Google, Yubico Security Keys May Lead to End of Passwords

Sweden-based Yubico, in business for 10 years, debuted its latest online security product, YubiKey 5, a device that plugs into a computer to authenticate the user with a “handshake” that is more secure than a password or authentication code. Google has come out with a similar device, the Titan Key. Both devices can also be used with some smartphones, either by plugging into a port or via wireless communication. These keys are the first arrivals in an Internet security strategy that might displace the password.

The Wall Street Journal tested both keys, which are known as a “second factor” in Internet security. The first factor is always the password, with the second authentication usually a code “sent to or generated by your phone.” Second factor authentication has been necessary because “passwords are a disaster.” Google researchers estimated that “3.3 billion credentials were exposed by breaches between March 2016 and March 2017.” Since so many users re-use passwords, “any breach can ripple across your entire Internet life,” which is why secondary authentication is so widely recommended.

But, says WSJ, “a security key is the most secure two-factor device you’ll find, though it’s probably overkill for most people.” Its reviewer gives a thumbs-up to both the YubiKey 5 and Google Titan Key, which cost between $20 and $60, come “in multiple sizes and USB types,” and “work most seamlessly with computers.”

They are also compatible with Android smartphones, although “Yubico is working on a product for Apple’s Lightning port.” Security keys use public-key cryptography to verify the user’s identity and “don’t send anything sensitive over the Internet.” Gmail, Dropbox and Facebook already support security keys.

The way it works is that, “the app sends a secret code only you can identify, when your ‘private key’ decrypts it and then encodes a reply message and sends it back — a thumbs-up that you are who you claim.” Such keys can also help protect users from phishing, because the key will not allow you to log in if the page isn’t the official one. If a key is stolen, “hackers can’t turn it against you unless they know your passwords, too.”
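The login exchange described above, as an added JavaScript (Node.js) example that is not from the article, Yubico or Google: a simplified model, not the real FIDO wire format, in which the key signs the site's random challenge together with the page origin. The class names, the user name and both origins are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");
// The signed bytes: the origin reported by the browser plus the site's random challenge.
const payload = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, "utf8"), Buffer.from([0]), challenge]);
// Model of the hardware key: one key pair per origin, private halves never exported.
class SecurityKey {
  constructor() { this.privateKeys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.privateKeys.set(origin, privateKey);
    return publicKey; // only the public half goes to the site
  }
  sign(origin, challenge) {
    const privateKey = this.privateKeys.get(origin);
    if (!privateKey) return null; // no credential for this origin: nothing is signed
    return nodeCrypto.sign("sha256", payload(origin, challenge), privateKey);
  }
}

// Model of the site: stores public keys and issues single-use challenges.
class Site {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // a challenge is accepted at most once
    const publicKey = this.publicKeys.get(user);
    if (!challenge || !publicKey || !signature) return false;
    return nodeCrypto.verify("sha256", payload(this.origin, challenge), publicKey, signature);
  }
}
function runScenarios() {
  const REAL = "https://accounts.example", FAKE = "https://accounts-example.test"; // constructed
  const key = new SecurityKey(), site = new Site(REAL);
  site.enroll("alice", key.register(REAL));
  const first = key.sign(REAL, site.newChallenge("alice"));
  const genuine = site.verify("alice", first); // login on the official page
  const lookalikeRefused = key.sign(FAKE, site.newChallenge("alice")) === null;
  key.register(FAKE); // even a credential created for the lookalike page does not help
  const relayed = site.verify("alice", key.sign(FAKE, site.newChallenge("alice")));
  site.newChallenge("alice");
  const replayed = site.verify("alice", first); // old signature against a fresh challenge
  return { genuine, lookalikeRefused, relayed, replayed };
}
```

Only the login on the official origin verifies; a response produced for the lookalike origin and a replayed earlier response are both rejected by the site.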

FIDO (Fast Identity Online) Alliance executive director Brett McDowell said that passwords are “too entrenched” to go away soon, but they are “losing their value as a credential with every passing year.” The device that provides better security in the future will likely not always be a key, however, but rather “any device that works over USB, NFC or Bluetooth [and] is currently supported by FIDO’s technology,” from a chip inside the phone or laptop to fingerprints or facial recognition.