A Security Key is a device that facilitates access, or stronger authentication, into other devices, online systems, and applications. Security keys are also called security tokens.
Security keys are secondary devices that are dependent upon a primary device. These hardware devices work in tandem with the workstation, application, or other system in the way that a smart card does. The two are quite similar although a smart card also requires card-reading hardware attached to the primary device. Security tokens, like smart cards, require a software integration with the primary device or system as part of its authentication mechanism.
The information a security key displays or its insertion of the key into, for example, a USB port serves as an additional possession factor. In instances where the security key has a biometric capability, it serves as an inherence factor. Security keys are used for single sign-on (SSO), multi-factor authentication (MFA) and sometimes support FIDO Alliance authentication standards such as Universal Second Factor (U2F). Legacy security keys support one-time passwords or time-based one-time passwords (OTP/TOTP) by displaying the numeric or alphanumeric strings that a person inputs into a separate field following the username/password fields.
A downside to security keys is that they are costly and not scalable. For the enterprise, they are more expensive to purchase, maintain, and replace than software solutions are. They also degrade the user experience (UX) by making authentication slower and requiring the user to carry, remember, and replace an extra device. Security keys’ challenges of high costs and scalability are compounded when they are used for consumer-facing applications. These devices are used for employee access where users receive the education and support for their use, and where company mandates forcibly reconcile questions of their poor UX.
“Cybersecurity has evolved to where usability is one of a security solution’s most important features. That means the use of security keys is in the spotlight. As people recognize that the use of extra hardware and the steps these tokens entail are onerous, they will continue to seek solutions that make use of familiar platform authenticators like Touch ID.”