We use two-factor authentication (2FA) or multi-factor authentication (MFA) more than we realize. Before anyone had heard the term, we were already relying on this method of security. MFA is built from three kinds of factors: something you have, something you are, and something you know. Combining two of them gives you 2FA; combining all three gives you MFA. One of the first instances of 2FA I can think of is going to the ATM. Your debit card is the something you have, while your PIN is the something you know. But today, the 2FA that I think I use 100 times a day is my phone. My phone is the something I have, while my FaceID is the something I am.
There are two types of 2FA: one uses a software token and the other uses a hardware token. Software tokens are the authentication apps we all see so frequently now (Google Authenticator, Microsoft Authenticator, LastPass, Authy). A hardware token is a key fob or USB-style device that is plugged into, or tapped against, the device you are logging in from. The most common hardware token you may hear about is the YubiKey. Although both can greatly improve your security, a hardware token takes the cake.
The downside to software 2FA is its vulnerability to phishing attacks. SIM swapping first appeared a few years ago: a threat actor transfers the victim's phone number to a phone they control, putting the victim's text messages at their fingertips. So when a threat actor signs into a website using credentials they obtained through a phishing attack, they also have the access code that was texted to your phone, which grants them full access to an account protected by software 2FA. This is kind of scary, because originally SMS-based 2FA seemed so secure; it seemed unlikely that anyone would ever have access to your phone number.
Hardware 2FA works differently. A person must hold the physical token for access to be granted. A YubiKey is a security key that implements Universal 2nd Factor (U2F) authentication, which simplifies the 2FA process. Each device is manufactured with a unique key because it uses public-key cryptography. Adding a YubiKey to your security arsenal is a bit tedious, because the key must be registered separately with each website or application you choose to use it with. But this is all for good reason. During registration the key verifies the website's authenticity and saves a secret key to the server, so that when you log in to the website the server can recreate that secret key.
Seeing your YubiKey in action.
Fill in your user name and password as you usually would, with the YubiKey inserted. The server knows that a security token has been registered with the account and sends two pieces of information back to the YubiKey: an AppID and the secret key created during the registration process. The browser asks you to touch the YubiKey, and once you do, the YubiKey takes the information from the server and recreates the same key used during registration. If the keys match, you're in. The most secure aspect of the YubiKey is that even if the website were malicious, it would not authenticate: the information generated when the YubiKey was registered does not belong to that server, so access is never granted to the malicious website. Many organizations have drastically reduced the number of successful phishing attacks after adopting the YubiKey.
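To make the registration and login flow above concrete, here is a simplified model of how a U2F key binds each key pair to the website it was registered with, written for this post (it is not YubiKey or U2F library code). It assumes a constructed origin, `https://login.example.com`, and stands in for the real key-handle and attestation details with a plain map; the point it shows is why a look-alike phishing site cannot obtain a valid response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a U2F security key: one fresh P-256 key pair per
// registered origin, and the private key never leaves the device. (A real
// key wraps it into a key handle the server stores; a map is used here.)
type Authenticator map[string]*ecdsa.PrivateKey

// Register is the per-website setup: generate a key pair for this origin
// and hand back only the public key for the server to store.
func (a Authenticator) Register(origin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[origin] = priv
	return &priv.PublicKey
}

// Sign answers a login challenge for the origin the browser is actually on.
// A look-alike phishing origin has no registered key, so the device refuses.
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a[origin]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
	return sig, err == nil
}

// digest binds the signature to the origin and the server's one-time
// challenge, so a captured response cannot be replayed elsewhere or later.
func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin), challenge...))
	return h[:]
}

// Verify is the server side: check the response with the public key saved at
// registration, over the origin and challenge the server itself issued.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(origin, challenge), sig)
}
```

Even if the attacker relays the legitimate site's challenge, the device will only sign for the origin the browser is really connected to, and the server only accepts a signature over its own origin and challenge.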
Decision-making is always a question of risk vs. reward. Implementing YubiKeys as part of your organization's security may come at a cost, but a security breach will come at a much higher one. Giving your organization a near-zero window of opportunity for a phishing attack? Priceless.