Bolster your defences
The problem with SMS-based 2FA is that hackers can get around it by hijacking your mobile account and porting your number to another provider so they can intercept that text message. It’s a popular trick with scammers looking to beat online banking 2FA, so they can clean out business accounts before you even realise that your mobile has stopped working.
The solution to this SMS interception risk is to ensure that the “something you have” can’t be diverted in transit, which is where Yubico’s YubiKey comes in.
The YubiKey is a tiny USB dongle which automatically generates and enters that one-time 2FA code for you. You just stick the YubiKey in the USB port on your computer and tap on it to send the code and provide that extra bit of proof that you’re really you.
YubiKey is compatible with more than 100 online services including Google, Microsoft, Dropbox and AWS, along with social networks like Facebook and Twitter. You can also use it to manage your access to secure password lockers like Dashlane, LastPass and 1Password.
For an extra level of security, you can even use your YubiKey to confirm your identity when logging into your computer, whether it be Windows, Mac, Linux or ChromeOS.
The new 5 Series YubiKey comes in four flavours. The $61.50 YubiKey 5 NFC features a traditional USB-A connector, but adds the benefit of wireless authentication with compatible devices. It’s more handy on Android, with iOS only supporting a handful of apps like LastPass at this stage.
Meanwhile, the $68 YubiKey 5C features a USB-C connector for those devices which have made the leap to the new USB standard.
Then there are Nano versions of each, at $68 and $82 respectively, which drop NFC but are small enough to live permanently in your computer’s USB port (although that obviously defeats the purpose).
Make the switch
It’s easy to get up and running with a YubiKey, especially if you’ve already enabled 2FA on your sensitive online accounts like Google and Facebook.
It’s generally a matter of logging into a service like Google, going to the 2FA options in the security settings, adding a device and selecting YubiKey. You then stick your YubiKey into your USB port and tap the side, sending the code which links that specific YubiKey to your Google account.
The beauty of the YubiKey is that it doesn’t require any software or special drivers on your computer, you don’t need a special YubiKey account, and it works with any web browser.
This means you can sit down at any computer and log in. The YubiKey is only one piece of the puzzle, so thankfully, if you lose it, no-one else can use it to access your accounts unless they also know your logins and passwords.
The next level
Ditching SMS 2FA codes is certainly a step in the right direction but there’s still a risk that a sophisticated attacker could sting you via a phishing or man-in-the-middle attack.
For example, hackers could send you a link to a legit-looking spoof Google sign-in page and then grab your login and password as well as the YubiKey one-time code.
To thwart these kinds of attacks, these YubiKeys also support the new FIDO U2F and FIDO2 protocols favoured by Google and Microsoft respectively. Rather than simply sending a one-time code that could be typed into any page, these protocols use a challenge-response handshake in which the key’s response is tied to the web address of the site your browser is actually talking to, so a response captured by a spoof page is useless to the attacker. That is what defeats those man-in-the-middle attacks.
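To make the difference concrete, here is an added simulation (not code from the article or from Yubico) of why a relayed one-time code is accepted by the genuine site while a relayed FIDO-style response is not. The site names are constructed stand-ins, and the toy security key uses an HMAC with a per-site key in place of the real protocol’s per-site asymmetric keypair so that it runs with only the standard library; the origin check in `fido_verify` is the part that matters.

```python
import hashlib, hmac, json, secrets, struct

def otp_code(secret: bytes, counter: int) -> str:
    # HOTP-style 6-digit code (RFC 4226). Nothing in the code names the site it is typed into.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(struct.unpack('>I', mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000:06d}"

class RelyingParty:
    # The genuine site: holds the user's OTP secret and the keys their security key registered.
    def __init__(self, origin: str):
        self.origin, self.otp_secret = origin, secrets.token_bytes(20)
        self.fido_keys, self.challenges = {}, set()
    def otp_verify(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(code, otp_code(self.otp_secret, counter))
    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge
    def fido_verify(self, cred_id: str, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] not in self.challenges:
            return False  # origin binding: a response produced on a spoof site is rejected here
        expected = hmac.new(self.fido_keys[cred_id], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

class SecurityKey:
    # Toy key: a real key holds a fresh asymmetric keypair per site; HMAC stands in so this runs offline.
    def __init__(self):
        self.keys = {}
    def register(self, rp: RelyingParty) -> str:
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.keys[cred_id], rp.fido_keys[cred_id] = key, key
        return cred_id
    def sign(self, cred_id: str, browser_origin: str, challenge: str):
        # The browser, not the web page, supplies the origin it is actually connected to.
        client_data = json.dumps({"origin": browser_origin, "challenge": challenge}, sort_keys=True).encode()
        return client_data, hmac.new(self.keys[cred_id], client_data, hashlib.sha256).digest()

REAL = "https://accounts.example"          # constructed stand-in for the genuine sign-in page
SPOOF = "https://accounts-example.login"   # constructed stand-in for the look-alike spoof page

def otp_relay_accepted(rp: RelyingParty, counter: int) -> bool:
    typed_into_spoof = otp_code(rp.otp_secret, counter)   # user reads the code off the spoof page
    return rp.otp_verify(typed_into_spoof, counter)         # spoof page forwards it; real site accepts
def fido_relay_rejected(rp: RelyingParty, key: SecurityKey, cred_id: str) -> bool:
    challenge = rp.issue_challenge()                        # spoof page fetches and forwards the real challenge
    client_data, sig = key.sign(cred_id, SPOOF, challenge)  # but the browser is on the spoof origin
    return not rp.fido_verify(cred_id, client_data, sig)
def fido_genuine_accepted(rp: RelyingParty, key: SecurityKey, cred_id: str) -> bool:
    client_data, sig = key.sign(cred_id, REAL, rp.issue_challenge())
    return rp.fido_verify(cred_id, client_data, sig)
```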
The downside of these more secure protocols is that they’re not as widely supported, although the big players like Google, Microsoft, Facebook and Twitter are on board. They also require support from your web browser, with Safari the major holdout at this point.
While this kind of robust security would seem more than enough for your average person, YubiKey also supports more advanced features that might be favoured by business and enterprise users. For example, the USB dongle can act as a smart card.
So what’s the verdict?
The YubiKey is impressive in its simplicity and effectiveness, although it’s not really a question of whether or not it’s a good product. Rather it’s a question of whether it’s the right product for you, especially considering the price tag.
For starters, there is the much cheaper $27 Security Key by Yubico, which only supports FIDO U2F and FIDO2. This could be enough to meet your needs if you’re only looking to secure a Google or Microsoft account.
There are also free options like the Google Authenticator app, which can generate one-time 2FA codes for a wide range of services within the app on your phone, rather than receiving the code by SMS.
You also need to consider the hassle of messing around with a USB dongle rather than just reaching for your phone to obtain a 2FA code.
In the end it comes down to your realistic security profile. The more sensitive your business, and the more of a target you are for hackers, the easier it is to justify the expense of stepping up to a device which offers the extra protection of FIDO U2F and FIDO2. It’s certainly appealing to businesses which want to force their people to get into good security habits.
In a nutshell, if you really can’t afford to get hacked then you can afford to invest in a YubiKey 5 Series security dongle.
Adam Turner is an award-winning Australian technology journalist and co-host of weekly podcast Vertical Hold: Behind The Tech News.