There are many varieties of authentication available to you. Today, we'll discuss the fundamental differences between them, and examine the pros and cons of one option: the physical security key.
How Does a Security Key Work?
In order to understand security keys, we first have to understand the concept of multi-factor authentication. Multi-factor authentication (sometimes referred to as 2-factor authentication) is a method of making online accounts more secure by increasing the requirements for access. Instead of just requiring a password, one of your accounts may also request that you input a code generated by an application on your mobile device.
Technically, this doesn't even count as true two-factor authentication, as the password and the code are both something you know: one factor, with multiple steps. True 2FA/MFA would require you to have different factors: something you know, accompanied by something you have, or something you are (in the form of biometrics). Using a security key in addition to your password would count as such, since you simply have the security key, without needing to know what is on it that confirms your identity. Even when you use best practices to create passwords, there is a chance of human error which may place your data at risk of cyberattack.
Well, until now, at least.
When it is inserted into a device, a security key leverages something called FIDO2 (Fast Identity Online 2) to create a cryptographic public key identification system. This system enables the user to activate the private key and access the associated account.
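To make the public/private key exchange above concrete, here is a simplified model of it, added as an illustration and not taken from the FIDO2 specifications or from the article's author. The class names, service names and the exact bytes being signed are assumptions; real FIDO2 messages carry more fields.

```javascript
// Simplified model of a FIDO2-style login (added example, not the WebAuthn wire format).
const { generateKeyPairSync, sign, verify, randomBytes, createHash } = require('node:crypto');

// Assumption: the signed bytes are hash(service name) followed by the server's challenge.
const signedData = (service, challenge) =>
  Buffer.concat([createHash('sha256').update(service).digest(), challenge]);

// The key: holds one private key per service and only ever hands out signatures.
class SecurityKey {
  #creds = new Map();
  register(service) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#creds.set(service, privateKey);
    return publicKey; // only the public half leaves the key
  }
  respond(service, challenge) {
    const key = this.#creds.get(service);
    if (!key) throw new Error(`no credential for ${service}`);
    return sign('sha256', signedData(service, challenge), key);
  }
}

// The service: stores the public key and checks each login against a fresh challenge.
class Service {
  #pending = null;
  constructor(name, publicKey) { this.name = name; this.publicKey = publicKey; }
  newChallenge() { return (this.#pending = randomBytes(32)); }
  checkLogin(signature) {
    const challenge = this.#pending;
    this.#pending = null; // single use: a replayed response finds no pending challenge
    if (!challenge) return false;
    return verify('sha256', signedData(this.name, challenge), this.publicKey, signature);
  }
}

// Constructed demo: one key, two accounts (hypothetical service names).
function demo() {
  const key = new SecurityKey();
  const mail = new Service('mail.example', key.register('mail.example'));
  const files = new Service('files.example', key.register('files.example'));
  const response = key.respond('mail.example', mail.newChallenge());
  const login = mail.checkLogin(response); // fresh challenge, matching key
  const replay = mail.checkLogin(response); // same response sent again
  mail.newChallenge();
  const stale = mail.checkLogin(response); // old response against a new challenge
  const secondAccount = files.checkLogin(key.respond('files.example', files.newChallenge()));
  const crossAccount = mail.checkLogin(key.respond('files.example', mail.newChallenge()));
  return { login, replay, stale, secondAccount, crossAccount };
}
console.log(demo());
```

The service only ever stores a public key, so there is no shared secret on its side to leak, and a captured response cannot be reused because each login signs a new random challenge.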
Why Should I Use a Security Key?
Simply put, it is a fairly effective way of securing an account. As a service tied to a security key will require that key each time it is accessed, someone trying to access that service without it will find themselves out of luck. Furthermore, it isn't as though a user will require a unique physical security key for each account they've secured, as multiple codes can be stored on one. If you happen to use G Suite applications or Microsoft's solutions in your office, you can leverage a security key to access these solutions more conveniently. Security key technology has reached such a level of maturity that even your smartphone can be used as a security key.
Are Security Keys Compliant?
Believe it or not, they are... at least according to the General Data Protection Regulation. This is because the use of a hardware-based security key requires data to be initially encrypted, and (assuming the proper security measures are put in place) a physical key allows data access to be controlled within an organization. Furthermore, if a key does wind up lost, its access can be revoked by an IT administrator.
However, it is important to keep this in mind - you could potentially be put at risk if a user lost their key and failed to report it. This makes the decision between utilizing a security key or some other kind of authentication one that will take some deliberation.