DISCLAIMER: This isn't an advert and I haven't been paid to promote Yubico, their YubiKey products or any other company/product mentioned.

Introduction

In some absolutely fantastic news, Windows will be supporting hardware YubiKeys for authentication! Hopefully this will open the gateway for accessible, affordable hardware keys (not just the ones offered by Yubico) becoming the standard for all system authentication over the next few years (maybe via a unified Windows interface), as this would do wonders for security 😁. It would be similar to needing the key to your front door and/or car, and if everyone used them we would GREATLY improve our security!

Yubico: Windows Release

Yubico: Protect Data with Secure Access to Computers

Yubico Security Keys Can Now be Used to Log into Windows Computers

The Importance of Hardware Keys

[Image: a physical key on a keyboard, protecting your account]

Logging into systems (and password administration in particular) is a difficult process to get right, and it presents numerous hurdles that we need to overcome. We need our systems to be secure enough to let the right people in and grant them access only to the resources they are permitted to see. At the same time we have to keep our systems usable, so that the security mechanisms don't actually get in the way. Unfortunately this is easier said than done, due to many issues including (but not limited to) the following:

Bad password hygiene from users, leading to weak, reused secrets that are easily guessed or cracked and then used maliciously. We need to educate users to set a different SUPER-STRONG password for each service that they use (which could be tens or hundreds of services) and suggest using a password manager to make this bearable.

Password storage, with many services (still) persisting passwords in plaintext, without any protection, in their databases 😟.
Storing passwords in plaintext means that anyone with administrator access, whether legitimately held or maliciously obtained, can simply read them and log in. Not good. Instead, passwords should be stored only after being well and truly scrambled by a slow, salted, one-way password hashing algorithm (scrypt, bcrypt or Argon2, for instance) so that brute-force cracking of a leaked database is expensive.

Leaky systems, with vulnerabilities that allow attackers to steal account information (with both protected and unprotected passwords) and then use these stolen credentials to authenticate with the service. These credentials can also be tried against other services because, remember, users tend to reuse passwords, which can lead to a lot of damage. Organisations should develop their systems to recognised standards to help prevent this, and one such guide is the excellent OWASP Secure Coding Practices. We should also block authentication with known breached credentials to keep users safe, and there are excellent services out there such as HaveIBeenPwned (HIBP) and Firefox Monitor (which interfaces with HIBP) for us to check against.

Plain Text Offenders: Sites Which Store Passwords Without Protection

OWASP Secure Coding Practices

HaveIBeenPwned: Database of Breached Credentials

Firefox Monitor: Check Breached Credentials

[Image: passwords are integral to accessing our accounts currently]

Whilst hardware keys are by no means the magic bullet that kills our security woes (like silver for werewolves 🐺), they do give us a SIGNIFICANT advantage in the fight for secure access to our systems. Passwords can be entered remotely, meaning that a criminal who has swiped your credentials can authenticate as you from potentially anywhere in the world (depending on the system and the security measures in place). A hardware key REQUIRES PHYSICAL POSSESSION of the device: its private key is generated on the key and never leaves it, which significantly reduces the scope of attack. For example, let's say that due to a data breach (so common these days), the password of an account that has a hardware key enrolled as its second factor has been stolen.
The attacker still won't be able to authenticate, as they would also need the physical key, whose secret CANNOT be stolen remotely. Boom, our account is secure in the face of adversity 🤓! (The key itself can of course still be lost or stolen in person, which is why it stays a second factor alongside something you know, and why the fallbacks discussed later matter.)

Security is Progressing

I firmly believe that this is a step in the right direction. In terms of a potential uptake timeframe, I'd like to see privileged and corporate accounts secured first as an absolute priority, and then allow the behaviour to seep into everyday life on personal machines. I can see hardware tokens being far easier to use than authenticator apps, and they are more secure, because their secrets cannot be phished from users remotely: a FIDO key signs a challenge bound to the site's origin, so there is no code for the user to read out. With authenticator apps (much like with your password), an attacker can ring you up and sweet-talk you into disclosing your code, which they cannot do with a physical key. That is at least until teleportation is invented and becomes cost-effective enough to sell cheaply to the mass market 💰! As more of our account providers (Microsoft, Apple, Facebook, Amazon, Twitter, email providers etc.) move towards multi-factor authentication, the baseline guidance for account management shifts to it, and using hardware keys to serve this purpose is a great win for security.

However, with every positive we also need to balance our outlook with the negatives, so that we can arrive at a proper solution that takes all of the important factors into consideration. Human beings are human (duh), and can accidentally forget or misplace important items at home. Like our house keys, car keys and office keys (OMG, forget those and you can't work!), our hardware keys can be forgotten or lost, which of course would prevent us from accessing our devices. But much as with the rest of our keys, we can put them on our keychains regardless and integrate them into our daily routine.
It could take time, but I think it would be worth the effort.

[Image: a guy angry and screaming that he forgot his hardware token at home and cannot log in to his computer]

However, it cannot be overstated that the cost of forgetting or even losing your key could be extremely high, so education and good practice are definitely key. We should also have a fallback, such as a second enrolled hardware key kept somewhere safe, one-time backup codes or an authenticator app, much as we have automated "Reset Password" functions for when users forget their passwords (we've all been there, especially with all the accounts we have to manage now). This would prevent a misplaced key, caused by human beings being human, from stopping people from using their computers. Security is supposed to help, not get in the way! We should also avoid using SMS (text messages) as our fallback second factor, due to its known security and privacy concerns.

This is Why You Shouldn’t Use Texts for Two-Factor Authentication

Yes Facebook is Using Your 2FA Phone Number to Target You with Ads

Never Trust a Platform to Put Privacy Ahead of Profit

[Image: locking down your accounts with physical security makes it difficult for the bad guys]

Physical Security

As more and more of our lives are managed digitally by numerous services, each with its own account management, we need to do everything we can to keep ourselves safe and secure. Passwords have their well-documented weaknesses, and whilst app-based tokens provide a huge security boost, they also have potential vulnerabilities (their codes can be phished) that hardware keys do not share. With Microsoft's popular operating system now supporting a popular brand of hardware key for login, we may progress towards living in a world with higher baseline standards of security. There will be hurdles to overcome, and it is likely that we will start with our most high-value accounts first, but adoption across other accounts could follow as we become more and more used to authenticating with hardware keys.
This would make it far more difficult for our accounts to get hacked, making us safer and significantly more secure 😎.

Take care and all the best. Si.