Lately, I’ve been getting a lot of questions regarding security keys. At Predica Group (place where I’m working), we’ve also been talking about passwordless a lot.
It’s mainly because phishing is still one of the most prevalent cyber threats out there. MFA, especially with the use of security keys, is the best way to protect yourself (and your business) from a breach. And yet, it’s still not implemented often enough.
This is why I decided to show you that implementing MFA can be really simple. I’ll also share some tips for keeping your credentials protected with security keys.
What is a security key?
Let’s start with the basics. A security key is a piece of hardware that you can connect to your computer (via USB, BLE, or NFC) or phone (via BLE or NFC) to verify your credentials when logging in online.
You can use one key for multiple services – unlike a password, it’s completely safe, because the configuration is different for each system.
There are many producers of such hardware, with the most popular being Feitian, TrustKey, and Yubico. When choosing a security key, it’s important to go with a verified manufacturer, such as one of those named above. Trusted producers are members of Microsoft Intelligent Security Association and FIDO Alliance.
Is it difficult to set up a security key?
Using a key for multi-factor authentication is very easy. Just follow the installation wizard in the service you wish to add the key to. All manufacturers provide applications for the keys that provide additional functionalities.
For Feitian you can use biometrics. Yubico enables you to manage your security key and PIV authentication. Installing additional software from the manufacturer’s website is necessary to use TrustKey, but it also enables biometric functions.
If you’d like to see what to expect when you set up your security key in Azure AD, check out my blog posts where I go through the process step by step:
10 things to know about FIDO2 devices
Having tested a number of security keys from the abovementioned manufacturers, I have some observations that you may find useful. Note that these are my recommendations based on my personal experience.
If you have any other insights or information on other keys, let me know, I’ll be happy to hear them.
- There’s no way to enforce PIN policy in Azure AD.
Essentially, every user can set up their own PIN to use their key. There is no centralized way to manage PINs, which means you can’t block simple codes like 1234.
Depending on the security policy at your organization, it may be a small obstacle.
With that being said, Windows Hello for Business blocks simple PIN codes by default. This can be one way of making sure the codes are a bit safer than 1111.
Still, if you add the key directly to your Azure AD account, these settings are overridden, and you can use any PIN you like – 1111 being one. This is the case with Feitian, Yubico, and TrustKey.
- Feitian and TrustKey offer biometric authentication.
You’ll need to install additional software for these keys, but you can use a fingerprint for identification with these devices.
Yubico doesn’t provide this functionality at the moment, and at the time of writing, they don’t have an availability date for it to be released.
- Yubico is the leader in terms of service integration.
With nearly 300 integrations, Yubico leads the way when it comes to working with other services. If you’re looking for a versatile key that you can use with multiple accounts, it’s the best choice.
TrustKey and Feitian are compatible with fewer services but are still sufficient for basic cloud, email, and productivity services.
- There’s a key for every connection type
Each manufacturer offers multiple options for connecting your key, so you’re sure to find one that works for you. Among the available connections are USB-A, USB-C, NFC, Bluetooth, PIN, biometrics, and more. Whether you need a key for your PC or your phone, you can find a compatible option.
- Biometrics require app installation
Feitian and TrustKey both offer biometric authentication. However, to use this feature, you need to download the manufacturers’ application that enables fingerprint scanning. It is quite easy to use, but keep in mind that it’s additional software you’ll need to add to the process.
- You can use some YubiKeys for local AD authentication
Certain models made by Yubico have additional space for security certificates. This means you can use them for Certificate Authentication (or smartcard-based authentication) to your Active Directory.
The list is continually updated on this page, and at the time of writing, includes 5 FIPS Series, 5 Series, 4 Series, and FIPS (4 Series), plus some legacy devices.
- For large-scale use, choose the full-scale keys
Yubico produces nano models that are very small. This is great for personal use when you want to keep your key always on hand.
However, for business use, I don’t recommend them. They are so small that most people won’t even remove them from the USB port (it’s quite difficult too, especially for USB-C). This would defeat the purpose of protecting your resources and would be the equivalent of having credentials written on a post-it note on a screen.
As a little bonus, here are some recommendations for each key brand, in terms of the available functionalities.
- Feitian – USB A BioPass FIDO Security Key K27
It’s a biometric model with solid metal chassis. Practical and convenient, it was my favorite by this manufacturer.
- TrustKey – G320H – USB-C
Another biometric model that works well with Windows Hello. Its compact size is practical for everyday use.
- Yubico – Yubikey 5C NFC/Yubikey 5NFC
Both of these models are compatible with cell phones, and the only difference between them is the USB port type.
Which security key is the best?
Here’s a quick summary of each brand, based on my tests. I’ve also included recommendations for particular scenarios. Your circumstances may vary, so feel free to contact me if you’d like more specific information.
|Pros||Cons||Recommended use case|
|Feitian||Reinforced construction||Not found||Rugged environments|
|TrustKey||Compact Shape||Software download necessary for operation||Everyday use|
|Yubico||Security certificate storage||No biometric options||Administrative access|
I hope you enjoyed this brief guide to security keys.