Can Security Keys Prevent Phishing?
Look out, phishermen, there is a hot new cybersecurity tool on the market called a security key, and it aims to foil the plans of nefarious hackers everywhere.
This Tuesday, Google revealed that since they issued company-wide security keys in 2017, they haven’t had a single phishing incident. Which is great considering just how much of the internet runs on Google these days, but then, I would hope that Google’s employees are smart enough to recognize phishing scams when they encounter them. But what are security keys? How do they work and what makes them more secure than two-factor authentication?
To begin with, security keys are devices roughly the size and shape of a USB stick that transmit a Universal 2nd Factor (U2F) authentication code when users push a button on the device. There are even instances where these devices can be linked to a website with U2F authentication enabled and completely eliminate the need for a password. Unfortunately, not many websites have U2F authentication enabled, but now that Google is singing its praises, I’m sure many other websites will soon jump on the bandwagon.
Here’s the thing: having a security key doesn’t prevent you from falling for phishing schemes. Your password data can still be stolen. What it does is act as a roadblock so that if a malicious party does get ahold of your password, they are unable to access your accounts, just like two-factor authentication. What makes U2F authentication and security keys different is that the code authorizing access comes directly from a device in your possession, and is not sent by the website itself.
You see, in recent years, hackers and other malicious parties have developed workarounds for two-factor authentication, whether that’s by intercepting the code as it is sent to a device or email, or by exploiting password recovery systems.
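A simplified model of the challenge-response exchange behind U2F, added here as an illustration and not taken from Google or any key vendor: the device signs each login challenge together with the origin the browser is on, so a stolen password, a signature made on a look-alike site, or a replayed signature all fail. The names `Site`, `Register`, `Respond` and `Login`, the origins and the password are constructed for the example, and the real U2F message format (counter, user-presence flag, key handle) is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Site is the website's record: a password plus only the PUBLIC half of the enrolled key.
type Site struct {
	Origin, Password string
	Pub              *ecdsa.PublicKey
}
// Register enrolls a key: the private half stays on the device, the site stores the public half.
func Register(origin, password string) (*Site, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Site{origin, password, &key.PublicKey}, key
}

// digest binds a signature to the origin the browser is on and to one login challenge.
func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\n"), challenge...))
	return h[:]
}
// Respond is browser plus device: sign whatever challenge arrives, for the origin actually visited.
func Respond(key *ecdsa.PrivateKey, origin string) func(challenge []byte) []byte {
	return func(challenge []byte) []byte {
		sig, _ := ecdsa.SignASN1(rand.Reader, key, digest(origin, challenge)) // nil on error, rejected below
		return sig
	}
}

// Login issues a fresh challenge; it needs the password AND a signature over that challenge for s.Origin.
func (s *Site) Login(password string, respond func(challenge []byte) []byte) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	return password == s.Password && ecdsa.VerifyASN1(s.Pub, digest(s.Origin, challenge), respond(challenge))
}

func main() {
	site, key := Register("https://accounts.example", "hunter2") // constructed sample values
	fmt.Println("password, no key: ", site.Login("hunter2", func([]byte) []byte { return nil }))
	fmt.Println("look-alike origin:", site.Login("hunter2", Respond(key, "https://accounts.examp1e")))
	fmt.Println("real origin:      ", site.Login("hunter2", Respond(key, site.Origin)))
}
```

Because the site draws a new challenge for every attempt, a signature captured during one login verifies against nothing afterwards, which is the difference from a code that is sent to you and can be read in transit.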
The thing is, this technology isn’t really all that new. For example, the video game company, Blizzard, has been offering security keys for $5 since 2008, and Google itself has been offering a security key since 2014. Back then, it only worked on the Chrome browser, so the technology has definitely improved, but if they’re so good at protecting online accounts, why don’t more people have them? Is it a lack of advertising? Perhaps, but I think the answer is a lot simpler.
It’s a physical device, and a small one at that. On their own they’re easy to lose, and while many purveyors of security keys recommend attaching them to your keychain, just think about how many hours you spend a week, wandering around your house, looking for your keys. Yes, there are systems in place to recover your account in the event you lose a key or it gets stolen, but they vary from site to site, and can take up quite a bit of time as you attempt to prove your identity.
An actual picture of me and my friends, trying to find my keys.
Personally, I am not all that inclined towards purchasing a physical product to solve a problem that can be avoided by employing a little bit of due diligence and being suspicious of strange links. Luckily, there are a number of phone apps such as the Google Authenticator available that work in a very similar fashion. They’re a little less secure than the USB stick variety of security keys, but I am a lot less inclined towards losing my cell phone.
Either way, black hat hackers are going to have a harder time getting into your personal accounts, whether you choose to invest in a USB security key or take the phone app route. The state of cybersecurity is changing, and it looks like it’s in our favor. So take that, hackers! Your days of terrorizing the internet are nearly over!