Multi-factor authentication with a physical object
Description
Multi-factor authentication adds an extra layer of security on top of having a username and password.
For this kind of multi-factor authentication, people log in and then connect a physical security object to gain access. This object can be standalone or built into a smartphone and connect via USB, NFC or Bluetooth.
IF thinks that this pattern effectively protects people against phishing attacks. So far it has mainly been used for enterprise security, where extra protection is needed. That said, it is not universally supported by services, and needing an extra object to log in (unless it’s built into a phone) makes it less useful for most users.
Examples of authentication using a physical object but without passwords are currently being trialled.
Advantages
- Adds one more barrier if other authentication methods are compromised or broken.
- Protects people from phishing attacks.
Limitations
- People need to have the physical security object to hand.
- The hardware is not universally supported.
Examples
- YubiKeys can authenticate people on desktop and mobile through USB and NFC.
- The Titan Security Key can authenticate people on desktop and mobile through USB and Bluetooth.
- Android phone’s built-in security key: the phone acts as a security key. It connects via Bluetooth and checks that it is near the primary device.