SecureWorld News

Adding Security Keys to Your Authentication Toolbox

Written by Ahanu Boyle | Wed | Jan 10, 2024 | 1:37 PM Z

I have always known about physical security keys, also called hard tokens, but never actually used one despite my curiosity. So, I was kind of excited when I got my hands on two cool things: a YubiKey 5 and a Google Titan security key.

Now that I have two kinds of security keys, I tested both on some platforms people use regularly to see what the fuss is about.

A quick intro to security keys: A security key can work in place of other forms of two-factor authentication such as receiving a code through SMS or pressing a button in an authentication app. Most keys are about the size of a thumb drive and can either be used by plugging into a computer or, in some cases, communicating over NFC (Near Field Communication) with a mobile device.

When logging into an account, you can simply plug the security key into your computer or mobile device and it will act as your second form of authentication. Then, you enter your password and that's that. Alternatively, with both the Google Titan and the YubiKey, you can hold the key against the back of your mobile phone and that provides the same authentication as plugging it into the device.

The platforms I tested with these two security keys are Microsoft 365 (M365), Google, and Twitter. I looked into trying these out with some more platforms, but, unsurprisingly, services that support security keys are still the minority. Let's hope to see some change in this department in 2024.

A quick caveat is that I tried to do my testing while having a password manager as an extension in my browser (Mozilla Firefox). I found that having the password manager enabled messed up the key registration process occasionally because it will try to store the key as it would a password.

For example, when I tried to register both the Google Titan and the YubiKey on M365, I would get an error if I rejected the password manager's prompt to save the key.

I also got this lovely error when trying to name either security key, even if I accepted the password manager's prompt:

After I identified the password manager as the issue, I tried registering the YubiKey in a private browser and was successful. Smooth enrollment process all around.

On my Windows machine, though, I was required to set a PIN for the YubiKey, so that I would have to enter the PIN whenever I tried to authenticate with it. Part of me wonders if that's redundant, but it's not. This PIN protects against the physical key being stolen and used to log in as me.

When I tried registering the Google Titan in M365 using a private browsing session, I was met with a slap in the face:

Oh, come on now. Really? That's so petty.

I'm assuming that Microsoft is rejecting the Titan because it's a Google product, but it's not like they have their own proprietary security key that they're selling. They could have an agreement with Yubico, perhaps?

Taking the competition over to a Google account, I got a little confused. I had the choice to add both a "passkey" and a "security key." I could not tell you the difference between them, and even after doing some research, it seems that a passkey is something completely different from a physical security key (according to Google's own documentation). So, I went ahead and registered both keys.

The YubiKey was categorized under "passkeys" and the Titan under "security keys." Okay, whatever the heck that means. Seriously, if anyone knows, please comment on this article about it.

When it came to authenticating, both keys worked just fine.
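To make the two points above concrete (the PIN prompt on Windows, and Google's "passkey" vs. "security key" split), here is an added example that is not from the article or from any vendor: it shows how a website expresses those choices in the WebAuthn API and how the site can confirm afterwards that the PIN (user verification) step actually ran. The relying-party name `example.test` and the sample bytes are constructed for illustration.

```javascript
// Options a site passes to navigator.credentials.create(). What Google shows
// as "passkey" vs "security key" maps largely onto residentKey: a passkey is a
// discoverable credential stored on the authenticator, while a classic
// second-factor security key need not be discoverable.
function creationOptions(kind) {
  const common = {
    rp: { id: 'example.test', name: 'Example RP' },      // hypothetical RP
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
    timeout: 60000,
  };
  if (kind === 'passkey') {
    return { ...common,
      authenticatorSelection: { residentKey: 'required', userVerification: 'required' } };
  }
  // Roaming (USB/NFC) key used purely as a second factor.
  return { ...common,
    authenticatorSelection: { residentKey: 'discouraged',
      authenticatorAttachment: 'cross-platform', userVerification: 'preferred' } };
}

// Parse WebAuthn authenticator data: rpIdHash (32 bytes), flags (1 byte),
// signCount (4 bytes, big-endian). UP = the key was touched; UV = the PIN or
// biometric check ran on the key, which is what protects a stolen key.
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error('authenticator data too short');
  const flags = bytes[32];
  const signCount = ((bytes[33] << 24) | (bytes[34] << 16) | (bytes[35] << 8) | bytes[36]) >>> 0;
  return {
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    attestedCredentialData: (flags & 0x40) !== 0,
    signCount,
  };
}

// Relying-party policy: when the site asked for userVerification 'required',
// reject any assertion whose UV bit is clear, even if the touch (UP) happened.
function acceptsAssertion(bytes, requireUV) {
  const ad = parseAuthenticatorData(bytes);
  return ad.userPresent && (!requireUV || ad.userVerified);
}

// Constructed samples: zeroed placeholder rpIdHash, then flags, then counter.
const SAMPLE_UV = new Uint8Array([...new Array(32).fill(0), 0x05, 0, 0, 0, 7]); // UP|UV
const SAMPLE_UP_ONLY = new Uint8Array([...new Array(32).fill(0), 0x01, 0, 0, 0, 8]); // UP only
```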

Moving on, the last platform I looked at was Twitter. This was actually the easiest platform to add security keys to. It was also the only one to provision me a backup code in case I lost the keys; kudos to them for that.

On top of that, you can add multiple security keys to your account without any weird differentiation like on Google. Both the Titan and YubiKey worked seamlessly.

Let's look at the two keys' price points.

You can order a Google Titan with either a USB-C connector or a USB-A connector, with the USB-C coming in at $35 compared to $30 for USB-A.

I think this is a pretty fair price, and it's much less than the YubiKey 5, which will cost you $50 for the most basic model with a USB-A connector.

For $25, you can get a USB-A YubiKey that only supports the FIDO protocols, but that is a lot less compatibility than the YubiKey 5 series.

Before I wrap this up, there are some things that I need to tell you about. Both the Titan and YubiKey 5 have NFC capabilities, as I mentioned in the beginning, but I did not test whether it works or not.

Additionally, I have not gone out and about to work at a café or something to see if the keys would be a pain to keep track of all the time. I'm assuming that if you keep them on the same ring as your house key, losing them won't be so easy. Both the Titan and YubiKey have keyring holes in them. Someone else told me you can also get credit-card-sized holders for them, which can be stored in a wallet.

Conclusion

While both security keys were fine to use for the most part, in terms of platform compatibility, the Titan lost by not being supported on M365. I know that it's probably because of some corporate competitive issues, but the fact of the matter is that if someone can't use their Titan on M365, which could be their most-used platform at work and hold their most sensitive secrets, then why would they care about the Titan? I sure wouldn't.

Additionally, not everyone is going to trust Google enough to use a hard token that they designed and produced. Plus, Google also tends to drop products more frequently than other providers. The especially security-conscious folks will probably stay away and prefer a third party with a better track record, making the YubiKey the better choice in that arena.

Price-wise, you're going to get a better deal with the Titan, though, so if you use Google Workspace on a daily basis and don't mind not being able to use it for M365, it becomes the obvious choice.

For me personally, I'll suffer the higher price tag for the YubiKey 5. I'm a heavy user of M365, am not a huge fan of Google as a company, and would prefer a third party that won't get caught in the middle of corporate product wars.

It's my obvious choice.