Are You Ready for Hardware Security Keys?
Are you tired of unlocking your phone or computer a hundred times a day? Would you like to log in to all your favorite websites with a single tap, and never remember another password? That's the promise of hardware security keys. Let's take a look at the current offerings, and you can decide if one is right for you...
You Might Want One of These On Your Keychain
Last summer, “hardware authentication” was briefly buzzworthy thanks to Google’s announcement of the Titan Security Key. It was pretty impressive to read that 85,000 Google employees who used Titan went a whole year without a single compromised account. Google urged everyone to upgrade to hack-proof hardware authentication. Today, you can buy the Titan Security Key for $50 in the Google Store.
Unfortunately, it doesn’t look like many consumers are buying Titan, or any of its competitors. Whether the problem is cost, convenience (another thing on a keychain), or apathy to security concerns, hardware gadgets like Titan and the Yubico YubiKey just have not caught on among private citizens. But that hasn’t prevented the rise of many copycat products, some of dubious quality.
Yubico, the leader of this small, slow-moving pack, has at least seven YubiKey products for various applications. The classic YubiKey 4 ($40 on Amazon) gets a 4-star rating average from 286 customers, making it the most popular model by far among Amazon shoppers. The YubiKey works with Gmail, Facebook, Dropbox, Twitter, Dashlane, LastPass and "hundreds of other services." It's also touted as waterproof and crush resistant. Just plug YubiKey 4 into a computer's USB port and tap the gold circle to activate. If you don't want something that big on your keychain, the $50 YubiKey 5 Nano works the same and is about the size of a dime.
The EveryKey wants to replace not only your passwords but also the heavy, noisy mass of metal keys you carry everywhere. Everykey generates secure passwords for your website accounts, and will unlock them with one touch. It also promises to unlock your phone, laptop, and at some time in the future, your house and car, as long as they have Bluetooth capability. When your Everykey is close to one of your devices, you can access it without a password. When you walk away, your device locks back down.
And yes, that’s antivirus pioneer John McAfee on EveryKey’s home page and in its video. McAfee claims he founded EveryKey in 2015, but fundraising for the venture seems to have started as much as three years earlier. EveryKey’s original $99.99 price has eroded to $59.20 on Amazon, where it has a 2.5 star rating average from only 22 customers.
The Feitian ePass NFC FIDO U2F Security Key ($16.99 on Amazon) sounds like a mouthful of acronym soup, but it’s not hard to parse. “NFC” means it works with Near Field Communication, the protocol that enables tap-and-go payments via smart cards or phones. “FIDO” is the Fast ID Online set of security standards developed by nearly 300 members of the FIDO Alliance to ensure interoperability. “U2F” is the Universal 2-Factor authentication standard developed by Google and Yubico. Customers give the ePass 3.5 stars. Complaints among a total of 89 reviews include dead-on-arrival units, another that failed after five months, and no tamper-proof packaging.
The Thetis Security Key ($16.95 on Amazon) is also FIDO and U2F compliant, and gets an impressive 4.5 stars from 181 customers. Unlike pricier products that leave delicate gold-plated contacts exposed, the Thetis’ rugged, foldable design guards against mishaps.
A Thetis reviewer made an interesting observation: “Technically, very few sites support U2F protocol, BUT Google and Facebook are INCLUDED. And, as you know, Google and Facebook provide authentication for millions of sites. So, using U2F for Google and Facebook and using them for authentication covers, literally, millions of sites.” I guess he’s OK with Google and Facebook tracking every site he visits.
The cheapest gadget definitely looks the part. The U2F Zero is no more than a bare circuit board, probably hand-made to order by a geek named “Conor” at his kitchen table. But it’s U2F compatible, gets 4.0 stars from 60 reviewers, and it’s only $9.86.
Even though they seem handy, I think it unlikely that hardware authenticators will ever catch on as aftermarket purchases. Even the bare-bones U2F Zero is ten bucks that most people won’t spend to replace free passwords. But these devices may find their way into OEM devices, becoming a standard “accessory” just like a phone charger.
Are you interested in a hardware security key that can manage your logins, and unlock your gadgets? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 17 Jan 2019
Article information: AskBobRankin -- Are You Ready for Hardware Security Keys? (Posted: 17 Jan 2019)
Source: https://askbobrankin.com/are_you_ready_for_hardware_security_keys.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Are You Ready for Hardware Security Keys?"
Posted by:
snert
17 Jan 2019
I was interested right up to the point you said, "the Google store"... there's an untold reason for everything Google does!!!
Posted by:
Mark H.
17 Jan 2019
I got a Yubikey 4 for free with a Wired magazine subscription. I now have 5. I bought them direct from Yubico and keep others as spares. I use it to log onto Lastpass, Google and Microsoft. Windows 10 also allows use of a Yubikey to log onto my laptop. One of my keys is a Yubikey 5 Nano that fits into the USB-C port on my laptop. I no longer need to keep my phone nearby to use authenticator apps or SMS codes. Convenient and easy to use.
Posted by:
kenny
17 Jan 2019
Not supporting the murderer McAfee for sure.
Posted by:
Steve
17 Jan 2019
I've had a Yubikey for at least 2 or 3 years. Actually I think I have about 3 of them. I don't use them. They seemed very complicated as I remember and they are a pain in the butt to use.
Posted by:
Bob K
17 Jan 2019
And what do these things do to keep the hackers out of the servers at the other end?
Posted by:
fbgcai
17 Jan 2019
Dumb question - what happens if you lose the key? Can anyone else use it?
Posted by:
CharlesH
17 Jan 2019
These hardware "security" keys seem especially insecure to me, since they can be lost, stolen, or simply taken from us, if we're robbed, and then the new owner both has access to our devices and knows whose devices they go with. Using a password manager seems a lot safer to me than an external product anyone might get access to. The idea sounds good on paper, but not so much in reality. Plus, it's one more "thing" to keep track of.
Posted by:
Diane
17 Jan 2019
Not that lazy. No cell phone, smartphone, whatever.
Posted by:
NiteCat
17 Jan 2019
Is it a pain in the butt remembering a million different passwords? Heck yes. But I'm not paying for security that Google, Facebook and every other tech manufacturer should automatically be providing.
Why is it up to only the consumer to provide security for their devices & information when these same companies harvest every bit of information they can from us due to their proprietary "lock" on their apps and devices?
Why is it after suffering unintended consequences of laxes in technology the only solution is to have the consumer pay more?
Here's my trade for them...you can have my info up to the point I can no longer stop you with MY preference settings using your products...you provide me with the protection of that information at no charge. You're already making bundles off of me.
Posted by:
JJ
18 Jan 2019
The reason these security devices have not caught on is not because of cost, convenience or apathy to security concerns. It's because they don't advertise the products, and very few people have ever heard of them. I've never seen these devices for sale anywhere online. I don't know how they can even stay in business without proper marketing.
Posted by:
Stephe
18 Jan 2019
"...ten bucks that most people won’t spend to replace free passwords." Indeed! I use KeePass password manager. One secure password, several backups of my database on different devices, unique random and highly secure password (that not even I know) for each situation that requires one, no physical key that can be lost, stolen or have its circuits fried, and one copy of the database on a nano-USB on my key-ring. Once open on my computer it's one click to bring up the program, one to summon a login page and a third click to login.
KeePass is freely available for pretty much any platform, I need only one of the copies of my password database to access everything and it only took about an hour to go through all my old passwords changing them to things like jLzXd7OAHvMMUcVx6RQ7 — a once-only hour that everybody should spend whatever solution they choose.
Do I sound like an evangelist? Why would anybody pay for something that's inferior and more trouble?
Posted by:
Mike Davies
18 Jan 2019
What if I want to use my front door key but not unplug the device from my laptop - fail.
And it's yet another thing to lose, get nicked, break (waterproof, crushproof, been there, done that) - fail.
Posted by:
Dean Forsyth
18 Jan 2019
I got my Yubikey as an incentive to subscribe to Wired same way as Mark H. mentioned above. It sat around in its package for over a month until I had some time to figure out how to use it. It was easy and hard at the same time. Hard because I expected it to do more than it does. Easy because once I got it working, it requires no more effort except when I want to log into an account from a new device.
Some wrote here that they expect Google and others to keep them safe. I think Google does a great job (others not so much), but it's still ultimately up to me to avoid getting pwned.
The only thing I use my Yubikey for is keeping my Google account safe. Oh mighty Google! I had 2-factor turned on before using my mobile number, now my second factor is the hardware key. If someone hacks the info they keep about me, it does them no good without access to my key. At the outset it seemed like extra work, yet it's really not. And kinda fun too.
For those asking what happens if it's lost: 1) there is a method of recovery provided when setting it up, 2) nobody else can use it without knowing your account information to start with. Very unlikely.
I'm keeping the Yubikey and letting the Wired subscription go. Bob does a much better job collating and commenting than they do imho.
Posted by:
Peter Whitlock
20 Jan 2019
Back in the 1980s, every software vendor had a dongle (hardware key); some had 1 for each software product (e.g. 1 for Excel, 1 for Word, etc.) Many dongles could be connected in series; some NOT - a real pain. One firm I worked for had at least 10 dongles per workstation. So they bought dongle towers. The tower connected to a special port and had up to 24 slots (1 per dongle). Worked really great until someone stole the towers - dongles and all. We had to wait from 3 days to a month to get replacements. Why hardware dongles went out of fashion!!!
Posted by:
Jerry Huller
25 Jan 2019
I considered getting a Yubikey, but then found it required a web browser that I don't use. I'll wait for compatibility with Apple's Safari and Mozilla's Firefox browsers.
Posted by:
subwaybuff
30 Sep 2019
None of those work with Firefox or browsers other than Chrome