Security Keys: Practical Cryptographic Second Factors for the Modern Web

Alexei Czeskis
Marius Schilder
Financial Cryptography (2016)
Google Scholar

Abstract

The security of online user accounts is often protected
by no more than a weak password. We present “Security Key”, a second-factor device based on open standards that protects users against phishing and man-in-the-middle attacks. The user carries a single device and
can self-register it with any online web service that supports the standard. The devices are simple to implement
and deploy, are not encumbered by patents, are simple to
use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in one of
the mainstream web browsers. In addition, multiple device vendors produce security keys.
In this work, we demonstrate that Security Keys lead
to both an increased level of security and user satisfaction by analyzing a two year deployment which began
within our 50,000 person corporation and has extended
to our consumer-facing web applications. The Security
Key design has been standardized by the FIDO Alliance,
an organization with more than 170 member companies
spanning the industry.