Keys!


In Harry Potter and the Chamber of Secrets (https://en.wikipedia.org/wiki/Harry_Potter_and_the_Chamber_of_Secrets), there is a scene where Harry, Hermione, and Ron need to locate a key to unlock a door. Easy enough, right? But what if there are hundreds of keys? And what if they have wings and are flying around? And what if they swarm?


The film version has a great bit where Harry flies through the door while being chased by the swarming keys, and dozens of keys slam into the door like darts.


Keys are an important part of our lives, but they are shifting from traditional physical keys to software-based cryptographic keys. If you are trying to access your house or car, you generally still need a physical key, but as “smart” devices are becoming more common, more and more devices can be accessed and operated remotely. Does that mean that physical keys will become a thing of the past and that we’ll all use passwords for everything?


Maybe not. In fact, it seems that physical keys might become the norm again, as we see the limitations of password-based authentication again and again. To paraphrase Winston Churchill, passwords are the worst form of authentication, except for all the others.

Now, there are two main issues with that statement. First, while Churchill is usually credited with the quote “Democracy is the worst form of government, except for all the others”, he was himself repeating an earlier saying whose source is unknown. What he actually said was:

“Many forms of Government have been tried, and will be tried in this world of sin and woe. No one pretends that democracy is perfect or all-wise. Indeed it has been said that democracy is the worst form of Government except for all those other forms that have been tried from time to time.…”

Second, multi-factor authentication (MFA) is becoming more and more popular (and more and more necessary). I have written about MFA before (https://www.til-technology.com/post/infosec-basics-multi-factor-authentication), and am seeing more and more services requiring it. While there is a lot of hype around “passwordless” access, it seems clear that it will be some time before we get to a point at which passwords are no longer necessary.

As a refresher, MFA is based on using multiple “factors” as part of the authentication process. These are usually defined as “something you know” (e.g., a password), “something you are” (e.g., a fingerprint, retinal scan, or face scan), and “something you have”.

That last one is what I’ve been thinking about lately. There are frequent stories about “SIM swapping” being used to compromise SMS (i.e., “text messaging”) as an MFA factor, and the US FCC (Federal Communications Commission) recently released a notice stating that:

“The Federal Communications Commission today began a formal rulemaking process with the goal of confronting subscriber identity module (SIM) swapping scams and port-out fraud, both of which bad actors use to steal consumers’ cell phone accounts without ever gaining physical control of a consumer’s phone.
The FCC has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud. In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”

While it’s great that the FCC is taking action, this is only the start of a rulemaking process that could itself take years, followed by more years before any resulting rules are implemented. Also, sadly, it’s a process which should have been initiated (and completed) years ago, and one that we really cannot wait for.


That’s why I’ve been thinking more and more about other forms of supporting MFA. While SMS-based MFA is still vastly better than no MFA, it appears to be falling further and further behind the other options. Many people already use their phones for MFA, but should now probably consider “soft tokens” (“authenticator apps”) rather than SMS.
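To make the “something you have” factor and the soft-token alternative concrete, here is an added example (not code from the original post) of what an authenticator app actually computes: a time-based one-time password (TOTP, RFC 6238) built on HMAC-based OTP (HOTP, RFC 4226). The shared secret below is the published RFC test secret, used here only so the outputs can be checked against the RFC test vectors; the `window` parameter and the `verify_totp` helper are this example’s own design choices. The security-relevant point is that nothing here travels over the phone network: the code is derived from a secret stored on the device plus the current time, so a SIM swap or port-out gives an attacker nothing to intercept.

```python
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 4226 / RFC 6238 test secret (ASCII digits 1..0 twice).
# A real authenticator app receives a per-account random secret, usually via a QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current 30-second time step."""
    return hotp(secret, int(unix_time // step), digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: float, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps to tolerate
    clock drift, and compare in constant time so the check itself leaks nothing."""
    current = int(unix_time // step)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits, algo), submitted):
            return True
    return False


if __name__ == "__main__":
    # What the app on the phone shows right now for this secret.
    print("current TOTP:", totp(RFC_TEST_SECRET, time.time()))
    # RFC 6238 test vector: T=59, SHA-1, 8 digits -> 94287082
    print("RFC vector   :", totp(RFC_TEST_SECRET, 59, digits=8))
```

Running the block prints a fresh six-digit code for the test secret and the RFC 6238 reference value for T=59. In practice the secret would be provisioned per account and never reused across services, and the server should additionally refuse to accept the same code twice within its acceptance window.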


Or, maybe it’s time to seriously consider a connected token. I’ve been watching Yubico (https://www.yubico.com/) for some time, and almost all of the reviews I have seen rank them very highly. (In fact, a few of the “top x” lists ended up consisting of different Yubico devices...)

I’ve just ordered, and may write a bit during “unboxing” or setup, or at some later date.

Cheers!
