Are you looking for security keys? Read this comparison
Last month I received two ATKeys from Authentrend Technology, to do some tests with Windows 10 passwordless. The two ATKeys that I received are the ATKey.Pro and the ATKey.Card. I already have the YubiKey 5 NFC and the YubiKey 5C, so it would be nice to start with a comparison between those security keys.
Introduction Passwordless
Sooner or later, most people will login devices, accounts, and services via mobile phones and/or biometric security keys to eliminate passwords. Microsoft has continually added features that make it simpler for businesses to step ahead with a passwordless direction in an industry increasingly looking to do just that with some standard-based tools making it easier to follow.
Passwordless login represents a massive shift in how billions of users, both business and consumer, will securely log in to their Windows 10 devices and authenticate to Azure Active Directory-based applications and services.
— Alex Simons, Corporate Vice President PM, Microsoft Identity Division
Microsoft has four steps in their roadmap:
- Develop password-replacement options: this involves the release of tools that allow organizations to implement biometrics, PINs, public/private cryptography, and FIDO2.
- Reduce the user-visible surface area: this means setting the authentication options by default to passwordless, cutting back on how much users think about passwords at all.
- Passwordless implementation transition: entails taking the new NIST guidelines and moving away from asking users to reset their passwords every few months and continuing to reduce the need for day-to-day password use.
- Eliminate passwords from the Corporate Identity Directory: means fully deleting passwords from Azure AD because they still exist even though workers no longer use them.
FIDO2 security keys are essential in this roadmap. Besides FIDO2 security keys, you can also have a Windows Hello camera, like the Logitech Brio or the built-in Windows Hello cameras in laptops / tablets from HP or Microsoft. In this blogpost, I will do a comparison of the FIDO2 security keys, that I have on this moment.
Installation
All the keys are USB HID-devices, so you will not need to download additional drivers, Windows 10 will do that for you after that you plugged in your security key.
Access Management
With the four security keys, you can configure and logon to your organizations Azure AD tenant. You can also use any of these keys to logon at your personal Microsoft account, Google, Dropbox, and many more services.
Certifications
The ATKeys as well the YubiKeys are certified for FIDO2, FIDO2 U2F and are MISA validated. The ATKey.Pro is certified for FIPS-140-2 level 3 security CV.
| Certifications | ATKey Pro | ATKey Card | YubiKey 5 NFC | YubiKey 5C |
|---|---|---|---|---|
| FIDO2 Certified | V | V | V | V |
| FIDO2 U2F Certified | V | V | V | V |
| FIPS 140-2 Compliance | V | |||
| RSA Ready | V | V | ||
| MISA Validated | V | V | V | V |
Interface
From the four security keys, there is only one who is supporting Bluetooth. That is the ATKey.Card. If you want a USB-C security key, then you can choose between the ATKey.Pro or the YubiKey 5C. If you want to unlock your Android with NFC, then the ATKey.Card or the YubiKey 5 NFC is your security key that you want.
| Interface | ATKey Pro | ATKey Card | Yubikey 5 NFC | Yubikey 5C |
|---|---|---|---|---|
| USB-A | V | V | V | |
| USB-C | V | V | ||
| NFC | V | V | ||
| BLE | V |
Function
All security keys can offer the FIDO2 function, but the YubiKeys do have a few more function that are unavailable at the ATKeys. With the YubiKeys, you can sign e.g., self-written apps with OpenPGP. If you have a modern browser, then you can use all four keys to login at a Microsoft or Google and more accounts with the WebAuthn functionality. FIDO2 and U2F are common functions.
| Interface | ATKey Pro | ATKey Card | Yubikey 5 NFC | Yubikey 5C |
|---|---|---|---|---|
| WebAuthn | V | V | V | V |
| FIDO2 CATP1 | V | V | ||
| FIDO2 CTAP2 | V | V | V | V |
| U2F | V | V | V | V |
| AT OTP | V | V | V | |
| OATH - HOTP (Event) | V | V | V | V |
| OTAH - HOTP (Time) | V | V | V | |
| Smart card (PIV-compatible) | V | V | ||
| Yubico OTP | V | V | ||
| Open PGP | V | V | ||
| Secure Static Password | V | V |
Software
Of course, you need sometimes to manage your security keys. For example, if you want to reset the key, because you left a company, or similar. Both manufacturers are offering different software. Yubico offers three management tools, which you can download, and a Yubico Authenticator, which you can install via the Windows Store.
Authentrend also offers three different tools. Via the Windows Store you can install the ATKey for Windows app. For Mac devices, you have the ATKey for Mac tool. They also provide the ATKey Admin Tool, which is probably for bulk enrollment.
With the YubiKey software, you can enable or disable features on your YubiKey, like PIV, OATH or OpenPGP. With the Yubico Authenticator app, you can store your unique credential on a hardware-backed security key and take it anywhere from smartphone to desktop. No longer store confidential secrets on your cell phone, leaving your account open to takeovers.
| Software | ATKey Pro | ATKey Card | Yubikey 5 NFC | Yubikey 5C |
|---|---|---|---|---|
| Yubico Authenticator | V | V | ||
| YubiKey Manager | V | V | ||
| YubiKey Personalization Tool | V | V | ||
| YubiKey NEO Manager | V | V | ||
| ATKey for Windows | V | V | ||
| ATKey for Mac | V | |||
| ATKey Admin Tool | V | V |
Firmware
In contrast to the ATKeys, you cannot do a firmware upgrade at the YubiKeys. To upgrade the firmware on the ATKeys, you must install the ATKey for Windows or Mac app. The ATKeys that I had received, where one firmware versions behind and the other one five firmware versions.
| Firmware | ATKey Pro | ATKey Card | Yubikey 5 NFC | Yubikey 5C |
|---|---|---|---|---|
| Firmware upgradeable | V | V |
Battery
Only the ATKey.Card has a 90mAh built-in Li-on rechargeable battery. With this battery you can allow up to 150 fingerprint authentications on a full battery.
| Battery | ATKey Pro | ATKey Card | Yubikey 5 NFC | Yubikey 5C |
|---|---|---|---|---|
| Rechargeable Li-on | V |
Fingerprint
This is a subject which is not comparable. Because the YubiKey allows a "fingerprint", but this is a in fact any finger that you can use to touch the golden circle plate on the YubiKey. The ATKeys, that I received, are configured for a real fingerprint. For the ATKey.Pro you can setup 10 different fingerprints. So technically, you can setup your 10 fingers. The ATKey.Card can have a maximum of 8 fingerprints. At this time of writing, Yubico has announced the YubiKey Bio in a private preview.
Standalone Enrollment is AuthenTrend's patent. It means that you can register your fingerprints to the key without installing the additional application. Take the ATKey.Pro as an example, you can insert an ATKey.Pro to a power bank, and once the LED indicator turns to blue, you can click the 'side-button' three times and then register your fingerprint directly to the key.
| Fingerprint | ATKey Pro | ATKey Card | Yubikey 5 NFC | Yubikey 5C |
|---|---|---|---|---|
| Standalone Enrollment | V | V | ||
| Matching-on-Key | V | V | ||
| Max. Number of Fingerprint | 10 | 8 |
Password Manager
The last subject, that, I think, is important, are the password manager options. Personally, I have 1Password as a password manager, and I can access that with my Windows Hello camera, PIN or YubiKey. This is also working with the ATKey. So, software-based password managers are working the same with the four keys.
But Authentrend is delivering something more. The ATKeys are also a hardware-based password manager. This is done with the cooperation of Broadcom's Bio-Safe application. This application is using the FIPS 140-2 security chip on the ATKeys. So, if you do not trust software-based password managers, you can try the hardware-based password manager.
| Password Manager | ATKey Pro | ATKey Card | Yubikey 5 NFC | Yubikey 5C |
|---|---|---|---|---|
| Hardware-based | V | |||
| Software-based | V | V | V | V |
AuthenTrend Passwordless Pilot Program
AuthenTrend will co-host with Microsoft a Passwordless Pilot Program, which is available right now. So if you are, a SMB or Service Provider with 250+ users, you can sign up at https://authentrend.com/msft-si-program/ to enroll in the program. They are offering 20 ATKey.Pro's to 200 SMBs / Serivce Providers. This program ends, when AuthenTrend reacht their goal of 200 enrollments.
Conclusion
I think that each security key will fit for the general MFA authentications on accounts, like Azure AD, Microsoft, Google, Twitter, etc.
If you want to do some more specific things like, signing software with OpenPGP, than a YubiKey is your key to go. The ATKeys and the YubiKeys can also be used for access to buildings.
In my opinion, firmware upgrade is a topic that you can not manage with the keys around your organization.
For my daily jobs, I can work with the ATKeys as well as the YubiKeys, because I use them mainly to verify my identity on administrative portals and to access my password manager.
Resources
For a complete overview of my comparison, download this comparison sheet.