Multi-factor authentication (MFA) is the best way to prevent thieves from getting hold of your accounts, and using hardware security keys is the most secure MFA method. The Kensington VeriMark Guard USB-C Fingerprint Key works with the most widely accepted MFA standards and adds biometric protection. Its small and durable design means it can withstand the tough life of a keychain, but at $69 it might be too expensive for first-time buyers and its list of advanced features too short for buyers who seek the most capabilities.
Why should you use a security key?
"But what is MFA?" I can hear you cry. MFA, sometimes called two-factor authentication, or 2FA, is a method of verifying who you are with several (and different) factors. In other words, it doesn't just mean using two passwords per account. MFA requires at least two of the following means of authentication:
- Something you know, such as a password;
- Something you have, such as a hardware authenticator; and
- Something you are, i.e., biometric authentication such as fingerprint scans or facial recognition.
Notably, some login schemes combine all three, like a biometric hardware MFA key with a password or PIN.
When using MFA to protect an online account, it is infinitely more difficult for a villain to take control. Even if an attacker manages to get your password, they will not have access to your fingerprint or security key. This is particularly important when we consider that passwords are not secure and we do not use them well. A quick glance at Have I Been Pwned shows over 11 million breached accounts, which shows how many exposed passwords are circulating.
There are several ways to configure MFA, but not all are equally robust. Receiving one-time codes via SMS is the weakest method, as determined attackers can use SIM-jacking and other tricks to intercept the codes. One-time codes from authenticator apps are much better but require a phone with a working battery. Hardware security keys, like the Kensington VeriMark Guard USB-C Fingerprint Key, are more difficult to attack and do not require batteries or network connectivity. As for authenticator apps, they are completely free. Considering the limited hardware MFA support, you'll probably need to use one of these apps for some accounts anyway.
Regardless of the MFA method that you choose, it is more important that you choose one that you will actually use. While you're at it, use a password manager to create and store unique and complex passwords for each site and service you use.
What is biometrics used for?
Most other hardware MFA keys simply require you to press down on part of the device to test for liveness, i.e., testing to see if a real human is using the device and not intelligent malware masquerading as a device. But skeptical consumers might fear that anyone could just steal their physical MFA key. Although that is possible, it is highly improbable.
(Photo: Max Eddy)
Adding biometric confirmation to the mix means that even if someone steals your VeriMark Guard, they cannot use it without your finger (and all the potential dismemberment that entails). It also makes your accounts much harder to attack, because all three possible factors can be in use.
Kensington tells me that fingerprints are not stored on the VeriMark Guard. Instead, it contains what the company calls an "encrypted fingerprint template". The company claims the device uses AES-256 / SHA-256 encryption to secure its data. When you use the biometric sensor, the VeriMark Guard confirms that your fingerprint matches its template, then securely sends the confirmation to your device and to the site or service you are accessing. This process keeps your data encrypted even on the VeriMark Guard.
Biometrics are not much good if they can be tricked. Kensington says the VeriMark Guard has a false rejection rate of 2% and, most importantly, a false acceptance rate of 0.001%.
What MFA standards does VeriMark Guard support?
The name "Kensington VeriMark Guard USB-C Fingerprint Key" is a real mouthful, but it tells you everything you need to know about the device. For convenience, however, I'll call it the VeriMark Guard from now on. The VeriMark Guard is a USB-C hardware MFA key from device maker Kensington that has a fingerprint scanner for biometric authentication.
The VeriMark Guard supports the FIDO U2F, FIDO2, and WebAuthn / CTAP2 MFA standards. These are the most common ways to perform MFA on all devices, and the VeriMark Guard's support for them means it will work almost anywhere that supports hardware MFA keys. Note, however, that not all sites and services that support hardware MFA also support biometric MFA. In these cases, the VeriMark Guard functions as a standard authentication key.
How does the VeriMark Guard compare to other hardware keys?
At $69.99, the VeriMark Guard isn't an impulse buy, but it compares well to other high-end keys. The Yubico YubiKey 5Ci, which includes both a USB-C and an Apple Lightning connector, costs $70. The YubiKey 5C Nano has a similar profile and costs $60, while the house-key-sized YubiKey 5C NFC costs only $50. Google's USB-A and USB-C variants of its Titan key cost just $30 each. Kensington also offers a USB-A version of the VeriMark Guard for $64.99.
If you're ready to ditch USB-C, the price of a hardware key drops dramatically. There is the aforementioned Titan key, but the USB-A Yubico Security Key NFC sneaks in at just $24. For €29 ($34.26, at time of writing), the bulky but open source NitroKey FIDO2 can be yours.
Many of these devices also support NFC, unlike VeriMark Guard. NFC allows multifactor keys to communicate wirelessly with devices, regardless of the physical connector. For example, you can use a USB-A or -C dongle with an iPhone, as long as the dongle has NFC technology. Because the VeriMark Guard has a USB-C connector but lacks NFC, it may work with some iPads but cannot work with an iPhone, which can be a problem for some consumers.
What puts the VeriMark Guard in a tricky spot is that while its price compares fairly with other high-end security keys, its feature list doesn't. The YubiKey 5 series varies in shape and price, from the YubiKey 5 NFC at $45 to the very small YubiKey 5C Nano and the expensive YubiKey 5Ci, but all of them have the same full set of features. They support FIDO U2F, WebAuthn, and FIDO2 just like the VeriMark Guard, but they also support use as smart cards (PIV), work with apps to generate one-time passcodes (TOTP), can generate Yubico's own OTPs, work with OpenPGP, and can even replay static passwords. These are advanced features, to be fair, but they demonstrate the value these devices bring.
To date, the VeriMark Guard is the only biometric security key we've reviewed. Yubico has finally released its long-awaited biometric YubiKey for $80, and we look forward to reviewing it soon. The YubiKey Bio series, like the VeriMark Guard, lacks NFC and the advanced features of the YubiKey.
The VeriMark Guard measures 20.8mm from the end of its USB-C connector and is only slightly larger with the included cap. Without the cap it's only 5g, but it's pleasantly heavy in the hand, like a worry stone. The main body of the VeriMark Guard has a "K" stamped into a padlock on one side, which serves as an LED indicator. When it turns white, it is time to press the key. Opposite the USB-C connector is a smooth black plastic panel. It serves as a fingerprint reader and touch button.
The tight-fitting plastic cap protects the USB-C connector and is secured with a thin cord and ring. I appreciate that Kensington rightly acknowledged that these caps are almost certainly doomed to be lost, but the ring is of poor quality and broke with only a moderate tug. I would recommend getting a stronger ring and lanyard.
The VeriMark Guard can certainly live in a pocket or on a keychain while protecting its most delicate components. This is a different approach than many YubiKey models, which are larger, flatter, and have a reinforced hole so they fit neatly alongside house keys. The VeriMark Guard design, however, is small enough that it can live semi-permanently in a device, similar to the Yubico Nano line of keys. I slightly prefer the flat YubiKey design, but it's mostly a matter of taste.
Hands On With the VeriMark Guard
One of the selling points of the VeriMark Guard is that it is supposed to be easy to use on any platform. Biometric authentication is optional, and the key will switch to normal tap-key-to-confirm MFA mode without any effort on the part of the user. This is fine in theory, but I found it confusing in practice.
I started by registering the VeriMark Guard with Twitter as an MFA key. Twitter accepted the device and I was able to sign in to the service with the key through the Firefox browser on both my 2020 13-inch MacBook Pro and my Pixel 3a. So far, everything is fine.
Testing the biometric capability of the VeriMark Guard was more difficult. The company's onboarding documentation is confusing and scattered across a few sites. The documentation I found stated that I needed to enroll fingerprints on the VeriMark Guard using the Windows 10 security settings. According to a note on the Kensington site, Windows 11 compatibility is still being tested. Some competing products have indicated that I can configure their devices with the latest version of the Google Chrome browser. Kensington has confirmed that this is the case for the VeriMark Guard following a new Chrome update. Integration with MFA keys has always been difficult, but Kensington really needs to do better.
Once I figured out what to do, setting up the VeriMark Guard wasn't difficult. I plugged it into an Intel NUC Kit NUC8i7BEH (Bean Canyon) desktop and followed Kensington's instructions (a PDF). It was similar to registering a fingerprint on an iPhone or Android device, where I touched the sensor repeatedly. The device can store up to 10 fingerprints. I find it helpful to register right and left fingers so that I can authenticate regardless of how I hold the device. You will also need to set a PIN code for the VeriMark Guard in this process.
Although Windows Hello does support biometric logins through fingerprint readers, VeriMark Guard cannot fulfill this role. This limitation isn't Kensington's fault, but it's a preview of the confusion to come.
Enrolling a fingerprint through Chrome was also straightforward. Log in to the browser with your Google account, open the browser settings, then go to Privacy & Security > Security > Manage Security Keys. From there you can register or delete fingerprints, as well as add or delete a PIN code. I prefer this setup method because it doesn't require specific hardware. In fact, I tested this method on a MacBook Pro and then verified that the newly enrolled fingerprints worked by logging into my Microsoft account without a password.
Support for biometric MFA varies by service, browser, and platform. Using Kensington's guides to find services that support biometric authentication, I registered the VeriMark Guard with Dropbox. When I signed into Dropbox on macOS with Firefox, it didn't matter which finger I tapped on the device; I got access after entering my password and tapping on the device. This is normal behavior for an MFA key. Signing in to Dropbox in Chrome on macOS, using the wrong finger generated an error message, but the sign-in worked fine with the finger I registered with the device.
I don't like that there is no way to tell if the VeriMark Guard uses biometrics or not. It's great that the VeriMark Guard is smart enough to work seamlessly with and without biometrics, but it should communicate that to me. If, for example, the LED indicator was white for standard authentication and blue for biometrics, I would know exactly what's going on.
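The key itself gives no signal, but the site receiving a WebAuthn sign-in can see which kind of confirmation took place: the authenticator data it receives carries a "user present" (UP) flag for a plain touch and a "user verified" (UV) flag when a fingerprint or PIN was checked on the key. The following is an added example, not code from Kensington or from this review; the function names are hypothetical and the sample bytes are constructed rather than captured from a VeriMark Guard.

```javascript
// Added example: constructed data, not captured from a real security key.
// WebAuthn authenticatorData layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01; // bit 0: user present (the key was touched)
const FLAG_UV = 0x04; // bit 2: user verified (fingerprint or PIN checked on the key)

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Label the kind of confirmation the key reported for one sign-in.
// UV does not say whether a fingerprint or a PIN was used, only that one was.
function describeAssertion(bytes) {
  const { userPresent, userVerified } = parseAuthenticatorData(bytes);
  if (userVerified) return "user-verified";
  if (userPresent) return "touch-only"; // any finger would have worked
  return "no-user-gesture";
}

// A site that requested userVerification: "required" must reject sign-ins
// whose UV bit is clear; otherwise a touch is enough.
function meetsPolicy(bytes, userVerification) {
  const { userPresent, userVerified } = parseAuthenticatorData(bytes);
  if (userVerification === "required") return userPresent && userVerified;
  return userPresent;
}

// Constructed sample inputs: a placeholder rpIdHash, the flags, and a counter.
function sample(flags, counter) {
  const b = new Uint8Array(37).fill(0xaa, 0, 32);
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, counter, false);
  return b;
}
const touchOnly = sample(FLAG_UP, 41);
const verified = sample(FLAG_UP | FLAG_UV, 42);

console.log(describeAssertion(touchOnly), describeAssertion(verified));
```

A site that needs the fingerprint or PIN check has to request it and then check the UV flag on its server, since a key that supports both modes will otherwise accept a plain touch.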
Ahead of its Time
The Kensington VeriMark Guard USB-C Fingerprint Key is a well-designed, discreet device that brings hardware MFA to most devices and seamlessly switches between biometric and traditional MFA authentication. Using it will definitely make you more secure and can help alleviate the nagging worry that a lost key will kill your accounts. If someone tries to use your key, they will be foiled by the fingerprint requirement.
Without NFC, however, the VeriMark Guard leaves out pretty much all iPhone users, an important omission. It also lacks advanced features found among competing devices. More generally, Kensington needs to explain more clearly how to configure and use the VeriMark Guard, as its documentation is rather scattered. I would also prefer the device to have an indicator to show when biometric authentication is being used.
However, the biggest challenge I encountered in testing the VeriMark Guard did not come from the device itself, but from the many variables that dictate whether or not biometrics would be available. It's not in Kensington's hands, but I think it should be pointed out, as the barrier to entry for MFA has always been confusion over what it is and how it works. Having to line up a seemingly magical array of devices, services, and browsers is a nightmare.
As long as support for biometric MFA remains limited, Kensington's VeriMark Guard is a better buy for someone who is securing their life rather than someone who is buying their first hardware MFA key. For that, the Yubico Security Key NFC is probably the best bet. Anyone who wants to do everything with MFA should look instead to the Editors' Choice winner, the Yubico YubiKey 5C NFC, which is cheaper than the VeriMark Guard, works with more devices, and supports a host of advanced features.