Keeping online accounts secure is critical for journalists or anyone working with sensitive information. You’re more likely to be targeted and you have sources or data you need to protect. You’re also on deadline, and can’t have security slow you down. So what should you do?
Secure your email with a $25 physical key like this.
This post is a guest piece from Wonder Tools reader Paul Schreiber, @paulschreiber, Director of Engineering at Tech Matters. Paul wrote persuasively to me about the value of security, and I suggested he share a summary of his #1 piece of advice.
Two-factor authentication (2FA) is all about adding a layer of security beyond a password that can be stolen. Not all forms of two-factor authentication are equal. Some 2FA methods— like text messages, authenticator apps and push notifications— are vulnerable to phishing attacks. If someone can trick you into typing in your password, they can trick you into typing in a one-time code or tapping yes on a notification prompt, too.
So what should you use? A security key.
It’s faster and easier to use than other two-factor authentication methods. A Google study showed keys reduced login time by two-thirds).
Keys are resistant to phishing attacks, since they only work on the authentic site.
According to Dr. Martin Shelton, Principal Researcher at the Freedom of the Press Foundation, “when it needs to be truly locked down, a security key — such as a YubiKey — is crucial.”
How does the security key work?
After entering your username and password, a site (like your email service) will prompt you to tap the key that’s inserted into your computer’s USB slot. That’s it!
They start at $25
Security keys are inexpensive. Yubico and Feitian both have $25 models. Students and teachers with a .edu address can save 20% on Yubico keys.
Google sells its Titan key for $30, though Google’s key doesn’t support the fancy-sounding FIDO2 standard that some Microsoft applications require.
[Note: no affiliate links are used in this post, and no one associated with this post has any financial stake in these products. We’re recommending what we think will work best for you.]
Keys work across platforms
The Yubico and Feitian keys work on modern browsers including Chrome, Firefox, Edge and Safari. You can use them with desktop computers as well as Android or iOS devices. That means you can use your key to log into email on your desktop or phone. Your key can be used to log into lots of services, including:
Email providers — Google, Microsoft, Yahoo
Social networks — Twitter and Facebook
Popular services like Dropbox, 1Password, GitHub, Cloudflare, Amazon Web Services and WordPress.com.
I recommend getting two keys, so you’re not locked out if one is lost or damaged. You can use the same keys for your work and personal accounts.
What to secure first when you buy a key
Start by securing your primary email address. Not only does it contain your most important information, it’s also the account hackers rely on to access your other accounts. That’s the lesson from the hacking disaster that befell journalist Mat Honan a decade ago. To definitively lock down your Google account, consider enabling Advanced Protection, which makes a security key the only allowed second factor.
Additional resources for more on two-factor authentication
What is two-factor authentication? Here’s a quick primer from the Freedom of the Press Foundation
Here’s a step-by-step walkthrough to help you get set up with a new key.
Directory of hundreds of services that work with 2FA.
Yubikeys are a great tool for multi-factor authentication, but when setting them up make sure you get backup codes from the application or add a second MFA tool to the account (like Google Authenticator) that you can use in case the Yubikey is lost or damaged.