As expected, our post on passkeys was a hit. If you missed it, you can read it here:

The Truth About Passkeys

Feb 14

After a long delay, we’re finally publishing a post on passkeys. This is probably the #1 topic requested by the Secrets of Privacy community, so we expect it will be a popular one.

Read full story

The post has kicked off a larger discussion about passwords and account authentication in general. We mentioned hardware keys in a few spots in the passkey post. We mistakenly assumed everyone was familiar with those. This post is to fill in that gap.

Probably the best place to start is with a story from one of our readers from a few months back. Let’s call her Jenny (not her real name). Jenny thought she was following best practices for securing her Instagram account, but turned out that wasn’t the case and she paid a steep price.

Jenny’s Instagram Nightmare

Long story short, Jenny lost access to her Instagram account one random night. She should have been a low risk target. She had a strong, unique password and even used two-factor authentication (2FA) via text messages. Turns out, hackers bypassed both by simply tricking her into entering her login details on a fake website.

This is unfortunately not a unique story and happens quite frequently. So much so that Meta has a dedicated “hacked” page for Facebook and Instagram (see here for Instagram).

Jenny was able to get her account back, but it was painful. It took around three months and all the while hackers were ruining her reputation by posting scams on her page. At one point they tried to ransom the account.

Jenny’s mishap is your opportunity though. You have the ability to learn from her mistake to make yourself a harder target. A hardware key is one way to do that.

Regular readers know that we are fans of strong, unique passwords combined with at least two-factor authentication (2FA a/k/a MFA) via an authenticator app. Most of the time that combo works great. Especially for lower risk apps and accounts.

The problem is, as Jenny’s story illustrates, if you get tricked into providing your credentials to a fake site, your strong password won’t save you. And social media accounts are extremely high risk because of the reputational harm if a hacker uses your social media accounts to promote scams or blackmail you.

This is where hardware keys are useful. Unlike passwords or SMS codes, they can’t be phished, intercepted, or guessed. One confusing aspect about hardware keys is that in some ways they are competing authentication methods with passkeys while also complimentary. More on that later.

Here’s how hardware keys work in plain English:

1. Physical Proof: You need to physically touch or connect the key to your device to log in.

2. Domain Lock: The key only works on the exact website you registered it with. This is the website binding concept we mentioned in the passkey post.

3. No Secrets Shared: It uses unbreakable math (cryptography) instead of passwords.

Share

The “Magic” Behind the Key

We’re the first to admit that hardware keys are not as convenient as password managers. They’re especially not as convenient as using the same password on every website. In fact, they feel like a huge PITA. But their inconvenience brings objectively greater security, which may be important for your situation. Here’s how:

1. Phishing-Proof by Design

Imagine a hacker creates a perfect replica of your bank’s login page. You enter your password, but when prompted to tap your hardware key… nothing happens. The key recognizes the fake site’s URL and refuses to authenticate. This “domain binding” feature alone will stop nearly every phishing attack.

2. No More “Oops, I Shared My Code”

Text message codes can be intercepted via SIM swaps or you can be tricked into willingly revealing the code. Recall Jenny’s story up above. Authenticator apps are better but still vulnerable to phishing. Hardware keys? They stay silent unless you physically insert the key into your device or tap using the NFC feature. Even if a hacker steals your password, they’d need your actual physical key to access your account.

Hardware Key Limitations

The most immediate concern is the risk of losing or misplacing your key - and given their small size, this is a real possibility. If you forget your key at home or lose it entirely, you could face temporary access issues to your accounts. Some services offer backup authentication methods, but policies vary by platform, and recovery processes can be complex.

Cost is another consideration. A single key will set you back $25, $50 or more (more on that later). That’s not much money in the scheme of things, but we’ve all been conditioned to preference free solutions when it comes to the internet. Paying for authentication solutions will be too much for most to overcome.

There's also a compatibility challenge to consider. Not all websites and applications support hardware keys yet, which means you'll still need to maintain alternative authentication methods for some services. Some keys may only work with specific devices or connection types (USB-A, USB-C, NFC), so you'll need to ensure your chosen key matches your device ecosystem.

A less obvious but significant risk involves account sharing. If you share accounts with family members or need to grant access to colleagues, hardware keys can make this more complicated since physical presence is required for authentication. There's also the matter of theft - if someone steals your key along with your login credentials, they could potentially access your accounts before you can deactivate the key.

Despite these challenges, the benefits of hardware keys generally outweigh their drawbacks, especially when you consider the high costs and headaches of dealing with a compromised account.

Share Secrets of Privacy

Hardware Security Keys and Passkeys: A Perfect Match?

We noted earlier that hardware keys and passkeys have a confusing relationship. Hardware security keys are evolving to become powerful tools in the passkey ecosystem. While passkeys can be stored in the cloud or on your device, hardware security keys offer a unique advantage by providing device-bound passkeys - meaning the cryptographic credentials never leave the physical key itself.

The YubiKey 5 Series has supported device-bound passkeys since 2019, making them pioneers in this area. When you register a passkey to your hardware key, it creates a secure, unique cryptographic key pair. The private key remains safely stored in the hardware key's secure element, while the public key is registered with the website or service you're accessing. This approach offers superior security since the passkey cannot be synced or transferred to other devices - it physically lives on your security key.

Authentication with a hardware-bound passkey is fairly straightforward. When logging into a service, you insert or tap your security key, and it communicates with the website. The key performs the necessary cryptographic operations to prove your identity without ever exposing the private key. This process makes it virtually impossible for attackers to steal or replicate your credentials.

For organizations and security-conscious individuals, hardware-bound passkeys offer several distinct advantages:

• Highest security assurance among all passkey implementations

• Complete control over credential lifecycle management

• Simplified account recovery across devices and platforms

• Compliance with stringent industry requirements

The trade-off for this enhanced security is that you must have physical access to the specific hardware key used during registration. However, this limitation can be mitigated by registering multiple hardware keys as backups, ensuring you maintain access to your accounts even if one key is lost or damaged.

We recently set up a hardware security key with a legacy Gmail account. Google sent a confirmation email of the action. Below is an excerpt, which never mentions the hardware key portion, only the passkey that was created with the hardware security key.

The Role of Hardware Keys for Two Factor Authentication (2FA)

Hardware security keys represent the strongest form of two-factor authentication (2FA) available today, offering significant advantages over traditional methods like SMS codes or even authenticator apps. Unlike other 2FA methods that rely on transmitted codes which can be intercepted or phished, hardware keys require physical possession of the device to authenticate. When you log into an account, you'll first enter your username and password, then physically interact with the security key - either by inserting it into a USB port or tapping it against your device for NFC-enabled keys.

What makes hardware keys particularly effective is their ability to nullify common attack vectors. Even if cybercriminals manage to steal your password through phishing or social engineering tactics, they cannot access your accounts without physical possession of the key. This physical requirement eliminates vulnerabilities associated with traditional 2FA methods, such as SIM swapping attacks or intercepted one-time passwords. The convenience factor also sets hardware keys apart - instead of waiting for and typing in temporary codes, users simply tap or insert their key to authenticate.

Backup Codes and Hardware Keys: Your Safety Net

Even with the robust security offered by hardware keys, it’s essential to have a backup plan in case your key is lost, damaged, or temporarily unavailable. This is where backup codes come into play. Backup codes are one-time-use, pre-generated strings of characters provided by many online services during the setup of two-factor authentication (2FA). These codes act as a fallback option, allowing you to access your accounts without the need for your hardware key.

When you first set up a hardware key for an account, most platforms prompt you to download or print a set of backup codes. Each code can be used only once, ensuring that even if one is compromised, it cannot be reused by an attacker. For example, if you lose your hardware key while traveling or it gets damaged unexpectedly, entering a backup code will grant you temporary access to your account.

To maximize their usefulness, store these codes in a secure location, such as a password manager or a fireproof safe. Avoid keeping them digitally on unsecured devices or in places where they could be easily accessed by others. Never take screenshots or photos of your backup codes – those can be stolen if the photos are hacked or leaked.

It’s important to note that the security of your account is only as strong as its weakest link. If you rely on backup codes but store them carelessly, they could undermine the protection offered by your hardware key. For this reason, treat backup codes with the same level of caution as you would your hardware key itself.

Privacy Friendly Photo Storage

Secrets of Privacy

·

November 15, 2024

Read full story

Choosing A Hardware Key

Yubico is the leader in the hardware key space. Here’s an overview of their lineup:

• YubiKey 5 NFC ($50): The “Swiss Army knife” for most users. Works with USB-A and phones (via NFC).

• YubiKey 5C NFC ($60): Same features, but with USB-C for modern laptops. This is the hardware key that we use.

• Security Key Series ($25): Budget-friendly but still blocks 99.9% of attacks.

There are a few alternatives to Yubikey:

• Google Titan Key ($30): Simple, affordable, and integrates well with Google accounts.

• OnlyKey ($50): Open-source. James Bond vibes—it self-destructs after 10 wrong PIN attempts.

• Nitrokey ($30+): Multiple versions and flavors available (see here). Open-source, if you prioritize that.

Using a hardware key is a high privacy IQ move. A next level move is to grab or upgrade to a paid subscription to Secrets of Privacy and get full access to our posts and content. To help you out, we’re offering a free 60 day trial.

Get 60 day free trial

Real-World Hardware Key Use Cases

Passkeys are not a theoretical security

• Google’s 99.9% Phishing Drop: After mandating keys for employees, phishing-related breaches nearly disappeared. (source)

• Healthcare Heroes: Hospitals now use keys to protect patient records, replacing more easily stolen passwords. (source)

Your Action Plan (No Tech Degree Required)

So you’re ready to give a hardware key a try. Maybe you want to avoid Jenny’s fate. Or maybe you’re looking to get our of your comfort zone and press your privacy IQ boundaries. Here are some recommendations and things to keep in mind.