Hardware security tokens: what are their security concerns, and what role do they play in your organization's cybersecurity?
Let's examine some critical real-world security considerations associated with hardware security tokens that security architects should consider when planning and implementing token-based access security controls meant to protect their organization:
An Introduction to Hardware Security Tokens
Hardware security tokens offer organizations a promising solution for improved access security. These tokens are small physical devices that can authenticate a user's identity and are often used in addition to a password as a form of multi-factor authentication. The use of hardware security tokens does provide an additional layer of security.
Still, the idea that hardware security token-based security is not easily compromised is perhaps too readily accepted as a given fact and too rarely inspected with a critical eye. Without verifying the potential ways that an attacker could circumvent the protection of a hardware security token, an organization may in fact be at greater risk than it was before deploying them.
For example, if hardware tokens offer a false sense of security, users may be more reluctant to set a strong password and instead set one that could be easily guessed. After all, a requirement for upper and lowercase letters, numbers, and some special characters still allows a password such as "P@a$$word123", and not all applications check for commonly used passwords. Potential victims may also be lulled into forgoing other standard security practices, such as protecting the physical security of their device.
1. Can Hardware Security Token Protection Be Easily Disabled?
In this first scenario, the potential victim, let's call them "A", has just configured their password manager with a hardware security token for MFA. The need for strong password manager security is obvious considering this one account is the gateway to many sensitive account credentials, secure notes, and other information.
Of all accounts, a password manager deserves a higher standard of security, right? "A" quickly completed the setup and considered the job done. Password manager protected? Check. One problem: if the token requirement can be easily disabled from a not-logged-in state, then it doesn't offer as much protection as expected.
Several months went by and the practice of pulling out the security key became second nature. A small price to pay for bulletproof security, victim "A" thought. However, what "A" didn't notice was that each time they logged in, there was an option to completely disable the requirement for the hardware security token.
"A" had never noticed it because they always had their token with them. If the victim's email account were compromised, an attacker could not only reset the victim's account password but also disable the hardware token requirement, making the victim's email account a critical single point of failure that hardware token-based authentication did not protect against.
A Stronger Configuration
In this case, it would be stronger security to configure the account so that hardware-based MFA could not be so easily disabled. In most cases, users are advised to enrol more than one key and store the backups in a physically secure location, such as a safe or a safe deposit box, to mitigate against the loss of a hardware token.
As a last resort, only an administrator should be able to disable the requirement for hardware token-based MFA.
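The policy the two paragraphs above describe, written out as server-side logic, is shown below as an added example; it is not code from the original article or from any particular password manager. It assumes a minimal account model (`Account`, `Actor`, and the functions `disable_hardware_mfa` and `remove_key` are all names made up for this example) and enforces three rules: a session reached through an e-mail password-reset link can never change the MFA setting, the account owner cannot switch the requirement off at all (with a backup key they never need to), and only an administrator who has just presented a hardware token themselves can disable it as a last resort. A key may also not be unenrolled if it is the last one while the requirement is still on.

```python
"""Policy check for disabling hardware-token MFA (added example, not the article's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# A token assertion older than this is not fresh enough to authorise a
# security-sensitive change. Illustrative value chosen for this example.
FRESH_TOKEN_WINDOW = timedelta(minutes=5)


@dataclass
class Account:
    user_id: str
    hw_mfa_required: bool = True
    enrolled_keys: List[str] = field(default_factory=list)  # credential IDs of enrolled tokens


@dataclass
class Actor:
    user_id: str
    is_admin: bool = False
    last_hw_token_assertion: Optional[datetime] = None  # when this session last presented a token
    # True when the session came from an e-mail password-reset link rather than a
    # full login, i.e. what an attacker holding the victim's mailbox would have.
    via_password_reset: bool = False


def has_fresh_token(actor: Actor, now: datetime) -> bool:
    ts = actor.last_hw_token_assertion
    return ts is not None and now - ts <= FRESH_TOKEN_WINDOW


def disable_hardware_mfa(account: Account, actor: Actor, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); the account is only mutated when allowed."""
    # Rule 1: a password-reset session never gets to touch the MFA setting.
    if actor.via_password_reset:
        return False, "denied: MFA settings cannot be changed from a password-reset session"
    # Rule 2: whoever asks must have just proven possession of a hardware token.
    if not has_fresh_token(actor, now):
        return False, "denied: fresh hardware token assertion required"
    # Rule 3: the owner cannot turn the control off; a lost key is covered by a backup key.
    if not actor.is_admin:
        if len(account.enrolled_keys) > 1:
            return False, "denied: use a backup key; only an administrator can disable"
        return False, "denied: only an administrator can disable hardware MFA"
    # Last resort: an administrator with a fresh token assertion disables it.
    account.hw_mfa_required = False
    return True, "hardware MFA disabled for %s by admin %s" % (account.user_id, actor.user_id)


def remove_key(account: Account, credential_id: str, actor: Actor, now: datetime) -> Tuple[bool, str]:
    """Unenrolling a key must never leave a still-protected account with no key at all."""
    if not has_fresh_token(actor, now):
        return False, "denied: fresh hardware token assertion required"
    if credential_id not in account.enrolled_keys:
        return False, "denied: unknown key"
    if account.hw_mfa_required and len(account.enrolled_keys) <= 1:
        return False, "denied: enrol a backup key before removing the last one"
    account.enrolled_keys.remove(credential_id)
    return True, "removed " + credential_id


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Play through scenario 1 with constructed data; returns each outcome by name."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    acct = Account("victim-a", enrolled_keys=["key-primary", "key-backup"])
    results = {}
    # Attacker who reset the password via the mailbox and holds no token.
    results["attacker_via_reset"] = disable_hardware_mfa(acct, Actor("victim-a", via_password_reset=True), now)
    # The owner, logged in with a fresh token, still may not disable it.
    owner = Actor("victim-a", last_hw_token_assertion=now - timedelta(minutes=1))
    results["owner_with_token"] = disable_hardware_mfa(acct, owner, now)
    # The owner may drop the backup key, but not the last remaining key.
    results["remove_backup"] = remove_key(acct, "key-backup", owner, now)
    results["remove_last"] = remove_key(acct, "key-primary", owner, now)
    # An administrator whose token assertion is stale is refused too.
    stale_admin = Actor("admin", is_admin=True, last_hw_token_assertion=now - timedelta(hours=1))
    results["stale_admin"] = disable_hardware_mfa(acct, stale_admin, now)
    # An administrator with a fresh assertion succeeds as the last resort.
    fresh_admin = Actor("admin", is_admin=True, last_hw_token_assertion=now)
    results["fresh_admin"] = disable_hardware_mfa(acct, fresh_admin, now)
    results["account_state"] = (acct.hw_mfa_required, ",".join(acct.enrolled_keys))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
```

The important design point is that the decision never depends on the e-mail address being under the user's control: a mailbox takeover yields at most a password-reset session, and that session is refused at the first check regardless of what else the attacker knows.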
2. Automatically Trust Devices?
In our second scenario, the victim, let's call them "B", has just configured a sensitive company account to require a hardware security token. The turnover rate has been high over the past few months, and the boss felt it would be better to increase security. After all, hardware security tokens require you to be in the same room as the login, right? Sounds really secure.
After setting up the MFA security options to require the hardware token for access, the victim decides to log out and test that the security key works as expected. "B" logs in to the service on their online crypto exchange account, the service demands their key, they provide it, and they are logged into their account. Perfect.
Except for one problem. Without noticing, the login included a prechecked checkbox that set their device to be trusted indefinitely, or for long durations of up to 6 months. "B" has just disabled the hardware key protection on their device, completely defeating its purpose. In today's fast-paced digital workplace, password fatigue and digital fatigue have been proven to cause users to lose focus and click through the myriad of options they are constantly presented with.
The security consideration here is clear. Do you want your token to secure your account every time you log in? Does checking a user's hardware token once a month provide much additional security? In fact, it offers virtually no protection. In cases such as a "Stealer" form of malware that can include a keylogger and steal session tokens from the device or an adversary with physical access to the device, the purpose of the security token would be defeated.
A Stronger Configuration
According to the Zero Trust Architecture (ZTA) principle, stronger security is gained by frequent re-authentication. Since hardware tokens are a very convenient way for an individual to authenticate, they allow the implementation of much stronger security controls. For example, tokens could support ZTA by requiring the user to authenticate with their hardware token each time they leave the browser tab, or after a certain amount of inactivity.
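To make the difference between the prechecked "trust this device for 6 months" setting of scenario 2 and the ZTA-style re-authentication described above concrete, the following added example (not code from the original article or from any real service) models both as a login policy and simulates a user who logs in once a day for a year. The `Policy`, `Session` and `needs_token` names and the specific time values are assumptions chosen for this example; the simulation assumes the user accepts whatever the login form prechecks.

```python
"""Device-trust and re-authentication policy (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Policy:
    max_device_trust: timedelta         # how long "trust this device" may skip the token
    trust_default_checked: bool         # whether the checkbox is prechecked on the login form
    idle_timeout: timedelta             # inactivity after which the token is demanded again
    sensitive_reauth_window: timedelta  # token assertion must be newer than this for sensitive actions


# The configuration from scenario 2: prechecked box, device trusted for 180 days.
WEAK = Policy(max_device_trust=timedelta(days=180), trust_default_checked=True,
              idle_timeout=timedelta(days=180), sensitive_reauth_window=timedelta(days=180))

# A stronger configuration in the spirit of the ZTA paragraph (illustrative values).
STRONG = Policy(max_device_trust=timedelta(hours=12), trust_default_checked=False,
                idle_timeout=timedelta(minutes=15), sensitive_reauth_window=timedelta(minutes=5))


@dataclass
class Session:
    device_trusted_at: Optional[datetime]  # when "trust this device" was accepted, if ever
    last_activity: datetime
    last_token_assertion: datetime


def needs_token(policy: Policy, session: Session, now: datetime, sensitive: bool = False) -> bool:
    """Decide whether this request must be gated by a fresh hardware token presentation."""
    # Idle sessions are re-authenticated regardless of device trust.
    if now - session.last_activity > policy.idle_timeout:
        return True
    # Sensitive actions (changing MFA settings, withdrawals, ...) need a recent assertion.
    if sensitive and now - session.last_token_assertion > policy.sensitive_reauth_window:
        return True
    # Otherwise a still-valid "trusted device" mark lets the login skip the token.
    trusted_at = session.device_trusted_at
    if trusted_at is not None and now - trusted_at <= policy.max_device_trust:
        return False
    return True


def simulate_daily_logins(policy: Policy, days: int = 365) -> int:
    """Count how often a once-a-day user is actually asked for the token."""
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time
    session = Session(device_trusted_at=None, last_activity=start, last_token_assertion=start)
    prompts = 0
    for d in range(days):
        now = start + timedelta(days=d)
        if needs_token(policy, session, now):
            prompts += 1
            session.last_token_assertion = now
            if policy.trust_default_checked:  # fatigued user clicks through the prechecked box
                session.device_trusted_at = now
        session.last_activity = now
    return prompts


def sensitive_action_needs_token(policy: Policy) -> bool:
    """Constructed case: trusted device from yesterday, active a minute ago, token 10 minutes ago."""
    now = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)
    session = Session(device_trusted_at=now - timedelta(days=1),
                      last_activity=now - timedelta(minutes=1),
                      last_token_assertion=now - timedelta(minutes=10))
    return needs_token(policy, session, now, sensitive=True)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("strong", STRONG)):
        print(name, "token prompts per year:", simulate_daily_logins(policy))
        print(name, "token required for sensitive action:", sensitive_action_needs_token(policy))
```

Under the weak policy the daily user is asked for the token only a handful of times a year, which is the "virtually no protection" the article describes: a stolen session or a stranger at an unlocked machine passes every other check. Under the strong policy every login and every sensitive action is gated, and the token is still convenient enough that this does not turn into a usability problem.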
Although hardware security tokens promise organizations improved access security, it is important to critically examine their effectiveness as they can offer a false sense of security. It is essential to consider each service's implementation of hardware token-based MFA, the potential ways that an attacker could circumvent their protection, and whether the expected protection is actually provided and security requirements are adequately met.
For instance, hardware security tokens can be disabled if the attacker gains access to a user's email account, or services may be configured to automatically trust a device for a certain period. These critical real-world security considerations are ones that IT security architects need to weigh when planning and implementing access security controls to protect their organization. Ultimately, hardware security tokens offer an additional layer of security, but it is essential to understand their limitations and potential vulnerabilities.