As multi-factor authentication (MFA) becomes a more widespread industry security standard, IT admins need to find the most effective MFA method for keeping their organizations safe. When it comes to preventing account takeovers, one method stands out among the rest: hardware/U2F keys. Let’s dive into what hardware MFA keys are and how they can benefit your organization.
What are Hardware MFA Keys?
Before we talk specifically about hardware-based MFA, let’s first talk about MFA in general.
What’s MFA?
Multi-factor authentication is a security practice that requires authentication factors beyond the traditional set of credentials (usually username and password) used to access the majority of today’s IT resources. MFA requires presentation of “something you know,” which is the username and password, along with “something you have,” a personal identifier, or factor, that is completely unique to the user. Secondary authentication factors can include SMS- or TOTP-based codes from a smartphone, push notifications, or even biometric data.
Hardware MFA keys also fall under this category. Also known as universal second factor (U2F) or physical security keys, hardware keys can either plug into a user’s system via USB or utilize a physical code generator that is unique to the user. Some examples of hardware-based MFA keys include:
- YubiKey
- Google Titan
- Thetis
- RSA SecurID
Hardware MFA keys work similarly to other MFA methods in that, after a user presents their credentials upon login, they are then directed to input their additional factor. The user inputs their generated code or touches their USB hardware key, and is then granted access to the service.
Benefits of Hardware MFA Keys
Hardware MFA keys have been shown to be more effective at securing an identity than their software-based counterparts, and offer a simplified workflow for end users.
In a Google Security blog study, physical security keys were found to be up to 100% effective at preventing account takeovers due to automated bots, bulk phishing, and even targeted attacks. With such purported perfect prevention rates, a set of compromised credentials has significantly less weight when leveraged against an identity backed by hardware MFA.
The efficacy of hardware MFA makes a lot of sense practically. Bad actors not only need a set of compromised credentials to attack a user’s identity, they also need access to a physical device that end users keep with them. This requirement makes hardware MFA very difficult to work around compared to SMS-based MFA, which can be digitally intercepted.
Beyond their impressive security benefits, hardware MFA keys also offer a simple end user interface. USB-based keys embody the term “plug and play” — an end user slots one into their system and presses a button, fulfilling MFA requirements and gaining access to their resources in seconds.
Code-based hardware keys have a similar end user experience to methods like TOTP or SMS, requiring a code to be entered in a timely fashion. Unlike other methods, however, hardware keys offer a unique tool for MFA, separating critical organization security measures from the user’s personal smartphone.
Learn More
Hardware MFA keys provide tight security to your organization while making it as easy as possible for your end users to authenticate. If you’d like to learn more about hardware MFA keys and MFA in general, check out this webinar or contact us to learn how we can help you implement hardware MFA keys for apps and IaaS.