After a two-year study, Google is lauding the use of USB cryptographic keysticks as a way to authenticate identity online, preventing phishing and man-in-the-middle attacks and securing both individual accounts and the enterprise to which they belong.
The keys provide a so-called second factor, or strong authentication: something the user possesses, in addition to the password they know, that proves their identity online.
“While no option is perfect, we found that Security Keys provide the strongest security with the best mix of usability and deployability,” wrote Google researchers in a newly published white paper reporting and analyzing the results of the two-year deployment of the keys for the company’s 50,000-plus workforce.
“The devices are simple to implement and deploy, simple to use, privacy preserving, and secure against strong attackers,” add the researchers — Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, and Sampath Srinivas.
They note that the security benefits are difficult to quantify, since they involve a benefit that “can only be measured in terms of what did not happen” — i.e. phishing and other account-takeover attacks that were unsuccessful.
Even before the study was finished, Google liked the keys so much it wrote code to let its customers add them to the logon process for email and other online services the company offers.
The keys, they found, “lead to both an increased level of security and user satisfaction.” The devices have been deployed not only by Google, but by Dropbox and GitHub, as well.
The researchers compared the keys with alternative second factors — including one-time passwords, or OTPs, sent to mobile phones through SMS text messages.
The keys were quicker and more reliable, the researchers found. Total average time spent logging on with Security Keys dropped by nearly two-thirds compared with using an OTP delivered by SMS.
“Virtually all of this time savings directly benefits users, which may account for the overwhelmingly positive reaction,” write the researchers.
The keys also suffered no authentication failures — when the user does everything right but the login still fails. The failure rate for OTP-based authentications was 3 percent.
Finally, the researchers say, Google saved money through the deployment, despite the additional costs of the hardware.
“Our [IT] support organization estimates that we save thousands of hours per year by using Security Keys instead of OTPs for authentication,” they write. Google issued one key per computer or about two per employee. “With the associated boost in user productivity and lower support cost, we felt this was worth the extra hardware cost,” the researchers say, noting that “multiple vendors provide Security Keys at different prices – some as low as $6.”
The keys’ design has been standardized by the FIDO Alliance, an organization with more than 250 member companies spanning the internet industry.
The FIDO Alliance promotes two open standards that use hardware devices to either replace or supplement passwords (UAF for passwordless login and U2F for a second factor; the Security Keys in Google's study are U2F devices). The device can be a USB keystick or a smartcard; a specially secured chip in a smartphone or tablet; or even a fingerprint reader or iris scanner attached to a laptop.
FIDO-enabled devices employ public-key cryptography to guarantee security: the private key is physically bound to the specially secured chip inside the smartphone, keystick or other hardware, and never leaves it. Each registration creates a key pair tied to the web origin it was registered for, and when the user logs in the device signs a server-supplied challenge together with the origin the browser actually saw, so a signature obtained by a look-alike phishing site is useless against the real one. The only way for an attacker to log in as the user is to get physical possession of the device, according to FIDO.
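To make the origin binding concrete, here is an added example (not code from the white paper, Google, or the FIDO Alliance) that models the U2F authentication flow in Go with the standard library: a token holding the per-origin private keys, a browser that fills in the origin the page was really loaded from, and a relying party that verifies the signature. The signed data layout (application parameter, user-presence byte, counter, challenge parameter) follows the U2F format; the token's key storage, the origins, the handle scheme and the names `Token`, `BrowserSign`, `RelyingParty` and `Scenario` are simplifications chosen for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Token models a Security Key: private keys are created here and never leave.
// Keys are indexed by (application parameter, key handle), so a handle only
// works for the origin it was registered under.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // monotonic signature counter, lets the RP spot a cloned key
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

func slot(appParam [32]byte, handle []byte) string { return fmt.Sprintf("%x:%x", appParam, handle) }

// Register creates a fresh P-256 key pair bound to appParam and returns the
// public key plus an opaque handle; the private key stays inside the token.
func (t *Token) Register(appParam [32]byte) (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	handle := make([]byte, 16)
	if _, err := rand.Read(handle); err != nil {
		return nil, nil, err
	}
	t.keys[slot(appParam, handle)] = priv
	return &priv.PublicKey, handle, nil
}

// signedData is the U2F authentication message:
// appParam(32) || userPresence(1) || counter(4, big-endian) || challengeParam(32).
func signedData(appParam [32]byte, counter uint32, challengeParam [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, appParam[:]...)
	msg = append(msg, 0x01) // user presence confirmed (button touched)
	msg = append(msg, ctr[:]...)
	return append(msg, challengeParam[:]...)
}

// Authenticate signs the challenge with the key registered for appParam, or
// refuses if this handle was never registered for that application.
func (t *Token) Authenticate(appParam [32]byte, handle []byte, challengeParam [32]byte) (uint32, []byte, error) {
	priv, ok := t.keys[slot(appParam, handle)]
	if !ok {
		return 0, nil, errors.New("token: key handle is not registered for this application")
	}
	t.counter++
	digest := sha256.Sum256(signedData(appParam, t.counter, challengeParam))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return t.counter, sig, err
}

type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// BrowserSign is the client between page and token. It records the origin the
// page was actually loaded from; page script cannot substitute another one.
func BrowserSign(t *Token, pageOrigin string, handle []byte, challenge string) ([]byte, uint32, []byte, error) {
	cd, _ := json.Marshal(clientData{"navigator.id.getAssertion", challenge, pageOrigin})
	appParam := sha256.Sum256([]byte(pageOrigin)) // simplification: appId == origin
	counter, sig, err := t.Authenticate(appParam, handle, sha256.Sum256(cd))
	return cd, counter, sig, err
}

// RelyingParty is the web service holding only the public key and handle.
type RelyingParty struct {
	Origin      string
	pub         *ecdsa.PublicKey
	handle      []byte
	lastCounter uint32
	pending     string // outstanding challenge, one per login attempt
}

func (rp *RelyingParty) Verify(cd []byte, counter uint32, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: signed for %q", c.Origin)
	}
	if c.Challenge != rp.pending {
		return errors.New("unexpected challenge (replay?)")
	}
	if counter <= rp.lastCounter {
		return errors.New("counter did not increase (cloned token?)")
	}
	appParam := sha256.Sum256([]byte(rp.Origin))
	digest := sha256.Sum256(signedData(appParam, counter, sha256.Sum256(cd)))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	rp.lastCounter = counter
	return nil
}

func newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// Scenario registers a key, performs a genuine login, then has a look-alike
// phishing page relay the real handle and challenge. Returns both outcomes.
func Scenario() (genuineErr, phishErr error) {
	tok, rp := NewToken(), &RelyingParty{Origin: "https://accounts.example.com"}
	pub, handle, err := tok.Register(sha256.Sum256([]byte(rp.Origin)))
	if err != nil {
		return err, nil
	}
	rp.pub, rp.handle = pub, handle

	rp.pending = newChallenge()
	cd, ctr, sig, err := BrowserSign(tok, rp.Origin, rp.handle, rp.pending)
	if err != nil {
		return err, nil
	}
	genuineErr = rp.Verify(cd, ctr, sig)

	// Phisher's page (constructed origin) forwards the real RP's challenge and handle.
	rp.pending = newChallenge()
	_, _, _, phishErr = BrowserSign(tok, "https://accounts-example.com.evil.test", rp.handle, rp.pending)
	return genuineErr, phishErr
}

func main() {
	g, p := Scenario()
	fmt.Println("genuine login error:", g)
	fmt.Println("phishing attempt error:", p)
}
```

The phishing attempt fails inside the token, because the handle is bound to the application parameter of the real origin; and even a token that signed anyway would produce a signature over client data naming the phishing origin, which `Verify` rejects before checking the signature. Those two checks, plus the counter comparison, are what let the white paper's authors describe the keys as secure against strong attackers without any secret ever leaving the device.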