In recent years, many Web services/applications have increasingly introduced MFA (multi-factor authentication) to protect users from risks such as phishing attacks. In the future, MFA using smartphones and security keys may become the standard when logging in to the service. In this article, I will briefly introduce security keys, reasons, features, and how to use them. It is not a technical commentary article for those who want to know general information about security keys.
Table of Contents
What is a security key?
The security key is an external hardware device used for MFA (multi-factor authentication). Based on the new authentication technology "FIDO (Fast Identity Online)" (*1), which replaces the password. It is resistant to phishing and man-in-the-middle attacks and can prevent account hijacks.
※ Since then, the security key introduced in this article has been compatible with FIDO2 (new specification of FIDO).
(*1) There is no technical explanation here, but what is called "FIDO / FIDO2 / WebAuthn / Passkeys" can be understood as a "new authentication technology instead of password".
Why use security keys?
In many Web services and applications, "ID/password" is commonly used in user authentication. However, as attack methods such as phishing evolve, the risk of IDs and passwords being illegally obtained is increasing. Under these circumstances, it is becoming difficult to ensure sufficient security using only traditional authentication methods. That is why MFA using security keys is attracting attention as a means to protect users from such attacks. By using a security key, you cannot log in unless you have a physical key. This mechanism is expected to reduce the possibility of unauthorized access by cybercriminals significantly.
Features of security keys
Phishing resistance To briefly explain phishing, it is the act of "Redirecting people to a fake site with a similar URL, forcing them to enter their authentication information, and stealing their account, information, money, etc.". When authenticating using a security key, a mechanism automatically checks the domain name (URL) and passes the authentication information (result) only to sites that match. Therefore, if you access a fake URL, your authentication information will not be handed over and a third party will not steal your information.
Convenience Authentication is completed by inserting the security key into the USB port and "entering the PIN code" or "verifying the biometrics" preset in the security key. Strong authentication is possible without compromising usability. (The details of the authentication method will be explained later in the section on how to use security keys.)
Robustness
Where can I use the security key?
Security keys can be used with any service that supports MFA for security keys. To check whether the service you are currently using supports MFA, please check the MFA compatibility page for each service. You can easily find it by searching for "<name of service you are using> MFA" in the search field of your browser.
※ Please check whether it is listed as compatible with "Security Key, FIDO2 or WebAuthn". Please note that MFA that can be used is not limited to the new authentication technologies "FIDO2 and WebAuthn" that we have introduced so far. Some MFAs also support SMS, one-time password, etc.
If you want to use a security key to log on to a Windows device, we recommend our solution.
Buy a security key
Our company, SoftGiken, is a security key distributor. Regarding the FIDO2 security keys that I have explained so far, I would like to introduce some of the some of the security keys that we handle.
During authentication, there are security keys that require you to enter a PIN code (no biometric verification) and security keys that require biometric verification. Please choose whether to use the PIN entry or biometric verification type depending on the usage situation. We have a variety of USB types, and we also sell models that support NFC and BLE. Please purchase from Amazon or contact us when purchasing in large quantities.
How to use security keys
You may be surprised for the first time when purchasing security keys, but many security key products do not come with detailed manuals, which can be confusing. Here I will explain everything from initial setup to starting use.
The following environment is used for explanation.
Device: Windows 11
※ This does not mean that it will not work unless you are using Windows 11.
Browser: Chrome
※ You can use any other major browser such as Edge, Firefox, Safari, etc. as long as you use the latest version.
Security key: Yubico's "YubiKey 5 NFC" ※ Similar operations are possible with other FIDO2-compatible security keys.
Here are the steps to get started using your security key:
Security key initial setup
Before we get into setup, I will explain why initial setup is necessary. Authentication using a security key requires "PIN code entry" or "biometric verification" to confirm your identity. The PIN code and biometrics required for this operation must be set in advance.
※ If you have not set it up, you will be prompted to set it up when using it.
※ If you want to use biometric functions, you will need to buy a biometric-compatible security key.
No PIN code or biometric information is set on the security key by default. Both security keys, "PIN code entry type security key" and "biometric verification type security key", require a PIN code to be set first.
Please refer to the blogs below to set the PIN code.
※ If you are using a biometric verification type security key, please register your biometric information after setting the PIN code.
For those who have a Windows machine:
For those using using macOS or Linux (GUI) machines:
Register your security key
To use a security key with your service, you need to register the security key as part of your MFA settings. This time, I will use the demo site "webauthn.io" to explain the registration process.
※ When registering a security key for a service that you will use, please follow the settings instructions for each service. I think the registration and authentication process itself is the same as the demo site above.
Access "webauthn.io", enter your username, and click the "Register" button.
If the screen below appears, click "Use another device".
You will be asked where to save the passkey, so select "Security key" and click "Next".
Click "OK" on the Security key setup screen.
Click "OK" on the Continue setup screen.
※ If you can use the function to remember your ID information in the security key, this pop-up will be displayed. (Whether or not it supports storing ID information depends on the service you are using.)
You will be asked to insert the security key, so insert it into the USB port.
※ This pop-up will not appear if it is already inserted into the USB port.
On the PIN entry screen, enter the PIN code set for the security key and click "OK".
※ You can also proceed to the next step by pressing Enter in the input field.
※ For biometric verification type security keys, biometric verification is required instead of PIN input.
You will be asked to touch the security key, so touch the flashing part.
Security key registration is complete when the following pop-up appears.
Supplement:
There is a time-out period for security key registration operations, and if the registration operation takes too long, registration may fail. In that case, please try again.
To prevent you from being unable to access the service due to forgetting or losing your security key, we recommend that you register another security key as a backup. (Only if the service you are using allows you to register multiple security keys.)
Authenticate with a security key
Following registration, authenticate using the demo site "webauthn.io" with the security key. With your username entered, click "Authenticate".
A pop-up will appear that says Sign in using a passkey, select "Security key" and then click "Next".
You will be asked to insert the security key, so insert it into the USB port.
※ This pop-up will not appear if it is already inserted into the USB port.
On the PIN entry screen, enter the PIN code set for the security key and click "OK".
※ You can also proceed to the next step by pressing Enter in the input field.
※ For biometric verification type security keys, biometric verification is required instead of PIN input.
You will be asked to touch the security key, so touch the flashing part.
If authentication is successful, login is complete.
Supplement:
There is a time-out period for security key authentication operations, and if the authentication operation takes too long, authentication may fail. In that case, please try again.
If you fail to enter your PIN 8 times in a row, the security key will become blocked (does to accept PIN entry) and will become unusable unless you reset it. Also, when you reset, your authentication information will be cleared and you will need to re-register with the services you are using. For details, please refer to "How to reset the security key".
FAQ
Q1:
What characters and length can be set for the PIN code?
A1:
The characters and length that can be set for the PIN code are as follows:
Available characters: Unicode characters including half-width alphanumeric characters.
PIN length: Can be set from 4 to 63.
Q2:
Can I change my PIN?
A2:
Yes, the blog below will be helpful.
For those who have a Windows machine:
For those using using macOS or Linux (GUI) machines:
Q3:
My PIN code has been blocked. What should I do?
A3:
If you fail to enter your PIN 8 times in a row, the security key will become blocked (does to accept PIN entry) and will become unusable unless you reset it. Also, when you reset, your authentication information will be cleared and you will need to re-register with the services you are using. For details, please refer to "How to reset the security key".
Q4:
I lost my security key. What should I do?
A4:
Please visit the support page of the service you are using to find out how to recover your account if you lose your security key.
※ If you are using it in an organization, please perform account recovery according to the rules within your organization. If there are no rules, please contact the person in charge of your organization.