Are hardware security keys making a comeback?

Not that long ago, I wrote an article complaining about two-factor authentication. You know what this is… it’s when you have to enter a code from your phone when you log in. I pointed out how this only really works if you aren’t already on the phone. If you’re hacking someone else’s phone and the app wants to send a code to that phone, well I guess the answer is “yes please!” But for now, the combination of two-factor authentication and biometrics (face and fingerprint ID) is the best we have.

Everything old is new again

In the late 1980s, I worked with a company that sold accounting software. That company’s preferred software required that the customer keep a floppy disk in the computer whenever the software was used. This was called “key disk security” and it was an early form of hardware security. As floppy disks started to go away, the same technology was applied to USB devices. In order to run certain apps, you needed a device that looked like a flash drive, inserted in the computer at all times. This was the late 1990s, and flash drives seemed futuristic. People didn’t mind, but it was still a pain sometimes. If you lost the little hardware dongle (as they were called), it was very expensive to get replaced.

Around the same time, I knew people in larger companies who carried around a hardware authentication device with them. This thing, which looked like a pager (again that seemed futuristic) gave you a different code every hour or so that you could use to log into the company network. It wasn’t unlike today’s authentication apps other than being a separate piece of plastic you needed to carry. And again, lots of luck if you lost it or broke it. Those things weren’t cheap.

And now, the hardware security key

That same idea has entered 2020s thinking as the “hardware security key.” Again this is a USB device that must stay connected to your PC in order for it to work at all. Individual apps from Google, Microsoft, and others can use it to make sure you’re actually you, to avoid your having to log in with an authenticator app or get a code. These keys look slick. They’re usually pretty small and often they’re shiny chrome or gold so you feel like they’re really awesome. They’re not expensive to make, but of course not everyone can get them because, what would be the point of that?

The big problem with hardware security keys is, of course, that they’re tied to the hardware. There are versions for PC, Mac, and Chromebook, but if you want to do work on your phone you’re kind of out of luck. The better apps also let you use an Authenticator app to bypass the key, but your company’s own intranet or VPN might not. That means you’re back to life in the 20th century, when the only time you could work was at your desk.

Will this tech take off (again)?

I think there are some employers who really like hardware security keys precisely because they do tie employees to their desks. After several years of allowing remote work, there are some folks who really want their workers at their desks. On the other hand, it seems like the real cutting-edge innovators aren’t using them, because they want their employees to be available all the time. I’m not sure who’s going to win that battle.

Having seen all this play out before, I have to tell you that I think that hardware security keys aren’t the answer. Yes, they are ultimately more secure than anything else we have. And there’s nothing saying you couldn’t have a key like this for your phone. But all it takes is one person losing theirs for the whole thing to fall apart, and I imagine it would happen right when they need to be most accessible. There only needs to be one time that the IT director can’t respond to a hack in progress because they’re out and about. When they can’t get into the network, hardware security keys go from a benefit to a big, big problem.

I’ve said before that I don’t know what the real answer is. Weird passwords aren’t it. Two-factor authentication isn’t it. But returning to a 1980s technology because we can’t figure out what else to do probably isn’t it either.

About the Author

Stuart Sweet
Stuart Sweet is the editor-in-chief of The Solid Signal Blog and a "master plumber" at Signal Group, LLC. He is the author of over 10,000 articles and longform tutorials including many posted here.