
Privacy Upgrade – Using a U2F hardware key

Because SMS 2FA isn’t enough

If you care about your privacy and security, you probably know that passwords have too many weaknesses to trust that they’re enough to protect your accounts. To stay secure, perhaps you’ve set up 2-Factor Auth (2FA) on at least a few of your most important accounts.

But you’re probably getting your 2FA codes via SMS, or maybe you’ve upgraded to the more secure Authenticator Apps on some of them. As helpful as they are, they still have some weaknesses and vulnerabilities. So would you like even MORE security?

The ultimate upgrade is to generate the 2FA codes cryptographically in real-time based on your possession of a physical device. This is done with a hardware key. With these devices, you’re far less likely to have a hacker compromise or tamper with your accounts. And because hackers usually do most of their dirty work remotely, a U2F hardware key puts a stop to that because you need to have the key with you physically.

These devices are called hardware keys, and are based on the Universal 2nd Factor (U2F) standard, which is an open authentication standard that allows you to securely access online services with a single security key and without the need for drivers or client software. They are simple, quick and convenient.

Putting a hardware key into practice

Here’s how the key set-up process works: First, you will need to connect the key to your device and register it with a compatible service. Then, to connect it with password-protected sites and services, you will need to connect each from the device you’ll be using to log in. Tap the token button and you’re ready to start using the key.

Once set up, the process uses a challenge-response authentication method to give you access. Each time you want to log on to a secure site, you insert the key into your computer or connect it wirelessly. You activate a button on the key, and the account site’s server generates a ‘challenge’ – a random number – that your browser passes to your security key to validate the site’s domain name. Once validated, you’re in. Cryptography used between your device and security key is what keeps your data safe each time because the transaction is hidden behind coded language.
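The challenge-response exchange described above, as a simplified Node.js model. This is an added example, not code from the article or from any key vendor, and it shows why a look-alike domain that relays the real site's challenge still gets nothing useful from the key. The class names, the example.test origins and the per-origin key store are assumptions made for illustration.

```javascript
// Added example: simplified model of U2F challenge-response, not a real authenticator.
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const u32 = (n) => { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; };
// Bytes that get signed: origin hash, user-presence flag, counter, hash of client data.
const signedBytes = (origin, counter, clientData) =>
  Buffer.concat([sha256(origin), Buffer.from([1]), u32(counter), sha256(clientData)]);

class SecurityKey { // assumption: keys are stored per origin instead of in key handles
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // the site stores only the public key
  }
  sign(origin, clientData) { // origin is supplied by the browser, not by the page
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // nothing registered for this origin
    const counter = ++this.counter;
    return { counter, signature: crypto.sign('sha256', signedBytes(origin, counter, clientData), privateKey) };
  }
}

class Site {
  constructor(origin, publicKey) { Object.assign(this, { origin, publicKey, lastCounter: 0, challenge: null }); }
  newChallenge() { return (this.challenge = crypto.randomBytes(32).toString('hex')); }
  verify(clientData, response) {
    if (!response) return 'no-response';
    const { challenge, origin } = JSON.parse(clientData);
    if (challenge !== this.challenge) return 'bad-challenge'; // stale or reused challenge
    if (origin !== this.origin) return 'bad-origin';
    if (response.counter <= this.lastCounter) return 'bad-counter'; // possible cloned key
    const data = signedBytes(this.origin, response.counter, clientData);
    if (!crypto.verify('sha256', data, this.publicKey, response.signature)) return 'bad-signature';
    this.lastCounter = response.counter;
    this.challenge = null; // each challenge is single use
    return 'ok';
  }
}

// The browser builds the client data from the challenge and the origin it is really on.
function browserLogin(key, site, visitedOrigin) {
  const clientData = JSON.stringify({ challenge: site.newChallenge(), origin: visitedOrigin });
  return site.verify(clientData, key.sign(visitedOrigin, clientData));
}

function demo() {
  const key = new SecurityKey();
  const site = new Site('https://example.test', key.register('https://example.test'));
  return [browserLogin(key, site, 'https://example.test'), browserLogin(key, site, 'https://examp1e.test')];
}
console.log(demo()); // second entry: the same challenge relayed through a look-alike origin
```

Because the origin comes from the browser and is part of the signed bytes, the site can reject a response even when the key has also been registered on the look-alike domain.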

What kind of hardware key should I get?

The most popular hardware key at this time is YubiKey from Yubico, which pioneered the but made consortium known as the FIDO Alliance and the tech is available on many different models of hardware keys on the market. Other vendors include Thetis, Kensington and Google.

Any hardware key that is compatible with the U2F standard will work with any compatible service, but there are differences when it comes to the interfaces supported by the key. This directly determines which devices it can work with, and some keys are not compatible with mobile devices. It’s important to determine what kind of device you will be using to access secure sites first before purchasing a key. There are USB-A and USB-C keys for PC users, NFC for Android devices, and Bluetooth keys, which are needed on mobile devices that do not have NFC.

Keys are available for anywhere from $10 to $60, and more expensive models offer additional features.

Is there a downside to using a hardware key?

The biggest downside is, of course, that it is a piece of hardware, which means you have to carry it with you to use. And like anything you carry with you (keys, wallet, gloves), it can be lost. Data cannot be migrated between keys, so you can’t ‘copy’ a key. If you lose your key, you will have to go through the process of reauthorizing your accounts all over again.

There is a solution to that problem, however. Some services (not all) allow you to register multiple keys, so if you do lose one, you’ll have another key that will let you into your account. However, that does mean you’ll have to purchase multiple keys, so it may not be the best solution for you.

Also, hardware keys are not supported by very many sites or accounts. The current list includes Google (who has their own security key and has also turned Android devices into keys but only for Google accounts) but not Apple or Amazon. Yubico has a catalog of services and companies that work with their hardware keys. Unfortunately, there’s currently no support for any retail banks, but for other high-risk types of accounts, like email and social media, Yubico is supported.

Other than these caveats, hardware keys are simple and quick to use. A U2F security key ups your security and privacy game considerably – and should be used by anyone with a high risk security or privacy profile, or anyone who is just concerned about secure access and keeping sensitive data private.
