Cybersecurity is paramount these days. It seems like every day a new breach exposing personal information, including credit card numbers and passwords, is in the news. If it’s not a large company breach, it’s hacked devices like IP cameras, routers, and network-attached storage. You should work hard to keep your home network secure by following good practices such as segregating your network, monitoring your logs, and keeping your device firmware up to date. You should also keep your accounts secure by using strong and unique passwords. But that’s not enough in today’s world. You also should use a two-factor authentication (2FA) key.
What is multi-factor authentication?
Multi-factor authentication generally describes security technologies and practices that require multiple methods of authentication in order to access a system. These authentication methods include:
- A password, passphrase, or personal identification number (PIN) – Something you know
- A token, smartcard, or key – Something you have
- Biometrics like a fingerprint, voice recognition, or a retinal scan – Something you are
You’ve probably been using multi-factor authentication for years. When you go to an ATM to withdraw money, you insert an ATM card (something you have) and then enter a PIN (something you know). This is using multiple methods, or factors, to authenticate that you are you and can have access to your bank account.
Multi-factor authentication can use 2, 3, 4, or more methods of authentication. Two-factor authentication, or 2FA, is a type of multi-factor authentication that requires only two methods. The ATM example above is 2FA. So is your bank emailing or texting you a one-time authorization code when you log in to their website.
Why should you use 2FA?
Picking a strong password to protect your accounts is good protection, but it is often not good enough these days. Systems are breached all the time, and through no fault of your own, your credentials could be leaked. The breached companies may not even know it has happened. Without 2FA, your leaked credentials are all a hacker needs to access your accounts. If you have 2FA turned on, then they’ll also need a code, a security key, an app, your cell phone, or something else to access your account. This makes accessing your account much more difficult for hackers.
Why a 2FA key is better than other multi-factor authentication methods
Most people have been using some form of 2FA for years. There’s the ATM card/PIN example I mentioned before. And most people are familiar with services that send you a code via email or text. Some even use 2FA authenticator apps on mobile phones like Google Authenticator and Duo. All of these methods are better than just having a password, but they are not all equivalent to having a physical 2FA key. Let’s walk through the popular 2FA methods and briefly discuss their security.
OK, but not great 2FA methods
Text and voice-call codes are the most common 2FA methods, but they are the least safe. They usually consist of a temporary four- to eight-character code sent via text/SMS or via a voice call to your phone. The service you are trying to log in to automatically generates the code. You enter the code when asked after logging in with your username and password. The code is usually good for a few minutes. One advantage of using voice-call codes is that they can work with landlines.
There are a few problems with this method. Texts and phone calls are usually unencrypted. They are also tied to a specific phone number, which can be hijacked more easily than something tied to a specific device. Someone who has taken over your phone number, changed your account to forward calls or texts to a second number, or who works at a cellular carrier can intercept this code.
It’s unfortunate that this is the most common 2FA method, and often the only choice providers give you. It is way better than not having any 2FA, but there are better methods.
Good 2FA methods
Push codes sent to an app on your phone are a step up from those sent via text or voice calls. They are encrypted and can only be sent to devices where you’ve set up the authenticator app. Later iPhones have this ability built into the OS.
Authenticator apps can generate the codes themselves instead of having codes pushed to them or to the phone. The service you are using has to support the app. At enrollment the service and the app share a secret key, and from then on both run the same time-based algorithm (OATH-TOTP) over that secret to produce the currently valid code. These apps have the advantage of not needing a cellular connection or even a Wi-Fi connection to work. Duo Mobile, LastPass Authenticator, Microsoft Authenticator, and Authy are popular apps that have this functionality.
Code-generating hardware tokens (usually small cards or keychain devices) were popular in many large corporations. They work pretty much the same way as code-generating authenticator apps. These devices are decreasing in usage since smartphone authenticator apps are more convenient and less expensive to set up and maintain.
While these methods are pretty safe, they all still use temporary codes, which are susceptible to phishing attacks. Criminals can create fake duplicate sites meant to trick you into thinking you are logging into the real site. You enter a code from your authenticator app, and the criminal takes the credentials and the code you entered and enters them into the real site to gain access to your account. This has even happened with Google accounts!
Better 2FA method, but not the best!
Push approvals don’t require any type of code to be synchronized or generated. You use a service or an authenticator app to just select “Yes” or “Approve” when prompted for a second authentication, which comes from the service you’re trying to log into. Services like Microsoft, Google, and Yahoo have this capability. My job uses Duo Mobile to do this. Authenticator apps like Duo Mobile can handle push approvals from multiple services.
One small problem with this method is that malicious mobile apps can fake or hijack push notifications to get someone to mistakenly authorize an account login. Still, this is much less risky than the previous methods discussed.
The best 2FA method
The point of this article is to convince you to consider using physical security keys, like USB security keys. USB security keys are small devices that plug into your computer’s USB port. Some USB security keys also support near-field communication (NFC) and/or Bluetooth and thus can interact with smartphones, tablets, and laptops.
USB security keys are sometimes called U2F (Universal 2nd Factor) keys. They have a small chip with all the security protocols and code that allow them to connect with services to verify your identity. The keys work with popular web browsers like Google Chrome to connect to identity verification services.
First, you register the key with the service(s) where you want to enable 2FA. When you log in to the service, you’ll be prompted for 2FA verification from your key. Then you simply plug your key into your computer’s USB port and tap it to verify your identity.
What makes them better than the other options? There’s no security code to type, so standard phishing attacks will not work: the key answers a challenge that is bound to the site the browser is actually on, so a response produced on a look-alike site is useless on the real one. There’s not necessarily an app involved in using the key, so malicious apps won’t work either. A hacker will need access to the physical key to break into your account.
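The following is an added example, not code from the article or from any key vendor, that models why the relay-style phishing described in the authenticator-app section fails against a security key. It is a deliberate simplification: real U2F/FIDO2 keys sign with a per-site private key and the service verifies with the matching public key, whereas here a per-site HMAC key (derived from the key’s master secret) stands in for that key pair so the example runs on the standard library alone. The names `SecurityKey`, `RelyingParty`, `example.com` and `example-login.test` are all constructed for the illustration. What is faithful is the part that matters: the browser, not the web page, stamps the origin it is really on into the data the key signs, and the service refuses anything signed for a different origin.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class SecurityKey:
    """Simulated hardware authenticator (not real key firmware)."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # never leaves the device

    def _site_key(self, rp_id: str) -> bytes:
        # One credential per site, derived from the master secret.
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        # A real key returns a public key; this simulation returns the derived
        # site key so the service can verify the HMAC "signature".
        return self._site_key(rp_id)

    def sign(self, challenge: str, origin: str) -> tuple[bytes, bytes]:
        """Browser-mediated assertion. The browser supplies the origin it is
        actually on; a page cannot tell the key it is somewhere else."""
        rp_id = urlparse(origin).hostname
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        signed = hashlib.sha256(rp_id.encode()).digest() + client_data
        sig = hmac.new(self._site_key(rp_id), signed, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """Simulated web service that enrolled the key."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.expected_origin = f"https://{rp_id}"
        self._creds: dict[str, bytes] = {}
        self._pending: dict[str, str] = {}

    def register(self, user: str, credential: bytes) -> None:
        self._creds[user] = credential

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)   # fresh per attempt, so replays fail
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, client_data: bytes, sig: bytes) -> tuple[bool, str]:
        data = json.loads(client_data)
        if data.get("origin") != self.expected_origin:
            return False, "origin mismatch"
        if data.get("challenge") != self._pending.pop(user, None):
            return False, "stale or unknown challenge"
        signed = hashlib.sha256(self.rp_id.encode()).digest() + client_data
        expected = hmac.new(self._creds[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        return True, "ok"


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    key = SecurityKey()
    site = RelyingParty("example.com")
    site.register("alice", key.register("example.com"))

    # Genuine login: the browser is on https://example.com.
    ch = site.begin_login("alice")
    legit = site.finish_login("alice", *key.sign(ch, "https://example.com"))

    # Relayed login: a look-alike page forwards the real challenge, but the
    # browser stamps the look-alike's origin into what the key signs.
    ch = site.begin_login("alice")
    relayed = site.finish_login("alice", *key.sign(ch, "https://example-login.test"))
    return legit, relayed


if __name__ == "__main__":
    print(demo())   # ((True, 'ok'), (False, 'origin mismatch'))
```

Compare this with the TOTP case: a six-digit code carries no information about where it was typed, so the service has nothing to check, while here the origin check is the first thing the service does and it rejects the relayed response before even looking at the signature.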
The downside of security keys is that they aren’t free. They aren’t expensive, but apps and text messages are basically free.
Top 2FA keys on the market
There are many USB security keys on the market, many of which I’ve listed below. All of the ones I’ve listed have the basic functionality I’ve described above. You’ll find differences in price, USB connector, NFC and Bluetooth capability, and in which standards are supported. Going into the differences in the standards is beyond the scope of this article. Some standards allow for extra functionality with some services. Make sure you are familiar with the protocols and keys your service supports. I personally use and recommend the YubiKey 5C NFC because it supports many protocols and services:
Editor’s note: I have written an article on the top two-factor security keys that you should check out.
- SECURITY KEY: Protect your online accounts against unauthorized access by using 2 factor authentication with the Yubico YubiKey 5 NFC security key. It's the world's most protective USB and NFC security key that works with more online services/apps than any other.
- FIDO: The YubiKey 5C NFC is FIDO certified and works with Google Chrome and any FIDO-compliant application on Windows, Mac OS or Linux. Secure your login and protect your Gmail, Facebook, Dropbox, Outlook, LastPass, 1Password, accounts and more.
- FITS USB-C PORTS: Once registered, each service will request you to insert the YubiKey PC security key into a USB-C port and tap to gain access. NFC-ENABLED: Also get touch-based authentication for NFC supported Android and iOS devices and applications. Just tap & go!
- DURABLE AND SECURE: Extremely secure and durable, YubiKeys are tamper resistant, water resistant, and crush resistant. The YubiKey 5 NFC USB is designed to protect your online accounts from phishing and account takeovers. Proudly made in the USA.
- MULTI-PROTOCOL SUPPORT: The YubiKey USB authenticator includes NFC and has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication.
There are many other choices that will work for most people:
Security is important. Secure your home network as best you can. Choose strong passwords and use 2FA. A physical key is the best standardized 2FA protection you can get right now.
Do you use a physical USB security key? Which one do you use and why? Let me know on Twitter or in the comments!