With malicious actors continually breaching websites and dumping login details, it is essential your personal security regime goes beyond a username and password combination. Even if your password is highly complex, if your email account is compromised it’s a simple feat to use a website’s “forgot password” feature to reset it. That's where two- and multi-factor authentication come in; now your login involves two pieces of fixed information (username and password), and one variable piece of information (a one-time code).
Sending a text message to your mobile phone is convenient, yet just as your email can be breached, attackers using “SIM swapping” exploit social engineering to transfer your mobile service to a new SIM card, and thus receive all your one-time codes themselves. This is covered in the Reply All podcast episode “The Snapchat Thief”, where this very attack is used by hacking groups who steal social media accounts with valuable usernames.
What can a mere mortal do? You simply want to browse the Internet and do your job, and your organisation’s password policies are likely already hard to manage as-is. Then you’re told to have a different password for every application, to remember it, but you can’t be sure your email or mobile phone is secure anyhow. This is where FIDO2 comes in; a joint effort between the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), with the goal of creating strong authentication for the web.
FIDO supports a full range of authentication technologies, including biometrics like fingerprints, iris scanners, voice, and facial recognition, as well as existing standards and solutions such as USB security tokens, smart cards, Near Field Communication (NFC), Trusted Platform Modules (TPM), and others. The FIDO2 specifications emphasise a device-centric model, meaning a simple hardware device you carry performs the authentication and dramatically simplifies your access to online services while enhancing your security.
A public key is registered with the online service, while the private key stays on the user's device. The private key is unlocked by the user’s gesture, such as a biometric or pressing a button. So, that's FIDO2, and if you're not using it, you should. If your organisation doesn’t support it, then it should. In fact, Google lists FIDO compliance as a factor in giving yourself the most advanced protection. They go so far as to say you ought to have two FIDO2 security keys; one as your master, and one as a backup. This is Google's advice for journalists, whistle-blowers, and people living in oppressive regimes, and it's solid advice for anybody who wishes to protect their online identity.
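The registration and sign-in flow described above, as an added example in Node.js; it is a simplified model written for this page, not FEITIAN's code and not the real WebAuthn wire format. The class and function names, the sample site login.example, and the rule that the site identifier equals the hostname are assumptions, and attestation and signature counters are left out.

```javascript
const crypto = require('crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Security key: private keys are created here and never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {                        // only the public half is returned
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey;
  }
  sign(rpId, clientData, gesture) {
    if (!gesture) throw new Error('user gesture required');
    const key = this.keys.get(rpId);
    if (!key) throw new Error('no credential for ' + rpId);
    const authData = sha256(Buffer.from(rpId));    // binds the signature to one site
    const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientData)]), key);
    return { authData, signature };
  }
}

// Browser: records the origin it is really connected to, not what the page claims.
function getAssertion(auth, origin, challenge, gesture = true) {
  const clientData = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  return { clientData, ...auth.sign(new URL(origin).hostname, clientData, gesture) };
}

// Service: checks origin, challenge and site binding before trusting the signature.
function verifyAssertion(publicKey, origin, challenge, { clientData, authData, signature }) {
  const cd = JSON.parse(clientData.toString());
  if (cd.type !== 'webauthn.get' || cd.origin !== origin) return false;
  if (cd.challenge !== challenge.toString('base64url')) return false;
  if (!authData.equals(sha256(Buffer.from(new URL(origin).hostname)))) return false;
  return crypto.verify('sha256', Buffer.concat([authData, sha256(clientData)]), publicKey, signature);
}

function demo() {
  const origin = 'https://login.example';           // constructed sample service
  const key = new Authenticator();
  const publicKey = key.register('login.example');  // the service stores only this
  const challenge = crypto.randomBytes(32);         // fresh per sign-in
  const assertion = getAssertion(key, origin, challenge);
  const refusal = (fn) => { try { fn(); return null; } catch (e) { return e.message; } };
  return {
    genuine: verifyAssertion(publicKey, origin, challenge, assertion),
    replayed: verifyAssertion(publicKey, origin, crypto.randomBytes(32), assertion),
    lookalike: refusal(() => getAssertion(key, 'https://login-example.test', challenge)),
    noGesture: refusal(() => getAssertion(key, origin, challenge, false)),
  };
}
```

Calling `demo()` shows the genuine sign-in verifying, a captured response failing against a new challenge, and the key refusing both a lookalike domain and a request made without the user's gesture.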
FEITIAN Technologies began in 1998 in China and is now the world's leading provider of digital authentication hardware with customers in over 100 countries. Their products are used to support and strengthen industries such as financial, healthcare, government, enterprise, and payment.
FEITIAN provided iTWire samples of three of its products - the BioPass FIDO2 security key, iePass FIDO security key, and the AllinPass FIDO2 security key. The company has also made a generous 20% discount available to iTWire readers.
They all provide hardware-based security, but with different connectivity options ranging from USB, biometrics, NFC, and Bluetooth, to suit your needs whether tethered to a desk or on the go. The company has other products, and can also brand any of its products with your organisation’s logo, helping you roll out an aesthetic fleet of secure authenticators to protect your company’s data and reputation.
Each device comes in a durable and compact design and gives you a single authenticator for multiple applications. They protect your online accounts against unauthorised access such as phishing, man-in-the-middle attacks, and hijacking.
BioPass FIDO2 security key
The BioPass FIDO2 security key comes with either a USB-A or USB-C interface and uses your fingerprint to securely sign you into websites and applications. It supports the FIDO U2F, FIDO2 and HOTP protocols. It carries an RRP of US$60.
iePass FIDO security key
The iePass FIDO security key includes USB-C and Lightning interfaces together, one on either end. This makes it a great fit for your iOS devices, and your Android devices, PCs and laptops, MacBooks and more. A USB-C to USB-A adapter is included. It supports U2F, FIDO2, HOTP and PIV protocols. It carries an RRP of US$78.
AllinPass FIDO2 security key
The AllinPass FIDO2 security key provides embedded fingerprint verification, and supports USB-C, NFC and Bluetooth, allowing you to share the one key across all the devices you own. It supports FIDO2 and carries an RRP of US$130.
Which one is right for you?
Whichever security key you opt for, the setup is simple and straightforward. They work with all FIDO-compliant applications and services, such as Google Chrome, Gmail, Facebook, and Dropbox, on Windows, macOS or Linux.
Computer users have long been told of the importance of having complicated passwords that are unique for every site and service we work with, but managing such a mass of credentials is a huge mental endeavour. With a security key like those in the FEITIAN range, your mind can rest; you can make up any random password at any time and once it’s registered with your security key you can dismiss the password from your mind. Let the hardware do the work and protect your data, your finances, your precious memories, and your intellectual property.
For IT departments, deploying hardware-based FIDO2 security keys can be the difference that stops your company's name from being on the front page of the newspaper due to a data breach. It's certainly a lot better than having to contain reputational damage and restore customer confidence when you don't have a breach at all because your users are employing the best security they can.
Ultimately, the choice you have to make is simple. It's not a matter of whether you ought to be using a hardware authenticator, but which model suits your situation best.
Get your own FEITIAN security key at a special price
FEITIAN has kindly made a special offer for iTWire readers; buy one or more security keys from the following link and enter promo code David-20 for 20% off.
You can also contact FEITIAN Technologies for any product enquiries, including personalisation and bulk orders.
Watch FEITIAN Technologies' BioPass FIDO2 security key in use with Windows Hello, on Windows 10.
Listen to "The Snapchat Thief" here, for the devastating effects of SIM swapping.