Patrick Kerrigan

MFA with security keys

by Patrick Kerrigan, . Tags: Cryptography Security Web

Enabling multi-factor authentication (MFA) is one of the single most effective steps you can take to protect your online accounts against unauthorised access. Combining something you have (a device or smartcard) or something you are (biometrics) with something you know (your password) ensures that if your password falls into the hands of an attacker, whether through a security breach, malware, or brute force guessing, then they still won't be able to get access to your account.

Common types of MFA

More and more online services are now offering some form of MFA. Some methods are better than others, but any form of MFA is better than none. Here are the most common ones that I've seen at the time of writing:

SMS/phone call

SMS MFA works by asking you to register your mobile phone number against your account. When you attempt to log in, the service will send you a short code by SMS and prompt you to enter this code to verify you have possession of the phone you registered. Sometimes this is implemented with an automated phone call that reads the code aloud to you instead of SMS. While probably one of the most accessible forms of MFA, this has some serious drawbacks. Firstly you need a mobile phone signal to be able to log into your account. More importantly, it's possible for an attacker to receive your code by means of a social engineering attack on your mobile operator, convincing them to activate a new SIM for your number (SIM swapping) and then receiving the SMS themselves.


Email MFA is another simple and accessible MFA method that works by the service sending you an email when you attempt to log in, which contains either a code or a link that is used to verify you control the email address you registered. The major downside of this approach is that you can often reset your password via email too, making it possible for an attacker who gains access to your email account to obtain both authentication factors for any account which uses email MFA. This can be somewhat mitigated by requiring a separate email address be used for MFA, but you're still ultimately trusting another online account that's equally open to remote compromise.


Time based One Time Passwords, or TOTP, is probably the most common form of MFA available today, and provides a good balance of ease of use and security. Setting it up usually involves installing an authenticator app (such as Google Authenticator) on your phone and scanning a QR code on your computer screen. This creates a shared secret between your phone and the online service which is used to generate a new 6 digit code every 30 seconds. When you next log in you're prompted to enter the current 6 digit code from your app which is used to verify that you're in possession of the phone you registered. This is a vast improvement over the previous methods, but it's still vulnerable to malware on your phone stealing the shared secret and allowing an attacker to generate the correct codes.

Security keys

Security keys aim to solve a lot of the problems with other methods of MFA. They're extremely easy to use, highly secure, and provide a true physical authentication factor. They also have built-in protection against phishing attacks (nothing stops a phishing website from asking for your 6 digit TOTP code, after all!) and include the web browser as an active participant in the authentication process to verify the identity of the website you're authenticating to.

The principle is similar to how SSH keys work. When you register your security key with a service, the key generates a public and private key pair and sends the public key to the service via your browser. Next time you log in to the service, a challenge is generated and sent to your security key, along with the identity of the site issuing the challenge. Your security key then prompts you to confirm you initiated this by some form of physical interaction (pressing a button on the key for example), and then signs the challenge with its private key to confirm possession of it.

They come in two main flavours:

Portable authenticators

These are dedicated devices, usually in the form of a USB key, which can be kept on your keyring and used with any computer or mobile device that supports them. Private key material never leaves the device, and all cryptographic functions are performed by the device itself which ensures that malware on your computer cannot compromise the keys. A physical button is used to confirm all cryptographic operations to make sure that they were initiated by you or with your knowledge.

Platform authenticators

These are chips built into computers and mobile devices (often as part of Trusted Platform Modules, or security processors) which are purpose built to generate and store encryption keys without ever allowing them to be retrieved. Similar to portable authenticators, all cryptographic functions are performed within the chip, and operations are confirmed by you, often using biometrics such as touching a fingerprint reader. If you have a recent Android phone or iPhone then this functionality is probably already present.

My experience with security keys

Almost a year ago now I decided to make the jump from Google Authenticator to a portable security key (in this case a Yubikey), and I've never looked back. Usually increased security comes with increased inconvenience, but I've found security keys to be a clear exception. Previously using TOTP I would need to grab my phone, unlock it, open the Google Authenticator app, scroll down to find the right account, make sure there's enough time left to use the code, then type it into the MFA prompt. With my security key, which stays plugged into my computer while I'm using it, I simply tap the gold disc when prompted. That's it. While it may not seem like much, this is a massive time saver when I find myself having to log into many MFA protected accounts throughout the day, and is hardly any more effort than having no MFA at all.

Sadly, support for using security keys isn't quite as widespread yet as I would have hoped. While the big players tend to support them, most smaller services still only support TOTP. Some security keys however, such as my Yubikey, can also function as a TOTP authenticator. Rather than registering my phone, I can register my security key using its app, and it will store the TOTP secret internally, meaning there's no way malware can get access to it. Using a TOTP code is as simple as clicking the account in the app, tapping my key, and the 6 digit code is copied to my clipboard ready to paste into the MFA prompt. While the key has a limited number of slots for TOTP accounts I've not come close to it yet, and find the process to be a good compromise while waiting for more services to support security keys in full.

I can highly recommend switching to security keys for anyone who wants to improve the security of their online accounts, or indeed for anyone who's been put off enabling MFA due to the extra effort required when logging in.

A note on backups

It's worth noting that security keys cannot be backed up by design, so you need to make sure you have a backup MFA method enabled in case you lose or break your key. The most secure method is to register a second security key to your account and keep this in a safe place. Alternatively, many services offer recovery codes that can be printed and kept offline in a safe.