Stolen passwords account for 81% of security breaches. Authenticating with a username and password alone is no longer sufficient. The number one method for stealing credentials is phishing. Even multi-factor authentication solutions such as one-time passwords (OTP), temporary passwords sent via text message (SMS), and mobile push (notifications that look like text messages and alerts) are vulnerable to phishing attacks. The National Institute of Standards and Technology no longer recommends using SMS as a second authentication factor. The YubiKey 5 series offers superior security. But what is a security key?
Security keys, like other connected token authentication methods, are unique because they subvert the security paradigm. Instead of access being dependent on what you know (an email and an 8-character password), it's dependent on what you have: in this case, a small USB device.
The advantage of requiring a physical token during the login process is that you're protected from the most standard hacking attempts. A clever hacker might be able to pilfer your credentials, but it takes an entirely different set of skills to steal an object off your person.
So, calling the device a “security key” is a more apt description than you might expect. It is simultaneously a complex device that enables MFA on its own while also being a literal, physical key that requires your touch to operate.
The YubiKey 5 series offers superior security by combining strong hardware-based authentication and public key cryptography to effectively defend against phishing attacks and eliminate account takeovers. A correctly configured security key makes a user almost invulnerable to classic phishing, which is especially important in high-stakes environments where man-in-the-middle attacks are prevalent. Google, using the YubiKey, went an entire year without a single successful phishing attempt on any of its 85,000 employees. And now, with support for FIDO2 in addition to U2F, the YubiKey offers the broadest options for strong authentication, including not only two-factor authentication but also single-factor passwordless authentication backed by public-key cryptography.