How important are security keys in zero trust?

Security keys and zero trust

GCP Comics #6 Security keys in Cybersecurity

A security key is a physical device that works alongside your username and password to verify your identity to a site or app. It provides stronger login protection than an authenticator app or SMS codes, and the same device can be used for many services, so you don’t need to carry around a necklace of dongles and fobs.

Security Keys provide the highest level of login assurance and phishing protection.

In this issue of GCP Comics we are covering exactly that. Think of a Security Key as a way to protect yourself–and your company–from bad passwords and tricked users, as it stops fake sites from tricking people into logging in. Here you go!

A password alone turns out to be fairly minimal protection for an account, so we’ve seen many new options for 2-Step Verification (also called multi-factor authentication), a phrase meaning “more than just your username and password” to log in.

Getting a code by SMS or voice call is a little better than just a password, but you can still be fooled into feeding that code to a fake site, giving up your account credentials to an attacker. Backup codes and authenticator apps fall prey to the same malicious strategies, where an attacker harvests your info and then uses it to perform their own multi-factor authentication, gaining access to your account.

Only a security key can stop the cleverest of phishing attacks.

Why a security key over other multi-factor methods?

  • A key must be registered in advance to a specific account, an action you take once to enhance the level of security for your sign in.
  • The security key and the website perform a cryptographic handshake, and if the site doesn’t validate the key’s identity, including matching a previously registered URL, the login is stopped.
  • Using open standards (FIDO), the same security key can be used for multiple sites and devices. You only need to carry one around, and it can be used for both personal and work accounts and devices.
  • The firmware of Google Titan Security Keys is engineered to verify integrity, preventing any tampering.
  • They come in all kinds of shapes and sizes, so you can get USB-A, USB-C, or NFC to match the use case that fits you best!
  • In our experience deploying security keys to replace older forms of 2-Step Verification, we’ve seen both faster logins and fewer support tickets raised.
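
The URL check from the handshake bullet above, as an added example that is not part of the original post: the fields a site checks in a login response before verifying the key's signature, assuming the key speaks FIDO2/WebAuthn. The names `login.example`, `login-example.test`, `make_assertion` and `check_assertion` are hypothetical, the sample data is constructed, and signature verification is left out.

```python
import base64, hashlib, json

RP_ID = "login.example"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example"  # origin the key was registered for

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what the browser and key return at login."""
    # The browser, not the page, writes the origin it is actually showing.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()   # 32 bytes
    flags = 0x01                                           # bit 0: user present
    sign_count = (7).to_bytes(4, "big")                    # constructed counter
    return client_data, rp_id_hash + bytes([flags]) + sign_count

def check_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return "ok", or the reason the login is stopped."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if len(auth_data) < 37:
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    # A real server now verifies the key's signature over
    # auth_data + SHA-256(client_data) with the registered public key.
    return "ok"

if __name__ == "__main__":
    chal = b"constructed-challenge"
    print(check_assertion(*make_assertion(EXPECTED_ORIGIN, RP_ID, chal), chal))
    # Response produced while the user was on a look-alike site:
    fake = make_assertion("https://login-example.test", "login-example.test", chal)
    print(check_assertion(*fake, chal))
```

Because the signature covers both structures, a response produced on the look-alike site cannot be edited to carry the real origin without invalidating it.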

Resources

Want more GCP Comics? Visit gcpcomics.com and follow us on Medium (pvergadia and max-saltonstall) and on Twitter (@pvergadia and @maxsaltonstall) so you don’t miss the next issue!

A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.

Priyanka Vergadia

Developer Advocate @Google, Artist & Traveler! Twitter @pvergadia
