Most systems require users to provide verification of their identities to log in. This is usually done with passwords that serve as a security key.

With Authentication, More Is More

Some situations call for two-factor authentication (2FA). That means that the system sends a piece of information to the user and then requires the user to repeat it back. Just how that information gets sent and repeated, however, has been under discussion for a while.

One-time passcodes (OTP) have traditionally done the trick. The system typically sends a six- or eight-digit code via short messaging service (SMS) to a phone. Then the user reads the message on the phone and re-enters it into a computer — if the message isn’t intercepted, that is.

The system could also send the OTP to a cryptographically aware dongle or smartcard. This usually requires drivers and other hardware, however, meaning that there is no guarantee a smartcard can be read by all the different machines in a network. Without the generated response from the device, logging in is impossible.

The Security Key Is Key to Security

Over the past two years, Ars Technica reported, Google has tried using a USB device called Security Key to help it go down the dongle-style cryptographic path without incurring the overhead of smartcard readers or drivers. Google’s engineers assumed that USB ports are ubiquitous.

The tech giant launched a study of 50,000 users and determined that this device is particularly well-suited for 2FA. The devices range in unit cost from $6 to $18, far below the total cost of ownership of a smartcard solution. The Security Key generates a “cryptographic assertion,” which is used for the additional authentication.

These devices are functionally based on the Universal Second Factor (U2F) protocol. While adoption of this protocol is far from universal, it appears that Google, Dropbox, GitHub and other major sites have implemented it to some degree. Chrome, Opera and Firefox browsers are also able to use it.

If you operate on Chromebooks exclusively, the Security Key may be able to provide some immediate benefits in 2FA situations. For a wider user experience, however, the underlying U2F protocol will be unreliable until it gains mainstream acceptance.
