How do USB security keys work?

65 views
0

Not looking for anything super deep, just more of how it differs from being like a simple “this is my device ID number” as a form of verification.

I have a Yubico NFC Security Key (blue stick) and it supports a few protocols, with other USB keys supporting additional protocols.

[https://www.yubico.com/store/compare/security-key-nfc-by-yubico,yubikey-5-nfc,yubikey-5-nfc-fips/](https://www.yubico.com/store/compare/security-key-nfc-by-yubico,yubikey-5-nfc,yubikey-5-nfc-fips/)

So I’m wondering how it all works so that the key is able to act as a MFA method, but in simple terms.

In: 5

As a general rule, the key contains some kind of secret, like a password but more obscure, which it never gives out to the computer it’s connected to. However, it will perform math with this password and provide the outputs.

Whatever backend service you are trying to authenticate to also has the same password, and has the same math formulas. When the user (well, their USB security key) provides a computed output, the server runs the same math with the same password to see if it got the same result. If so, then the user has the key and off you go.

An important part of this is that each authentication session must produce a different result. Either the server sends something to the key to do its math formula with (called a “challenge”), or the key must have a counter that counts upwards every time there’s an authentication session and never counts down, using that as the “challenge” value. The server never provides the same challenge twice, and/or it makes sure that the counter really is counting upwards, always saving what number it’s seen from the key.

A crude but simple way to do the math is with a common hash function like SHA256. Hashing the text from the challenge string followed immediately by your secret password saved on the key, the result would be good enough to convince the server you’re legit.

It’s a two way password.

The key provides a secret password verifying your identity AND confirms the identity of the service you’re authenticating with.

This way it defeats eg phishing attempts by detecting that you are attempting to authenticate with a fake website.