Passwords aren’t enough. The key to online security is a key
Devices by Yubico and Google are helping protect against hackers. Just don’t lose them
No matter how much alphanumeric complexity you add to passwords, chances are they’re still not strong enough. Don’t worry, mine are even weaker. Against all advice, I’m only willing to deliver the bare minimum asked of me when it comes to mixing numbers, letters and symbols. I stupidly use the same passwords for multiples sites, I rarely change them (unless forced to), and I hide them in very obvious places.
Any grade-school computer nerd could hack me on most platforms were it not for an extra layer of security: my YubiKey 5 (from $45 (U.S.), yubico.com). This encrypted device is a unique two-factor authentication system similar to what you’re already using (right?) to bolster your online security.
If you’re not, here are the basics: When logging into a site with two-factor from a new device, entering a password triggers the site to text you a randomly generated code you then type in to complete a login. It seems foolproof at first—no phone, no code. But anything digital is ultimately hackable and online criminals have already found crafty ways to intercept texts.
Here’s what’s different about the YubiKey and its competitor the Google Titan ($50, shop.google.com): They must be in hand and physically connected to a device before you can access online accounts—either plugged into a USB port or pressed against a phone (which activates the key via Near Field Communication).
The keys, which fit on a ring next to ones for your house and car, automatically authenticate the sites you visit. Then each time you click “log in” and type your password, the key creates a onetime cryptographic code that pairs it with a site, completing the process. Without the key your passwords don’t work, for you or, more importantly, anyone trying to hack you.
The key is annoying at first since you have to register it on every site—a simple process but tedious when repeated over and over.
After that, as long you have the key handy you can cruise the internet on any computer or device normally.
So what happens when I inevitably lose my keys? “That’s the rub,” said Matthew Green, associate professor of computer science at Johns Hopkins University, with a laugh. In theory, you’re safest if a key is mandatory to access a site. “But if it’s lost or stolen then you’re suddenly locked out.”
You can stash a spare key in a hollowed-out book or print out emergency backup codes (found in security settings’ menus) that help you access a locked account.
Otherwise you might be barred for days until you’re able to verify your identity and reset your password. Beyond that relatively enormous flaw, keys are the safest way to navigate the net. For now.