A Google Titan security key, used for 2FA purposes. (Tony Webster from Minneapolis, Minnesota, United States, CC BY 2.0, via Wikimedia Commons)

Google last week revealed that it was coordinating efforts with global partners to hand out free USB security keys to 10,000 elected officials, political campaign workers, human rights activists and journalists, and other users considered to be at high risk of getting hacked.

This announcement helped bring attention to the benefits of hardware-based authorization keys and tokens as a more secure version of two-factor authentication — especially as crafty cybercriminals are becoming increasingly effective at bypassing traditional 2FA.

Still, asking employees and user organizations to incorporate physical keys or tokens into their regular authentication process will require — like many other aspects of security — a certain amount of culture change, training and buy-in. Which leads to the question: What additional efforts are needed to persuade even more companies to move to hardware-based 2FA?

Amazon and Microsoft launched similar campaigns

Google’s giveaway was part of an effort to persuade high-risk individuals to enroll in its Advanced Protection Program (APP), which uses physical keys to protect against phishing attacks, malware and other threats. “The more high-risk users that we can get into a protected state, the safer we all are,” said a blog post co-authored by Grace Hoyt, partnerships manager of Google’s Advanced Protection Program, and Nafis Zebarjadi, product manager, account security.

For instance, Google partnered with the International Foundation for Electoral Systems (IFES) to hand out the tech giant’s Titan Security keys to attendees of the organization’s global cyber hygiene trainings, including Middle East-based journalists and women activists in Asia. Google also gave keys to 180 federal election campaigns through the nonprofit Defending Digital Campaigns (DDC).

“We were very pleased to see Google’s announcement, and I absolutely think that this will help further adoption for utilization of security keys by enterprises and individuals alike to provide simpler, stronger and phishing-resistant user authentication,” said a statement from Andrew Shikiar, executive director and CMO of the FIDO (“Fast IDentity Online”) Alliance, an open industry standards organization with a mission to phase out the use of outdated password technology, and replace it with cryptographically secure, standards-backed authentication alternatives such as on-device biometrics and FIDO Security Keys.

“Whenever a major organization makes a major announcement bolstering their security controls, it sparks conversation and movement in the broader industry,” agreed Wolfgang Goerlich, advisory CISO at Cisco Secure. “Google’s announcement that it is enrolling 10,000 people in authenticating with strong security keys will make it easier to explain a similar need in other organizations.”

And this isn’t the first such corporate endorsement of hardware-based authentication. Among the companies using FIDO’s standards for Universal 2nd Factor (U2F) authentication keys is Yubico, which like Google has been working with DDC to provide its hardware-based authentication keys to campaigns from both major parties.

This effort is being conducted through Yubico’s Secure it Forward program, “which was established to provide YubiKeys to help nonprofits and at-risk organizations improve their security posture,” said Chad Thunberg, Yubico CISO. “For every 20 keys sold on the Yubico e-commerce store, we donate one key to nonprofits, individuals or organizations in need.”

Shikiar also cited a recently reported commitment from Amazon to provide Amazon Web Services admins with security keys, as well as Microsoft’s use of security keys as part of its newly announced plans to let its account holders go passwordless for a multitude of services.

“When three of the largest and most influential technology companies on the planet [Google, Amazon and Microsoft] embrace security keys for MFA, it gives greater impetus and a path forward for other companies to follow suit — which we’re already seeing at scale both within the enterprise, and as well as for a growing number of consumer implementations,” Shikiar said.

“In a similar vein,” he continued, “we’ve recently seen the Biden administration, through an executive order back in May, embrace security keys as a mechanism to bolster cyber defenses for government agencies — a domain previously reserved for CAC and PIV cards, neither of which bring the scale and cost benefits of security keys.”

Getting users into the habit

Despite Google’s free giveaway, 10,000 hardware-based auth keys are just a drop in the bucket.

Cisco cited a report from its subsidiary Duo Security, which found that U.S. and UK, security keys were used by fewer than 10% of surveyed individuals. SMS- and email-based authentication, meanwhile, still reigns supreme as the two most popular 2FA options.

To reverse this trend, more efforts are needed to encourage adoption of physical keys and tokens and get employees comfortable with the notion of using them regularly. Erich Kron, security awareness advocate at KnowBe4, said that despite the technology’s effectiveness, it may take some time getting used to the concept.

“The inconvenience is often the factor that will cause [their] use to be abandoned by many,” said Kron. “In a world where we value the option of using our cell phones to make point-of-sale purchases, open smart locks and even start our cars, just so we do not have to carry extra items with us, the addition of a physical key is challenging.”

This problem particularly presents itself when absent-minded employees mistakenly their key behind somewhere, creating additional headaches.

“As a long-time user of key-based 2FA, I have found myself in situations where I am out of town and have left it on my keychain at home, or otherwise do not have access to it when needed,” said Kron. “While there are often other options for a secondary 2FA choice if you do not have your key, your account is only as secure as the least-secure option, so if you allow SMS 2FA as a backup, the key really does little to improve security over that option.”

Goerlich also said there are challenges related to “delivering the keys, replacing the keys when they are lost or stolen, and retiring the keys when people leave the organization. This requires a degree of identity proofing, discipline, and process maturity.”

Nevertheless, Kron believes that education and awareness programs will help drive up acceptance of the technology — provided they can clearly communicate the advantages and benefits. Case in point: Shikiar noted that a Google study conducted several years ago found that hardware keys stopped 100% of phishing attacks, while also reducing time to authenticate and help desk and support costs. “And their employees reported broad satisfaction as compared to [one-time passwords],” he added.

“Whenever we ask a person to take an additional step to accomplish the same goal — in this case using a security key to access an account — the person should understand the importance of the change, how it will help them, and the consequences of not complying,” said Kron.

To that end, Thunberg said that Yubico works with a number of enterprise customers “who are preparing their companies to adopt broad usage of YubiKeys.”

“We believe that with education, training and the proper tools, usage and adoption rate of hardware keys, like YubiKeys, will only continue to increase,” he continued. Change in this regard will likely be incremental, “with enterprises first taking the right steps to modernize their authentication infrastructure. Modernizing authentication infrastructure is a large task, but once complete, the rollout can shift its focus to user adoption.”

To facilitate the adoption process, Thunberg recommended that companies understand their user base, and prioritize individuals with high-risk situations, focusing on them first. Then they need to clearly communicate the workflow of the integration, along with the benefits of the technology. Finally, companies should offer training sessions, which should “demonstrate how easy the transition and use will be,” and also “ensure your helpdesk is also properly training for support calls.”

Organizations may also want to consult with the FIDO Alliance’s Enterprise Deployment Working Group, which has been documenting best practices related to hardware-based authentication.

With all that said, some experts contend that physical security keys, relative to other technologies, are comparatively simple to implement, with few obstacles impeding an efficient roll out.

“Frankly, I’m not sure the usability barrier is that high in the enterprise, especially when compared to other forms of MFA like smart cards, tokens and OTP apps that require multiple steps for enrollment, login and general administration,” said Shikiar.

Goerlich agreed, noting, “While many security changes require in-depth training and culture changes, security keys are surprisingly easy to use and adopt.”