tru.ID versus Hardware security keys

Hardware security keys

tru.ID

Why does it matter?

Security factor

Hardware keys provide a

possession factor

and are harder to steal, but require the user to carry an extra piece of tech.
‍

tru.ID is a stronger

possession factor

that uses the mobile phone to prove possession of a SIM card paired with the expected number.
‍

Both tru.ID and hardware security keys are proof of possession, but hardware security keys are not connected to an identity.

Possession-factor authentication is much stronger than passwords alone. However, having to carry a separate hardware fob or dongle is not practical or feasible in many cases, due to the prohibitive cost and lack of remote access.
‍
Additionally, since these security keys only generate a singular identifier (a code), they need to be associated with an existing credential for an identity (an email address, for example). This means they are easier to compromise.
‍
Using tru.ID's SIM-based verification adds an additional credential – verifying possession of a phone number in addition to the primary identifier (e.g. email address). This makes an attack harder.

Identity credential

None or custom

Mobile phone number

Hardware tokens generate a single credential, associated with either a custom identity or nothing. As such, they can only be used as a second factor.
‍

Risk of compromise

Medium

Low

Hardware security keys are one small piece of hardware for people to lose, which makes compromise possible. On the other hand, mobile phones are essential and personal. Most users guard theirs vigilantly, would notice it missing, and take swift action. tru.ID authentication makes faking possession virtually impossible.

User effort required

High

Minimal

Any friction that disrupts the flow of signing up (or other user actions) causes users to drop off.

Hardware security keys require the user to carry an additional piece of hardware. Typically, users require a token generated by these keys to authenticate themselves, so they have to retrieve the key every time.

In addition, because the codes are time-sensitive and the process requires back-and-forth between two services, users inevitably mistype codes. All in all, it’s a lengthy and frustrating experience.

Verification with tru.ID is strikingly different. Totally in-band, near-instant, and invisible, it feels like magic to the user. Users never have to leave your app and never have to carry anything additional.

Data Collected

None

Changing privacy laws mean collecting user data is legally complex – and anything you store is at risk of being breached.

Susceptible to Man-in-the-middle attacks?

Yes

MITM (man-in-the-middle) attacks occur when an attacker intercepts a private communication.

Although they can’t be directly remotely accessed, hardware tokens still generate a code which the user must enter themselves. A bad actor can take advantage of this by tricking the user into entering that code on a fraudulent version of the website/login page.
‍
Authentication with tru.ID is passwordless, requires no user action, and doesn’t show codes to the user, leaving no room for MITM interception.

Susceptible to SIM swaps?

SIM swap fraudsters impersonate a victim to receive a new SIM card, which all calls and messages for the victim's number are then routed to. Both hardware tokens and SIM-based authentication are effective at stopping SIM swap fraud.

Compare tru.ID to hardware security