SMS Text Message Login Codes Autofill in iOS 12 and Mojave, But Remain Insecure

Yes, that’s a hardware TOTP generator. It qualifies as something you have because it is locked to hardware you have to possess.

Glenn, couldn’t something like that be used by 3rd parties instead of SMS for 2FA?

It has been for years, but the devices were gradually replaced with authentication apps, which are more or less as secure, because the use of the token is tied to the app as installed on a specific hardware device. You can’t move the app or its data to another device and have it work, as opposed to a phone number.

I had a couple of hardware TOTP dongles for E*Trade and PayPal for many years (I think one had to be replaced), before companies switched to authentication apps and SMS.

My suggestion, echoing security experts who understand the details better than I do, is that SMS be slowly phased out, and that existing services that allow SMS fallback provide an option for sophisticated users to disable SMS. So for Apple users, you’d rely entirely on trusted devices. But Apple would have to create one-time use backup codes, too, which they don’t offer now.

The other issue with those dongles is that it was rare that you could use one with multiple services, so you could envision carrying multiple dongles with you. That’s definitely an advantage of Google Authenticator based TOTP apps, which deliver the codes to apps on the phone or tablet, though many more services are now supporting the YubiKey devices that Glenn mentioned earlier.

I’m not at all convinced apps are a good replacement for dedicated hardware. I am also not convinced that trying to have everything on one phone and accessed through one app (such as Google Authenticator) is a good idea. Just look at what happens each time Google or Facebook gets hacked and people realize they used Google or FB to authenticate with all kinds of other businesses.

I realize the convenient solution is one app on your one phone with you at all times and accessed by just glancing at the Face ID camera. That kind of convenience, however, appears to come with a security penalty. I’m not ready to believe there’s a free lunch here.

An issue with hardware dongle authenticators is that there is no universal peripheral connector on Internet-capable devices. For example, my 3-year-old desktop has only USB 3 and Thunderbolt 2, my 3-month-old laptop has only USB-C/Thunderbolt 3, and my iOS devices have only Lightning. So for all but one device, you end up needing to use another dongle to interface to your hardware dongle.

As I already wrote above, the dongle I used a couple years ago never required any kind of tether, wired or wireless. The only standard it relied on was my eyes and my fingers. I’d argue that’s a rather global standard.

Definitely a key problem. I have an iMac, and I got a Yubikey with USB-C—then realized I a) don’t want to occupy a port all the time with it, as I only have four USB-C ports, and b) it’s hard to reach (as you have to press it) behind my iMac!

Yes, Alan is talking about the new U2F and similar authenticators. The kind you’re talking about are many years old and have been widely used in government, commerce, and sometimes in consumer finance.

Google’s entry into the U2F field (the Titan Security Key) comes in USB and Bluetooth flavors. (Last time I looked, it appeared that you had to buy one of each.) I’m not sure how close Bluetooth comes to “universal” these days, but it has to be more widely available than any given single wired connector.

–Ron