Using a computer security key is the best way to authenticate your identity, but not all security keys are created equal. USB, NFC, and Bluetooth security keys all have their benefits and drawbacks.
What Is a Security Key?
It may seem pretty odd to use a physical key to log into a device or gain access to a program, but that’s exactly what a security key is. Computer security keys are pocket-sized keys that provide encryption, authentication, and authorization services. After logging into an account with your username and password, you’ll use the security for multi-factor authentication.
| Feature | FIDO U2F | FIDO2 (WebAuthn + CTAP) |
|---|---|---|
| Authentication Type | Second-factor authentication (requires password + security key) | Passwordless authentication (supports both second-factor and passwordless logins) |
| Primary Use Case | Enhance security by adding an additional layer (2FA) | Passwordless login, strong multi-factor authentication, and enhanced security across multiple devices |
| Cryptographic Method | Public-key cryptography with ECC (NIST P-256) | Public-key cryptography with ECC (NIST P-256) or RSA (2048 bits or longer) |
| Hash Function | SHA-256 | SHA-256 |
| Encryption | Primarily uses ECC for signing challenges | Uses ECC/RSA for signing challenges and AES for encrypting communication (in some implementations) |
| Device Attestation | Not explicitly supported | Supported for proving device authenticity |
| Supported Protocols | FIDO U2F | FIDO2 (WebAuthn for browsers, CTAP for authenticators) |
| Backward Compatibility | N/A | Backward compatible with FIDO U2F keys |
| Authentication Flow | Challenge-response (signs the challenge with private key) | Challenge-response (supports both challenge-response and attestation) |
| Supported Devices | Primarily desktop browsers and some mobile devices | Wide range of browsers, mobile devices, platforms, and applications |
| Security Benefits | Protection against phishing and man-in-the-middle attacks | Protection against phishing, man-in-the-middle, and credential theft; supports device attestation |
Security keys are secure in part because they use Fast Identity Online (FIDO) technology. FIDO is a collection of protocols designed to work with passwords during authentication. With FIDO, you don’t need to remember dozens of passwords or even use a password manager to log in. With passwordless authentication, you only need to insert and press your security key to authenticate.
All FIDO protocols use public key cryptography to authenticate. This type of encryption uses two keys to safeguard data: a public and a private key. Your private key decrypts information and is not shared.
Unfortunately, physical security keys can’t be used to authenticate every account. Although the technology has existed since 2008, it is still being slowly adopted.
There are three types of security keys. While each key type is incredibly secure, some provide more security than others.
USB
A USB security key is the most secure of all the key types. By being physically inserted into the computer, there is less chance that the data sent will be intercepted by someone listening to your network. That being said, even if a cyber whiz is able to collect the data being sent by your physical key, they still need to go through the painstaking work of decrypting that data. Brute forcing a FIDO-compliant USB security key could literally take an eternity, depending on the key length.
NFC
NFC stands for near-field communication. While you may have never heard of NFC, you use it whenever you tap to pay with your credit card or phone. This same technology is found in computer security keys. In order for NFC technology to work, you need to be within about two inches of the device you’re attempting to communicate with. This means that to capture the signal, an interloper has to be intimately close to you.
While this is not very feasible, it is possible. However, remember that FIDO-compliant security keys use extremely strong encryption, so even if this data is intercepted, it must still be decrypted. Should the private key be compromised, NFC protocol makes the impersonation of a user difficult by requiring both parties to verify their identity before sending sensitive information, while the physical security key’s encryption makes it extremely unlikely that your data will be breached.
While NFC hardware security keys are incredibly secure, the good news is that most NFC-enabled security keys also provide a USB connection.
Bluetooth
We use Bluetooth when sharing files and connecting to speakers, and now we can use it when authenticating with a security key. At first glance, Bluetooth may appear insecure because of its broadcast radius of 33 feet. While this does create a very low risk of man-in-the-middle attacks, the probability of your information being intercepted is incredibly small. Your hardware security key will use the Bluetooth Secure Simply Pairing mechanism designed to address man-in-the-middle attacks that made legacy pairing mechanisms vulnerable to such an attack.
Even if a hacker defied the odds and intercepted your private key, current computing power makes decryption impossible. Hackers can intercept all they want, but the data they collect will be no good if they can’t unscramble the cipher.
While each type of security key has its pros and cons, it’s important to remember that each type is incredibly safe. Using any of these keys ensures that your information will be kept safe—unless, of course, you lose your key.
