  • Apple's iPadOS 16.3 is out with support for security keys

    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.
    There are a number of MFA capabilities available. Most are not really secure and are susceptible to phishing. SMS text MFA can be intercepted by a hacker via a number of methods, such as SIM swapping and a vulnerability in the SS7 protocol used by almost all cell phone technologies.

    OATH OTP (Google Authenticator etc.) is susceptible to phishing and uses older, symmetric cryptography. An end user can be tricked into revealing their login credentials and OTP code by a phishing attempt. The hacker sends the user a link to a website. The end user clicks on the link thinking it's a legitimate site. But the hacker set up www.g00gle.com (google with two zeros). When the user clicks on the link and enters their login credentials and OTP, the hacker uses that information to quickly log in to www.google.com with that user's information. There is no link between the website and the OTP code generated, so the user has no check and balance that the site is legitimate.

    Security Keys use the newer FIDO2 technology. FIDO2 uses asymmetric cryptography. Think PGP or X.509 certificates. There is a public key and a private key that are generated on the Security Key when the user registers it with a service. The public key is sent up to the service and stored with the user identity. The private key ONLY exists on the Security Key and can NEVER be exported. We don't care if the public key is exposed, as the private key is required to authenticate and that key is only on the Security Key. There is also anti-phishing technology built into this process. When the public/private key pair is generated, an AppID and the URL are used to create the key pair, and that info is cryptographically bound to the key pair. IF you do go to www.g00gle.com, the cryptographic hash won't match and the login will fail. Currently, FIDO2 is the most secure MFA method available. Yubico has a great overview of FIDO2 here: WebAuthn (yubico.com) (FIDO2 is the umbrella that consists of both CTAP and WebAuthn).

    You may have heard the phrase that Apple, Google, and Microsoft are pushing: Passkeys. Passkeys are FIDO technology. Instead of having the private key on a Security Key, like a YubiKey, Passkeys store the private key on a phone or computer in a keychain. Apple, for example, uses iCloud Keychain to store the FIDO private key. That private key is then synchronized across multiple devices via iCloud sync. This solves two problems, but introduces potential security issues. When using a security key, you should register AT LEAST two keys with any service so that if you lose your key, you are not locked out of your account. The other main issue is that now the user has to ensure that they have a security key with them, in case they need to log in again. If the user does not have their security key with them, they won't be able to log in. Personally I have a YubiKey on my key chain and carry it with me whenever I leave the house.

    With Passkeys, the main security concern is that the private key is now shared across devices. This might expose the private key if a hacker got into iCloud. I prefer to use a Security Key as I err on the side of caution. I might use Passkeys for lower value accounts, but will always use a Security Key for my email accounts and my financial accounts (AND my iCloud account...).

    Overall, Security Keys are an easy to use and very secure method of MFA. As Passkeys are built on FIDO technology, they are a reasonable solution as well.

    Sorry for writing a novel.  Hopefully that helped.
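
The origin binding described in the post, as an added model written for this thread (not Yubico's or any WebAuthn library's code): the key signs over the hash of the relying-party ID plus the browser-built clientData, so www.g00gle.com (the post's example) never obtains a usable signature. It simplifies the real protocol (no counter, attestation or COSE encoding) and assumes the browser derives the rpID by stripping "https://" from the page origin; the real effective-domain rules are more involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"strings"
)

// Authenticator models a security key: one key pair per relying-party ID (rpID); private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// ClientData is assembled by the browser, not the web page; Origin is the origin the browser really loaded.
type ClientData struct{ Type, Challenge, Origin string }
// Register mints a key pair for rpID; only the public key is handed to the service.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = priv
	return &priv.PublicKey
}
// message builds authenticatorData (SHA-256(rpID) || flags) and the digest WebAuthn signs,
// SHA-256(authenticatorData || SHA-256(clientDataJSON)); key and service each compute it themselves.
func message(rpID string, clientJSON []byte) ([]byte, [32]byte) {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientJSON)
	authData := append(rpHash[:], 0x01) // flags byte: user present
	return authData, sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
}
// Assert signs a login for rpID; a look-alike domain the key was never registered with gets nothing back.
func (a *Authenticator) Assert(rpID string, cd ClientData) (authData, clientJSON, sig []byte, ok bool) {
	priv, found := a.keys[rpID]
	if !found {
		return nil, nil, nil, false
	}
	clientJSON, _ = json.Marshal(cd)
	authData, digest := message(rpID, clientJSON)
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, clientJSON, sig, true
}
// Verify is the service's check: the signed clientData must name its own origin and challenge,
// authData must carry its rpID hash, and the signature must verify under the stored public key.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, clientJSON, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(clientJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	want, digest := message(rpID, clientJSON)
	return string(authData) == string(want) && ecdsa.VerifyASN1(pub, digest[:], sig)
}
// Login plays the browser: rpID is taken from the host the user is really on, not from anything the page claims.
func Login(a *Authenticator, pub *ecdsa.PublicKey, pageOrigin, rpOrigin, challenge string) bool {
	cd := ClientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin}
	authData, cj, sig, ok := a.Assert(strings.TrimPrefix(pageOrigin, "https://"), cd)
	return ok && Verify(pub, strings.TrimPrefix(rpOrigin, "https://"), rpOrigin, challenge, authData, cj, sig)
}
```

The look-alike domain fails twice over: the key holds no credential for its rpID, and even a signature obtained some other way carries the wrong origin inside the signed clientData.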