How do USB security keys work and should I get one?
This question was answered on December 6, 2018. Much of the information contained herein may have changed since posting.
Your online assets have long been one of the major targets of hackers and, generally speaking, the only thing keeping them out of your accounts is your passwords.
Weak passwords are no match for today’s hacking technology as high-speed cracking systems can crack any 8-character password in just over 1 minute (https://goo.gl/Hu2sb3).
Even if you create a long, complex password, it can be compromised through data breaches at any of the companies you do business with online.
The black market for ‘known passwords’ is thriving because hackers know that people tend to use the same passwords across so many of their online accounts.
Since a password alone provides very little security these days, the addition of a second form of authentication became popular years ago as smartphones became ubiquitous.
It’s akin to the 2 factors necessary when using your debit card at an ATM; you need the physical card AND the associated PIN.
Activating 2-factor authentication on all your online accounts means that whenever an online service detects that your username and password are used from a location or device that’s never been seen before, a special code is sent to the registered phone number that is required to access the account (the 2nd form of authentication).
This means that a cyber-thief needs to steal both your password and your smartphone in order to gain access.
The popularity of using 2-factor authentication with smartphones has led to various exploits to circumvent this extra layer of protection, including SIM swapping or SIM hijacking (https://goo.gl/ZBNmr2).
By taking over control of your phone number, hackers can have the special code sent to a phone that they have in their possession.
They’ve also become very good at fooling victims by calling them, posing as an organization that claims to have detected a break-in and wants to verify that the victim is the actual owner of the account.
They’ll tell the victim that they will be getting a special code on their smartphone that they need them to read back to ‘verify’ that they are the authentic owner. Of course, reading back the code allows the remote hacker into the account because they are at the screen that is asking for the code on their computer.
USB Security Keys
Since the bad guys have found easy ways to sidestep the security that smartphone-based 2-factor authentication offers, a higher level of security has surfaced in the form of the USB key.
Instead of using a smartphone as the 2nd form of authentication, you would use a special USB key on your computer, smartphone or tablet that costs $20 to $50.
Once you set one up, a USB security key connected to your device is required in order to gain access to the protected accounts. There are backup methods to allow you in should you lose your USB key, so be sure to set up a backup method if you plan on using one.
About the author
Posted by Ken Colburn of Data Doctors on December 6, 2018