How this $18 key protects you from hackers
SAN FRANCISCO — Your online accounts should be protected with more than just a password. And using a cheap device called YubiKey can help keep you from being hacked.
By now you’ve probably heard you should be using two-factor authentication, often called 2FA, to log in to your accounts. If you’re using 2FA, you need an additional code to access your email, Facebook or other accounts. This is often sent via SMS, which may not be the most secure.
For instance, if you request a texted code, it could be intercepted by someone snooping on your mobile network or a hacker who has convinced a mobile operator to redirect your phone number. Further, when you don’t have cell service, you can’t get the text.
YubiKey, created by Yubico, is one solution. The $18 key connects to a USB port on your computer and tells a service, like Gmail, that you are you.
You simply plug it into your computer, touch it and your identity is authenticated. It automatically creates a one-time-use password to log in to an account, and because it’s a physical key, data can’t be intercepted in transit.
Security researchers say Yubikey is the best method to protect yourself from phishing, a common tactic that tricks a person into thinking a malicious message was sent by someone they trust. Usually phishing attacks are used to gain access to your personal information, like emails or bank accounts.
Facebook added support for the security key in January.
“We added support for U2F Security Keys because they offer the best possible account protection against the potential risk of phishing,” Facebook security engineer Brad Hill said in a statement to CNN Tech.
It takes just minutes to set it up with services like Facebook and Gmail, which let you add it under Security Settings.
“Security is the biggest issue on the internet,” Yubico CEO Stina Ehrensvard said. “For the internet to be secure … it should be the users who own and monitor and control what data they want to provide.”
YubiKey doesn’t work for all accounts that support 2FA. But Gmail, Facebook, and Dropbox are hugely popular consumer products that support this key.
Yubico has a list of accounts that support its method of authentication.
According to Ehrensvard, the firm has seen a major increase in Yubikey adoption recently. During the 2016 holiday season, some security researchers suggested it as a stocking stuffer, and the company said there’s been a “huge spike” in orders over the last year.
Yubico, alongside Google, helped create U2F, or Universal 2nd Factor, a security standard to let users access their accounts with a physical key, like Yubikey.
Ehrensvard said Yubikey has protected journalists, students, and corporations from hackers.
“We got an email from a journalist who said, ‘Thank you for saving my life,'” Ehrensvard said. “Because he had set up a security key with Gmail and some of his coworkers had not. And they’re no longer there.”