A fake sense of security that needs to be deprecated
3 min read · Nov 22, 2023
--
I’ve never been a fan of 2fa, but once introduced to FIDO2 security keys, esp. together with passwordless login, I can’t look back.
A password is really secure until you use it. Once used, anyone or anything can have snooped it. Be it a keylogger, a screensharer, a bad web browser or just simply a fake website. Spilling the beans is easier than you think, and if you have a lot of money or other assets on the line, you really don’t want to rely solely on passwords.
Introducing multiple factors of authentication. It can be something you know, something you have, something you are. Google Authenticator takes the form of something you have — your mobile phone. Or, at least that is the story they go with. It’s not the case, really. Google Authenticator is at best another form of something you know — just like your password. It doesn’t truly bring another factor of authentication.
The problem lies in how Google Authenticator is set up. You go to some website, enable 2fa and are presented a QR-code to be scanned. The fundamental problem is that, the QR-code that is shown to you on screen, is the very private key of your Google Authenticator set up. If that QR-code is snatched, any person on earth can generate your one time passwords without you even knowing. It’s a fake sense of security you can’t trust.
All it takes is one bad web browser extension and you are f*cked. A web browser extension can steal both your passwords and your QR-codes, reducing your security to “complete garbage”. There is no way of knowing whether someone has snatched it or not. It’s no better than relying on the secrecy of your password itself. A set up process where the very private key is shown on screen is terrible and at best dumb luck.
This is the main difference with FIDO2 security keys. They are set up by having the USB-key present its public key to the website, while keeping its private key entirely secret on specialized hardware, never presented to anyone. When you log in, a one-way derivative of the public key and private key is sent to the website. The private key itself never leaves the device. This is fundamentally different from how Google Authenticator works.
With a FIDO2 security key you can be certain that no middle party knows the secret used to generate one time passwords. Heck, you can even set up a FIDO2 key on a compromised system and still be entirely sure of secrecy. In other words it’s a system you can actually trust, and that actually do fill the purpose of “something you have”, as the key cannot be (trivially) duplicated.
Further on, the ergonomics of passwordless is fantastic. You have some basic pin code on the device itself — not a complex long password, just some short digit sequence like 6778. Then you just touch the device and you are logged in. It beats Google Authenticator in every possible way. And you can have as many keys as you want, for back up in case of physical theft or for when you drop one of your keys in the toilet.
