As a follow-up to a previous blog post on two-factor authentication (2FA), Visual Labs now supports yet another 2FA method: hardware-based security keys. This type of 2FA is often considered the most secure method, but may be unfamiliar to many and may not be appropriate in all circumstances.
As a reminder, the main purpose of 2FA is to authenticate with two factors: generally, your password (“what you know”) plus a second factor to prove “what you have” or “what you are”. While generally quite secure, the standard 2FA methods have a variety of risks. For example, SMS 2FA is vulnerable to a SIM swap attack, where an attacker convinces the victim’s cellular carrier to port the victim’s number to the attacker’s SIM card. Once the attacker has access to the victim’s phone number, they will receive the two-factor codes, which is clearly problematic.
Hardware-Based Security Key Overview
At present, the most common type of hardware-based security key is a YubiKey (see picture below). They come in different sizes, ranging from the size of a fingernail to a bit smaller than a USB flash drive. The larger ones typically have NFC so they can be used with mobile phones in addition to computers. You can even add a secondary PIN to your YubiKey.
Interestingly, the biometrics on your device (e.g. fingerprint for your laptop or phone) can also be used in a similar fashion since they also function as FIDO U2F (Fast IDentity Online Universal 2nd Factor) keys. Clearly, it is difficult for someone other than you to replicate your fingerprint and use it on the fingerprint reader on your computer.
Fortunately, these standards allow you to mix and match keys among various browsers and phones since every modern browser now supports the Web Authentication API (also known as WebAuthn).
Benefits of Security Keys
Here are some notable benefits of security keys:
- Security: The user does not need to enter a code into the website. This eliminates the most common “man in the middle” attacks where an attacker tricks the victim into entering the code into a similar looking website. The attacker then enters the code on the real website to gain unauthorized access.
- Flexibility: Unlike Google Authenticator, a security key is not tied to a particular phone. If you lose your phone, you do not need to reset your Authenticator app secret.
- Speed: Touching a YubiKey or fingerprint reader is usually much faster than typing in a code. It is also not subject to delays from the cellular network for texts.
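The Security benefit above rests on WebAuthn binding each login response to the origin of the page that requested it. The following added example (not Visual Labs code) simulates a login in Node.js and shows the server rejecting a response obtained on a look-alike site, an edited copy of that response, and a replay against a new challenge. The host names, helper names and in-memory key pair are assumptions, and a real browser would additionally refuse to use the real site's RP ID from the look-alike page.

```javascript
const nodeCrypto = require("node:crypto");
const RP_ID = "portal.example.test";            // hypothetical relying-party ID
const ORIGIN = "https://portal.example.test";   // hypothetical origin of the real site
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Simulates browser + security key: the browser records the page's origin in
// clientDataJSON; the key signs authenticatorData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, pageOrigin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: pageOrigin,
  }));
  // rpIdHash (32 bytes) | flags (0x01 = user present) | signature counter (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signature = nodeCrypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server-side checks; returns "ok" or the first reason for rejection.
function verifyAssertion(a, publicKey, expectedChallenge) {
  const clientData = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (clientData.origin !== ORIGIN) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const challenge = nodeCrypto.randomBytes(32);
  const real = makeAssertion(privateKey, ORIGIN, RP_ID, challenge);
  // A look-alike page relays the server's challenge; the browser still writes that page's origin.
  const relayed = makeAssertion(privateKey, "https://portal-example.test", RP_ID, challenge);
  // Editing the origin afterwards changes the hash the key signed, so the signature fails.
  const forged = { ...relayed, clientDataJSON: Buffer.from(
    relayed.clientDataJSON.toString().replace("portal-example.test", "portal.example.test")) };
  return {
    real: verifyAssertion(real, publicKey, challenge),
    relayed: verifyAssertion(relayed, publicKey, challenge),
    forged: verifyAssertion(forged, publicKey, challenge),
    replayed: verifyAssertion(real, publicKey, nodeCrypto.randomBytes(32)),
  };
}
console.log(demo());
```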
Downsides of Security Keys
Many IT professionals would likely say something to the effect of “you can’t put a price on security.” However, budgets are finite and Google Authenticator (which is free) is still quite secure. A typical YubiKey is approximately $50, and it is recommended that each user have at least one backup key. In addition, some users may not be familiar with YubiKeys in comparison to a typical text message, which could lead to additional strain on IT resources. Lastly, many people carry their smartphone with them at all times but may not necessarily be in the habit of carrying a YubiKey around.
Visual Labs Usage
We are excited that the Lassen County, California Sheriff’s Office was our launch customer for this new feature. This feature addition to the Visual Labs system was suggested by Information Technology Coordinator Robert Talley in December 2021. The feature went live in February 2022 – a timeline indicative of our focus on customer service. Robert remarked, “I set up my Visual Labs account using the two YubiKeys I have and it was super easy. You guys were superfast with this, thanks!”
As our customers look at options to secure their data, we are pleased to offer one more tool that may help protect footage from potential attackers.