Exposing the Cybersecurity Industry’s Pointless Fixation on Security Keys

Industries around the world are embracing keyless technology and relying on modern technology and biometrics to make life easier, but more importantly, to eliminate unnecessary security options.

For example, companies like SwitchBot and Tuya offer technology that allows customers to unlock their home via biometrics on the lock itself.

But that doesn’t apply to the cybersecurity industry.

Consider this: The cybersecurity industry, which should be at the forefront of innovation, continues to advocate for the use of physical keys to strengthen cybersecurity.

Let’s dive into the world of security keys. Despite the name, these keys can bring a lot of security issues.

Al Lakhani

Security keys leave cyber doors wide open

Authentication may be just one of many components of the identity lifecycle, but it must be protected against credential phishing, password-based attacks, and MFA bypasses. The processes of enrollment, adding a second device, and recovery each give criminals an avenue to execute an account takeover, so this is a critical part of an organization’s cybersecurity and must be protected at all costs.

The problem with security keys like Yubico’s YubiKey 5 series, however, is that they don’t mitigate the risks of credential phishing, password-based attacks, and MFA bypasses.

Firstly, login details and passwords are needed to register the security key for each individual account, and these credentials are easy to breach. For example, here at IDEE we recently conducted a study that found that stolen credentials were responsible for 35% of the cyberattacks faced by the 61% of UK businesses that were affected in 2023. It was the most common cause, yet security keys do not prevent such attacks.

To make matters worse, companies that use security keys often issue backup keys in case the first one is lost or stolen. More keys means more weaknesses and more attacks, yet “responsible” cybersecurity providers continue to bury their heads in the sand and pretend that they are improving security, not worsening it.

This approach can mitigate some password-based attacks, but the industry needs to wake up and realize that using passwords and multiple authentication factors makes the criminal’s job easier. Right now, they’re giving criminals a supermarket pick-and-mix of attack vectors, and their businesses are suffering the consequences.

Additionally, if the user logs into their account with a password and then loses that key or has it stolen, their account is immediately at risk. The risk is greater still if that user’s credentials have already been compromised: a cybercriminal can simply insert the key into a new device, enter the password, and gain access without anyone knowing.

Another problem is that many security key companies, such as Yubico, have now developed their own cryptographic libraries to provide practical implementations of cryptographic algorithms and protocols. These new libraries are likely to be less secure than well-tested offerings such as Python, creating an even wider attack surface.

Now we have to move on to another problem that arises from security keys: the hardware. New hardware requirements are released all the time; however, the hardware in security keys cannot be upgraded. The only answer that companies have is to buy completely new hardware every time.

Firmware is no better. Complex PIN codes are now being rolled out as an additional security measure, but the firmware on security keys cannot support them. Add to this their very limited storage capacity, which, again, cannot be upgraded, and it is clear that security keys do not provide the security or functionality that companies need to truly harden their systems.

Unfortunately, the financial side of things does not make for easier reading either.

A YubiKey 5 Series security key from Yubico costs €75, excluding VAT. Given the recommendation that each user have two security keys, businesses are looking at spending around €200 per person. That is just to buy the keys; businesses still have to ship them to employees worldwide, adding yet another cost to an ever-growing list.

This brings me to another issue. Higher costs aren’t the only price to pay for implementing security keys as your go-to cyber defense – there are also a host of practical and logistical issues.

Chief Information Security Officers (CISOs) are some of the brightest minds in our industry. They should be spending all their time putting their expertise to good use and focusing on building impenetrable cyber defenses. For companies that use security keys, that is not the reality.

The truth is that CISOs at these companies are becoming de facto logistics managers, spending ridiculous amounts of time ordering and shipping security keys to every employee. This is an unforgivable waste of talent that companies should be nurturing to ensure their cyber defenses are world-class.

If cost and wasted resources are the price of adopting security keys, you would at least hope that the user experience would be improved. It is not.

Many people use laptops with blocked USB ports for security reasons. Should IT departments be expected to open all of these ports?

From a more practical point of view, there is no need to carry another set of keys; we have devices that can do the same thing. I consciously try to find ways to reduce the number of things I have to carry every day, not increase them. Do I want to add another one? No, thank you.

There are better options available in the modern world

We can and must do better. The means of securing your organization exist and are available now. Transitive trust and identity proofing, for example, are groundbreaking developments that can eliminate all the problems that arise from the use of security keys.

Transitive trust ensures that all transactions are performed on a trusted service, using a trusted device, under the control of a trusted user. This removes the reliance on easily phished factors such as passwords, one-time passcodes, or push notifications.

Finally, the cybersecurity industry must adapt to modern developments and embrace keyless technology to prepare itself for a truly secure future.


This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of Ny BreakingPro or Future plc. If you’re interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
