Google: FIDO2 security keys capable of resisting quantum attacks

The security keys are great, and if you don’t have one yet, I suggest you simply buy one.

Don’t know the security keys? A security key is a tiny USB key that connects to your computer or smartphone and replaces SMS messages for the authentication of your account.

Concretely, when you log in to an account and are prompted to authenticate, instead of grabbing your smartphone to retrieve a code that reaches you via SMS, all you have to do is press the security key. And here we go. In short, this is the best thing that has happened to online security since the appearance of password managers.

IT security will have to keep up with the dramatic increase in computing power

However, as we enter an era where quantum computers will be able to handle workloads considered impossible today, computer security will have to keep up with the spectacular increase in computing power that is coming.

“Although quantum attacks are still planned for the distant future, the deployment of cryptography on the scale of the internet is a large-scale undertaking, which is why it is vital to get started as soon as possible,” write Elie Bursztein, director of cybersecurity and AI research, and Fabian Kaczmarczyck, software engineer, on Google’s Computer Security blog.

“For security keys, this process should be gradual because users will have to acquire new ones once FIDO has standardized post-quantum resilient cryptography and this new standard will be supported by the main browser providers.”

Optimize the code so that it runs on only 20 KB of memory

How does Google manage to protect security keys against the power of quantum computers? “Fortunately, with the recent standardization of public-key quantum resilient cryptography, including the Dilithium algorithm, we now have a path to secure security keys against quantum attacks.”

One of the challenges is to make all this work on the tiny amount of hardware resources available on a security key. According to Google, it is possible to optimize the code so that it runs on only 20 KB of memory and use hardware acceleration to guarantee the fluidity of the user experience.

Google hopes that this resilience to quantum computing will be added to the FIDO2 key specification and supported by major web browsers in the near future.

The blog post explains in more detail how this was achieved.

In the meantime, I recommend that you protect yourself with a security key. I recommend the YubiKey 5C NFC, which works like a USB-C flash drive, and which also uses NFC for iPhones and Android devices that support this technology.