The Key To Being Safer Online Is Actually A Key
Let’s Talk About Seat Belts
Specifically, the three-point belt that Nils Bohlin, a Volvo engineer, invented in 1959. Bohlin’s creation didn’t require companies to change the way they made cars—it just added a part, and a small extra step for drivers. Yet wearing a seat belt proved so much safer than driving without one that it spurred a wave of car-safety innovation that continues today.
Stina Ehrensvard, chief executive at online security company Yubico, sees parallels to her work trying to shape the future of online security. The internet came along, fast and new and exciting and totally unsafe—it needed a seatbelt. Ms. Ehrensvard has spent the past decade building hardware and software that makes using the internet safer without adding unnecessary complication.
I’ve been testing Yubico’s newest product, the YubiKey 5, along with a new Google gadget called the Titan Key. Both devices plug into a computer, authenticating you with a “handshake” that can be more secure than a password or authorization code. They can also do the same with some smartphones—either by plugging into a port or communicating wirelessly.
Right now, a key like these is your best defense against anyone trying to get into your email, social media or work accounts. They are also the beginning of a complete overhaul in how security works on the internet, one that might finally kill off the password.
Dance The Two-Step
Keys like the ones I’ve been testing are known as a “second factor” in your internet security arsenal. You may have heard of two-factor, or two-step, authentication: The first factor is almost always your password, while the second is usually a code sent to, or generated by, your phone.
But the second factor can really be anything that can show it’s actually you typing in the password.
Why do we need this? Because passwords are a disaster. Years of hacks have exposed an absurd amount of user data:
Researchers at Google estimated that 3.3 billion credentials were exposed by breaches between March 2016 and March 2017. That included several of my passwords and likely some of yours.
Because so many people re-use passwords across services, any breach can ripple across your entire internet life.
I recommend setting up any kind of two-factor authentication you can, especially on your most sensitive accounts. Your email, certainly, but also your banks, your file storage and anywhere you keep things you’d rather not lose. Pair that with a good password manager, and you’re already ahead of the game.
Lock It Down
A security key is the most secure two-factor device you’ll find, though it’s probably overkill for most people. I like the Google Titan Key and the YubiKey, which comes in multiple sizes and USB types. All cost between $20 and $60. They work most seamlessly with computers, but are increasingly phone-compatible as well—if you use Android. For now, iPhone users are basically out of luck, though Yubico is working on a product for Apple’s Lightning port.
Once you get a key, you set it up by registering it in the settings of whichever app you’re using: Sites like Gmail, Dropbox and Facebook already support security keys, and the numbers are growing fast. Once it’s set up, you just plug it in when prompted, generally after typing in your password.
Then you tap a button on the key, which confirms there’s a human at the helm. The smallest YubiKeys can actually hide in your USB port, so all you have to do is tap.
Why Leave It In?
Hackers who come across your password probably don’t have physical access to your laptop. Likewise, someone who steals your laptop probably won’t have your passwords. When you tap, the app quickly verifies the key and lets you in.
Security keys don’t send anything sensitive over the internet. They use a system called public-key cryptography to verify your identity: The app sends a secret code only you can identify; your “private key” decrypts it, then encodes a reply message and sends it back—a thumbs-up that you are who you claim.
You Don’t Need To Understand All That To Use This Tech
Security keys also help protect users from being tricked out of their credentials through a process known as phishing. If you get an official-looking email from Bank of America telling you to review your account activity, a security key will attempt to verify that you are on the real site. If you are actually on a page designed to steal your credentials, it won’t log you in.
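The handshake and the phishing check described above, modeled as an added example (not code from the article, Yubico, Google or FIDO): the key signs a fresh challenge together with the site address the browser reports, which is a simplification of what real keys do. The class names, the user `alice` and both `.example` addresses are constructed for illustration.

```javascript
// Added illustration; a simplified model, not Yubico's, Google's or FIDO's code.
const nodeCrypto = require('crypto');

// The security key: one private key per registered site; private keys never leave it.
class SecurityKey {
  constructor() { this.credentials = new Map(); }
  register(origin) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.credentials.set(origin, privateKey);
    return publicKey; // only the public half is handed to the site
  }
  // `origin` is what the browser reports for the page asking, not what the page claims.
  sign(origin, challenge) {
    const privateKey = this.credentials.get(origin);
    if (!privateKey) return null; // no credential for this origin: refuse
    const signed = Buffer.concat([Buffer.from(origin), challenge]);
    return nodeCrypto.sign('sha256', signed, privateKey);
  }
}

// The site: stores public keys and checks signatures over its own origin + challenge.
class Site {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() { return nodeCrypto.randomBytes(32); } // fresh random value per login
  verify(user, challenge, signature) {
    const publicKey = this.publicKeys.get(user);
    if (!publicKey || !signature) return false;
    const expected = Buffer.concat([Buffer.from(this.origin), challenge]);
    return nodeCrypto.verify('sha256', expected, publicKey, signature);
  }
}

function demo() {
  const REAL = 'https://bank.example';       // constructed origins
  const FAKE = 'https://bank-login.example'; // look-alike page relaying the real challenge
  const key = new SecurityKey();
  const site = new Site(REAL);
  site.enroll('alice', key.register(REAL));

  const c1 = site.newChallenge();
  const sig1 = key.sign(REAL, c1);
  const genuine = site.verify('alice', c1, sig1);
  const c2 = site.newChallenge();
  const phished = site.verify('alice', c2, key.sign(FAKE, c2));
  const replayed = site.verify('alice', site.newChallenge(), sig1); // captured reply reused
  return { genuine, phished, replayed };
}

console.log(demo());
```

Only the genuine login verifies: the look-alike page gets no signature at all, and a reply captured from an earlier login fails against the next challenge.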
Even if you use a key only on your computer, it’s still worth having one around. It’s much faster than digging out your phone every time you need to log into something. And it’s good to have a spare handy if you ever lose your key—without it, recovery can be a multi-step process. Even if it gets stolen, hackers can’t turn it against you unless they know your passwords, too.
Passwords aren’t going away anytime soon, according to Brett McDowell, executive director at the FIDO Alliance, a group working on cybersecurity standards across devices and services. (FIDO stands for Fast Identity Online.) Passwords mostly are just too entrenched. They do have some use, though: Without them, what happens if you lose your keys? Still, he says, “passwords are losing their value as a credential with every passing year.”
The tech you need for better security won’t always be a key. Any device that works over USB, NFC or Bluetooth is currently supported by FIDO’s technology.
It might even be a chip inside your phone or laptop itself that allows you to log into everything the way you unlock your device—your fingerprint, or face, could be the only password you need anywhere.
In that world, life online gets a lot easier. You sit down at your computer, and as soon as you’re in, you’re immediately logged into every app and service you use. The system might be set to periodically check on your typing patterns or word choices to make sure it’s still you at the keys.
Once you’ve set everything up—buckled in, you might say—security should never get in your way again. It’s just there in case something happens, making sure you get out unscathed.