Yubi‐co‐key, my designer
How to design software that uses security keys
The value of emails, domains, passwords, and the accounts associated with those passwords is ever increasing. But with greater value comes greater risk (of loss). SMS codes make account takeovers more difficult, but they don’t prevent them entirely. In the coming years, we can expect the popularization of more effective security measures. One such security measure is security keys.
Security keys are authentication devices that require physical contact and cannot be remotely hacked.
I wanted to learn how to design software that uses security keys. I couldn’t easily find any good resources on the subject, so I decided to order some security keys and research the topic myself.
Security keys are not popular (April 2022)
It’s good practice to use a minimum of two security keys
Security keys require the physical push of a button at login
Security keys only require interaction at login; if the session doesn’t expire (i.e., if you check “Remember me” or do something similar), you can access the service on the same device without touching the security key again until you clear the cookies
If you’re using security keys, it’s good practice to disable SMS code authentication; SMS codes are less secure than hardware security keys, and if you leave them enabled as an authentication option, they can be used by hackers to bypass your security keys
Security keys can be used with phones and tablets using NFC, USB-A, USB-C, and Lightning ports
It’s common practice for people to name their keys
Security key implementation can differ in the order that the key name and the key touch are requested
The implementation of security keys varies with the presence or absence of an application transition state in anticipation of a key touch; sometimes implementation relies solely on the browser interface, while some applications support such a transition state in their interface as well
Some applications don’t mention security key support anywhere until you activate 2FA without a security key; it’s worth not repeating this mistake
For services that support 2FA but don’t support hardware authentication keys, a smart solution is to use Authenticator from Yubico (iOS, Android), which requires a key at the mobile app level; this may be a cheaper way to implement security key support in your project
Enabling security keys brought to my attention the presence of recovery codes in applications; worth considering
Some service providers (Basecamp, GitHub, Twitter) email people when a security key has been assigned to their account; consider this in your project
In most applications, security keys are the second factor of authentication, and so—unlike the Apple Watch—you can’t unlock 1Password with them
iPad requires YubiKey 5Ci
Follow me on Twitter