Account takeovers, even of high-profile people, has become a common occurrence in this era of sophisticated cyberattacks and hacks, but researchers think they’ve found a way to fight back against account takeovers: cryptographically based security keys.
According to a report, a two-year study of more than 50,000 Google employees by Google determined that cryptographically based security keys are better than smartphones and other two-factor verification forms when it comes to keeping the bad guys out of accounts. The report noted the security keys are based on the Universal Second Factor, which is an open standard that is easy for engineers to program into hardware and websites. When a user plugs it into a USB port, it provides a so-called cryptographic assertion that’s nearly impossible for the bad guys to breach. The key can be used in addition to a user password when logging on and is already being used by Google, Dropbox, GitHub and other websites, noted the report.
Security architects at Google have already claimed security keys is their favored two-factor authentication because of the ease of developing the keys and using them, the security they offer, and the absence of any privacy trade-offs that the report said can come with other two-factor authentication tools. For example, with some two-factor authentication methods, users have to have a cellphone to get a one-time password, which can be troublesome because the one-time passwords can be phished similar to how users are tricked into giving an email password. They can also be subject to malware attacks that would compromise the one-time passwords, noted the report.
“Security keys, by contrast to the alternatives, provide the best mix of security, usability and privacy. They sell for as little as $10, although some of the more popular brands — such as the U2F Security Key from Yubico — list for $18. They’re smaller than a door key, plug into a computer’s USB slot, and require no batteries,” noted the report.