Plus the advantages and disadvantages of using it
To secure your online accounts, a process called two-step authentication is absolutely necessary. But out of sheer laziness or apathy, not many people bother. Most likely, they think “nobody will ever hack my account”. But that is a risk you never want to take.
If you would like a safe and effortless way to use two-step authentication, then consider buying a YubiKey.
What Is Two-Step Authentication?
Usually, when you log into an online account, you need a password. Get the password right and you are in. But with two-step authentication, you need a second code to log in successfully, which you enter after the password has been accepted.
Consider it the same as unlocking and walking through the front door of a house only to find a second door you need to unlock. It’s simply extra security.
One of the safest two-step authentication methods is Google Authenticator, which puts the codes on your phone. An open-source alternative is Authy. Other websites send codes to your phone in a text message, which is highly risky if the phone gets cloned. The same goes for codes sent in emails, which should be avoided at all costs.
Therefore a YubiKey – which is similar in appearance to a USB stick – is the best option of all. As long as you keep the key safely in your possession, nobody can ever grab it remotely, unlike a phone’s text message.
Some Facts About a YubiKey
In case you’re thinking this is a niche product that very few people use, think again. YubiKeys have been endorsed and are being used by some heavy hitters including Google, Facebook, Dropbox, and the British Government, to name a few.
The 3-gram YubiKey also advertises itself as “nearly indestructible”. To quote the company:
“The standard-sized YubiKey is made of injection-molded plastic encasing the circuitry, while the exposed elements consist of military-grade hardened gold. Waterproof and crushproof, the standard-sized YubiKey attaches to your keychain alongside your house and car keys”.
They are also cheap. You can pick one up from Amazon for $27. Google is also known for handing them out for free at conferences.
How Does It Work?
As I said, it resembles a kind of USB stick. You must register the key with online accounts that support the technology via the two-step authentication settings of that account.
Then, when you are logging in, plug the key into your USB port. The gold button with the key logo will light up blue. Tap that gold button with your finger; the touch sets off an electrical charge that enters a one-time code, which gets you into your account.
How Do You Set It Up?
Here is how to set it up for a Gmail account. This will show how user-friendly the whole concept is.
First, go to your Google account page, to the security section, and to “2-Step Verification”.
After signing in to verify your identity, scroll down to the various authentication methods available. One of them is “Security Key”. Click on “Add Security Key”.
It will then ask you to insert your key into the USB port and tap the gold button.
As soon as you tap the gold button, it will tell you that the key has been registered to your account, and it invites you to name it. There’s no need to make this part complicated.
Once you click “Done”, the security key will show up as an authentication method.
And that is it. Setup is complete. I told you it was easy.
In case you’re not yet sold on a YubiKey, let’s look at three advantages of using one.
It’s Extremely Simple To Use
There is absolutely no way to mess up using a YubiKey. Once you have set it up with each online account, just insert the key into the USB port, and press the glowing button once. That’s it. You’d need to be a total idiot to mess THAT up!
Extra Account Security Without The Hassle
Two-step authentication is good – but it can also be annoying. When I speak to someone who doesn’t have it, the excuse is usually “it’s too much of a hassle”.
Although the benefits of having two-step authentication vastly outweigh not having it, I do get it. Two-step authentication involves signing in, then getting the code and entering it. Doing it once is no big deal, but when you do it on a regular basis, it starts to get tedious.
A YubiKey removes that annoyance and makes you more inclined to use the extra protection. One tap and you’re in.
It’s Impossible To Get Virus-Infected
One of the things I have noticed the most when reading about YubiKeys is people saying “and get it infected in a public Internet terminal? No thank you!”.
Although you shouldn’t be using public Internet connections for security reasons, YubiKeys can’t get viruses as it is impossible to move any files onto them. This is where they differ from a conventional USB device. Plus, all the information on the key is write-protected.
Are there any downsides to using a YubiKey? Well, yes there are. Whether or not they are deal-breakers would depend on your individual situation.
It Doesn’t Work On Smartphones & Tablets
As someone who uses mobile devices and tablets a lot, this is a huge drawback. My iDevices are fantastic, but the one weakness is the lack of a USB port. So where does the YubiKey go?
The short answer is that it doesn’t go anywhere as the YubiKey doesn’t work with smartphones and tablets. When you log into your account, it detects you are not on a conventional computer and it will revert to your backup authentication option. This is why you should always have at least one more authentication process on your account.
YubiKey also doesn’t work with local email clients such as Outlook and Apple Mail.
It Only Works In Chrome
Don’t ask me to explain this one as I don’t understand it. But as of this writing, YubiKey only works on Google Chrome. So tough luck, users of other browsers.
If Someone Gets Your Key & Account Password, It’s Game Over
The thing with the usual two-step authentication is that any intruder would need physical access to your phone in order to get the SMS or Google Authenticator code. Barring the phone being cloned, having a passcode on your phone stops access to your two-step authentication codes by an unauthorized third party.
But if someone gets a hold of your YubiKey, and also knows your account password, then that would be it. They would have no smartphone passcode to bypass to get to your SMS codes or Google Authenticator app.
The best solution is to use a very long, hard-to-guess account password (and keep it in a password manager). And keep the YubiKey in a very safe place such as on a keyring in your pocket.