Almost no one takes their security seriously. I know there are some people who think it’s a good idea to store a password written down in an actual book—that these timeless invocations to Amazon, Bank of America, or Google from their presence whispering in taps make them look like glasses-and-trenchcoat-dressed “hackers.” These are the same people who ignore a plethora of pending security updates and lose an entire inch of screen to browser toolbars.
You simply can’t make people who store their banking credentials in plain text notes saved in iCloud or Drive care about their security, because any loss of convenience is a non-starter for them. But nearly every adult keeps a set of keys for their car or home, and there’s a solution they can use that’s as convenient as it gets.
I urge everyone reading these words to just buy a YubiKey and use it with every possible service.
You need two-factor authentication, and a hardware key is best
It’s the easiest way to increase your online security, and with all the constant hacks at many companies and the legitimately unreliable lack of even basic security standards, there must be something other than a password standing between the world and any digital account you value at at least $20.
There are a lot of things you can add to the equation and a number of 2FA (two-factor authentication) systems you can adopt, such as SMS and email-based methods. But your security is only as good as the one you choose, and a hardware key is the best option.
Of course, not every company supports 2FA or hardware token-based 2FA. There is a large public list of 2FA-compatible online services that I recommend checking against, but most popular non-financial services support two-factor authentication.
It’s a shame how little American banks care about their customers, as only Bank of America supports big-boy hardware security keys, and even online-first banks like Ally, SoFi, and Capital One are firmly stuck in a 2002-era outlook on the internet. The best you can hope for is SMS-based verification, which is a pretty bad idea considering how little security the carriers have.
As far as I can tell, like banks, carriers don’t really care about you – just look at the constant stream of hacks and the failure to meet basic security standards. We are all a source of revenue in return for the highly valuable data that sits in columns on quarterly financial reports. Carriers can hand your number over to someone who calls, Googles your name, and attempts even a half-baked impersonation. Don’t trust them.
Metaphorically, your phone number is basically as secure as your wallet, and it can be robbed, confiscated, and stolen. Just as you probably won’t feel safe carrying around thousands of dollars in cash all the time, don’t rely on your phone number as a last line of security for anything of high value, like an important online account.
A hardware 2FA security key is convenient – you don’t have anything extra to remember and it’s like carrying your house key. If it’s stolen, no one can magically log into your account. They would also need your other credentials, and the key serves as the final, difficult-to-duplicate barrier. Even if your username and password are in the hands of a malicious actor, they can’t get in without the dongle in your pocket.
Upcoming passwordless standards also mean that using a hardware security key may actually be more convenient than remembering and tapping out a pretty long password — just input your username, pop in the key, and you’re good to go. It won’t need to be changed every three or six months depending on some obnoxious policy, it can’t be hacked or phished, and you won’t have to add yet another password or deal with a password manager. It will be the epitome of convenience and every bit as secure.
Seriously, Buy a YubiKey
I said “Buy a YubiKey” before, but I must stress that I don’t particularly like Yubico more than other hardware 2FA companies. Really, any recent hardware 2FA key is fine as long as it plays nice with FIDO2 and WebAuthn (for upcoming passwordless standards) and supports the ports you need.
But YubiKeys are sold in more places, they release models that support the new standards more quickly, they offer a wider range of ports for device compatibility, their products are externally audited, and they’re mostly black, so they don’t stain or show wear as much as lighter-colored models can. (You also have fun stickers to make your keys a little less boring – maybe dBrand should take a look at that.)