2

From my reading I understand that USB keys (for example Yubikeys) are more secure than OTP authentication apps (such as Google Authenticator). The primary reason is that FIDO is done without human interaction so it's not susceptible to social engineering or phishing attacks. Also, it connects with the service provider using encryption so it protects against man-in-the middle-attacks. Is my understanding correct so far?

I can still think of several benefits that Authenticator Apps have over USB keys.

  1. Most people already have a smartphone so there's no additional cost or burden
  2. If lost or stolen, phones can be remotely tracked, locked and wiped.
  3. Phones can be encrypted or at least have a lock screen
  4. The Authenticator App can be password protected
  5. Backup codes for OTP can be used, whereas it seems much more of a problem if a USB with keys is lost.

Given these facts I find it hard to see why people use things like USB keys?

northerner
  • 283
  • 2
  • 10
  • 1
    "If lost or stolen, phones can be remotely tracked, locked and wiped." In terms of using phone as security key generator, the ability to remote wipe should not be considered a security feature. You should deauthenticate the OTP key from the relying party services, not by remote wiping the device. It's possible for a sophisticated attacker to fake a successful wipe response, while in fact, they have already duplicated the OTP secret key. – Lie Ryan Aug 31 '21 at 03:34

2 Answers2

1

Like so many other questions on this site, you'll find the answer is "it depends on your threat model."

If your biggest risk is "employees who lose their USB keys and don't report them in time", then you might consider an authenticator app to be "safer".

If your biggest risk is "phone remotely hacked and the authenticator app is targeted by a hostile actor, and the authenticator's internal state is compromised" then a USB key might offer a "safer" solution.

Whatever your "keeps the CISO awake at night" threat is, that's typically the path you'll take.

--

Also, be aware that most of your "advantages" are not quite the security differentiators that you think. Most are policy choices available either way.

  • One less thing to carry is a convenience and cost advantage, not security. A USB key can "just work" without requiring both a phone and typing a bunch of passcodes, which is also a convenient time saver. Either way, convenience can lead to increased user acceptance, which can be argued is a security advantage.
  • When reported lost or stolen, any authenticator will instantly be revoked by serial number, regardless of if it's a phone app or USB key. And both can be restored by a simple administrative process. In the real world most users report their phones as lost, not stolen, and are strongly opposed to remote wiping of their device if there's a chance it's merely hiding under the car seat (aggressive lost-device response measures will result in under-reporting of lost devices.)
  • The USB key requires a computer; both computers and phones have lock screens and can be encrypted.
  • Phone authenticator apps can be password protected or not; that's a configuration choice. Computers are protected by the logon screens.
  • Backup codes for both OTP and USB keys can be enabled or not; or an organization might require a user to physically check-in and present their ID before security reissues them a new code or device.

Finally, there's nothing preventing an organization from offering multiple authenticator options, leaving the choice up to the users.

John Deters
  • 34,205
  • 3
  • 61
  • 113
0

True, under the right circumstances one can be better than the other. Especially when you factor in practicality concerns, such as the extra cost mentioned in point 1.

But help me out; maybe I misunderstood or missed something, but isn't the final question already answered? The harder phishing and better encryption mentioned in the 1st paragraph is why some people may use hardware keys. For some, that by itself makes it worth it over OTP.

Maybe you're interested in more perspectives? Consider:

  • The secrets are generated by the hardware key, not the server/service. Whereas OTP secrets are shared between user & server/service, making it easier to steal (see the 2011 RSA SecureID breach)*
  • Malware on the phone/device that generates OTP codes can steal them. See the Cerberus malware.*
  • There are ways to mitigate a stolen hardware key; a pin can be added and the key can be de-registered from services before an attacker could leverage the stolen hardware key.

*To be fair, stolen/compromised OTP seems pretty rare as of Fall 2021; or at least compared to other credential compromises (cough cough SIM jacking). But in the context of question which is comparing the two methods (key word 'safer'), I think these points are relevant.

user8187
  • 141
  • 1
  • 6
  • Re: "help me out". It sort of seems like catch 22 logic in that if someone knows the benefit of USB keys is to avoid phishing then they already know about phishing and can just avoid the scam by not telling the OTP to anyone who asks. Am I missing something? – northerner Aug 31 '21 at 05:18
  • Ah I see; so the question's context is from a user who has already educated themselves on phishing? (As opposed to say an average person or an it administrator?) – user8187 Aug 31 '21 at 11:14