Especially radio and wireless.
But also networks. The brain itself is a network. Quite possibly even the mind. Oops, drifting from tech!
Uh oh, here comes a shallow dive into extreme tech!
I spent a couple decades in forward error correction (FEC) coding of digital communication channels. So, without apology, I offer a short glimpse into the decoding of FEC convolutional codes. Yes, there is such a thing as coding gain! You may first want to research FEC. The basic idea is here in Wikipedia. Why would you care? FEC is how all communications today, from mobiles to WiFi to cable to satellite to Mars to the heliopause and beyond, control (i.e., reduce) errors. Without effective, efficient FEC, there would be radically less mobility (we're talking 10+ times) to take the web with us most everywhere we go.
I gave a talk at IEEE San Diego COMSOC back in 2019 just for fun by revisiting the subject, even the site, of my early career.
My IEEE talk was about a revolution in FEC in the '60s. I once built FEC codecs, designing one of the very first LSI codecs. Here are my talk slides on the Viterbi Algorithm, a dynamic programming procedure for discovering hidden Markov states.
Viterbi's algorithm is still in vibrant use. A guy who studies algorithms ranks Viterbi's among the most important ever invented. That list is in alphabetical order, so people, #32 is just for the "V." How often do you get to work for a guy on such a list? It was pure luck, and the graciousness of a well-connected professor I had fifty years ago, one Martin Hellman, who has fought some good fights in his interesting life. A talk Marty gave to a bunch of Nobel laureates seems to conclude that sometimes, when the stakes are high, it's better to fight the good fight than to just give in. That may not be tech, but it might be wisdom.
This Blog Topic is: Security Keys (SK)
Yep, it keeps on coming up, every day as you wake up: Web Security.
Most of us don't want to study the thing, but just be aware and take advantage of the best tech.
So here I consider the latest wrinkle in the weave of our web-powered lives.
User Authentication and the Security Key, this blog being a rough Primer
First off, SK is a dedicated device-oriented method for Two-Factor Authentication
So we must first talk about Two-Factor Authentication, which has been around for a while now
Two-Factor Authentication (or 2FA, for short) is the objective. 2FA improves your network security.
User authentication is just the providing of a trustworthy assurance, vetting that "you are you."
(And, apologies in advance, but "acronym stew" very much applies to the topic of networking security.
And, more apologies in advance, the verbosity (sorry!) of this blog is needed to express uncertainty.
There is simply nothing "certain" about user network security, only about "higher" levels of protection.)
2FA is an example of a more general, higher level Multi-Factor Authentication category of methods.
Yet, 2FA is available free, and ordinary web users are using it. 2FA is not experimental. It's operational.
Why should I care about Two-Factor Authentication?
You may want 2FA for susceptible important service accounts, such as for banking or purchasing.
This is actually to say that you almost surely want 2FA for your most important, critical accounts.
(What to pick up on here particularly is accounts involving money or personal information of any kind.)
(Yes, 2FA involves more effort to get into an account. Some consider this a nuisance.
Others come to consider this an essential after getting hacked, even just once!)
Now, a word about definitions
Above, "susceptible" means your account might be "vulnerable."
(But that doesn't mean it is vulnerable, just that it could be if facing a real threat!
When a threat actually materializes, your account is said to become vulnerable.
That doesn't mean that an attack will even happen, let alone succeed, but it does imply something:
That something being a web security defense upgrade at some point, and better now than too late!
2FA is an industry-wide defense upgrade that is recognized by experts as useful if not dependable.)
Alas, not every important service, even those in online banking, is 2FA compatible at present.
But services, from buying stuff, to watching stuff on TV, to banking, are definitely "going 2FA."
What's driving 2FA?
Network (think web) security is only getting more complicated, year by year.
You are (probably) getting more and more dependent on web services for everything, year by year.
The bad guys are (definitely) getting better at breaking into service systems, year by year.
No end is in sight.
You don't want to fall too far behind this curve!
SK is an option for 2FA where SK is supported, and is becoming relatively common these days
You could even say it's a convenience option, because that's pretty much exactly what SK is.
Even if "plain vanilla" 2FA is for free, you may want convenience using it, and that's where SK comes in.
Just like plain vanilla 2FA, SK supports the "OTP" method of authenticating your access to an account.
OTP = One-Time Passcode, highly secure. Note: a passcode is not to be confused with a password!
So how does OTP work?
In plain vanilla 2FA, an OTP arrives, typically, in a text message sent promptly to your smartphone.
(This happens just after you enter your username and password
on a device to access an account.)
The OTP you get this way is usually a 6-digit code you will then enter onto the service access webpage.
(Here, your web account may be accessed on a PC or it could even be done on the same smartphone.)
OTP is a non-biosecurity "secondary secret" that supplements your ordinary secret password.
(You still need to enter your username and password, just as before, but now with the follow-up OTP.)
So why do I need 2FA if I've got a really good password, like one that cannot be guessed?
First off, security experts consider a username to be totally non-secure, with only your password secure.
(Usernames are frequently just email addresses, all of which are assumed known to the bad guys.)
So you depend on secrets like the password, but these are stored data that could somehow be stolen.
(We assume here that the bad guys cannot change data at the service provider, data like your mobile #.)
Using 2FA simply makes it quite hard, if not harder*, for a crook to get at two separate account secrets.
* "Impossible" is a word no one uses these days with respect to security, so we merely say quite hard.
* But there's no doubt that 2FA is much harder to "break" than the mere one secret password access.
* Username, password might fail if a hacker captures a password from any source using any method.
* But a hacker has a really big obstacle to overcome to additionally capture your opened smartphone!
Eventually, biosecurity, e.g. face or finger scan, etc., may get added to 2FA as well, actually soon.
Getting on with the SK, it's a small physical device, usually sporting a USB-C plug
An SK often resembles the commonplace USB "memory stick."
USB = Universal Serial Bus, -C being the latest plug type.
An SK physical device may also support a wireless connection
So further, if so supported, the SK can be an "NFC" device in addition to plug-in use.
NFC = Near Field Communications
With NFC, you needn't plug it in ... it only needs to be very nearby, like a credit card at the supermarket.
Does SK have an industry standard?
Yes, there is an industry standard for 2FA OTP via SK.
It is the FIDO Universal 2nd Factor (U2F) standard. Go to https://www.fidoalliance.org on any browser.
There are good explanations of all this on that website. Probably better than this blog. Anyway ...
Be sure to check any SK offering you're considering for U2F compatibility.
You should also look for SK capability in your PC (or Mac) OS, on its "service app" Utility settings.
No SK capability in your PC or smartphone? No SK possible, period! Your devices are too old! ;-)
Do all of this investigating before investing in SK. SKs cost money. Don't be disappointed.
So does your PC (or Mac) support SK?
Ignoring NFC for the moment, SK early on has been aimed mainly at MS Windows 10 (Copyrights).
Recent Apple (Copyright) devices may support SK, but this is not assured!
Re: Mac, macOS 14 (Copyrights) onward supports SK on most web browsers.
iPhone iOS 13 (Copyrights) onward is more tricky than macOS, but likely does.
NFC is yet another issue, but you can still use SK without using NFC.
How can I find an SK vendor?
There are (at least) several SK device providers.
To find some, just type "Security Keys for Multi-Factor Authentication" into any browser.
Many links will come up, reflecting the several commercial providers of SK.
What follows below is not an ad or recommendation, or representation, of any particular provider!
But we need an example to proceed, so Yubico (Copyright) is one such device provider.
It is strongly suggested that you look at a couple providers, not just Yubico.
Here's what the Yubico SKs basically do
Yubico has a fairly simple typical installation procedure. An ordinary person can do it.
As it is for most of these SKs, Yubico SKs (it offers several) employ a “touch button.”
(Caution: This “touch button” should not be mistaken for a biosecurity button; it isn't that.)
When tapped (by anyone!), the SK’s button starts up a "handshake" process for account access.
Handshake sets things up between the device (e.g., a PC) accessing the account and the SK.
This handshake process happens each and every time it's used to get into a desired account.
And a single SK device can store multiple (even many) different account access credentials.
("Credentials" are your username and ordinary password, protected after setup inside the SK.
Each account, with its username and ordinary password, is setup with the SK in advance.)
While nominally quick, bear in mind that the SK is just automating what you would do manually!
This is the convenience that an SK is all about. It's what you paid for and expect to get.
The touch feature is also used to initially set up your new SK with your PC. Follow instructions!
This is true whether the SK-to-user device (i.e., the PC, etc.) connection is plug-in, or NFC or both.
If NFC, then after setup the touch button is then no longer needed in regular use.
Are there other things to know about SK, speaking practically?
Yes.
Experts advise obtaining two SKs to safeguard against the physical loss of one!
From an independent, no "single-point-of-failure" perspective, you might even consider this:
Obtain SKs from two different SK vendors. You can set both of them up, independently.
And you will need habits to protect the SK(s) against theft, or loss by your own misplacement.
SK convenience comes with an initial cost and the need for (possibly new) beneficial habits.
It's also important to remember that SK does not improve on the inherent security of 2FA!
It simply automates what some users think of as an inconvenient thing requiring a phone.
You don’t get something for nothing with an SK! You do get convenience, day to day.
What particular popular service accounts are using SK?
Online services accepting SK vary, and it is fairly new. It will grow.
Google (Copyright) is one cloud service that accepts SK for account accesses.
Others include social networks and other cloud memories, not to name specific ones.
Whatever and wherever your account is, the service must accept SK in order for you to use it.
Not all services will, maybe not even most at present!
Bottom Line: SK is fairly new, but it can be a fairly useful convenience as well.
