Hardware Keys Improve Account Security
Hardware Keys Improve Account Security

Hello fellow readers, it has been some time since I posted.  I hope you all have been staying safe and healthy.  Thank you for coming back.

In the last article I described the weaknesses with passwords and practices we can take to improve account security.  This article will focus on some new technology to help you strengthen your on-line account security.  Sadly, there is no silver bullet or easier way than passwords, but a little additional effort and some new technology increase security multi-fold and can prevent one minor compromise from becoming a substantially bigger and costlier problem.

A couple years ago I was asked about a text someone received on their phone.  In the text was a link from a supposed airline to a recipient to click on to get their flight details.  When receiving an unsolicited text or email with a link or attachment, you should never click the link or open the document as undesirable surprises typically await. 

To investigate this link, I took some appropriate precautions with a test computer.  I put the link in my browser bar and away I went.  The link took me to the website of an airline.  It was an auto-generated link to a web page with details of an upcoming flight for two individuals (with no authentication), which included personal information including names, locations, flight information, email addresses, some credit card information, etc.  (for the record, I did contact both parties to disclose that there had been a leak of personal information).

This information is a hacker’s dream; I have Personally Identifiable Information (PII), which can then be used to begin an attack.  If I were to attempt to compromise these individuals, I would have attempted to log into their email account.   Although I don’t have a password, I have sufficient details that could go a long way, should they not be using multi-factor authentication.

Multi-Factor Authentication (MFA) is a method which uses more than one way to authenticate you to your account.  It is the best tool in the arsenal today; however, as indicated, there is no silver bullet.  I say this because there are many MFA methods.  The principle behind MFA is something you know, your password, and something you have (a special key only you possess).  Despite the additional complexity that MFA brings to security, your online security posture will be significantly improved and an adversary compromising additional accounts from a single account is nearly zero.

I use hardware keys, Yubico YubiKeys, and a password manager to help with account security management.  There are arguments for and against these technologies and they typically are;

– You protect your password manager with a password, what if that password is compromised then all account passwords are compromised.

– If you lose your hardware key, you may lock yourself out of your account permanently or give someone the ability to more easily log into your account.

Although these arguments are true, they do not deal with the problem that the technologies work to solve.

I use an extraordinarily complex password to protect my password manager.  I’m less worried that someone could crack the password and more concerned that I may one day forget it.  This is where you may need to write it down and lock it in a safe along with your other valuables.  However, the password manager allows me to have a different complex password for each account.

Password managers are not a panacea.  If an attacker compromises, say your Google email account, then they may be able to reset passwords for other sites, including your bank accounts (this is far harder to do today than say, but the risk is there).  This is where hardware keys really increase security.

If a hardware key is used to secure the Google account and an adversary attempts to log in without having physical access to the key and the password to the account, there is no entry for them.  Its best analogy is having a key-code for a door and a physical key for access.  Without both, you cannot get in.

I do worry that I may lose my YubiKey; however, this device takes security to a whole new level.  I will have a backup key, but then this is two keys to manage.  It’s a great solution, but has a cost with the purchase of the keys and not every website or account uses hardware keys.  I use the keys for accounts where I feel just a password will not do.  Although many accounts use Text messages to send a one-time token for access, if an adversary has access to the proper account, they can get access to that token.  They hardware key requires them to physically have it. I covered a couple technologies that I use to protect my accounts.  Ultimately, protecting your accounts needs to be based on your work methods and needs.  There are many solutions out there.  If you are struggling with identifying a best solution for your personal or business needs, please reach out to me at Arcane Cyber for help.