In August, the internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies. While some Cloudflare employees were tricked by the phishing messages, the attackers couldn’t burrow deeper into the company’s systems. That’s because, as part of Cloudflare’s security controls, every employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company announced a collaboration with the hardware authentication token-maker Yubikey to offer discounted keys to Cloudflare customers.
Cloudflare wasn’t the only company high on the security protection of hardware tokens, though. Earlier this month, Apple announced hardware key support for Apple IDs, seven years after first rolling out two-factor authentication on user accounts. And two weeks ago, the Vivaldi browser announced hardware key support for Android.
The protection isn’t new, and many major platforms and companies have for years supported hardware key adoption and required that employees use them as Cloudflare did. But this latest surge in interest and implementation comes in response to an array of escalating digital threats.
“Physical authentication keys are some of the most effective methods today for protecting against account takeovers and phishing,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “If you think about it as a hierarchy, physical tokens are more effective than authentication apps, which are better than SMS verification, which is more effective than email verification.”
Hardware authentication is very secure, because you need to physically possess the key and produce it. This means that a phisher online can’t simply trick someone into handing over their password, or even a password plus a second-factor code, to break into a digital account. You already know this intuitively, because this is the whole premise of door keys. Someone would need your key to unlock your front door—and if you lose your key, it’s usually not the end of the world, because someone who finds it won’t know which door it unlocks. For digital accounts, there are different types of hardware keys that are built on standards from a tech industry association known as the FIDO Alliance, including smart cards that have a little circuit chip on them, tap cards or fobs that use near-field communication, or things like Yubikeys that plug into a port on your device.
You likely have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens it would be difficult to manage physical keys for all of them. But for your most valuable accounts and those that are a fallback for other logins—namely, your email—the security and phishing resistance of hardware keys can mean significant peace of mind.
Meanwhile, after years of work, the tech industry finally took major steps in 2022 towards a long-promised passwordless future. The move is riding on the back of a technology called “passkeys” that are also built on FIDO standards. Operating systems from Apple, Google, and Microsoft now support the technology, and many other platforms, browsers, and services have adopted it or are in the process of doing so. The goal is to make it easier for users to manage their digital account authentication so they don’t use insecure workarounds like weak passwords. As much as you might wish it, though, passwords aren’t going to disappear anytime soon, thanks to their sheer ubiquity. And amid all the buzz about passkeys, hardware tokens are still an important protection option.
“FIDO has been positioning passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair characterization,” says Jim Fenton, an independent identity privacy and security consultant. “While passkeys will probably be the right answer for many consumer applications, I think hardware-based authenticators will continue to have a role for higher-security applications, like for staff at financial institutions. And more security-focused consumers should also have the option to use hardware-based authenticators, particularly if their data has previously been breached, if they have a high net worth, or if they are just concerned about security.”
While it may feel daunting at first to add one more best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you’ll get plenty of mileage from just using them on a couple of, ahem, key accounts.