Why banks should consider taking a page from Facebook on security keys

If Facebook brings physical security keys to the masses, is it time for online banking to finally adopt them too?

Facebook announced Thursday it is giving its users the option of authenticating with hardware security keys that meet the standards of the Faster Identity Online Alliance. These devices are typically the size of a thumb drive and can be plugged into the USB drive of a desktop computer. When logging in, after typing in their passwords, users would press a button on the device as a second factor of authentication.

Banks have long offered similar physical authentication devices to larger commercial clients, but rarely if ever to retail customers. The second factor of authentication is more likely to be a one-time code sent via email or text message.

Among consumers, usage of physical security tokens may be largely confined to computer geeks. But if Facebook brings these devices to a wider consumer audience, demand for such features may pick up. People using public Wi-Fi in places like coffee shops could then browse sensitive information — such as personal banking data — without fear of it falling into the wrong hands.

"Using hardware tokens is nothing new, but this could bring it to a mainstream consumer base," said Ben Knieff, a senior analyst with Aite Group.

He pointed out that the iPhone made Touch ID fingerprint authentication technology ubiquitous. Facebook's move "could be another example of that."

To be sure, in a world where bank customers are migrating from online banking to mobile banking — on phones and tablets that don't feature USB ports — physical security keys may seem to have missed their moment.

In a blog post Thursday, Brad Hill, a security engineer at Facebook, wrote that using a hardware key makes an account "practically immune to phishing because you don't have to enter a code yourself and the hardware provides cryptographic proof that it's in your machine."

Authenticating via SMS text message, Hill wrote, "isn't always reliable and having a phone backup available may not work well for everyone."

Knieff said that as long as it is cost-effective to do so, it makes sense for banks to introduce security keys as an option.

"Why not offer it, even if it's just 3% or 5% of your customer base that uses it?" he said. "Anything that gets people to enhance security is a good thing."

More than the security factor, offering such an option would benefit a bank's brand and reputation, agreed Ed O'Brien, executive vice president of research and strategy for ath Power Consulting.

"Especially for community banks and credit unions, it could reinforce that notion of 'Hey, we're here for you and we care about you' that they have with customers," he said. "There could be a halo effect to offering it."

It could also be beneficial to offer to that "subset of customers that have greater security concerns," such as small-business customers, he said.

The idea of using physical keys in enhancing online banking security dates back more than a decade. In 2005, the Federal Financial Institutions Examination Council issued updated guidelines for internet banking security, saying banks should implement additional controls such as multifactor authentication, including physical tokens.

In addition to Facebook, these physical keys can be used for any website or service that has adopted FIDO's U2F standard; Google deployed it in October of 2014.

One of the largest sellers of consumer security keys is Yubico. Ronnie Manning, a spokesman for the company, said that while there is still an "educational process" ongoing to make the general public aware of its Yubikey devices, the Facebook move could now "introduce this concept to a very broad user base."