Are security keys with touch requirements more secure than those without?



  • My friends and I have worked at various tech companies which required us to use a security key in order to log in to our computers. Some of us had to physically "touch" the device to log in, while some of us at other companies did not need to touch our key.

    Does the addition of having to touch the security key add any additional security? If so, how? If not, what is the purpose of it?



  • Touch is the one thing that cannot be forged

    The idea with hardware security tokens is that secret crypto keys are stored on the token itself. Even if the computer/device it plugs into is compromised, the secret keys cannot be stolen.

    Usually, PIN entry is required by the token in order to start performing cryptographic operations. For convenience/usability, the PIN is often cached for a period of time, not requiring re-entry during this time.

    Imagine that you use your security token to sign code, decrypt secrets, or SSH into servers. Once the token is unlocked, any of these operations can take place without further user interaction.

    Now imagine your computer is compromised. Once you've entered your PIN, the attacker may be able to perform the above cryptographic tasks using your token without your knowledge. Even if you require the PIN on every operation, the attacker could keylog or capture it, and possibly present it for unlock.

    Here's where the touch feature comes in handy. By requiring a touch, the token won't perform any cryptographic operations without confirmation from the user physically sitting at the computer. Of course, it doesn't protect against a physical attack, but that's already game over.

    Now, while this gives a layer of protection against inadvertent or malicious operations with your secret keys, a remote attacker is not necessarily foiled by it. They may still backdoor your tools to insert malicious code into signed commits, copy your decrypted secrets, and hijack your SSH client to gain access to your servers.

    I'd guess that it provides little to no benefit if you are only using it to log in locally.
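As an added illustration of the threat model in the answer above (not code from the thread or from any token vendor), here is a toy model of a token that keeps its secret on-device, caches the PIN, and optionally gates every signing operation behind a physical touch. The `Token`, `malware_signs_silently` and `substitution_at_touch_time` names, the HMAC-based "signing" and the injectable clock are all constructed stand-ins for this example, not a real device's API.

```python
"""Toy model of a hardware token with PIN caching and an optional touch gate.

Constructed for illustration: a real token runs this logic in its own
firmware, and 'signing' here is an HMAC so the example stays self-contained.
"""
import hashlib
import hmac
import time

# Constructed test fixtures (not real credentials).
SECRET = b"on-token-secret-never-exported"
PIN = "1234"


class Token:
    def __init__(self, secret, touch_required, pin, pin_cache_seconds=600, clock=time.monotonic):
        self._secret = secret                    # never leaves the token
        self.touch_required = touch_required
        self._pin = pin
        self._cache_seconds = pin_cache_seconds
        self._clock = clock                      # injectable for testing cache expiry
        self._unlocked_at = None
        self._touched = False                    # only physical_touch() sets this

    def verify_pin(self, pin):
        """Anything on the host can call this, including malware replaying a keylogged PIN."""
        if hmac.compare_digest(pin, self._pin):
            self._unlocked_at = self._clock()
            return True
        return False

    def physical_touch(self):
        """Models the capacitive button: only a person at the device can trigger it."""
        self._touched = True

    def sign(self, message):
        if self._unlocked_at is None or self._clock() - self._unlocked_at > self._cache_seconds:
            raise PermissionError("PIN required")
        if self.touch_required:
            if not self._touched:
                raise PermissionError("touch required")
            self._touched = False                # one touch authorises exactly one operation
        return hmac.new(self._secret, message, hashlib.sha256).digest()


def malware_signs_silently(touch_required):
    """Host malware has captured the PIN and tries to sign without the user noticing.

    Returns a short string describing the outcome for the given token configuration.
    """
    token = Token(SECRET, touch_required, PIN)
    token.verify_pin(PIN)                        # replayed PIN unlocks the token
    try:
        token.sign(b"attacker-chosen payload")
        return "signed silently"
    except PermissionError as exc:
        return str(exc)


def substitution_at_touch_time(intended, substituted):
    """The caveat from the answer: touch confirms *an* operation, not *which* one.

    The user unlocks, sees a prompt for `intended` and touches; a compromised host
    hands the token `substituted` instead. Returns (what was signed, whether a
    second silent signature was possible afterwards).
    """
    token = Token(SECRET, True, PIN)
    token.verify_pin(PIN)
    token.physical_touch()                       # user believes they are approving `intended`
    sig = token.sign(substituted)                # host swapped the message
    expected = hmac.new(SECRET, substituted, hashlib.sha256).digest()
    signed = substituted if hmac.compare_digest(sig, expected) else intended
    try:
        token.sign(b"second silent attempt")
        second_ok = True
    except PermissionError:
        second_ok = False
    return signed, second_ok


def pin_cache_expires(cache_seconds, elapsed):
    """Shows the cached-PIN window: after it lapses, even a touched token refuses to sign."""
    now = [0.0]
    token = Token(SECRET, False, PIN, pin_cache_seconds=cache_seconds, clock=lambda: now[0])
    token.verify_pin(PIN)
    now[0] += elapsed
    try:
        token.sign(b"late operation")
        return "signed"
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    for touch in (False, True):
        print(f"touch_required={touch}: {malware_signs_silently(touch)}")
    print(substitution_at_touch_time(b"git commit -S", b"backdoored commit"))
    print(pin_cache_expires(600, 601))
```

Running it shows the three points the answer makes: without a touch gate a host that has the PIN signs at will; with it, each signature needs a person at the device and a single touch buys exactly one operation; and a touch still cannot tell the token whether the bytes it was handed are the ones the user meant to approve, which is why a compromised host can still substitute content at the moment of confirmation.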

