I saw my friend Chris tweet this question yesterday and had to respond:
In the past few weeks, Nick helped me get Yubikeys set up on all of the services I use that support them. If I had a New Year’s resolution, which I don’t, it would have been to start to use Yubikeys.
So what are Yubikeys?
They are a brand of “security keys” that are supported in the two-factor authentication offerings at Google and many other Internet services.
You can buy Yubikeys here.
The idea is you keep one with you and one in a safe place in your office or home or a bank safe deposit box.
If you lose your phone, you have a Yubikey to get you back into the service.
But I don’t only use Yubikeys as “backup codes”, which I also keep stored safely.
I have started using my Yubikeys instead of a Google Authenticator code. It can be easier if you have the Yubikey handy.
But whatever you do, don’t use SMS for two-factor codes.
I was hacked this summer and the attacker tried (unsuccessfully thankfully) to port my phone number.
My partner Albert recently experienced a similar attack. He wrote about it here.
So here is the best practice as I see it:
- Always use two-factor authentication if it is offered. And it is almost always offered on popular services.
- Don’t use text messaging to deliver two-factor codes. It is not safe. You can have your number ported way too easily.
- Use Google Authenticator to generate two-factor codes on your phone.
- Use a Yubikey as a backup in case your phone is lost, stolen, or dropped in a swimming pool or toilet.
- Print out the backup codes to the two-factor services and put them in a safe place.
Personal data security is a big deal. Trust me on this. Don’t let yourself get hacked to understand why.
And Yubikeys are a nice addition to the personal security mix. I like them a lot.