
Microsoft Supports USB Security Keys

Image by Yubico

Data security is the number one issue on all tech moguls’ minds. With the increasing reliance on technology to store our sensitive information, security breaches have become a veritable digital boogeyman—one that keeps popping up in the news, no less. So, it’s no surprise then that Microsoft announced that they will begin to support USB security keys for Microsoft account holders. 

These keys will allow users to log into accounts and computers without usernames or passwords, and they will support users across the whole universe of Microsoft, including Skype, Xbox Live, Office, and more. Microsoft will work with well-known names in the USB business such as YubiKey and the FEITIAN BioPass keys, which are all USB keys that can be inserted into USB-enabled devices.

Passwords are such an integral part of digital technologies that it’s difficult to imagine what a future without them will be like. Microsoft has long been insisting that this is the natural progression of things and that everyone will be better off in a “passwordless future” where security does not lie in the memory of the user. Passwords are seen as a necessary danger because they are an easy method for gaining access to data and operating systems that doesn’t tax the user or the system it’s built on. They are dangerous, however, because of how easily they can be guessed, hacked, or stolen.

As you have probably noticed, a simple password is no longer deemed sufficient to protect your data. Two-factor authentication and second-step verification are now a common sight when logging on to sites and software that may hold sensitive information, like banking and social media apps. These processes require additional steps beyond typing in your password; they frequently involve sending a text with a randomly generated security PIN to your phone so you can input it into the system to gain entry.


So, this raises the question: How do hackers hack? We’ve all seen movies about it, with some vague black screen and green lettering and a nerd type furiously typing away at the keyboard. Those are the big leagues, however. Hackers in those cases are interested in seriously high-paying data breaches from corporations and big business. The kind of hacking that an ordinary person should worry about is a bit different; smaller in scale, but nonetheless just as nefarious.

Hackers target passwords because they’re a weak point in security. Often they can be guessed by using the “forgot password?” option on websites, because security questions have answers that are pretty easy to find out, like your birthday or the name of your high school. This method isn’t the preferred way, though: it’s tedious and comes without a guarantee of success. Plus, your account may lock after a number of unsuccessful attempts, and then you’ll be aware something is wrong. They don’t want that.

In fact, hackers steal your password and login information by making it seem like nothing is wrong at all. Some older users may still fall for phishing (someone poses as someone you know and asks for sensitive information), but for the most part we’ve become savvy to obviously odd internet requests. So, hackers have instead turned to phishing login pages. These look exactly like the real deal, and most of the time a user won’t notice something’s a bit off. Using keylogging tech (which tracks the keys you type), hackers gain access to your username and password without you knowing. They can also send you malicious software (Trojans, spyware, email worms, and so on) through email that will be enabled as soon as you click on it or download an attachment. Or that free software that you found available on some random site? It could easily be (and often is) the vessel for a nasty virus. These kinds of threats are everywhere, but a user armed with warnings and a little bit of skepticism can usually avoid these pitfalls.

Tech giants have begun introducing devices and technology to battle against security breaches as well. We wrote a blog some time ago about Google’s foray into security with the introduction of their USB hardware security keys, very similar to Microsoft’s idea, but Google’s key still requires passwords to be used in addition to the key itself. Microsoft’s key will grant access to all user systems and logins without requiring users to enter their logins each time. Other OEMs like Apple and Microsoft have been trying to coax the consumer market to adopt biometric security measures like facial and iris recognition and fingerprint-locking USB drives.

These major players belong to the FIDO Alliance (Fast Identity Online), a consortium of numerous corporations and organizations devoted to increasing cyber security’s strength utilizing authentication technologies such as biometrics and security keys. Their ranks include more than just tech moguls like Amazon and Google but also leaders from other industries plagued by security breaches, like medical (Aetna), retail (Samsung, Visa), and banking (Bank of America, USAA). FIDO embraces secondary authentication methods to increase security and reduce the potential for a data breach, and so they support the Universal 2nd Factor (U2F), a standard that strengthens two-factor authentication using USB (Universal Serial Bus) or NFC (near field communication) transmittal methods. These authentication protocols are carried through security keys, of which various OEMs have their own version, as mentioned above. Several operate U2F natively instead of requiring enablement by the user. Certain Microsoft services do not support them either (Office, OneDrive, etc.), but the most recent Windows 2018 update and Microsoft Edge support it.

U2F works by mimicking a keyboard to communicate with the host computer, thereby eliminating the need for a special driver and allowing software direct access to the security features of the key without any other steps (just plug in and go). When the device establishes communication with the host, it engages in challenge-response authentication using a public-key cryptography process and a secret device key installed in the device, which is protected from possible duplication efforts through ID-based encryption and anti-counterfeiting and reverse engineering encryption. Devices equipped with FH2 tech are considered reliable and secure. FIDO has launched their FIDO2 Project, which will augment the FIDO ecosystem and create a FIDO authentication standard that is meant to easily validate access to online domains on both mobile and desktop platforms. The future looks like it will abandon traditional passwords and utilize secure access USB keys.
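The challenge-response exchange described above, sketched in Go as an added example (not code from the original post, FIDO, or any key vendor). It is simplified to the origin and challenge binding, and the function names and the two origins are constructed for illustration; it shows why a response produced on a look-alike login page, or a replayed old response, does not verify on the real service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// digest binds a server challenge to the origin the browser reports.
// Simplified: real U2F also signs a counter and a user-presence flag.
func digest(origin string, challenge []byte) []byte {
	o := sha256.Sum256([]byte(origin))
	d := sha256.Sum256(append(o[:], challenge...))
	return d[:]
}

// Sign runs inside the key; the private key never leaves the device.
func Sign(priv *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
}

// Verify runs on the service, using the public key stored at registration,
// its own origin, and the challenge it issued for this login attempt.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(origin, challenge), sig)
}

// Demo returns the outcome of a genuine login, a response produced on a
// look-alike origin, and a replay of an old response (constructed origins).
func Demo() (genuine, phished, replayed bool, err error) {
	const site, fake = "https://login.example", "https://login-example.test"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	c1, c2 := make([]byte, 32), make([]byte, 32) // one fresh challenge per login
	rand.Read(c1)
	rand.Read(c2)
	good, _ := Sign(priv, site, c1) // browser is on the real site
	bad, _ := Sign(priv, fake, c1)  // same challenge relayed through a fake page
	genuine = Verify(&priv.PublicKey, site, c1, good)
	phished = Verify(&priv.PublicKey, site, c1, bad)
	replayed = Verify(&priv.PublicKey, site, c2, good) // new login, old response
	return
}

func main() { fmt.Println(Demo()) }
```

Unlike a typed password or a texted PIN, the signed response is only valid for the origin and challenge it was created for, so there is nothing reusable for a phishing page or keylogger to capture.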


But will these USB keys be enough to stop all security breaches? Data crises and scares are pretty numerous, like the potential data breach of an Irish university due to a missing USB stick or the city of Amarillo, Texas losing a password-encrypted flash drive with sensitive city worker payroll information. As much as we’d like to rely on data encryption and passwords, these can be broken by determined hackers. In addition, using a combination of physical and remote techniques, they can also access your login information. By installing spyware in your USB port, they can use a RAT (Remote Administration Tool) to monitor your every move and keylog your passwords. If they’re able to infect your USB ports, any device inserted can be used to access sensitive information by providing remote access.

Another unfortunate reality of USB keys is that they are physical access points that can be stolen, lost, or possibly even copied. Google claims that their hardware key cannot be copied, and FH2 standards design devices to be anti-counterfeit, but even if that’s true, how long will it remain so? Hackers are constantly developing new ways to break through security protocols and tech, in fact often surpassing developers’ ability to contain or stay ahead of them. It’s only a matter of time before thieves are able to bypass security keys and find ways to clone or falsify them. We seem to be forever locked in a cycle of security innovation and breaches. If you build a 10-foot wall, someone’s going to start making 11-foot ladders!

But that is exactly why we need these USB keys. We need to protect ourselves and our data now, and these seem to be the best bet. Are they a long-term solution? Maybe, probably not. If they’re utilized properly, and perhaps with additional security measures (such as double layers of passwords, one provided by the device and one by you), they could drastically reduce breaches, especially from internet-based attacks—at least until black hats worm their way around those, too. And “if” is a transparent word; whether a device is used properly depends on the user’s and programmer’s tendency to err.

If our future is indeed one without passwords that we manually input, then some other innovative technology will have to take their place. But the truth is that we will always need some form of a lock and key system to prevent unauthorized users from getting to our stuff, one that is free of user error and risk and complicated enough to provide enough padding against hackers. Likely it will be something hardware-based, like USB keys that are difficult to remotely hack or manipulate. This practical and necessary use will likely help keep the production of USB peripherals like flash drives going despite the increase in Cloud data storage practices.

What do you think future security deterrents will be like?