Security keys and zero trust
Max Saltonstall
Senior Developer Relations Engineer, Google Cloud
Priyanka Vergadia
Staff Developer Advocate, Google Cloud
A security key is a physical device that works alongside your username and password to verify your identity to a site or app. They provide stronger login protection than an authenticator app or SMS codes, and the same device can be used for many services, so you don't need to carry around a necklace of dongles and fobs.
Security Keys provide the highest level of login assurance and phishing protection.
In this issue of GCP Comics we are covering exactly that. Think of a Security Key as a way to protect yourself–and your company–from bad passwords and tricked users, as it stops fake sites from tricking people into logging in. Here you go!
A password alone turns out to be fairly minimal protection for an account, so we've seen many new options for 2-Step Verification (also called multi-factor authentication), a phrase meaning "more than just your username and password" to log in.
Getting a code by SMS or voice call is a little better than just a password, but you can still be fooled into feeding that code to a fake site, giving up your account credentials to an attacker. Backup codes and authenticator apps fall prey to the same malicious strategies, where an attacker harvests your info and then uses it to perform their own multi-factor authentication, gaining access to your account.
Only a security key can stop the cleverest of phishing attacks.
Why a security key over other multi-factor methods?
- A key must be registered in advance to a specific account, an action you take once to enhance the level of security for your sign in.
- The security key and the website perform a cryptographic handshake, and if the site doesn't validate the key's identity, including matching a previously registered URL, the login is stopped.
- Using open standards (FIDO) the same security key can be used for multiple sites and devices. You only need to carry one around, and they can be used for both personal and work accounts and devices.
- The firmware of Google Titan Security Keys is engineered to verify integrity, preventing any tampering.
- They come in all kinds of shapes and sizes, so you can get USB-A, USB-C, or NFC to match the use case that fits you best!
- In our experience deploying security keys to replace older forms of 2-Step Verification, we’ve seen both faster logins and fewer support tickets raised.