How YubiKey could double-lock your online accounts
You don’t have to be a high-profile hacking target to take advantage of the technology behind Google’s new Advanced Protection Program.
The partnership, which the company announced in October, uses two kinds of physical security keys to make it much harder for hackers to break into online accounts. And although the technology is intended for journalists, politicians, CEOs, activists, and domestic-abuse survivors, it’s available to anyone with an Amazon account.
Google says the program is the “strongest defense against phishing.” It takes two-factor authentication to the next level by forcing the account owner to log in with a password and a physical security key. Standard second-factor authentication methods, such as receiving an SMS with a one-time code or a code generated by the Google Authenticator app, will no longer work with the account.
Two-factor authentication generally uses a username and password, plus a one-time passcode generated by an authentication app or sent as a text message to the user’s phone. If sent over SMS, that second factor can be phished by hackers, according to a 2016 study published by Google. Researchers at the search giant spent two years comparing the delivery, use, and effectiveness of different types of multi-factor authentication.
“Academic research has produced numerous proposals to move away from passwords, but in practice, such efforts have largely been unsuccessful,” the study’s authors wrote.
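The difference between a phishable SMS code and a security key assertion comes down to origin binding: the browser writes the origin of the requesting page into the signed client data, so the relying party can reject an assertion produced for any other site. The following is an added illustration, not code from the article, Google or Yubico; it models the key's ECDSA signature with an HMAC so it runs on the standard library alone, and the origin, secret and one-time code are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed example: one relying party and one registered key; placeholders, no real service.
RP_ORIGIN = "https://accounts.example.com"
KEY_SECRET = secrets.token_bytes(32)  # stands in for the key's ECDSA private key

def authenticator_sign(page_origin: str, challenge: str, touched: bool = True) -> dict:
    """Model of the key's answer to a sign request from a page at page_origin.
    The browser, not the page, fills in the origin, and the signature covers it,
    so a site on another origin can only obtain assertions bound to that origin."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    presence, counter = (1 if touched else 0), 1  # real keys increment the counter
    signed = struct.pack(">BI", presence, counter) + hashlib.sha256(client_data).digest()
    signature = hmac.new(KEY_SECRET, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "presence": presence,
            "counter": counter, "signature": signature}

def rp_verify(issued_challenge: str, resp: dict) -> bool:
    """Relying-party checks: origin, challenge, button touch, then the signature."""
    cd = json.loads(resp["client_data"])
    if cd.get("origin") != RP_ORIGIN:            # assertion was produced for another site
        return False
    if cd.get("challenge") != issued_challenge:  # stale or replayed challenge
        return False
    if not resp["presence"] & 1:                 # the gold button was not touched
        return False
    signed = struct.pack(">BI", resp["presence"], resp["counter"]) + \
        hashlib.sha256(resp["client_data"]).digest()
    expected = hmac.new(KEY_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, resp["signature"])

def sms_verify(issued_code: str, entered_code: str) -> bool:
    """An SMS code carries no origin: wherever it was typed, it verifies."""
    return hmac.compare_digest(issued_code, entered_code)

def demo() -> tuple:
    challenge = secrets.token_urlsafe(16)
    legit = rp_verify(challenge, authenticator_sign(RP_ORIGIN, challenge))
    # The same challenge answered by the key on a lookalike origin (placeholder domain)
    relayed = rp_verify(challenge, authenticator_sign("https://accounts-example.invalid", challenge))
    code = "482913"  # constructed one-time code
    sms_relayed = sms_verify(code, code)
    return legit, relayed, sms_relayed  # -> (True, False, True)
```

The origin check is what the relying party contributes; the key itself never learns which site it is talking to.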
YubiKeys are the most ubiquitous physical keys among consumers, owing to their relative affordability, availability, use across business and consumer platforms, and vocal support from tech cognoscenti. YubiKeys and competitors such as the Feitian MultiPass (also recommended by Google for its Advanced Protection Program), NitroKey, and OnlyKey look like USB sticks, flash drives, or car key fobs.
YubiKey, specifically, can be used for two-factor authentication with a wide range of online services such as Google, Facebook, and Dropbox; password managers such as LastPass, Dashlane, and KeePass; and operating systems such as Windows, Mac OS, and Linux, though all of those services should support all U2F keys.
Brad Hill, a security engineer at Facebook, wrote in a review of the YubiKey U2F Security Key that the device is “very reliable,” “faithfully” applies the security protocol, is a “good bet” for businesses because the YubiKey is spoof-resistant, and is also “a solid general consumer choice.”
Hill also lauds the YubiKey NEO as his “daily driver,” which has been “attached to my badge lanyard and used every day for several years.”
While the new system is designed to make the accounts of high-profile online targets harder to crack and spoof in an account recovery process, the extra level of protection that a physical key can provide (without the stringent account recovery) is available to anyone who buys a YubiKey, Feitian fob, or similar physical security key.
YubiKey models and the services that use them have varying setup processes, detailed on the YubiKey site. They also have varying account recovery processes. Once you’ve tied a key to a device and an account, you will need to touch the key’s gold button for about a second, then release, to log in to your account.
The Advanced Protection Program streamlines the process of Google account protection. To enroll, Google sends you to Amazon to buy a Feitian MultiPass Security Key (currently $24.99, for all devices including iPhones and Androids) as your main log-in key, and a Yubico FIDO U2F Security Key (currently $17.99, for all desktops and laptops) as your backup key, though it also supports other physical keys approved by the FIDO Alliance, a tech industry authentication standards group.
Once you’ve tied the keys to your Google account, you can log in to it only with the account password and one of the keys. There’s no work-around—and no easy account recovery process, should the physical keys get lost. Joseph Lorenzo Hall, chief technologist at the online privacy advocacy group the Center for Democracy and Technology, told Wired that the Advanced Protection Program recovery process for lost keys takes “days.”
Certainly, resilience is an important feature of YubiKeys. Waterproof and crush-proof, they impressed Christopher Soghoian, the principal technologist at the American Civil Liberties Union from 2012 to 2016. He recommends using a YubiKey because it “can take a beating.”