Choosing a FIDO2 Security Key

A picture of several automotive keys on a wall

As I’ve been keeping up with my FIDO2 Security Key roundup, which you can find here, Azure AD: FIDO2 Security Key Roundup and Review – Eric on Identity, I’ve had some folks on occasion ask me what key(s) I would recommend.

In the roundup, while it’s hard to not inject some subjectivity, I try to stay objective, hence my reason to not score/rank the keys. Also, that would be a lot more work.

At the end of this article, I still won't have provided a ranking of everything out there, but I hope the points indicated within can help organizations make some informed decisions.

Note that any lists included within are in brand alphabetical order and do not indicate an order of preference.

Design

A Key is a Key is a Key

In the review there are several FIDO2 security keys that fit into what I would consider the classic key shape:

Of course this is all somewhat subject to individual interpretation. While I classify the BioPass K27 as a key in the security key roundup, I dropped it from this list because it does not have the classic USB-A flat-blade. Likewise, the only reason I left the G320H on the list is that it has a USB-A counterpart with that classic look. A few vendors like Identiv and SoloKeys have a bit of a play on the potentially boring matte black look of the keys, but overall they are all almost interchangeable from a design perspective.

It makes it a rather safe presumption that this design is going to continue to be mainstream for security keys, at least until some larger innovation happens with NFC or Bluetooth. And generally the design works well – none of the keys listed are too bulky or heavy, but also not small enough to lose.

The Badge

When working with a couple of customers who were accustomed to using smartcards, there was a strong desire to find a FIDO2 security key that matched that employee badge aesthetic.

While Thales and HID make badge-style FIDO2 security keys, they are much harder to obtain, as you primarily have to have a vendor relationship and purchase in bulk. Up to this point, I’ve only been able to work with a demo Feitian Fingerprint Card. I don’t qualify the AuthenTrend ATKey.Card in this group because its thickness does not fit the spec for the ID-1 or CR80 card size. To help better understand the market, I do have the GoTrust Idem Card added to the review list.

I don’t want to speculate too much here, as perhaps industrial design experts, who know a lot more than myself, have well-executed cases using badge-style FIDO2 security keys. In work from home scenarios, it feels more awkward having to use NFC than just using a USB key – you need to buy more things (NFC reader) to produce a worse usability experience. Even in a shared device situation, such as a conference room computer, it would still incur more cost with all those NFC readers. The only net benefit I can see is for organizations that really want to have a single card for authentication; the Feitian demo card includes a sample printed badge on the other side.

The Permanent Fixtures

The Yubico YubiKey 5 Nano, and Token2 T2F2-mini, are the two keys tested of the micro design. While a bit niche, these keys shine when it comes to needing a security key that is permanently left within the device. A common use case would be retrofitting a device for stronger authentication, but the device itself does not have a TPM onboard. As long as you have a USB port to burn, you can stick one of these keys in and instantly upgrade the quality of strong authentication on the device. Considering that the key still requires a PIN for entropy and physical touch for the presence component, there is little real world security concern in most scenarios for just leaving the key in the device.

The Outliers

From the faux badge AuthenTrend ATKey.Card to the oddly shaped Feitian MultiPass K32, and not missing the potentially bulky swivel thumb-drive style Token2 T2F2-Bio, there is an array of keys out there that are trying to find their own path.

Reading through my reviews of all of them, there is nothing particularly exciting about any of the design outliers. While some have valid reasons for a bit of bulk, such as the Thetis as it requires room for a battery for Bluetooth functionality, others do not, such as the mentioned Token2 T2F2-Bio, which is about 10x the volume of a YubiKey Bio with no incurred benefit.

While there are a few out there if you prefer to go fully fob style with NFC, such as the Feitian MultiPass K16, the majority of outliers appear destined to remain just that.

Location Matters?

The keys greatly varied as far as where they were manufactured, and vendors varied as well in how well they do (or do not) use that for marketing.

Some vendors clearly had written on the packaging where the key was manufactured, some specify it on their websites, and some required you to perform a bit of internet sleuthing to determine.

Ultimately it depends on whether or not this matters to your organization. On one hand you could be wearing your tinfoil hat, be concerned about the origin of the keys and have thoughts regarding the security of such. On the other hand, the device you’re plugging the key into likely has plenty of its components, or is wholly, manufactured in that same country.

  • AuthenTrend, Feitian and Thetis do not market their source of origin but are manufactured in China.
  • TrustKey lightly markets that their keys are made in South Korea.
  • GoTrust manufactures their keys in Taiwan.
  • Yubico markets that their keys are manufactured in the United States or Sweden.
  • Identiv, which appears squarely aimed at the US military and law enforcement, indicates their keys are manufactured in the United States.
  • SoloKeys are interestingly made in Italy.
  • Hypersecu does not indicate where their key is manufactured.

Token2 also does not indicate where their keys are manufactured. I might note a slight bit of deception in marketing on their part. The Token2 website has the tagline “swiss made software”; however, at least some of their keys are definitely not made in Switzerland – the T2F2-mini is made for them by Feitian.

Who’s Who

Loosely tied to the location, it’s apparent that some keys are not manufactured necessarily by the vendor selling them. Feitian is probably the most well known for making keys for other companies, as they manufacture the Google Titan Keys (which are not reviewed here as they only support FIDO U2F).

Ultimately it may have little relevance in the procurement process, and while it’s common to have parts sourced from the same manufacturers, I was surprised to see the similarities, especially when they came along with a price difference.

During my procurement of keys, I came across the following.

None of these observations have been posed to or confirmed by any vendor.

Thetis, ExcelSecu and Token2

The style and manufacturing traits of the “swivel style” Thetis, ExcelSecu and Token2 keys all bear a striking resemblance to each other. When I received the Token2 T2F2-Bio and then examined the Thetis FIDO2 Security Key, they both had similar design features in the metal shell. Likewise, the plastic housing for the key itself has a strikingly similar opaqueness to it, and the same very specific dimpled design on the back end. They all also share the trait of being particularly oversized compared to other keys of similar features and function. Note that the stock images from Thetis and ExcelSecu are doctored up a bit (or perhaps drawings); the plastic on the Thetis I have in hand is much more opaque than the image.

Feitian and Token2

The Feitian K10 and the Token2 T2F2-mini have a striking resemblance to each other; on the back of the T2F2-mini is an imprint on the PCB of FT10823. Interestingly, the K10 is roughly $5 USD more than the T2F2-mini, while the feature-set between the two is the same.

Technical Bits

Standards

The keys evaluated support anywhere from a minimal to a broad range of standards. Azure AD only leverages FIDO2, but if your organization has other platforms in place that use these other standards, it may be a relatively important factor.

FIDO2

The only thing that matters in the world of Azure AD. FIDO2 uses an asymmetric key-pair for authentication.

When you browse to a website over HTTPS, the web server has the private key, known only to itself, and everyone can see a copy of the public key. That mechanism allows users to securely communicate with the site without ever holding the secret (private key), and also allows the site to prove that it is, in fact, the site it claims to be.

FIDO2 essentially flips that around. The private key is generated and kept on the FIDO2 key, and it never leaves it. During the enrollment process, the public key is provided to Azure AD and associated with your user object; the PIN and/or biometric enrolled on the key is stored locally on it and is the entropy used to unlock the private key inside the FIDO2 key’s secure enclave. During authentication, the private key is used to digitally sign a nonce received from Azure AD, and because Azure AD holds the public key, it’s able to verify the signature of the nonce. The signed data also includes the origin the browser was actually talking to, so a signature obtained through a look-alike site will not verify for the real one. There’s a bit more depth to the process, but this is why it’s not possible to adversary-in-the-middle (AiTM) (previously commonly referred to as man-in-the-middle, MITM) a FIDO2 security key.
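The assertion half of that exchange, as an added Go illustration that is not code from the original post or from Azure AD: the security-key side signs authenticatorData together with a hash of the browser-supplied clientDataJSON, and the relying-party side checks the challenge, the origin and the signature using nothing but the enrolled public key. The relying-party name idp.example.com, the challenge and the origins are constructed placeholders, and the CBOR attestation and other real-world fields are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// clientData holds the clientDataJSON fields the relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// newKey stands in for the ES256 key pair a security key generates at enrollment; the private half never leaves it.
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)): the value the key signs.
func signedDigest(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticatorSign plays the security key; note that the browser, not the key, supplies origin.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, counter uint32) (authData, cdj, sig []byte) {
	cdj, _ = json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(rpID)) // authData = rpIdHash | flags UP|UV | 4-byte signature counter
	authData = append(rpHash[:], 0x05, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdj))
	return
}

// verifyAssertion plays the identity provider; it needs only the public key enrolled for the user.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge, authData, cdj, sig []byte) error {
	var cd clientData
	if json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("malformed clientDataJSON, wrong ceremony type or replayed challenge")
	}
	if cd.Origin != origin { // this comparison is what defeats an adversary-in-the-middle proxy
		return errors.New("origin mismatch: assertion was produced for a different site")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x01 == 0 {
		return errors.New("wrong rpIdHash or user-presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, cdj), sig) {
		return errors.New("signature does not verify under the enrolled public key")
	}
	return nil
}
```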

FIDO U2F

Leveraged heavily in the world of Google (among other places), FIDO U2F is similar to FIDO2, in that asymmetric keys are leveraged. Unlike FIDO2, FIDO U2F still requires a username and password, and then the key-pair is used for MFA.

The biggest weakness in FIDO U2F is that the user is still required to know their password, and that the password can still be exposed through certain attack mechanisms. While the password may not be usable in that instance, the threat actor may attempt to use or disseminate it.

Smart Card

Many keys may also provide smart card support, which seems like a natural fit, as smart cards use similar asymmetric key-pairs for authentication. You could think of smart cards as the predecessor to FIDO2, even though their use is alive and well. Sometimes manufacturers may refer to the functionality as PIV (personal identity verification), based on the NIST standard that defines it.

As smart card rollout can be a more complex process, if this support is important to your organization, it would be critical to pilot the usage.

TOTP

Time-based One Time Password (TOTP), sometimes also referred to as Time-based One Time Passcode, is the same as the software-based OATH token (not to be confused with OAuth) that is commonplace in all smartphone authenticator apps, including the Microsoft Authenticator. That rolling code you see, it’s TOTP. In the instance of a security key, the secret key is stored on the key (commonly referred to as a seed), and then companion software is required to generate the OTP.

While TOTP may seem convenient to roll into the security key, the software requirement makes usage more complex than purchasing a relatively cheap hardware OATH TOTP key that shows the rotating code on a small display. Anyone that’s been around for a while in IT would likely think of these as RSA SecurID fobs (RSA SecurID hardware, however, uses a proprietary mechanism).

HOTP

Event-based One Time Password (HOTP) takes its name from HMAC-based One Time Password, and HMAC in turn stands for Hash-based Message Authentication Code.

HOTP is similar to TOTP, with the one key difference in that the OTP is valid forever until it is used, or a subsequently generated OTP is used. From a security perspective, this makes HOTP weaker than TOTP as there is a larger window for brute-force OTP guessing.

I know, technically these are not acronyms.

FIDO Levels

Of all the keys tested, only TrustKey and GoTrust have an Authenticator Level 2 Certification from the FIDO Alliance. When you look at keys and/or their packaging where they choose to show the FIDO certification logo, there might be a lock symbol with an L and a number in it.

FIDO2 Level 2 Certification

TrustKey has a writeup, Why FIDO Level 2 Certification Matters | Blog (trustkeysolutions.com), that dives into the details on Level 2 certification. The FIDO Alliance also provides a vast amount of information on the different levels of certification here, Certified Authenticator Levels – FIDO Alliance.

The purpose of Level 2 is to protect the key from scalable client-side attacks, which gets very deep into the weeds; if you are interested in reading more, the FIDO Alliance has a draft 2.1 spec detailing attack classes here, FIDO Security Reference (fidoalliance.org).

Microsoft Certified

It’s possible that some vendors argue the validity of this process, but if Microsoft has not validated the security key, users will receive an enrollment failure. This can be overcome by disabling Enforce attestation within the Azure AD portal. The unfortunate part is that this also disables the ability to check against the FIDO Alliance Metadata service, as the two are tied together in this toggle. While we haven’t seen anything in the form of malicious security keys, this setting is generally considered a security setting as it’s another step in validation of the key; Microsoft would recommend that this stay enabled.

If an organization were to need to disable attestation, they may decide to restrict the keys that can be enrolled to select AAGUIDs.
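As an added example (not from the post and not Microsoft's implementation), the Go code below shows what an AAGUID restriction has to work with: it parses the attested credential data that every FIDO2 registration carries and checks the reported AAGUID against an allow-list. The AAGUID, credential ID, relying-party name and model name are constructed placeholders; the comments flag the caveat that with attestation disabled the AAGUID is only self-reported by the key.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// registration holds what a relying party reads from a registration's attested credential data.
type registration struct {
	AAGUID       string // identifies the authenticator model, the value an allow-list is keyed on
	CredentialID []byte
}

// parseAttestedCredential walks the fixed layout of registration authenticatorData:
// rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key (not parsed).
func parseAttestedCredential(authData []byte) (registration, error) {
	const flagAT = 0x40 // flags bit 6: attested credential data included
	if len(authData) < 55 || authData[32]&flagAT == 0 {
		return registration{}, errors.New("no attested credential data present")
	}
	a := authData[37:53]
	aaguid := fmt.Sprintf("%x-%x-%x-%x-%x", a[0:4], a[4:6], a[6:8], a[8:10], a[10:16])
	idLen := int(binary.BigEndian.Uint16(authData[53:55]))
	if len(authData) < 55+idLen {
		return registration{}, errors.New("credential id truncated")
	}
	return registration{AAGUID: aaguid, CredentialID: authData[55 : 55+idLen]}, nil
}

// enrollmentAllowed applies an AAGUID allow-list. With attestation disabled the AAGUID is only
// self-reported by the key, so this pins enrollment to expected models but cannot prove the key is genuine.
func enrollmentAllowed(authData []byte, allow map[string]string) (string, error) {
	reg, err := parseAttestedCredential(authData)
	if err != nil {
		return "", err
	}
	model, ok := allow[reg.AAGUID]
	if !ok {
		return "", fmt.Errorf("AAGUID %s is not on the allow-list", reg.AAGUID)
	}
	return model, nil
}

// makeRegistrationAuthData builds constructed test input in the layout above (no COSE key appended).
func makeRegistrationAuthData(rpID string, aaguid [16]byte, credID []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	out := append(rpHash[:], 0x41, 0, 0, 0, 0) // flags UP | AT, signature counter 0
	out = append(out, aaguid[:]...)
	out = append(out, byte(len(credID)>>8), byte(len(credID)))
	return append(out, credID...)
}
```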

At the end of the day, Microsoft is looking to validate the keys to ensure that end users have a quality experience, which is what brings forth their certification process.

Biometrics

Looking through the reviewed devices, 7 of the 21 devices have biometric fingerprint support. Again, because FIDO requires biometric matching to be encapsulated entirely on the device, these keys can’t leverage something like an IR camera for face recognition – you’d be surprised how some folks wonder why you can’t just glue things together for some hot mess authentication experience.

Two items that are critical in the realm of biometrics: usability and enforcement.

On the usability front, the enrollment experience for the AuthenTrend ATKey.Card and Feitian Fingerprint Card was absolutely dismal; the details of the enrollment processes are described in their respective reviews. Of the other keys, only the Token2 T2F2-Bio seemed to be less responsive as far as fingerprint recognition goes.

As far as biometric enforcement goes, for the majority of keys, when enrolled against Azure AD, the end user is not forced to configure biometrics. I have not had a chance to delve further into whether there is a mechanism to ensure that happens, but currently it’s left up to the user to optionally enroll.

Cost

A typical factor, this one has a pretty broad range. Of the key-style security keys listed at the top of this article, the price varies from $14 USD for the Identiv uTrust FIDO2 NFC all the way up to $80 USD for the Yubico YubiKey Bio. Some vendors that claim to be cost-effective, when comparing features, end up being far from it. Perhaps there are some corporate discounts in there, but the purchasing model also seems to vary greatly, and it’s uncertain what large-scale enterprise purchases might look like.

The Other Stuff

Corporate Citizenship

The majority of the security key manufacturers seem to primarily stick to the business of manufacturing security keys. Yubico is the most prominent to stand out from the pack as far as corporate citizenship goes. For every 20 keys sold, Yubico states that 1 key is donated as part of their Secure It Forward program. Yubico was also prominent in donating 20,000 keys this past year to Ukraine in efforts to help secure authentication in the ongoing war.

Site Usability

While this falls somewhat into the subjective category, in researching all the keys out there and trying to find a wide array of different brands and types, site usability always ended up being somewhat of a factor.

I would say that Yubico and TrustKey sit at the front as far as site usability goes, as well as design. All the information you need about a key is clearly marked on its respective page, and the links to software downloads were easy to find.

On the other end, AuthenTrend has some deceptive graphics that would make one think the ATKey.Card could fit into a badge holder or would easily function within one (recall the slide-out side USB blade for auth and/or charging). On the Feitian websites (both ftsafe.com and ftsafe.us), the ability to find quality information is all over the place: downloads of detailed papers land you on marketing documents with little relevant material, and some of the site looks like it was designed with FrontPage.

Final Notes

For those that have wanted a bit of a different perspective on the security keys that have been evaluated so far, hopefully this sheds some light. If there is something I’ve missed, something that you feel is incorrect, or something you’d like me to expand upon, reach out to me on LinkedIn or Twitter.

About this post’s featured image

The chosen photo is the work of Chunli Ju, used under the Unsplash license.

Eric Woodruff