Google Study Finds Best MFA Solution in a Tiny Package
By: Jim Stickley and Tina Davis
September 29, 2017
Cybersecurity experts increasingly agree that even a complex password is no longer adequate to protect our information in online accounts. Passwords continue to be reused across multiple sites, and getting a text message with a one-time code isn’t always an option. Google wanted to find the multi-factor authentication (MFA) method that best covered these weaknesses. In a two-year study of over 50,000 of its own employees, it found that using a tiny security key in addition to a password was the best option.
A U2F (universal second factor) key is a small device, about the size of a normal house key, that is inserted into your computer’s USB slot. It provides a “cryptographic assertion” that is very difficult, if not impossible, to crack or phish when it’s active. It’s better than text codes for various reasons; one is that a text sent to a smartphone sometimes just isn’t an option. For example, if you travel, you may not have access to receive text messages; your battery may be dead; or something else may prevent you from receiving a text code.
In addition, even these one-time codes can be phished or intercepted by cyberthieves. Smartcards are another MFA solution, but they require some additional hardware or a dedicated computer to work. That rules them out as a reasonable solution for our “on-the-go” society. Google found the keys to be the best solution because they are easy for end users to use, the technology is easy for developers to integrate into websites and hardware, and they are really small and lightweight. They fit on a keychain or in your wallet.
For $15-50, anyone can get one of these U2F keys. Which key works for you depends on the sites you use it with. Several manufacturers make them, and more and more sites are supporting them all the time. Google, Dropbox, Salesforce, LastPass, and, as recently announced, Facebook all support them. Facebook is an important one. How many times do you create an account that allows you to log in using your Facebook account? Although using that account to log in to other sites is not normally recommended, doing so is much more secure if you have the security key as well.
Chrome and Opera browsers have supported U2F technology for a while, and Firefox has since the end of 2016. While there are keys available that support near field communication (NFC) technology such as RFID, most mobile sites do not yet support U2F. This is soon to come, however.
Another bonus of using a security key to log into sites such as Facebook? If you don’t get the request to insert your key, it’s easier to see that it might be a phishing attack. That’s a good argument for these little devices. After all, phishing is still the most common way that credentials get stolen or malware lands on devices.