Most systems require users to provide verification of their identities to log in. This is usually done with passwords that serve as a security key.
With Authentication, More Is More
Some situations call for two-factor authentication (2FA). That means that the system sends the user information and then requires the user to repeat it. Just how that information gets sent and repeated, however, has been under discussion for a while.
One-time passcodes (OTP) have traditionally done the trick. The system typically sends a six- or eight-digit code via short messaging service (SMS) to a phone. Then the user reads the message on the phone and re-enters it into a computer — if the message isn’t intercepted, that is.
The system could also send the OTP to a cryptographically aware dongle or smartcard. This usually requires drivers and other hardware, however, meaning that there is no guarantee a smartcard can be read by all the different machines in a network. Without the generated response from the device, logging in is impossible.
The Security Key Is Key to Security
Over the past two years, Ars Technica reported, Google has tried using a USB device called Security Key to help it go down the dongle-style cryptographic path without incurring the overhead of smartcard readers or drivers. Google’s engineers assumed that USB ports are ubiquitous.
The tech giant launched a study of 50,000 users and determined that this device is particularly well-suited for 2FA. The devices range in unit cost from $6 to $18, far below the total cost of ownership of a smartcard solution. The Security Key generates a “cryptographic assertion,” which is used for the additional authentication.
These devices are functionally based on the Universal Second Factor (U2F) protocol. While adoption of this protocol is far from universal, it appears that Google, Dropbox, GitHub and other major sites have implemented it to some degree. Chrome, Opera and Firefox browsers are also able to use it.
If you operate on Chromebooks exclusively, the Security Key may be able to provide some immediate benefits in 2FA situations. For a wider user experience, however, the underlying U2F protocol will be unreliable until it gains mainstream acceptance.