Security keys are a beautiful idea. Physical devices that unlock entry to sensitive enterprise systems and networks, they avoid the need to rely on passwords and other, somewhat unreliable forms of authentication. Your common-variety hacker, too, will grit their teeth in frustration, unable to slip their hands into your pocket and swipe your credentials from thousands of miles away in their Sverdlovsk or Pyongyang basement.
Theory, however, doesn’t always translate well into practice. While many cybersecurity experts swear by security keys as one of the best methods out there to secure your systems, that advice disguises the medium’s reliance on the very forms of authentication these devices are designed to eliminate.
That begins with their setup. Security keys require the user to be registered with an organisation, a process that relies on the provision of usernames and passwords to create an account. These methods are easily compromised: for example, IDEE’s own research highlighted that 35% of UK businesses were breached using stolen credentials in 2023 – the most common attack vector that year.
Incredibly, security keys not only ask users to use phishable methods to set up their first security key but also suggest using a second key as a backup in case the first gets lost – effectively doubling the attack surface. Continuing to use passwords and relying on them to add a second authentication factor only prevents password-based attacks and, worse, creates a false sense of safety, which plays into the hands of cybercriminals and gives them the upper hand.
Moreover, if a security key is lost or stolen, especially after being used with a password, that user’s account is immediately in danger. This is even more so if the criminals have already compromised that user’s credentials. The threat actor can then plug the key into a new device, enter the password, and you would be none the wiser.
Additionally, many companies that produce security keys have also developed and now use in-house cryptographic libraries: software packages providing the functionality needed to implement cryptographic algorithms and protocols. These libraries are unlikely to be as secure as more established and better-tested varieties, such as Python. This is unbelievable: in this day and age, the cybersecurity industry and everyone who works in it should refuse to accept that a method of authentication that is merely ‘phishing resistant’ is good enough – it’s not even close.
The additional price of implementing security keys
Unsurprisingly, the problems continue to mount when we consider the hardware of security keys. This cannot be upgraded to meet future requirements, meaning that whenever a new set of specifications is released, companies must buy completely new hardware to meet these stipulations.
When we move from hardware to firmware, it will come as no surprise that there are problems there, too. There is a push for complex PINs to be used as an additional security measure, but yes, you guessed it, the current firmware can’t support them. Security keys also have limited storage capabilities – which, again, cannot be upgraded to store more credentials. So, what’s the option when storage runs out? You guessed it, buy new ones!
As you can see, much of this ‘additional security’ only strengthens one part of a business: its spending.
Let’s talk money, then. A top-of-the-range security key typically costs €75, excluding VAT. Add to this the fact that they suggest you have two keys per person in case one gets lost and that ends up being an outlay of nearly €200 per person. That’s before you factor in having to ship them across countries, maybe even globally.
However, it’s not just the financial costs that rack up from using security keys. Their use also compromises other parts of a business’s day-to-day functionality.
When companies employ chief information security officers (CISOs), they don’t do so with logistics in mind. But that is exactly what happens when a company chooses security keys as its security option. CISOs should put all their time and resources into doing what they do best: creating new and more secure ways of protecting their businesses from sophisticated cyber criminals and their evolving methods.
However, as the company’s accidental logistics manager, they spend far more of their time ordering and shipping keys than strengthening the business’s security. What an incredible waste of expertise, and what a shame for the talented cyber professionals whose skills are being wasted by countless businesses.
Embrace innovation and strive for better
If all of this is meant to enhance the user’s experience, it doesn’t. What’s the expectation for users whose laptops have blocked USB ports for security reasons? Must IT departments now open those ports up?
And how inconvenient it is to remember to take your security key when nearly everyone already carries around more capable devices every day. Speaking from my own personal experience, I’m sick of carrying around a set of keys every day – why would I want to add another one?
It doesn’t have to be this way. In our tech-savvy modern world, we have developed better, completely secure ways of protecting your cybersecurity – not just ‘phishing resistant,’ but ‘phish proof’.
Using the concept of transitive trust and strong identity proofing, there is a method that means we will never have to rely on security keys and deal with their constant problems. Transitive trust works by ensuring that every transaction occurs on a trusted service, on a trusted device, under a trusted user’s control. There is no more reliance on phishable factors such as passwords, one-time passcodes, or push messages.
In short, the cybersecurity industry needs to move with the times and embrace keyless technology if it is serious about unlocking the door to a completely secure future.