"Security Keys": an alternative 2FA to OTP (One-Time Password)
Recent data breaches, online fraud (credit/debit card or internet banking) and user account compromises have once again highlighted the challenge of securing user data online, where accounts are often protected by no more than a weak password.
Researchers across the globe have produced numerous proposals to move away from passwords, but in practice such efforts have largely been unsuccessful. Instead, many service providers augment password-based authentication with a second factor in the form of a one-time passcode (OTP). Unfortunately, OTPs as a second factor are still vulnerable to relatively common attacks such as phishing and man-in-the-middle attacks. In addition, OTPs have a number of usability drawbacks, which limits their success and deployment as a reliable and secure second factor.
Yesterday, the RBI relaxed two-factor authentication for online payments below Rs 2,000. As India witnesses a trend toward digital transactions (moving towards a cashless economy), we need to adopt technologies that can be implemented to secure financial transactions. One recent research effort focused on the “Security Key” as an alternative second factor. Security Keys are already supported by the Chrome browser and by the login systems of major web service providers such as Google, GitHub, and Dropbox.
"Security Keys" are second-factor devices that protect users against phishing and man-in-the-middle attacks. Users carry a single device and can self-register it with any online service that supports the protocol. The devices are simple to implement and deploy, simple to use, privacy-preserving, and secure against strong attackers.
Security Keys are intended to be used in the context of a web application in which the server wishes to verify the user's identity. At a high level, Security Keys support the following commands, which are provided to web pages as browser APIs:
- Register: Given this command, the Security Key generates a fresh asymmetric key pair and returns the public key. The server associates this public key with a user account.
- Authenticate: Given this command, the Security Key tests for user presence and exercises its private key to provide a response. The server can verify that the response is valid, and thus authenticate the user.
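As an added illustration (not code from this post or from any FIDO U2F implementation), the exchange below simulates both sides of the register/authenticate flow in Go with a simplified signed message: the device signs the SHA-256 of the origin the browser observed, a user-presence flag and the SHA-256 of the server's challenge, and the server verifies against its own origin, which is why a response produced for a lookalike site fails to verify even though the signature itself is valid. The real U2F format also carries a key handle and a signature counter, both omitted here; the origins and challenges used are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SecurityKey simulates the device for one registration: the private key never leaves it.
type SecurityKey struct{ priv *ecdsa.PrivateKey }

// Register generates a fresh P-256 key pair and returns only the public key for the server to store.
func (k *SecurityKey) Register() (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.priv = priv
	return &priv.PublicKey, nil
}

// signedData is what both sides sign and verify: SHA-256(origin the browser saw) || user-presence
// flag || SHA-256(challenge). Binding the origin is what defeats phishing and MITM relays.
// (Simplified layout for this example; the real U2F message also has a counter.)
func signedData(origin string, challenge []byte) []byte {
	o, c := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	return append(append(o[:], 0x01), c[:]...)
}

// Authenticate signs the challenge for the origin the browser reports, only after a presence check.
func (k *SecurityKey) Authenticate(origin string, challenge []byte, present bool) ([]byte, error) {
	if k.priv == nil || !present {
		return nil, errors.New("not registered or no user presence")
	}
	d := sha256.Sum256(signedData(origin, challenge))
	return ecdsa.SignASN1(rand.Reader, k.priv, d[:])
}

// ServerVerify is the relying party's check: it uses its own origin and the challenge it issued,
// so a response the key produced for a lookalike site fails even though the signature is well-formed.
func ServerVerify(pub *ecdsa.PublicKey, origin string, challenge []byte, sig []byte) bool {
	d := sha256.Sum256(signedData(origin, challenge))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}
```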
Key Features of “Security Key” as a 2FA
- Easy for Users: Using a Security Key is fast, easy, and “brainless”. It is difficult to use Security Keys incorrectly or insecurely.
- Easy for Developers: Security Keys are easy for developers to integrate into their website through simple APIs.
- Privacy: Security Keys would not allow tracking of any kind. In addition, if a Security Key is lost, it should be difficult for an attacker to get any useful information from a Security Key.
- Security: Security Keys would protect users against password reuse, phishing, and man-in-the-middle attacks.
Security Keys support two basic operations: register, to create a new key pair, and sign, to produce a cryptographic signature.
For consumers, Security Keys are faster to use than OTPs, whether those are delivered by SMS or via a smartphone app.