Though once considered one of the best security methods, the modern consensus is that passwords have none of the advantages and all of the disadvantages of the other available options. Passwords are a hassle to use, and are still vulnerable to hackers all over the world.
That’s why the tech industry is frantically searching for alternatives to the password, and why security keys have emerged as one of the leading contenders. The technology prevents someone from gaining access to an account unless they have a registered item, and in doing so effectively thwarts fraudsters that would try to attack a system remotely. Security keys are also easy to use, and can usually be plugged directly into a workstation to speed up the login process.
At the moment, however, security keys are making headlines because a new generation of biometric security keys is finally starting to hit the market. BIO-key’s new line of FIDO-keys included a biometric offering when it debuted in September, and Yubico followed suit with the launch of its own long-awaited YubiKey Bio Series earlier this month. The BIO-key and Yubico products come with a built-in fingerprint sensor, and suggest that fingerprint recognition is poised to be the most popular modality as more competitors arrive.
In any case, the biometric keys are landing in a security key market that is already flush with non-biometric options. The question, then, is whether or not the new keys are worth the expense. What do biometric keys do that more traditional keys don’t, and is it time to make the upgrade in your personal and professional life?
What Happens When You Assume?
In technical terms, a security key is a “what you have” authenticator, which is to say that it verifies your identity based on your ownership of a physical item. A system will register your security key and link it to your digital account, and will assume that you are present the next time anyone tries to log in with that key.
The problem, of course, lies in that assumption. While you are the person most likely to be in possession of your own key, the system ultimately only recognizes the key, and not the identity of the person holding it. In that regard, a security key operates much like a traditional house key that can be lost or stolen. Just as a burglar could swipe your key and use it unlock your front door, a cybercriminal becomes indistinguishable from a legitimate account holder if they manage to get their hands on the right security token.
That’s why many businesses do not rely on security keys as a sole authentication factor. Some will pair a key with a biometric (a “what you are” authenticator), though that often requires dedicated biometric hardware, such as a facial recognition camera or a fingerprint scanner. Others will still ask for a password (a “what you know” authenticator), which, though vulnerable, can serve as a backstop when a key goes missing.
Having said that, a password negates one of the primary benefits of a passwordless authenticator. People still need to remember dozens of passcodes, and still need to go through the trouble of typing them in whenever they want to access an account.
The Benefits of Biometrics
The new biometric security keys are designed to address that problem. They deliver the security benefits of multi-factor authentication without requiring any additional hardware, and while eliminating the inconvenience of passwords. End users get both a biometric scanner and a security key in one convenient package, and have access to two fully passwordless modalities.
The result is a strict security upgrade over a non-biometric key. A cybercriminal would not be able to use a stolen biometric security key because they would not be able to spoof the biometric scan (at least not without considerable cost and effort), so biometric keys close the one major security gap associated with physical security tokens.
The benefits are not quite as obvious when it comes to utility. Regardless of the intention, a biometric scan still adds a step to the authentication process. That means that logging in with a biometric key will take a bit more time (and is therefore less convenient) than it is when a non-biometric key is used as a sole authentication factor.
However, that disadvantage disappears if the non-biometric key is being supplemented with an additional authenticator like a password. A biometric scan is usually easier than remembering and typing a string of letters, numbers, and symbols, and a fingerprint cannot be bested with a brute force attack. That makes it more convenient than a traditional key in any situation that requires multi-factor authentication.
Just Looking for My Keys
That’s not to say that biometric keys are perfect. A biometric security key is still a relatively small piece of hardware. Such items have always been easy to misplace, and that doesn’t change when you add a fingerprint sensor to the design. There’s probably no way to fix that problem as long as human beings continue to leave things lying around.
Even so, biometric keys are a strong authentication option with a solid form factor that provide more security and a better user experience than many of the products currently on the market. The technology is not necessarily mandatory – there are other paths to cybersecurity – but there is plenty to recommend (and few downsides) if you are looking to make an upgrade. In all likelihood, biometric keys will eventually phase out their non-biometric predecessors, so a good security key should be able to help keep you safe for many years to come.
(Originally posted on FindBiometrics)