Uncovering the cybersecurity industry’s senseless fixation with security keys

Exposing the flaws of cyber security keys
Industries worldwide are embracing keyless technology and relying on modern technology and biometrics to make life more convenient but, more importantly, eliminate unnecessary security options.
For example, companies such as SwitchBot and Tuya offer technology that allows customers to unlock their homes through biometrics on the lock itself.
Not the cybersecurity industry, however.
Consider this: The cybersecurity industry, the very one that should be leading the charge in innovation, is steadfastly advocating for the use of physical keys to fortify cybersecurity.
Let’s delve into the world of security keys, which, despite their name, can introduce a whole host of security issues.

Security keys leave cyber doors wide open
Authentication may just be one of many parts of the identity lifecycle, but it must be protected against credential phishing, password-based attacks and MFA bypasses. Indeed, the processes of registration, adding a second device and recovery provide criminals with multiple ways of carrying out an account takeover, so this is a critical area of a business’s cyber security that their solution must protect at all costs.
The issue with security keys such as Yubico’s YubiKey 5 series, however, is that they do not mitigate the risks that credential phishing, password-based attacks and MFA bypasses present.
First off, login credentials and passwords are needed to register the security key for each individual account. But these security measures are easily compromised. Here at IDEE, for example, we recently ran a survey that showed that stolen credentials accounted for 35% of the cyber-attacks faced by the 61% of UK businesses that faced a cyber-attack in 2023. It was the most common reason, but security keys don’t stop them from happening.
To make matters worse, businesses that use security keys often hand out backup keys in case the first one is lost or stolen. More keys equal additional weaknesses and more attacks, but ‘responsible’ cyber security providers continue to stick their heads in the sand and pretend that they are improving – not impairing – security.
This approach may limit some password-based attacks, but the industry needs to wake up and realize that using passwords and multiple authentication factors makes the criminal’s job easier.
