  • Apple's iPadOS 16.3 is out with support for security keys

    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.
    "Security Keys" are a generic name for FIDO2.  FIDO2 is a strong, phishing resistant form of 2FA/MFA.  The older styles of MFA, OTP for example, use a cryptographic secret that is the same on both sides.  The same secret key is in the Authentication app (Google Authenticator, for example) AND the back end service.  If that service is compromised and that secret is taken by hackers, they can then log in as you.  A hacker can also build a fake site that looks just like the site you are trying to log in to and capture your OTP secret to quickly replay and log in as you.  That OTP secret is in no way tied to the website you are logging into.  You might be redirected to www.G00GLE.com (instead of www.GOOGLE.com) so that the hacker can intercept your login info.

    FIDO2 is a public/private key cryptographic MFA solution.  That means that the Security Key generates the public and private keys ON the Security Key.  The Public key is sent up to the website and the Private Key is ONLY stored on the security key and can NEVER be exported.  This means that you cannot log in without your security key as that private key is only stored on the security key.  This is a MUCH stronger method of MFA.  It can also be PIN protected so that you must enter your PIN to use the Key to log in.  It also is phishing resistant. The web site URL data and AppID is baked into the cryptographic secret so that if you do go to www.G00GLE.com, the authentication will not work.  Again much more secure than the other types of MFA.

    You might have heard of PassKeys.  That is a technology pushed by Apple, Google, and Microsoft that is based on FIDO2.  It is essentially the software version of FIDO.  The public and private keys are generated on your computer or phone.  They are then stored in your iCloud Keychain and synchronized across your Apple Devices.  The credentials stored in iCloud Keychain are protected by a biometric or a PIN.   Passkeys are a good solution, but I prefer an actual Security Key so that my private keys are secured.  Not that Apple's concept is bad, but if they were hacked the private key MIGHT be exposed to a hacker.

    I hope that makes sense.
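
The contrast drawn in the reply above, as an added example that is not part of the original comment: a TOTP check depends only on the shared secret and the clock, while a relying party checking a FIDO2/WebAuthn assertion also compares the origin and RP ID hash the browser and key reported. The domains, secret, and the `browser_assertion` helper are constructed for illustration, and signature verification is assumed to happen elsewhere.

```python
import base64, hashlib, hmac, json, struct

# Constructed sample values, not taken from any real service.
RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.examp1e.invalid"
TOTP_SECRET = b"constructed-shared-secret"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the inputs are only the secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(code: str, unix_time: int) -> bool:
    # The server recomputes the code from its copy of the same secret.
    # Nothing here records which site the user typed the code into.
    return hmac.compare_digest(code, totp(TOTP_SECRET, unix_time))


def browser_assertion(origin: str, rp_id: str, challenge: bytes):
    """What the browser and key report for the page actually loaded (hypothetical helper)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", 1)
    return client_data, auth_data


def server_accepts_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> bool:
    # The signature check over auth_data || SHA-256(client_data) is omitted here
    # (assumption: done elsewhere); only the site-binding checks are shown.
    cd = json.loads(client_data)
    expected = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return (cd.get("type") == "webauthn.get"
            and hmac.compare_digest(cd.get("challenge", ""), expected)
            and cd.get("origin") == RP_ORIGIN
            and hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()))
```

A code produced by `totp` passes `server_accepts_totp` regardless of which page collected it, whereas an assertion built for `LOOKALIKE_ORIGIN` fails `server_accepts_assertion` on both the origin and the RP ID hash.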