A customer recently asked me about the Krebs story on Google using Yubikeys and eliminating phishing attacks. They wanted to know if it was real and if it is a technology they should be using?
For starters, two-factor-authentication — or more generally, multi-factor-authentication — is absolutely important — no longer can you detect phishing attacks by broken English. Attackers are very good at getting our passwords, and even if you manage to use different passwords at every website (something made easy with a password manager — which everyone should have), you probably rarely change them unless you’re forced to. As the article points out, there are many types of multi-factor-authentication: SMS (short message service), OTP (one time password) fobs and applications, and hardware keys.
A few months ago, I would have dismissed concerns about the strength of SMS authentication — while it was true that high-value targets like Government systems and Google were at risk (and hence why NIST no longer considers it acceptable) — it seemed to be sufficient for the average user. In the wake of the Reddit breach, I have reevaluated this position. Perhaps it is still the resourceful attackers like nation states that are able to intercept SMS, but if that is the case, their net is getting wide enough to put even the average Sally and her small business at risk. It is important to note that you should still use SMS as your second factor if that’s your only option — it will still stop many attackers — but use a stronger solution if available.
The next step up in the authentication game is OTP fobs and apps — such as Google Authenticator. This is what I use anywhere I can — it costs nothing per user and has a relatively low development cost to add into applications. It limits attackers to those that can successfully pull off a Monkey-in-the-Middle (MitM) attack to intercept codes and masquerade as you to the app — again, this requires a fairly sophisticated attacker, but is not unheard of.
Hardware keys step up the MFA game even further, because they require the app authenticate itself to the key and vice-versa. But it is not as perfect as the article makes it out to be. The US Government — and DoD (Department of Defense) in particular — have been using this approach using smartcards for years. The DoD is on version 62 of the smartcards as of this writing, they’ve been using them for so long. Many of the changes have been to the card design, not the smartcard portion, but over the past 19 years the encryption standards used on the cards have been steadily upgraded. Given how long they have been around and the value of the DoD as a target, there are now numerous strains of malware that have been designed specifically to 1) collect smartcard PINs and 2) install on clients and secretly use the smartcards to allow an attacker anywhere in the world to access any smartcard-protected app using that client as the MitM.
Yubikeys are much newer. While they have been publicly available for nine years now, the predominate protocol they are used with now (U2F: universal second factor) is just four years old, only supported by the two most recent versions of the Yubikey. Chances are that there is malware out there targeted for these devices that just has not been detected yet. It should be noted that devices like the Yubikey have a distinct advantage over smartcards: they require the user to push a button on the device to authenticate — this physical action prevents malware from using the device just because its plugged in. Is it perfect security? No — there’s no such thing, but it ups the bar quite a bit.
Now for the economics: it might sound expensive to spend $20 for every employee, but lets consider that the Target breach cost them over $252M — and even with 350,000 employees, that’s only $7M — now I’m not saying that a Yubikey would have stopped that breach, but it gives you an idea of what the return-on-investment is for those devices. Unfortunately, that figure does not tell the whole picture: the bigger issue with hardware keys is there is a much higher cost adding support for them into all of your apps and setting your infrastructure (like application firewalls) up to support accessing those systems using the hardware key protections. This is fine for a large technology enterprise like Google, but is a major impediment to >99% of organizations out there, especially since most depend on off-the-shelf applications (cloud-based or otherwise) that probably do not include such support. That said, it’s a good play for SaaS vendors to add such support, as it can easily make a deal with any organization that has already invested in hardware keys.
In summary, hardware keys like the Yubikeys do provide a tangible security benefit. If your organization uses any services that support them (like G-Suite), they are well worth the $20/employee investment. Failing those, use a OTP solution like Google Authenticator, and use SMS as a last resort. If your service provider does not support any type of multi-factor-authentication, it’s probably time to look for someone who does.