By The Beast
It’s more secure than a code sent to your phone, and—in many cases—quicker to use.
By The Beast
It seems like every other week, some service on the web gets hacked, revealing a batch of passwords ripe for ne’er-do-wells to steal. You need to protect your accounts with a second form of authentication, and the YubiKey is one of the most secure and convenient options: just insert it into your computer, and like a real key, it’ll unlock your accounts.
Tell me if this sounds familiar: You get an email from LinkedIn, or Adobe, or Comcast, saying that thousands of accounts (or more) were compromised in a breach, and you should change your password immediately. These days, this fiasco happens all too often, meaning your passwords are not enough to secure your accounts. Not even the one protecting your laptop’s user account.
That’s where two-factor authentication comes in. You’ve probably used it before, even if you didn’t know what it was called. With this feature turned on, you enter your password as normal, after which the service will ask for a code—usually sent over a text message, or generated by a mobile app—before allowing you to log in. In other words, it combines something you know (your password) with something you have (your phone) to provide an extra layer of security. That way, if someone steals your password, they won’t be able to get into your account.
Most people use their phone for two-factor authentication, either by getting a text message with a code in it, or using an app like Google Authenticator or Authy to generate codes every 60 seconds. However, there are some problems with these methods. Text messages are relatively easy to hijack, and while authenticator apps are much better, they’re still vulnerable to certain types of attacks—not to mention it’s inconvenient to open an app on your phone every time you log into something.
This is where a physical key comes in: It’s more secure than a code sent to your phone, and—in many cases—quicker to use. Instead of pulling out your phone, opening an app, reading a code, and typing it in, you just plug the key into your computer’s USB port, and boom: you’re logged in. It’s not rare that security and convenience go hand-in-hand, but when they do, it’s glorious.
There are a few different brands of physical keys, but Yubico’s YubiKey is definitely the most well-known, and comes in a number of flavors. $20 gets you a basic security key that’ll cover the FIDO protocol supported by Gmail, Facebook, Dropbox, Twitter, and a bunch of other services. More advanced keys support certain mobile apps with Near Field Communication (NFC), allowing you to just tap the key to the back of your phone when logging into, say, your Google account. This includes the $45 YubiKey 5 (which is only available from Yubico directly, and is currently backordered) and the last-gen YubiKey Neo (which you can find on Amazon for $50). You can also do a search on Amazon for other slightly cheaper brands, though I haven’t tested them myself.
I’ve been using the YubiKey Neo since January, but for my use case (and, I imagine, most people’s), the $20 version would definitely get the job done admirably, if you’re willing to give up mobile support. (It also doesn’t support the LastPass password manager, which is a bummer—you’ll need one of the more expensive models for that. It does, however, support Dashlane.) You can check out this comparison chart on their site for more info on the differences between models.
Setting up the YubiKey is easy: check out their list of supported apps and services, and make note of the ones you use regularly. (Most are online accounts, but you can also use it to log into your Mac or Windows PC).
Then, log into each of those services, navigate to your account settings, look for the Security category, and enable two-factor authentication (if you haven’t already). When you set that up, you’ll probably be offered the opportunity to set up a security key—that’s what you want. I like to use my YubiKey as the main form of authentication, with an authenticator app as a backup. Just make sure you turn SMS off, since it’s the least secure.
In addition, when you set up two-factor authentication, most services will offer you a few one-time backup codes. It’s extremely important that you write these down. If you ever lose your YubiKey, these will allow you to get into your account, but if you don’t write them down, you’ll have a hell of a time getting back in. (This is also why some security-minded folks recommend having two YubiKeys, but that’s up to you.)
In addition, I’ve found that keeping the YubiKey with my car keys—which seems like a natural fit—just makes me hate using it, since my keys aren’t always in my pocket when I’m at home. So to make it as convenient as possible, clip it onto something you tend to have with you when you need it—for me, that was the office keys I keep in my desk, but for you it might be your wallet, or pocketknife. If you don’t keep it with you, it’s going to be more of a nuisance than a convenience. But if it’s always within arm’s reach, logging in will be a breeze.
Scouted is internet shopping with a pulse. Follow us on Twitter and sign up for our newsletter for even more recommendations and exclusive content. Please note that if you buy something featured in one of our posts, The Daily Beast may collect a share of sales.