In the past couple of weeks I’ve received three notifications from haveibeenpwnd informing me that a couple of organisations didn’t do a good enough job keeping my info secure. While it’s always going to be a good idea to change your login and password, any sites that use 2FA significantly reduce the value of stolen credentials (as long as you’ve signed up for the 2FA option!)
What’s 2FA? Two Factor Authentication. Still not clear? Maybe you’ve used a web site that’s texted your phone with an extra number or code that needs typed in before you are let in to your account. That number is a “second factor” and you’re using 2FA to get into the web site. Excellent choice. 2FA is good because it means that even if ne’er-do-wells steal your details from a sloppy site, they don’t have access to your phone, so they can’t get any further. However, SMS authentication is not perfect – there are some vulnerabilities typically using “man in the middle” attacks.
If you want to take your online authentication to the next level, you might want to consider a physical security key for your second factor. This isn’t a key like you’d use in a lock, but a USB key that doesn’t look too dissimilar to a memory stick. A good example is Yubico‘s YubiKey 4 series range, which supports a wide range of protocols including “FIDO U2F, smart card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response” and can be used with many of the big names like Google, Facebook and Dropbox. The keys can be used for authentication when logging onto PCs too (depending on OS, version etc.)
As an end user, you don’t need to know all the technical stuff, only that it’s a very safe way of authentication and it’s simple to use. To get started, you first associate the security key with your account, and the next time you try to logon to the service, you’ll be prompted to insert the security key into a USB slot (or swipe for NFC keys). You can use one key for multiple sites.
Yubico provides YubiKeys for different use cases. There’s the standard YubiKey 4 which is designed to go on a keyring (keychain) and works with USB A. The YubiKey 4C also goes on a keyring but works with USB C. The 4 Nano and 4C Nano are smaller and are intended for semi-permanent installation in USB A and C sockets respectively. For NFC applications, such as suitably-equipped smartphones, there’s the YubiKey NEO. Physically, the keys are tough. Allegedly, they can go through the washing machine and get run over by a car, though I didn’t try any of these.
Here I have a YubiKey 4 and 4 Nano (shown left) and they both work in the same way – the only difference is the size and what you touch to activate the key. Let’s take a look at getting Google setup with a YubiKey.
Login to your Google account, say via Gmail. Click up on the top right where your “headshot” is and then click again on “My Account”.
Head on into “Signing in to Google”. I’ve blanked out a few sensitive items.
2-Step Verification is what you want. Hopefully, you’ve already got this turned on but if not, go ahead and get this sorted out. This page shows the factors you can use for 2FA. Security keys are topmost with text messages and backup codes below (not shown).
Click on “Add Security Key”.
Get the YubiKey ready and insert when instructed. Hit Next.
On the YubiKey 4, the “Y” logo on the key will flash – tap with your finger to confirm. On the Nano, tap inwards on the end of the key. Once the YubiKey has registered, you can give it a name.
And that’s it – all set and ready to go. The next time you login to Google on a computer that you haven’t used before you’ll be prompted to insert your YubiKey to prove who you are. Super secure!
Other services are similar. Here’s part of the Dropbox procedure.
Supported sites are listed here and you’ll recognise a good few of the names.
The 4 series can do a whole lot more, and if you just want the basics, then a YubiKey 3 at only US$18 is a good start. I personally bought one of these awhile ago to secure my Google account.