Uncovering the cybersecurity industry’s senseless fixation with security keys
Exposing the flaws of cyber security keys
Industries worldwide are embracing keyless technology, relying on modern devices and biometrics to make life more convenient and, more importantly, to eliminate the physical token as a point of weakness.
For example, companies such as SwitchBot and Tuya offer technology that allows customers to unlock their homes through biometrics on the lock itself.
Not the cybersecurity industry, however.
Consider this: The cybersecurity industry, the very one that should be leading the charge in innovation, is steadfastly advocating for the use of physical keys to fortify cybersecurity.
Let’s delve into the world of security keys, which, despite their name, can introduce a whole host of security issues.
Security keys leave cyber doors wide open
Authentication may be just one of many parts of the identity lifecycle, but it must be protected against credential phishing, password-based attacks and MFA bypasses. Indeed, the processes of registration, adding a second device and recovery give criminals multiple routes to an account takeover, so this is a critical area of a business's cyber security that any authentication solution must protect at all costs.
The issue with security keys such as Yubico's YubiKey 5 series, however, is that on their own they do not remove those risks. A FIDO2 key does bind its credential to the web origin, so a phished password alone cannot complete a key-backed login; but the password-based registration, device-enrolment and recovery paths that surround the key remain exactly as phishable as before, and those are the paths attackers target.
First off, login credentials and passwords are needed to register the security key for each individual account, and these measures are easily compromised. Here at IDEE, for example, we recently ran a survey that showed that stolen credentials accounted for 35% of the cyber-attacks faced by the 61% of UK businesses that faced a cyber-attack in 2023. It was the most common cause, and security keys do not stop it from happening.
To make matters worse, businesses that use security keys often hand out backup keys in case the first one is lost or stolen. Every additional key is another credential that can be lost, stolen or left unrevoked, yet 'responsible' cyber security providers continue to stick their heads in the sand and pretend that they are improving, not impairing, security.
This approach may limit some password-based attacks, but the industry needs to wake up and realize that layering extra factors on top of a password does not remove the password: it leaves every factor, and every recovery path behind it, in play. At the moment they are providing criminals with a supermarket pick and mix of attack vectors, and it's businesses that are suffering the consequences.
Additionally, if a user has registered a key for an account they sign into with a password, and that key is then lost or stolen, the account is at immediate risk. The risk is heightened if the user's credentials have already been compromised, and it is worst where the key was set up without a PIN, so that a touch is the only check the key performs: the thief can simply plug the key into a new device, enter the password, and gain access without anyone knowing.
Moreover, manufacturers such as Yubico have developed their own cryptographic libraries to execute cryptographic algorithms and protocols on the key. The problem is that a new, vendor-specific library has had far less independent scrutiny than long-established, widely audited cryptographic libraries, so it broadens rather than narrows the attack surface.
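The two scenarios above turn on checks that the server, not the key, has to enforce. The following is an added example written for this piece (it is not code from the article, from IDEE or from Yubico): the policy checks a WebAuthn/FIDO2 relying party runs on an assertion before accepting a login. The origin check is what stops a key-backed login being relayed through a phishing page, and the user-verification (UV) flag is what the stolen-key-plus-password scenario depends on: a key used without a PIN asserts presence (UP) only, and a server willing to accept UP-only assertions is the one that lets the thief in. The relying party `example.com`, the sample assertions and the stored sign counter are all constructed for the example; verifying the signature over `authenticatorData || SHA-256(clientDataJSON)` against the stored public key is left to a crypto library and is not shown.

```python
# Added example: relying-party policy checks on a WebAuthn assertion.
# Everything named here (example.com, the sample assertions) is constructed.
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                  # hypothetical relying party id
EXPECTED_ORIGIN = "https://example.com"

FLAG_UP = 0x01   # user present: the key was touched
FLAG_UV = 0x04   # user verified: PIN or biometric was checked on the key


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Fixed head of authenticatorData: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     stored_sign_count: int, require_uv: bool) -> tuple:
    """Returns (accepted, reason, message_to_verify). Signature verification is out of scope."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)", None
    # Origin binding: the browser fills this in, so an assertion produced on a
    # look-alike host names the wrong origin and the real site rejects it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}", None

    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch", None
    if not ad["flags"] & FLAG_UP:
        return False, "user presence not asserted", None
    # The stolen-key case: a key with no PIN sets UP only. If the server does
    # not demand UV, the thief's touch plus the known password is enough.
    if require_uv and not ad["flags"] & FLAG_UV:
        return False, "user verification required but not performed", None
    # A counter that fails to advance suggests a cloned authenticator
    # (keys that always report 0 opt out of this check).
    if ad["sign_count"] != 0 and ad["sign_count"] <= stored_sign_count:
        return False, "sign counter did not increase (possible clone)", None

    message = auth_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", message


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData head, laid out as an authenticator would emit it."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, as the browser builds it for a 'get' ceremony."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def demo() -> dict:
    challenge = b"\x11" * 32  # constructed; a real server draws a fresh random challenge per login
    stored_count = 9
    # 1. Genuine login on the real site, key used with a PIN (UP+UV).
    genuine = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                               make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 10), challenge, stored_count, True)
    # 2. Same key and PIN, but the user was lured to a look-alike host.
    phished = verify_assertion(make_client_data("https://example-login.com", challenge),
                               make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 11), challenge, stored_count, True)
    # 3. Stolen key with no PIN set; the attacker knows the password. A server
    #    that requires UV rejects it ...
    stolen_strict = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                                     make_auth_data(RP_ID, FLAG_UP, 11), challenge, stored_count, True)
    # 4. ... while a server content with a touch lets the same assertion through.
    stolen_lax = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                                  make_auth_data(RP_ID, FLAG_UP, 11), challenge, stored_count, False)
    return {"genuine": genuine[0], "phished": phished[0],
            "stolen_uv_required": stolen_strict[0], "stolen_uv_optional": stolen_lax[0]}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

In a real deployment the browser also scopes the credential to the RP ID, so a phishing host never even obtains an assertion for the genuine site; the server-side origin check is the backstop. The policy decision that matters for the stolen-key scenario is `require_uv`: set it to True at registration time (so the key is enrolled with a PIN) and at every assertion, and treat the password as what it then is, a recovery-path weakness rather than a second factor.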
Now, we must move on to another problem that arises from security keys: the hardware. Standards and requirements keep evolving, but neither the hardware nor the firmware of a key already in the field can be upgraded. The only answer businesses have is to buy completely new hardware every single time.
The firmware is no better. PIN requirements such as minimum length and complexity are now being rolled out as an extra security measure, but keys already deployed run firmware that cannot be updated to enforce them. Coupled with the very limited on-device storage for credentials, which once again cannot be expanded, it is clear that security keys do not provide the security, nor the functionality, that businesses need to truly fortify their systems.
The extra costs of deploying security keys
The financial side of things, I’m afraid, does not make for easier reading either.
A YubiKey 5 series security key costs around €75, excluding VAT. Given the recommendation that each user has two security keys, businesses are looking at €150 per person before tax, and closer to €200 once VAT is added. That is just to purchase the keys; companies still have to ship them to employees worldwide, adding further costs to an ever-growing list.
This leads me on to another issue. Higher costs aren't the only price of implementing security keys as your go-to cyber defense; they bring a multitude of practical and logistical problems, too.
Chief Information Security Officers (CISOs) are some of the brightest minds in our industry. They should be spending their time putting that expertise to good use and developing impenetrable cyber defenses. However, for businesses that use security keys, that is not the reality.
The truth is that at these companies, CISOs become de facto logistics managers, spending a ludicrous amount of time ordering and shipping security keys to every single employee. This is an unforgivable waste of talent that businesses should be nurturing to ensure their cyber defenses are world-class.
If costs and wasted resources are additional prices to pay for using security keys, you’d hope that user experience would, at the very least, be improved. Not the case.
Many people use laptops that have blocked USB ports for security reasons. Must IT departments be expected to open up all of these ports?
From a more practical point of view, carrying around another set of keys is entirely unnecessary; we have devices that can do the same thing. I am deliberately trying to find ways to reduce, not increase, the number of items I need to take with me every day. Do I want to add another one? No, thank you.
Better options are available in the modern world
We can and must do better. The methods to secure authentication are out there; they are available right now. Transitive trust and identity proofing, for example, are groundbreaking developments that can remove the issues that come from using security keys.
Transitive trust ensures that all transactions are conducted on a trusted service, using a trusted device, under the control of a trusted user. This removes the dependency on easily phished factors such as passwords, one-time passcodes, or push messages.
To finish, the cybersecurity industry must adapt to modern advancements and adopt keyless technology to open itself up to a truly secure future.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Al Lakhani is the founder and CEO of IDEE.