Is a security key, a must have? Yes it is!
The recent hack on Uber showed us again that no system is perfect and there is no 100% security. How was this possible and why is a security key a good solution for this kind of attack?
It all started with a basic fishing attack. The eighteen years old hacker, who didn’t have any corporate agenda on his mind, started by obtaining, somehow, an Uber employee’s phone number and redirected him to a fake login page, as with any normal phishing attack. Uber, like many companies these days, uses a multi-factor authentication system that sends a notification to the owner’s phone.
Having only the username and password wasn’t enough for our hacker to access Uber systems, so what he did was spamming notifications to the employee’s phone for more than one hour. Then he contacted the user via WhatsApp, pretending to be from Uber IT, and informing the user that the notification will not go away until it is accepted. This granted access to a teenager, to the systems.
What is the solution? A hardware security key!
I know that informing the users periodically might help reduce this kind of threat but almost always there will be one user who will not be interested in informing the IT department regarding a similar situation.
How can we protect the systems from human error? Modern cyberattacks can’t be stopped by legacy MFA so our best alternatives are hardware security keys. U2F is the standard used by the keys. More details of it can be found on Wikipedia. The keys are built on USB or NFC connections and have PIN or fingerprint protection, depending on the model.
The number of services having this type of protection is growing every day. If you add your key to a service the user’s client device creates a new key pair registers the public key with the online service.
The principle is the key produces a unique code that is passed on to the authentication server, and acts as proof that qualifies as a “something you have” factor and will typically complement your username and password which counts as “something you know” during two-factor authentication.
I hope this information will help you secure in a better way your infrastructure.