Before You Get a Physical Security Token – What You Need to Know

Shimrit Tzur-David | August 2, 2018

Last week Google announced that it will create its own physical universal second-factor authenticator built on the standards of the FIDO Alliance (Fast Identity Online).

FIDO was designed to put an end to the tradeoff between fast, easy access on the one hand and robust authentication security on the other. With the authentication scheme growing in popularity, several hardware manufacturers such as Yubico and Feitian have begun to produce devices that use FIDO’s protocols.

Google’s new Titan security key provides a higher level of security by adding a real-world factor to the authentication process. It also makes authentication smoother and more user-friendly.

Despite the benefits of Google’s new solution and others like it, there are a few drawbacks to the system that organizations need to take into account.

Cost

Titan shares the disadvantage of other hardware tokens in that each user needs to be provided with a personal device. Setting up one employee with the Google system costs between $20 and $50. Managers will also have to factor in replacing lost or damaged devices over time.

Re-Enrollment

Independent user reviews have already pointed out that the Titan system can become a serious liability for an account if the security key is lost or unavailable. This is particularly problematic when the user is unable to purchase a replacement token. Mobile users in particular run a higher risk of being locked out when they are not near their devices. The need to re-enroll an employee who gets locked out will hurt productivity.

Usability

Google Titan, like other security keys on the market, uses Bluetooth to connect to a computer. Bluetooth Low Energy (BLE) is an active protocol that requires a device with its own power source. This means that keys will need to be recharged regularly and the user will need a USB-C cable for this purpose. Why Google chose BLE instead of NFC remains a mystery.

Doesn’t Eliminate Passwords

Most solutions based on FIDO protocols do not eliminate the need for passwords completely; they fall under the category of Universal Second Factor (U2F). Titan’s scheme, and that of similar tools, uses the security key as the second factor only and still requires the user to remember a PIN or personal code.

Proof of Presence

An attribute often touted as one of the main advantages of hardware tokens is that they provide proof of presence. Indeed, proof of presence is an essential component of effective authentication for two important reasons. From a general security perspective, it proves that the user is in proximity to a trusted device and is not an attacker trying to gain access remotely. For employers, it confirms that workers are on site and accessing information from a secure environment.

What is almost always overlooked is that users do not need hardware tokens to achieve proof of presence. Other solutions, including software tokens, can provide this feature as well.
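To make "proof of presence" in the U2F second-factor flow discussed above concrete, here is an added example (Go, written for this page; it is not code from the article, from Google or from any key vendor) of the relying-party side of a U2F-style authentication. The token signs SHA-256(appID) || flags || counter || SHA-256(clientData); bit 0 of the flags byte is the user-presence flag that the key sets only after a physical touch, and the client data carries the challenge and the origin the browser saw. The `rp.example` origin, the challenge string, the simulated token and the four scenarios are constructed for the example. The example uses one string for both appID and origin; real U2F matches the origin against the appID's allowed facets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Constructed relying-party values for this example (not from the article).
const appID, challenge = "https://rp.example", "constructed-random-challenge"

// clientData is the JSON the browser hands the token; its SHA-256 is signed.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// AuthResponse is what the relying party receives from the browser.
type AuthResponse struct {
	ClientData []byte // raw JSON
	AuthData   []byte // flags byte || 4-byte big-endian counter
	Signature  []byte // ECDSA P-256 over SHA-256, ASN.1 DER
}

// signedBytes rebuilds the token's input: SHA-256(appID) || flags || counter || SHA-256(clientData).
func signedBytes(authData, cd []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	return append(append(app[:], authData...), cdh[:]...)
}

// VerifyAuth is the relying-party check; on success it returns the new counter to persist.
func VerifyAuth(pub *ecdsa.PublicKey, lastCounter uint32, r AuthResponse) (uint32, error) {
	var cd clientData
	if json.Unmarshal(r.ClientData, &cd) != nil || cd.Typ != "navigator.id.getAssertion" || cd.Challenge != challenge {
		return 0, errors.New("client data malformed, wrong type or challenge mismatch")
	}
	// The origin the browser saw is inside the signed data, so a response made for another origin fails here.
	if cd.Origin != appID {
		return 0, errors.New("origin is not this relying party")
	}
	// Bit 0 of the flags byte is user presence: set by the key only after a touch (proof of presence).
	if len(r.AuthData) != 5 || r.AuthData[0]&0x01 == 0 {
		return 0, errors.New("authenticator data malformed or user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(r.AuthData[1:])
	if counter <= lastCounter {
		return 0, errors.New("counter did not advance")
	}
	digest := sha256.Sum256(signedBytes(r.AuthData, r.ClientData))
	if !ecdsa.VerifyASN1(pub, digest[:], r.Signature) {
		return 0, errors.New("signature invalid")
	}
	return counter, nil
}

// simulateToken stands in for the hardware key in this example: sets the presence bit as asked, stamps the counter, signs.
func simulateToken(priv *ecdsa.PrivateKey, origin string, present bool, counter uint32) (AuthResponse, error) {
	cd, _ := json.Marshal(clientData{"navigator.id.getAssertion", challenge, origin})
	auth := make([]byte, 5)
	if present {
		auth[0] = 0x01
	}
	binary.BigEndian.PutUint32(auth[1:], counter)
	digest := sha256.Sum256(signedBytes(auth, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return AuthResponse{cd, auth, sig}, err
}

// RunScenarios enrols one constructed key and reports, per scenario, whether the relying party accepted it (last seen counter: 6).
func RunScenarios() (map[string]bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cases := []struct{ name, origin string; present bool; counter uint32 }{
		{"genuine touch", appID, true, 7},
		{"no touch", appID, false, 8},
		{"other origin", "https://other.example", true, 9},
		{"stale counter", appID, true, 3},
	}
	results := make(map[string]bool, len(cases))
	for _, c := range cases {
		resp, err := simulateToken(priv, c.origin, c.present, c.counter)
		if err != nil {
			return nil, err
		}
		_, err = VerifyAuth(&priv.PublicKey, 6, resp)
		results[c.name] = err == nil
	}
	return results, nil
}
```

Only the "genuine touch" scenario is accepted: a response without the presence bit, one whose signed client data names a different origin, and one whose counter has not advanced past the stored value are all rejected before or at signature verification. The counter check is what lets a relying party notice a duplicated key, which is why the new counter must be stored after every successful login.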

Security

One of the major vulnerabilities of all solutions harnessing FIDO is that the mechanism still relies on Public Key Infrastructure (PKI). While portraying themselves as categorically more secure than standard authentication, Titan and other such solutions are still plagued by the weaknesses of other PKI-based platforms, including Man-in-the-Middle attacks.

You Already Own A Cryptographic Token – Your Phone

The method that achieves the security strength of hardware tokens while circumventing their deficiencies is mobile-based push authentication.

This password-free solution follows a bring-your-own-device (BYOD) approach, using users’ personal phones as mobile authenticators. The benefits of this system are two-fold. First, BYOD eliminates the need to purchase additional hardware, saving both individual users and companies this heavy expense. Furthermore, while hardware tokens increase the chance of loss or theft of the authentication device, push notification authentication significantly diminishes this risk, as users are much more likely to keep their own personal phones secure.

Perhaps the biggest plus of push authentication is the impeccable user experience it provides. Push platforms execute the authentication automatically, requiring only that the user respond to a push notification from a secured server. This also gives push notifications their security edge, as they leverage the security infrastructure of tech giants like Google and Apple, through which the notifications are delivered.

These qualities have made push authentication one of the fastest growing authentication methods. The combination of usability and scalability in these platforms makes them the most suitable for deployment in today’s enterprises.