If one thing was made clear in 2022, it is that not all multi-factor authentication (MFA) is created equal. Legacy forms of MFA, such as SMS, TOTPs, and mobile-based apps, remain vulnerable and continue to be targeted in data breaches, with attackers taking aim in record numbers in 2022. Companies like Cloudflare that were targeted and escaped attacks have one thing in common: they protect their digital footprint with phishing-resistant MFA in the form of modern, FIDO-based authentication with security keys. The success of hardware security keys isn’t new and can be traced back to Google instituting FIDO U2F internally with a perfect success rate of protecting against account compromise due to phishing.
We believe (as do our customers) that every app and service should allow for the option of hardware security keys for MFA. While support continues to grow, there are some apps and services that have introduced the highest level of advanced authentication – enhancing security by allowing access to accounts with only security keys, and turning off other authentication methods for access.
For high-risk individuals and enterprises alike, this is an extremely important level of protection. This high-assurance security model is currently available for Google and Twitter and, with Apple’s announcement last week, is coming soon for Apple and iCloud accounts.
Google Advanced Protection Program and Security Key Announcement
For some background on how this has evolved: in October 2017, Google introduced the Advanced Protection Program, designed particularly for users who would be at a higher risk of targeted online attacks, such as political figures, celebrities, journalists and many more. This protection reached the full Google platform, from consumer email, YouTube channels and content creators (protect your content) to the enterprise with Google Workspace (protect your workforce).
According to Google, Advanced Protection provides “The strongest defense against phishing: Advanced Protection requires the use of Security Keys to sign into your account. Security Keys are small USB or wireless devices and have long been considered the most secure version of 2-Step Verification, and the best protection against phishing. They use public-key cryptography and digital signatures to prove to Google that it’s really you. An attacker who doesn’t have your Security Key is automatically blocked, even if they have your password.”
Twitter Security Key Announcement
Protecting your brand and communications on social media is critical: whether you are a celebrity, enterprise, or political figure, having your account hacked could be devastating. In June 2021, Twitter followed suit and announced that they also introduced enhanced security with hardware security keys for Twitter accounts (also highlighting that year how they successfully rolled out YubiKeys internally).
According to Twitter at the time of the announcement, “Today, we’re adding the option to use security keys as your sole 2FA method — meaning you can enroll one or more security keys as the only form of 2FA on your Twitter account without a backup 2FA method. We know this is important to people because not everyone is able to have a backup 2FA method or wants to share their phone number with us. With this update, we want everyone to feel empowered to enable security keys to better secure their Twitter account.”
Apple Security Key Announcement
And just last week, Apple announced that they are joining this movement. As part of their move to advance security with new data protections, they will soon be introducing Security Key support for Apple IDs, accounts, and iCloud.
According to the announcement regarding security keys, “Apple introduced two-factor authentication for Apple ID in 2015. Today, with more than 95 percent of active iCloud accounts using this protection, it is the most widely used two-factor account security system in the world that we’re aware of. Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection.”
“This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.”
(image courtesy of Apple Newsroom 12.7.22)
We applaud Google, Twitter, and Apple for helping to drive adoption of security keys and FIDO-based authentication. We’re excited to see what 2023 has in store for cybersecurity. Whether that’s more innovation and a move away from passwords altogether with the adoption of passkeys, or more apps and services allowing for advanced protection, it has become apparent that authentication will continue to be a top priority both for security leaders and in the boardroom.
For any individual user or enterprise that requires high-assurance authentication, we highly recommend taking advantage of these features with hardware-based YubiKey authentication.
Do you use apps and services that you wish offered advanced protection with YubiKeys? Let them know!
For more information on how Yubico can protect you and your organization, see here or visit our store to purchase your YubiKey today.