SecureMac, Inc.

What is key-based 2FA?

July 31, 2020

Standard 2FA has some important limitations, which is why many security experts believe that key-based 2FA is the wave of the future — especially now that Apple has made changes to make it much more accessible to iPhone and iPad users.

What is key-based 2FA?

Two-factor authentication (2FA) is an excellent way to enhance your digital security and privacy. However, standard 2FA has some important limitations, which is why many security experts believe that key-based 2FA is the wave of the future — especially now that Apple has made changes to make it much more accessible to iPhone and iPad users.

Why use 2FA?

Two-factor authentication helps to prevent account takeovers. When you’re using 2FA, and you’re trying to log in to a website or service, you need to provide a second authentication factor in addition to your normal login credentials before you’re allowed to access your account.

This is more secure than using a password alone, because bad actors get their hands on login credentials all the time, either through data breaches or via phishing attacks. If 2FA is enabled, they won’t be able to use your stolen credentials to log in to your account — because they won’t have the second factor required to gain access.

Limitations of 2FA

Two-factor authentication is a basic best practice for personal cybersecurity. But it isn’t perfect.

Many implementations of 2FA use one-time codes that are sent to the user’s mobile device. However, SMS messages are fundamentally insecure, and SIM swapping attacks mean that the bad guys may be able to hijack your phone number and receive your text messages. App-based 2FA using something like Google Authenticator or Authy is better, but is not completely safe. These tools can still be circumvented in some cases. For example, hackers may resort to social engineering tactics and use fraudulent websites in order to steal a user’s one-time code. 

What is key-based 2FA?

Key-based 2FA uses a physical hardware key as a second authentication factor. It’s a small USB device (roughly the size of a thumb drive) that the user keeps with them and uses to log in to their accounts.

The most popular options include the YubiKey line of hardware keys made by Yubico, and the Titan keys made by Google. For Apple users, Yubico now offers YubiKey models that can be plugged into USB-C and Lightning ports. Support for key-based 2FA is far from universal, but a growing number of websites and services offer it. 

How does key-based 2FA work?

Hardware keys use on-device cryptography to generate authentication codes. These codes are then used to authenticate the device to a website or service. 

Once you’ve set up key-based 2FA, you provide your account credentials as you normally would, at which point you’ll see a prompt to use your hardware key as the second authentication factor. To do this, you simply plug the key into your device’s USB port, tap a sensor on the key to prove that there’s an actual human being using it, and you’re in. If you’re using a mobile device, some hardware keys allow you to do the same thing by just tapping your device with the key.

To set things up, you’ll first have to enable key-based 2FA on any account you want to use it with, and then register the specific hardware key itself. The options to do this are generally found in the same account settings area where you manage other forms of multi-factor authentication. While the exact setup method varies by service, key vendors like Yubico offer walkthrough guides to make the process easier. If you’ve never used any kind of two-factor authentication for the account, you’ll probably be asked to turn on standard 2FA before you can enable key-based 2FA.

What if I lose my key?

The one main drawback of key-based two-factor authentication is that you have to keep the key with you, and you need to be careful not to lose it. For most people, this isn’t a huge issue — they just put their hardware key on their keychain with their car keys or house key.

If you enable key-based 2FA on an account, you may be able to leave some backup authentication methods available as well. That way, if you forget or misplace your hardware key, you’ll still be able to get into your account. However, be aware that if you leave these less-secure authentication methods in place (instead of disabling them when you set up your hardware key), they could be used as attack vectors by malicious actors.

People who want the full security benefits of key-based 2FA will often set it up as their sole two-factor authentication method. But the problem with disabling all of the other forms of 2FA is that you can get locked out of your accounts if you lose your physical key. While you can still regain access if this happens, it isn’t a quick or easy process. The good news is that you can register multiple hardware keys with your accounts, which lets you create a physical backup key that you can store in a home safe or bank safety deposit box — sort of the digital equivalent of a spare key!

Is this for everyone?

Before deciding to embrace the “next big thing” in cybersecurity, it’s always good to do a reality check, and ask yourself if you really want to! This starts by accepting that it’s impossible to eliminate all cybersecurity risk: The best we can do is mitigate our risks, and decide how much risk we’re willing to accept in our digital lives. It’s also important to remember that a solution that might work well for one user (or organization) might not be appropriate for others. Generally speaking, risk always has to be weighed against other considerations, like cost, ease-of-use, and accessibility. In a workplace setting, risk mitigation strategies should be balanced with operational impact — and with the likelihood of getting employees to comply with best practices!

Cybersecurity should never be an “all or nothing” proposition. And for those who aren’t ready to make the leap, using standard SMS or app-based two-factor authentication is still far, far better than nothing at all. That said, key-based 2FA is remarkably easy to use, and is arguably more convenient than other kinds of multi-factor authentication. And although it’s not yet available on all websites and services, even partial use can significantly improve your personal security posture: Key-based 2FA can be used to lock down your most sensitive accounts, or to harden your password manager.

We hope that this article has helped you learn a bit more about this important security tool. If you still have questions about how hardware security keys work, or about two-factor authentication generally, please feel free to write to us and ask.

Get the latest security news and deals