Security Keys: Practical Cryptographic Second Factors for the Modern Web
Venue
Financial Cryptography (2016)
Publication Year
2016
Authors
Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder
Abstract
The security of online user accounts is often protected by no more than a weak
password. We present “Security Key”, a second-factor device based on open standards
that protects users against phishing and man-in-the-middle attacks. The user
carries a single device and can self-register it with any online web service that
supports the standard. The devices are simple to implement and deploy, are not
encumbered by patents, are simple to use, privacy-preserving, and secure against
strong attackers. We have shipped support for Security Keys in one of the
mainstream web browsers. In addition, multiple device vendors produce security
keys. In this work, we demonstrate that Security Keys lead to both an increased
level of security and user satisfaction by analyzing a two-year deployment which
began within our 50,000-person corporation and has extended to our consumer-facing
web applications. The Security Key design has been standardized by the FIDO
Alliance, an organization with more than 170 member companies spanning the
industry.