Phish-resistant: Hardware Security Key
What are hardware security keys?
Hardware security keys are physical devices used for authentication. They are typically small, portable devices that connect to a host device via USB, NFC, or Bluetooth. The most common example of a hardware security key is the YubiKey.
Why are hardware security keys considered "phish-resistant"?
Hardware security keys are considered phish-resistant because of the cryptographic protocols they use during authentication challenges. The keys must also be registered with designated applications, which ensures they respond only to requests from approved domains.
Furthermore, physical possession of the key is required, meaning an adversary cannot remotely access or duplicate it.
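The domain binding described above can be seen in the checks a server runs on a login response. The following is an added example, not code from this page or from any vendor; it assumes the key speaks WebAuthn (FIDO2), and the relying-party ID, origin, helper names and sample data are constructed for illustration.

```python
import base64, hashlib, json, struct

RP_ID = "login.example.com"            # constructed relying-party ID (assumption)
ORIGIN = "https://login.example.com"   # constructed expected origin (assumption)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return "ok" or the reason the login response is rejected.

    Verifying the key's signature over auth_data || SHA-256(client_data_json)
    with the registered public key is assumed to happen separately; that
    signature is what makes the fields checked here unforgeable.
    """
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "malformed client data"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch"      # stale or replayed response
    if client.get("origin") != ORIGIN:
        return "origin mismatch"         # browser reported a different site
    if len(auth_data) < 37:
        return "authenticator data too short"
    # Layout: 32-byte SHA-256 of the RP ID, 1 flag byte, 4-byte counter.
    rp_id_hash, flags, _counter = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"       # key was asked to sign for another domain
    if not flags & 0x01:
        return "user not present"        # nobody touched the key
    return "ok"

def sample(origin: str, rp_id: str, challenge: bytes, flags: int = 0x01):
    """Constructed stand-in for what the browser and key emit on a given page."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 7)
    return client, auth

if __name__ == "__main__":
    ch = b"\x01" * 32
    print(check_assertion(*sample(ORIGIN, RP_ID, ch), ch))
    print(check_assertion(*sample("https://login.example-corp.test",
                                  "login.example-corp.test", ch), ch))
```

A response produced on a look-alike domain carries that domain in both the origin field and the RP ID hash, so it fails these checks even when the user was fooled.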
Should my organization implement hardware security keys?
Yes, hardware security keys are phish-resistant and should be a component of a multi-factor authentication system, complemented by other phish-resistant factors.
However, it's important to consider factors like cost and deployment complexity. There's an initial investment in purchasing keys for your organization, and the setup can potentially be complex, not to mention the challenge for your end users of using and adopting them.
Beyond Identity's phish-resistant MFA uses the secure enclave within modern devices to create and manage cryptographic keys, effectively turning the device itself into a hardware security key. This approach reduces overhead costs and simplifies deployment.