Second-factor security keys of the kind the FIDO Alliance advocates are valuable tools for securing user devices, a new report from Google suggests. A research team at the company has just concluded a two-year study of the devices and published its findings in a report entitled Security Keys: Practical Cryptographic Second Factors for the Modern Web.
The team’s research revolved around the use of small USB dongles, but its findings apply just as well to wireless dongles based on NFC or Bluetooth Low Energy. The researchers gave these security keys to 50,000 Google employees and assessed how easy they were to use and how effectively they provided secure authentication.
Summarizing their results in a post on the FIDO Alliance website, the researchers conclude that compared to authentication based on passwords, mobile OTP systems, and two-step verification via SMS, “Security Keys provide the strongest security with the best mix of usability and deployability.” The researchers found “zero authentication failures” with the security keys, and on the ease-of-use front they “received many instances of unsolicited positive feedback.”
The researchers say that Google’s work is guided by an ethos of making “data-driven decisions based on statistical and empirical verification,” and it looks like that analytical rigor will push the company to a deeper embrace of FIDO-based security keys, given their findings.