Most systems require users to provide verification of their identities to log in. This is usually done with passwords that serve as a security key.

With Authentication, More Is More

Some situations call for two-factor authentication (2FA). That means that the system sends the user information and then requires the user to repeat it. Just how that information gets sent and repeated, however, has been under discussion for a while.

One-time passcodes (OTP) have traditionally done the trick. The system typically sends a six- or eight-digit code via short messaging service (SMS) to a phone. Then the user reads the message on the phone and re-enters it into a computer — if the message isn’t intercepted, that is.

The system could also send the OTP to a cryptographically aware dongle or smartcard. This usually requires drivers and other hardware, however, meaning that there is no guarantee a smartcard can be read by all the different machines in a network. Without the generated response from the device, logging in is impossible.

The Security Key Is Key to Security

Over the past two years, Ars Technica reported, Google has tried using a USB device called Security Key to help it go down the dongle-style cryptographic path without incurring the overhead of smartcard readers or drivers. Google’s engineers assumed that USB ports are ubiquitous.

The tech giant launched a study of 50,000 users and determined that this device is particularly well-suited for 2FA. The devices range in unit cost from $6 to $18, far below the total cost of ownership of a smartcard solution. The Security Key generates a “cryptographic assertion,” which is used for the additional authentication.

These devices are functionally based on the Universal Second Factor (U2F) protocol. While adoption of this protocol is far from universal, it appears that Google, Dropbox, GitHub and other major sites have implemented it to some degree. Chrome, Opera and Firefox browsers are also able to use it.

If you operate on Chromebooks exclusively, the Security Key may be able to provide some immediate benefits in 2FA situations. For a wider user experience, however, the underlying U2F protocol will be unreliable until it gains mainstream acceptance.

More from

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…