Tuesday, March 24, 2020

My best practices for 2FA and FIDO2 security keys

Some of my FIDO2 security keys
Since starting my journey (and blogs) with FIDO2 security keys, I got questions about how I use the keys and how I set up my various accounts for 2nd factor authentication. In this blog post, I am trying to address those questions and briefly discuss different types of FIDO2 keys. So let's get started...


Multi-factor authentication

Typically, when working with any computer resource, you first have to prove who you are (authentication), so that your privileges can be checked (authorization). Because passwords (which only you should know) can be leaked, lost or hacked, the concept of multi-factor authentication (MFA) is often applied. It combines two or more of the following factors:
  • Something you know: This is typically a password or (banking) PIN / TAN.
  • Something you have: Anything reliably identifiable in your possession. This is where security keys or TOTP codes come in. In banking, it is your credit card.
  • Something you are: Typically, this is your fingerprint or eye iris, sometimes your voice.
  • Somewhere you are: Sometimes, your location or an indicator of it, such as the network, a specific (identified) trusted computer or similar, could be used.
For security, we often only consider two factors (2FA), like a password and a key or a time-based one-time passcode (TOTP).

FIDO2 security keys

Last year, I started to use FIDO2 security keys as second factor, in some cases even for passwordless logins. There are different FIDO2 keys available and I get questions on which to buy or use. Pictured above are four of my keys. Let me quickly introduce them and what they do:
  1. The eWBM Goldengate G310 has a plastic housing, is FIDO2 L2 certified, can store 3 fingerprints for biometric authentication and has a USB-A plug.
  2. The FEITIAN BioPass FIDO2 K27 has a metal casing, is FIDO2 L1 certified, can store many fingerprints (I have 6 on mine) and features a USB-A plug.
  3. The big black key is a FEITIAN BioPass / AllInPass FIDO2 (K33). It is FIDO2 L1 certified, features biometric authentication and has USB (via adapter cable), Bluetooth and NFC connectivity.
  4. Last but not least, the SoloKeys Solo USB-A is a PCB with a changeable plastic case, based on open source firmware and hardware. It does not have a biometric sensor and is "tap-only". The Solo key is FIDO2 L1 certified and has a USB-A plug.
All keys need some setup to configure a PIN. That PIN is used as a second factor for some operations. All the vendors with biometric support ship software to manage the enrollment, i.e., to "upload" fingerprints. The eWBM tool is available on Mac and Windows, while the FEITIAN tool also supports Linux and works well on my Linux system.

There are many other vendors and even those mentioned above have more models available. You can pick from button-only or biometric support, choose USB, Bluetooth or NFC connectivity, and different casings. Some of the keys have extra functionality on board or in form of additional software. You are spoilt for choice...

(My) Best practices

Once you have a FIDO2 security key, ideally two or three, you need to configure your accounts. Unfortunately, there are still many services which do not support FIDO2 or FIDO U2F, or even any form of reasonable 2FA. Anyway, here is what I try to apply to important accounts.
  • Disable and remove any phone numbers. They can be faked and hacked.
  • Enable TOTP and ideally configure it in two managers (devices). Store the printed backup codes in my fire-resistant and waterproof document vault (from my time in California).
  • Configure two (or more) FIDO2 security keys.
In terms of FIDO2 keys, I use button-only keys like the Solo only in my (home) office. I carry a security key with biometric authentication on my keychain. The reason is that if I lose that key(chain), it is still of no use to anyone else because of the fingerprint protection.

When combining the account password with a USB key which I need to press or even activate using my fingerprint, I have two- or three-factor authentication in place.

Conclusions

I hope this write-up gave you a good overview of what types of FIDO2 security keys are available and how to apply them. If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.