Using strong and unique passwords is getting easier. Password managers have been around for some time to make sure we don’t lose our passwords and our online identity at the same time. Recently, products from a few manufacturers have gained wider support and are easy to start using. These products are security keys, developed to protect users with an additional authentication factor.
Instead of using only a password to log in, you plug the security key into a USB port on your computer or tap it on your phone so it can be read over NFC. Easy, fast and, most importantly, very secure.
Logging in with two separate authentication methods is called 2-factor authentication. In the case of a password and a security key, it is based on something you know (the password) and something you own (the security key).
Once you have started using the key, you can only log in if you provide both factors. If your password is weak or was exposed in a breach, the cybercrooks still can’t log in, as they don’t have your security key.
Of course, to make our lives easier, browsers usually remember our sessions, so you should always be careful about who has physical access to your devices.
Some services can also be set to remember your session on a specific device. This means you don’t need to type in your password and use your security key when using that service on that device. Your password and security key are still required when a new device tries to log in to your account, keeping your account safe from unauthorized logins.
If you would like to first familiarize yourself with passwords and how to use them securely, I have a post on that here.
What are Yubico and YubiKey?
Yubico is one of the many companies manufacturing security keys. It was founded in 2007 in Sweden but has since moved to Silicon Valley.
Yubico has different kinds of products for different use cases. Some security keys are only for mobile devices, others only for desktop/server use. Some can handle authentication to many different devices, like the YubiKey 5 NFC, which at the time of writing is the newest version and can be used with mobile devices, desktops and servers. This, of course, requires your phone to have NFC.
If you would like to see which services Yubico products work with, they maintain a list of all partner services. Check it out here.
If you decide to go with Yubico’s YubiKey products, you can check their product selection quiz. It will help you choose the right product for your needs quickly. It is also a good practice to buy two keys for one person and register them both to all of the services used. This way you make sure that if you lose the main key, you are still able to access your accounts with the spare key. The spare key should be stored somewhere safe.
And a quick disclaimer: this post is not associated with Yubico in any way. I personally liked their products and decided to go with them, as they are one of the most reputable vendors out there at the moment.
Different keys also offer different functionality; some are multi-protocol security keys and support several of the following:
- FIDO2 (2FA, Multi-Factor, Passwordless)
- U2F Device (2FA for Google, Dropbox, GitHub, Salesforce, etc.)
- Smart Card (PIV/OpenPGP)
- OTP (YubiOTP, HOTP, TOTP)
FIDO2 is an extension of FIDO U2F. It is based on public key cryptography, and Yubico keys that support FIDO2 are capable of strong single-factor (passwordless), strong two-factor and multi-factor authentication.
These capabilities can replace username and password logins. Instead, we can use hardware-backed public/private-key credentials. These credentials cannot be reused, replayed or shared, which makes them safe to use: the user is not vulnerable to phishing or Man-In-The-Middle (MITM) attacks. Just don’t lose the key and you are safe!
Read more on FIDO2 from the FIDO Alliance website.
U2F stands for Universal 2nd Factor and it is an open authentication standard. U2F can be used together with biometrics, a PIN code or a username/password. After authenticating with one of those methods, the user has to authenticate with their security key. The authentication process requires two verifications and is therefore 2-factor authentication.
You can read more specific details about U2F from here.
Personal Identity and Verification Card (PIV), the interface specified for smart cards, is supported by the following Yubico products:
- YubiKey 5 Series
- YubiKey 4 Series
- YubiKey NEO
If you are looking for a guide to deploying your YubiKey as a smart card, I suggest you check out this guide by Yubico.
OTP stands for One-Time Password and it simply means a password that is only usable once. A good example of a one-time password is the code generated by an authenticator app on a phone. The code changes constantly and has to be entered before it changes for the user to log in successfully.
OTP has a few variations that work differently. To understand OTP in more detail, start from here.
Challenge-response is a way of authenticating by presenting a question, known as the challenge. The party receiving the challenge then has to provide the other party with an answer, known as the response. If the response is correct, the authentication is successful.
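As an added illustration, not code from the original post or from Yubico, here is a simplified model in Go of the challenge-response exchange described above and of why the FIDO2/U2F credentials discussed earlier resist phishing: the key signs the server's random challenge together with the origin the browser reports, and the server verifies against its own origin and a strictly increasing counter. Real FIDO2 signs additional fields and uses attestation; the type names and the constructed origins used in the check are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Authenticator models the key: the private key never leaves it, and a counter rises per signature.
type Authenticator struct{ priv *ecdsa.PrivateKey; counter uint32 }

// Register creates the key pair and hands the server only the public half.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}

// signedData is what gets signed: origin reported by the browser, device counter
// and server challenge. A look-alike site's origin gives a signature the real site rejects.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	binary.Write(h, binary.BigEndian, counter)
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticate answers a challenge; the browser, not the user, supplies the origin.
func (a *Authenticator) Authenticate(origin string, challenge []byte) ([]byte, uint32, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, a.counter, challenge))
	return sig, a.counter, err
}

// RelyingParty is the server: it keeps the public key and the last counter seen.
type RelyingParty struct{ Origin string; PubKey *ecdsa.PublicKey; LastCounter uint32 }

// Verify checks the signature against the server's OWN origin and rejects any
// counter that has not moved forward (a replayed or cloned-key response).
func (rp *RelyingParty) Verify(challenge, sig []byte, counter uint32) bool {
	if counter <= rp.LastCounter || !ecdsa.VerifyASN1(rp.PubKey, signedData(rp.Origin, counter, challenge), sig) {
		return false
	}
	rp.LastCounter = counter
	return true
}
```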
Online account security
You might be wondering why you would need this if you already use unique and strong passwords and store them in a password manager.
Well, security keys add an additional layer of security. As mentioned before, you have to provide both your password and your security key. That means you have 2-factor authentication in use!
Security keys don’t really make the login process longer; it only takes seconds to use the key. In some cases they can even simplify the login process, if you decide to use passwordless login. Note that passwordless login is only available for Windows 10 at the time of writing.
Using only a password to log into an online service makes you vulnerable if the service has a data breach and did not hash, salt or store users’ passwords correctly. And believe me, data breaches happen every day and not every service follows best practices.
As it is the service’s responsibility to take care of hashing, salting and storing user data securely, users never really know what is going on under the hood. It is better to protect your own accounts as well as you can, because mistakes, misconfigurations and data breaches do happen all the time.
A password stolen from an online service becomes useless if you are using a security key as your 2-factor authentication method. This only holds if you don’t reuse the same password with a service that doesn’t yet support security keys for 2-factor authentication.
Guide on using YubiKey 5 NFC with Google
Now that we know what security keys are and how they help us stay in control of our accounts, we can proceed to take one into use. This is a quick example of how easy it was for me to start using the YubiKey 5 NFC with my Google account.
First, you need your YubiKey. I ordered mine straight from Yubico to make sure it is the real deal. You can order YubiKeys from their online store. If you are using some other model, make sure it works with U2F and plugs into USB.
You can also use other security keys from Yubico or from a different manufacturer as long as you make sure they are compatible with Google or any other services you want to use them with. However, the setup with a different key might be different, so make sure you follow the guidelines provided with your key.
Also, check the vendor’s resources to make sure your browser supports the protocol used by the security key. Chrome, Firefox, Opera and Edge now support the U2F and FIDO2 protocols.
Navigate to your Google Account. You can use this link: https://myaccount.google.com/
Sign in, if you aren’t already. On the left side, you should see navigation with multiple links. Click the one that says Security.
You should now see a section called Log
If you haven’t used any 2-factor authentication method before, you have to click Get Started.
In my case, I had used 2-step verification before, as you can see from the image above. If you had as well, just click on the 2-step verification and then click on Add a Security Key.
Make sure you have your YubiKey ready and then click on Next.
Plug the key into your USB port and then tap the golden circle on your YubiKey if it has one.
Your YubiKey should now be registered to be used with your Google account and you can give it a name.
You can now view, change or delete your security key from your Google account by going to the Security page and clicking on the 2-step verification.
You can also set Google to remember your login on that device, so you don’t need to provide your password and security key again on that laptop, phone or other device.
If you decided to go with two security keys, repeat the steps for the second key and store it somewhere safe. The main key can be on your keychain and the spare one should be stored so that it won’t get lost but can be accessed quickly when needed.
Now you are all set to start using your Google account with 2-factor authentication using your security keys!