
I would like to use hardware security keys in an environment where it is additionally necessary to lock down any way in which a user could download data to a device like a USB key. Is it possible to lock down a USB slot in such a way that file transfer is not possible but hardware security keys still work?

In my case the scenario would include Windows 10 Pro as the OS and preferably a FIDO2-capable key.

Elsie

2 Answers

Yes, it is possible. It will reduce security, but may still be good enough.

U2F devices appear as HID devices; that's the USB class used for keyboards and mice. USB storage devices appear as USB storage devices.

You can disable one class in your OS, e.g. disable USB storage (and UAS), but allow HID.

vidarlo
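The class split described in the answer above can be applied on Windows 10 Pro by disabling the two mass-storage drivers (USBSTOR for classic USB mass storage, UASPStor for UAS) and leaving the HID class alone. The script below is an added example, not code from the answer's author; it assumes an elevated PowerShell session, the documented service names, and the Group Policy ID for "Removable Disks" under Removable Storage Access, and it finishes by listing the HID devices that are still present so you can confirm the key still enumerates.

```powershell
# Added example (not from the original answer): block the USB mass-storage
# class on Windows 10 Pro while leaving HID (FIDO2/U2F keys) untouched.
# Run from an elevated PowerShell prompt. Service names and the policy GUID
# are the documented ones; verify against your own build before deploying.

$ErrorActionPreference = 'Stop'

# USBSTOR = classic USB mass storage; UASPStor = USB Attached SCSI (UAS).
$StorageServices = @('USBSTOR', 'UASPStor')

# Group Policy ID for "Removable Disks" under Removable Storage Access.
$RemovableDisksPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Disable-UsbStorageClass {
    # Start = 4 (SERVICE_DISABLED) stops the driver from loading for newly
    # attached mass-storage devices; already-mounted volumes need a replug
    # or a reboot before the change takes effect.
    foreach ($svc in $StorageServices) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        }
    }
    # Belt and braces: also deny write access (the exfiltration path) via
    # policy, in case a removable disk arrives through another driver.
    New-Item -Path $RemovableDisksPolicy -Force | Out-Null
    Set-ItemProperty -Path $RemovableDisksPolicy -Name Deny_Write -Value 1 -Type DWord
}

function Test-UsbStorageClassDisabled {
    # Returns $true only when every storage driver present is set to disabled.
    foreach ($svc in $StorageServices) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) { continue }
        if ((Get-ItemProperty -Path $key -Name Start).Start -ne 4) { return $false }
    }
    return $true
}

function Get-PresentHidDevices {
    # HID interfaces currently present and working. A FIDO2 key speaks
    # CTAPHID over this class, so it should still be listed after the
    # storage drivers are disabled.
    Get-PnpDevice -Class HIDClass -PresentOnly -Status OK |
        Select-Object FriendlyName, InstanceId
}

Disable-UsbStorageClass
"USB storage disabled: $(Test-UsbStorageClassDisabled)"
Get-PresentHidDevices | Format-Table -AutoSize
```

Two caveats a practitioner will want. First, this blocks the storage class for every removable disk, not just USB sticks, so internal card readers go too. Second, a local administrator can flip the Start value back, so on a shared machine this belongs in Group Policy with the users running as standard accounts; the registry edit above is the same setting that GPO writes, which is useful for a quick test on one box. Many keys also expose a CCID (smart card) interface for PIV or OpenPGP; that is a separate class and is unaffected by this change in either direction.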

One option would be to attach the security key permanently. This still keeps most of the benefits of the security key defending against phishing or credential stuffing.

  • Gluing the key into an external USB slot will allow using keys which require the user to press a button on the key, but will make the key impossible to replace if broken (or after a recall like the recent YubiKey FIPS key recall)
  • Attaching the key to a USB header on the motherboard (and locking the case shut) will allow replacing a broken key but means that you will have to use a key that works without a button press, which is slightly less secure due to not requiring user confirmation.
user7813790
  • Embedding the security key in the device negates many of the security benefits of using one. –  Jul 17 '19 at 23:59
    It reduces the set of possible attackers from "anyone on the internet" to "anyone with physical access to the device". Admittedly the requirement "lock down ways in which a user could download data to USB" implies that not all people with physical access are trusted, but at least the threat has been reduced. – user7813790 Jul 22 '19 at 15:53