some keys use near-field communication (NFC) instead – then log in. You will only be granted access to your account if you are in possession of the key and have the corresponding login credentials. Some keys have additional security features such as a PIN code or a fingerprint sensor, which adds a further layer of security to the login.
Hardware security keys have a series of inbuilt features to prevent their misuse. The keys are often tamper-proof, with anti-duplication features built in. As this is a physical object, there are several practical concerns to consider when using a key: How portable and manageable is the key? Is it water- and dust-proof? Does your infrastructure support its means of connection?
A hardware security key is one of the most secure authentication factors. The fact that a user must be in possession of a physical device, which is itself highly secure, makes it much harder for an attacker to access your accounts. In some use cases, however, needing to possess a physical device can be a drawback. Rolling out hardware keys is much more time consuming than rolling out OTPs, for instance. It also has a higher cost, and it is more complicated for administrators to resolve issues. In the trade-off between ease and security, hardware keys sit at the secure end, and that comes at a greater cost to ease of use and productivity.
Who Should Use Hardware Security Keys?
In the perfect world – where security is the only factor – everyone should use hardware security keys, for everything they do. They are much more secure than traditional login methods, especially when paired with biometric authentication. It is far easier to obtain a password from a data breach, or social engineering, than it is to obtain a physical device that can only be used in conjunction with the correct fingerprint.
However, we do not live in a perfect world. Security is not the only factor to consider.
We must be mindful of the cost of these devices, as well as the limitations of needing to physically present the key to gain access.
These devices have three main use-cases: for gaining access to areas that need to be kept particularly secure; for employees who cannot use mobile devices; and workplaces where the hardware key can also act as physical ID.
1. Secure Areas. As hardware keys are much more secure than other types of authentication, they can be used to protect highly sensitive areas. As an organization, you will know exactly how many devices – and therefore users – have access to an account area. Unlike a password, which can be shared without limit, there is a maximum number of users who can have access at any one time. If an attacker does want to gain access, their attack will have to be physical, rather than a purely virtual cyber-attack. This is an escalation that most cyber-attackers are not willing to make.
2. No Mobile Devices. Depending on where and how your employees work, mobile phone authentication – be it OTPs or biometric – may not be viable. On oil rigs, or in certain manufacturing environments, having a mobile phone can pose a safety risk. Equally, in highly sensitive (governmental) organizations, mobile devices may be prohibited. In these cases, a security key can provide access for those who need it.
3. Physical ID. Hardware security keys can be packaged in a multitude of ways. Some companies opt to put a photograph and ID information on a hardware security key. This allows the key to be used as physical ID – to show to a security guard, for example – as well as allowing access to digital systems.
What Happens If A Hardware Key Is Lost?
The first thing to do is to notify your system administrator, or the company that manages your security keys. They will be able to deactivate the hardware key to ensure that it cannot be found and used by someone else. Even though a hardware key on its own would not allow a stranger to access your systems, it is good practice to have the key deactivated.
You can then look to recovering or replacing the lost key, thereby restoring access for the users who need it. Some companies will provide additional keys with your subscription package for just this eventuality.
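The login flow described in "What Is An MFA Key?" (the server only accepts a login when the correct credentials are presented and the physical key answers, optionally after a PIN) and the lost-key deactivation described just above can be shown end to end in a small model. The following is an added example written for this article; it is not code from any vendor or key manufacturer. It is a constructed simulation: a real security key holds a private key and signs a server-issued challenge, whereas here an HMAC over the challenge with a secret that never leaves the `HardwareKey` object stands in for that signature so that the example runs with the Python standard library alone. The names `HardwareKey`, `Server`, `enrol`, `start_login`, `finish_login` and `revoke` are all assumptions of this model.

```python
"""Constructed model of possession-based MFA with a hardware key (not vendor code).

A real key signs the challenge with an on-device private key; the HMAC below
is a stand-in so the example needs only the standard library.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class HardwareKey:
    """Stand-in for the physical token: the secret lives only inside this object."""

    def __init__(self, pin: str):
        self._secret = secrets.token_bytes(32)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.serial = secrets.token_hex(4)  # printed on the key; used to revoke it

    def registration_blob(self) -> bytes:
        # A real key would hand over a public key here; with HMAC the verifier
        # needs the same secret, so enrolment shares it exactly once.
        return self._secret

    def sign_challenge(self, challenge: bytes, pin: str) -> bytes:
        # The key refuses to answer unless the holder also knows the PIN.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise PermissionError("wrong PIN")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    """Verifier: password is the first factor, a one-time challenge answered by the key is the second."""

    def __init__(self):
        self.passwords = {}   # user -> (salt, PBKDF2 hash)
        self.keys = {}        # user -> {serial: registered secret}
        self.pending = {}     # outstanding challenge -> user (single use)
        self.revoked = set()  # serials of lost or stolen keys

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, user: str, password: str, key: HardwareKey) -> None:
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, self._hash(password, salt))
        self.keys.setdefault(user, {})[key.serial] = key.registration_blob()

    def start_login(self, user: str, password: str) -> Optional[bytes]:
        """First factor. Returns a fresh challenge, or None if the password is wrong."""
        salt, stored = self.passwords.get(user, (b"", b""))
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return None
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = user
        return challenge

    def finish_login(self, challenge: bytes, serial: str, response: bytes) -> bool:
        """Second factor. The challenge is consumed whether or not the response is valid."""
        user = self.pending.pop(challenge, None)
        if user is None or serial in self.revoked:
            return False
        secret = self.keys.get(user, {}).get(serial)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def revoke(self, serial: str) -> None:
        """Lost key: deactivate it so a finder cannot use it, even with the password."""
        self.revoked.add(serial)


def demo() -> dict:
    """Walk through the outcomes the article describes; returns a dict of results."""
    server = Server()
    key = HardwareKey(pin="4321")
    server.enrol("alice", "correct horse", key)  # constructed sample user
    results = {}
    ch = server.start_login("alice", "correct horse")
    results["password_only"] = server.finish_login(ch, key.serial, b"")       # False
    ch = server.start_login("alice", "correct horse")
    resp = key.sign_challenge(ch, "4321")
    results["key_and_password"] = server.finish_login(ch, key.serial, resp)  # True
    results["replay"] = server.finish_login(ch, key.serial, resp)            # False: challenge used
    results["wrong_password"] = server.start_login("alice", "guess") is None  # True
    ch = server.start_login("alice", "correct horse")
    try:
        key.sign_challenge(ch, "0000")
        results["wrong_pin"] = False
    except PermissionError:
        results["wrong_pin"] = True                                          # key refuses
    server.revoke(key.serial)  # the key has been reported lost
    ch = server.start_login("alice", "correct horse")
    results["revoked"] = server.finish_login(ch, key.serial, key.sign_challenge(ch, "4321"))  # False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>18}: {'login accepted' if ok else 'login rejected / check holds'}")
```

Two design points carry over to real deployments: the challenge is single use and is consumed even on failure, so a captured response cannot be replayed, and revocation is checked by serial before the response is examined, which is what makes the "notify your administrator" step above effective.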