Taking multi-factor to the next level with hardware security keys

Alistair Grew
Qodea Google Cloud Tech Blog
7 min read, Sep 12, 2022
Source: https://media.makeameme.org/created/keys-keys-everywhere.jpg

Today I am going to be tackling security, specifically multi-factor authentication (MFA) and more specifically still hardware security keys, and why I think they are a good idea.

MFA and the need for it!

In these days of cloud and zero trust, I would like to suggest that the principal attack vector for your organization is identity. We have long told users to adopt stronger and often incomprehensible passwords which change frequently. To this end, I quite like Randall Monroe’s take from his popular XKCD webcomic:

Source: https://xkcd.com/936/

Users (and frankly I include myself in that) have a nasty habit of being a bit lazy when it comes to passwords, and often use the same password in multiple places. That means only one website needs to be breached for an entire online identity to be exposed (I was, for example, affected by the Adobe hack). My preferred solution for this is a password manager; there are several, but I personally like KeePass.

However, this still doesn’t get over the fact that a password by itself is only a single piece of information a threat actor has to know, and one that can be quite easily phished from users. So these days a lot of organizations mandate MFA. This may take many forms, but I have personally used a range, right from SMS messages and SecurID number generators (way back in 2013):

Source: https://en.wikipedia.org/wiki/RSA_SecurID

Through ‘soft’ tokens like Google’s and Microsoft’s authenticator apps:

Source: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_GB&gl=US

And now hardware security keys, both Google’s Titan Key and Yubico’s Security Key.

One of my Yubi Security Keys on my Keychain

To pinch the Wikipedia definition of MFA it is:

more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is)

All the above devices, when paired with a known password (knowledge), act as the possession factor. Inherence, meanwhile, is typically focused on biometrics like fingerprint scanning or facial recognition. Interestingly, Yubico’s ‘Bio’ key actually covers both possession and inherence by integrating a fingerprint reader into the key.

Anyway, getting back to the possession factor, which is what we are principally looking at here, some of the methods are considered more secure than others. Notably, SMS is now not recommended by numerous organizations, including Microsoft, because it can be spoofed. But what about one-time access (OTA) codes? These are on the whole pretty secure, but it is still possible for them to be phished through social engineering or a well-crafted spoof website.

How FIDO2 compliance keys protected Cloudflare from being breached

The attack reported by Cloudflare was particularly interesting to me for two reasons. Firstly, my company also uses Okta for its identity management, and secondly, Cloudflare takes security extremely seriously. For example, in one of their offices they have a famous lava lamp wall used to generate sufficiently random encryption keys (I highly recommend Tom Scott’s excellent video on the wall).

Source: https://www.cloudflare.com/learning/ssl/lava-lamp-encryption/

For this attempted phishing attack they were largely protected by their use of hardware security keys:

This method would defeat most two-factor authentication implementations, according to Cloudflare, but the company was saved because it does not use TOTP codes, but instead uses a different system that requires each employee to have a FIDO2-compliant security key (Cloudflare mentions YubiKey) that implements origin binding.

Yubico’s own website has this to say on origin binding:

With the U2F-enabled Security Key, such as the YubiKey, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication will fail on the fake site even if the user was fooled into thinking it was real.

This is potentially a powerful additional level of protection, as you aren’t relying on users to be able to determine if a site is spoofed, but rather on the security key itself. Further to Cloudflare’s use, I also know that Google issues its Titan Keys to many, if not all, of their employees for additional security. Needless to say, I want this level of security for me and my users, especially if it is good enough for the likes of Cloudflare and Google.
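To make concrete both why a one-time code can be relayed through a spoof site and why a FIDO2/U2F assertion cannot, here is an added example. It is my own illustration, not code from this post, from Cloudflare or from Yubico, and it models the three parties in a WebAuthn sign-in: the key, the browser, and the real site’s server. Everything in it is constructed: the origins, the relying-party ID example.com, the secrets, and the use of a per-credential HMAC secret in place of the key’s ECDSA key pair (an assumption made so it runs with the standard library only). The TOTP function follows RFC 6238 and can be checked against its published test vector.

```python
# Toy model of FIDO2/WebAuthn origin binding versus a relayable TOTP code.
# Assumption: a per-credential HMAC secret stands in for the key's ECDSA key pair,
# so the server holds the same secret. Origins, IDs and seeds are constructed.
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

RP_ID = "example.com"                                  # constructed
RP_ORIGIN = "https://login.example.com"                # constructed
PHISH_ORIGIN = "https://login.example.com.evil.test"   # constructed look-alike

class Authenticator:
    """The security key: every credential is bound to the rp_id it was made for."""
    def __init__(self):
        self._creds = {}  # cred_id -> (rp_id, secret)

    def make_credential(self, rp_id):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # a real key would hand back a public key here

    def get_assertion(self, cred_id, rp_id, client_data_hash):
        bound_rp, secret = self._creds[cred_id]
        if bound_rp != rp_id:
            raise LookupError("no credential for this rp_id")
        # authenticatorData = SHA-256(rp_id) || flags (user-presence bit set)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        return auth_data, hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(page_origin, rp_id, challenge, key, cred_id):
    """navigator.credentials.get() as the browser does it: it rejects an rp_id the page
    may not claim and writes the true page origin into clientData itself."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rp_id is not a registrable suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    return (client_data, *key.get_assertion(cred_id, rp_id, hashlib.sha256(client_data).digest()))

class RelyingParty:
    """The real site's server-side checks on an assertion."""
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.creds, self.pending = {}, set()

    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge.hex())
        return challenge

    def verify(self, cred_id, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # origin binding: the signed clientData names another site
        if cd.get("challenge") not in self.pending:
            return False  # unknown or replayed challenge
        self.pending.discard(cd["challenge"])
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # the key signed for a different rp_id
        expected = hmac.new(self.creds[cred_id], auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def fido_scenarios():
    """Returns (genuine_ok, phish_blocked_by_browser, forged_origin_rejected_by_server)."""
    key, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    cred_id, secret = key.make_credential(RP_ID)
    rp.creds[cred_id] = secret  # registration
    genuine_ok = rp.verify(cred_id, *browser_get(RP_ORIGIN, RP_ID, rp.new_challenge(), key, cred_id))
    # A look-alike page relaying the real challenge: the browser will not let it ask
    # the key for example.com's credential at all.
    try:
        browser_get(PHISH_ORIGIN, RP_ID, rp.new_challenge(), key, cred_id)
        phish_blocked = False
    except PermissionError:
        phish_blocked = True
    # Defence in depth: a non-conforming client that reaches the key directly still
    # fails at the server, because the signed clientData carries the wrong origin.
    challenge = rp.new_challenge()
    bad_cd = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                         "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    auth_data, sig = key.get_assertion(cred_id, RP_ID, hashlib.sha256(bad_cd).digest())
    return genuine_ok, phish_blocked, not rp.verify(cred_id, bad_cd, auth_data, sig)

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (the standard algorithm, not a stand-in)."""
    h = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = (struct.unpack(">I", h[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_relay_scenario(now=1_660_000_000, relay_delay=5):
    """A code typed into the look-alike page and forwarded within the same 30 s window
    is indistinguishable to the server: nothing in the code names an origin."""
    seed = b"constructed-totp-seed"  # constructed shared secret
    typed_on_phish_page = totp(seed, now)
    return hmac.compare_digest(typed_on_phish_page, totp(seed, now + relay_delay))
```

Calling `fido_scenarios()` returns `(True, True, True)`: the genuine login verifies, the look-alike page is stopped by the browser before the key is even consulted, and an assertion whose clientData names the wrong origin is rejected by the server. `totp_relay_scenario()` returns `True`, which is the whole problem with one-time codes: the code carries no information about where it was typed. The two server-side checks worth copying into any real verifier are the origin comparison and the rpIdHash comparison; a challenge that is single-use closes the replay gap as well.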

My experiences using security keys

So I like to feel I have extolled some of the benefits of using these keys, but what are they actually like to use on a day-to-day basis? Well, remarkably simple. My first encounter with a U2F key was with one of Google’s Titan Keys, protecting a Google account I used to access one of our customers’ GCP platforms. After adding the key to the account it was just a case of plugging it in and pressing it when prompted, which would log me in within a couple of seconds. After I finished working on this platform I handed the key back to the customer, but with an interest in using these keys for my other accounts.

Fast forward a few months, and after some discussions with colleagues who use them, and with Google about security in general, I decided to take the plunge and order two Yubi Security Keys (one for my keychain and one as a backup that I keep somewhere safe) at £30 each, plus a pack of USB-C to USB-A adaptors for the devices I have which are still USB-A only. My total bill came to £64.89, which isn’t a lot considering what the cost of compromising my accounts could be.

One of my Yubi Security Keys plugged into my laptop

Once the keys arrived it was just a case of registering them against all my various accounts; this took about 15 minutes per account because both keys needed to be registered. There are lots of helpful guides and YouTube videos showing just how straightforward this process is. Interestingly, once I had registered both keys to my different Google accounts I was able to join their Advanced Protection Program, which provides additional protection for my accounts against specific threats. I was also very easily able to register the keys against Okta and some other accounts, which Yubico lists in their ‘Works with’ database.

So after setting it up, how has it been to use and carry with me? Well, I put one of the keys on my keychain. My USB-C variant is a touch thicker than one of my normal keys (the USB-A variant is slimmer, if that is a concern), but not in any noticeable way, and it is about the same length, if not a touch shorter, than most of my keys. Having it on my keychain means it is nearly always with me, as I won’t leave my house without my keys (not least because my house and car keys are on the same keychain!).

How did I choose which key to buy? Well, there are lots of different resources to help you pick what is right for you. I personally found this video quite concise in explaining the options at the time I was looking (August 2022).

Conclusion

In all, I have found hardware security keys a simple and straightforward way to add protection to my most prized accounts at minimal additional cost (certainly relative to the damage a breach could cause). I strongly believe businesses should look to leverage this level of protection for their most precious accounts, and I will be suggesting them to all my customers going forwards.

Until next time keep it secure and may the threat actors stay well clear :)

About CTS

CTS is the largest dedicated Google Cloud practice in Europe and one of the world’s leading Google Cloud experts, winning 2020 Google Partner of the Year Awards for both Workspace and GCP.

We offer a unique full stack Google Cloud solution for businesses, encompassing cloud migration and infrastructure modernisation. Our data practice focuses on analysis and visualisation, providing industry-specific solutions for Retail, Financial Services, and Media and Entertainment.

We’re building talented teams ready to change the world using Google technologies. So if you’re passionate, curious and keen to get stuck in — take a look at our Careers Page and join us for the ride!


GCP Architect based in the Manchester (UK) area. Thoughts here are my own and don’t necessarily represent my employer.