Some of my FIDO2 security keys
Multi-factor authentication
Typically, when working with any computer resource, you first have to prove your (user) identity (authentication) so that your privileges can be checked (authorization). Because passwords (which only you should know) can be leaked, lost or hacked, the concept of multi-factor authentication (MFA) is often applied. It combines two or more of the following factors.
- Something you know: This is typically a password or (banking) PIN / TAN.
- Something you have: Anything reliably identifiable in your possession. This is where security keys come in, as do TOTP codes. In banking, it is your credit card.
- Something you are: Typically, this is your fingerprint or iris, sometimes your voice.
- Somewhere you are: Sometimes your location, or an indicator of it such as the network, a specific (identified) trusted computer or similar, can be used.
FIDO2 security keys
Last year, I started to use FIDO2 security keys as a second factor, in some cases even for passwordless logins. There are different FIDO2 keys available and I get asked which to buy or use. Pictured above are four of my keys. Let me quickly introduce them and what they do:
- The eWBM Goldengate G310 has a plastic housing, is FIDO2 L2 certified, can store 3 fingerprints for biometric authentication and has a USB-A plug.
- The FEITIAN BioPass FIDO2 K27 has a metal casing, is FIDO2 L1 certified, can store many fingerprints (I have 6 on mine) and features a USB-A plug.
- The big black key is a FEITIAN BioPass / AllInPass FIDO2 (K33). It is FIDO2 L1 certified, features biometric authentication and has USB (via adapter cable), Bluetooth and NFC connectivity.
- Last but not least, the SoloKeys Solo USB-A is a PCB with a changeable plastic case, based on open-source firmware and hardware. It does not have a biometric sensor and is "tap-only". The Solo key is FIDO2 L1 certified and has a USB-A plug.
There are many other vendors, and even those mentioned above have more models available. You can pick from button-only or biometric support, choose USB, Bluetooth or NFC connectivity, and different casings. Some of the keys have extra functionality on board or in the form of additional software. You are spoilt for choice...
(My) Best practices
Once you have a FIDO2 security key, ideally two or three, you need to configure your accounts. Unfortunately, there are still many services which do not support FIDO2 or FIDO U2F, or even any reasonable form of 2FA. Anyway, here is what I try to apply to important accounts.
- Disable and remove any phone numbers. They can be faked and hacked.
- Enable TOTP and ideally configure it in two managers (devices). Store the printed backup codes in my fire-resistant and waterproof document vault (from my time in California).
- Configure two (or more) FIDO2 security keys.
When combining the account password with a USB key which I need to touch, or even activate with my fingerprint, I have two- or three-factor authentication in place.
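As an added illustration (not code from this post), here is how a relying party tells a plain key touch from a fingerprint-verified touch when it checks a FIDO2/WebAuthn assertion: the authenticator data carries a user-present (UP) flag and a user-verified (UV) flag, alongside the RP ID hash and a signature counter. The authenticatorData bytes and the hostname example.com are constructed for the demonstration, and the assertion signature is assumed to have been verified already.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: the key checked a PIN or biometric (fingerprint)

def parse_authenticator_data(auth_data):
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {"rp_id_hash": auth_data[:32], "up": bool(flags & FLAG_UP),
            "uv": bool(flags & FLAG_UV), "sign_count": sign_count}

def check_assertion(auth_data, rp_id, last_sign_count, require_uv):
    """Policy checks a relying party applies once the assertion signature is
    verified. rpIdHash must be SHA-256(rp_id), so an answer given for another
    site is rejected; UP must be set (the key was touched: something you have);
    with require_uv (passwordless) UV must be set too (the key itself checked a
    fingerprint or PIN); and the signature counter must increase, because a
    stalled counter suggests a cloned key. Returns (ok, reason)."""
    f = parse_authenticator_data(auth_data)
    if f["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not f["up"]:
        return False, "user presence flag not set"
    if require_uv and not f["uv"]:
        return False, "user verification required but not performed"
    if (f["sign_count"] or last_sign_count) and f["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"

def make_auth_data(rp_id, flags, sign_count):
    """Build a constructed authenticatorData prefix (no credential data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    tap_only = make_auth_data("example.com", FLAG_UP, 7)             # constructed: key only touched
    biometric = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)  # constructed: fingerprint verified
    print(check_assertion(tap_only, "example.com", 6, require_uv=False))    # (True, 'ok'), fine as 2nd factor
    print(check_assertion(tap_only, "example.com", 6, require_uv=True))     # rejected for passwordless login
    print(check_assertion(biometric, "example.com", 6, require_uv=True))    # (True, 'ok')
    print(check_assertion(biometric, "other.example", 6, require_uv=True))  # rpIdHash mismatch
```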