Today we take a look at FIDO security keys and their role in a passwordless future of online security.
FIDO security keys are often seen as more of a pro-user or enterprise mechanism to securely carry your identity from one device to another, e.g., from you notebook to your phone. Their most important benefit over traditional 2FA is that they work without any additional hardware or drivers. Security keys are simply plugged in to an USB port or can be tapped against the NFC antenna of your phone (the same that you use for mobile payments like Apple Pay).
In many large organizations, security keys have already replaced smart card authentication. But unlike smart cards, anyone can buy a security key and instantly use it to protect their accounts at services like Google, Microsoft, Twitter, Facebook, and many more already. The reason for that is that security keys use the WebAuthn API that is supported by all major browsers and operating systems. That is the beauty of web standards (and the reason why it took a while to get here).
Today, security keys are mostly used as a second factor alongside a password. You secure your accounts by requiring knowledge of a password and proof-of-possession of the key. But most security keys also support passwordless 2FA and, even better, also “usernameless” authentication. This is where things get even more interesting and where security keys play their role in the future of authentication.
At Hanko, we’re big fans of security keys and urge anyone with a sense for their online security to get one and enroll it at their email provider or social media accounts to be protected against phishing and other common attacks. Popular security key brands are Yubico, Solokeys, FEITIAN Technologies Co., Ltd., TrustKey Solutions, Nitrokey, and others.
If you’re building a (password) login, you should strongly consider adding support for security keys. The fastest way to get a login that supports security keys is our authentication product Hanko that is build around WebAuthn and FIDO technology.