Primer: How to lock your online accounts with a security key

A tiny slab of circuitry can lock down your online accounts against some of the most determined attacks—unless your sites, your browser, or your own inertia get in the way.

Universal second factor, or U2F, keys have spent years struggling against all three obstacles. But increasing support from major sites and browser vendors for this two-step verification technology, along with a broader industry standard called “WebAuthn,” have begun to ease their progress—just in time for the weakness of text message-based verification to become increasingly apparent.

How it works

These security keys operate using the same public-key cryptography as site encryption. You log into a compatible account such as Google, which began supporting this option in 2014, in a compatible browser (Chrome supports it by default), select an option to add a key to your account, and plug it into a USB port. It then generates a key pair for your account, sending the public key to the site while locally safeguarding the private key.

The next time you log in, and the site rates your access as unusual, you plug this accessory back into a USB port. (On a mobile device, you’d connect it via Bluetooth or NFC wireless.) Most keys will ask you to tap a button on them, though smaller models skip that step; the key then signs the site’s challenge with its private key, and the site checks that signature against the public key it stored when you enrolled the key.

You can also employ the same key to secure other sites offering this option—for example, Facebook, Twitter, and Dropbox. In some cases, such as with the password managers LastPass and Dashlane, this requires a premium subscription.

But while other two-step methods need only your existing phone, U2F demands an additional purchase. You can get a key for $20 at the online store of Yubico, the best-known provider of these accessories, though Amazon lists them from other vendors for as little as $10.

(Disclosure: Yubico gave me a USB-C security key, known as a YubiKey, when I visited one of its trade show exhibits.)

Joseph Lorenzo Hall, chief technologist for the Center for Democracy & Technology, advises that consumers insist on keys that explicitly state support for the U2F specification—and ideally those that support the superseding FIDO2 standard. To confirm those details at a database run by the FIDO alliance, a trade group behind this standard, select “Authenticator” under the “Type” menu on that page.

In an e-mail forwarded by a FIDO publicist, certification director Rae Hayward said the group has “built in rigorous back-end mechanisms” to confirm compliance with these requirements, including spot checks. She did not say whether any vendors had been booted for noncompliance.

CDT’s Hall noted that for now, the only widely available choice for iOS users is Feitian’s MultiPass key, which uses Bluetooth, as well as NFC and USB.

Compare the alternatives

Why bother with a security system that costs extra, and doesn’t work with most sites or most browsers? Because when you can use U2F, it will keep you safer.

The simplest two-step verification codes, sent as text messages, have the advantage of not needing additional hardware or software, nor even any reconfiguration when you get a new phone.

But text messages won’t reach your device if you have no signal, or if a hacker has socially engineered your wireless carrier into moving your number to another SIM card or phone. That’s become a popular way to steal Instagram accounts or stage cryptocurrency heists. This is why the advocacy group Access Now advises against SMS two-step verification.

(An Internet-calling number from a service like Google Voice, with no stores or customer service line, is less subject to those risks, though you still must secure that account.)

Using a mobile app such as Google Authenticator to generate two-step codes avoids connectivity and account takeover risks, but you must renew your authenticator setup for each covered account every time you change phones.

Even advocates of authenticator apps agree that this changing-phones experience is awful. “It is a complete, total, and unmitigated pain,” Google security product manager Stephan Somogyi told me last year.

Two-step codes from SMS or an app can be defeated by a phishing site. A 2015 report by The Citizen Lab, a project of the University of Toronto, exposed Iranian attempts to target dissidents using two-step verification: “The attacker’s log-in attempt triggers Google to send a genuine 2FA code to the victim, which the attacker then collects and enters.”

U2F security keys, meanwhile, need neither connectivity nor a phone, and should last much longer than a phone. More importantly, they only respond to the site they were registered with; lookalike domain names used in phishing attempts won’t fool them, because the browser tells the key the real address of the page requesting the login.

“Practically, they are unphishable, since there is no user input to ‘trick’ into entering into a bad/illegitimate site,” CDT’s Hall said.
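The origin binding Hall describes, as an added example that is not from the article or from any vendor’s code: a toy security key, browser and site in Python. It assumes HMAC-SHA256 as a stand-in for the ECDSA signatures real keys use and constructs sample origins; the shape of the exchange (site challenge, origin recorded by the browser, rpIdHash in the signed data) follows WebAuthn.

```python
import hashlib, hmac, json, secrets
# ASSUMPTION: HMAC-SHA256 stands in for the ECDSA P-256 signatures real keys use
# (so a site's "public key" is a per-site verifier secret); the flow's shape is real.
def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class SecurityKey:
    def __init__(self):
        self._master = secrets.token_bytes(32)   # never leaves the device
        self._registered = set()                  # sites this key was enrolled with
    def _site_key(self, rp_id: str) -> bytes:     # per-site key derived on the device
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()
    def register(self, rp_id: str) -> bytes:      # hands the site its verifier
        self._registered.add(rp_id)
        return self._site_key(rp_id)
    def sign(self, rp_id: str, client_data_hash: bytes):
        # The browser, not the page, supplies rp_id from the true origin, so a
        # lookalike domain has no credential on the key and gets no response.
        if rp_id not in self._registered:
            return None
        auth_data = sha256(rp_id.encode()) + b"\x01"          # rpIdHash || flags
        sig = hmac.new(self._site_key(rp_id), auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig

def browser_get_assertion(key: SecurityKey, page_origin: str, challenge: bytes):
    rp_id = page_origin.split("://", 1)[1]       # taken from the real page origin
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    signed = key.sign(rp_id, sha256(client_data))
    return None if signed is None else (client_data, *signed)

class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, origin.split("://", 1)[1]
        self.verifiers, self.pending = {}, {}
    def register(self, user: str, key: SecurityKey) -> None:
        self.verifiers[user] = key.register(self.rp_id)
    def new_challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]
    def verify(self, user: str, assertion) -> bool:
        if assertion is None: return False                    # key refused to sign
        client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        if cd["origin"] != self.origin or auth_data[:32] != sha256(self.rp_id.encode()):
            return False                                      # signed for another site
        if bytes.fromhex(cd["challenge"]) != self.pending.pop(user, None):
            return False                                      # stale or replayed
        expected = hmac.new(self.verifiers[user], auth_data + sha256(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)
```

A lookalike page that relays the genuine challenge gets nothing from the key, and an assertion signed for one enrolled site is rejected by another because the origin and rpIdHash travel inside the signed data.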

If you lose a U2F key, it’s no good to an adversary unless they also know your usernames and passwords and recognize the key as yours. That possibility does, however, argue for having one other two-step verification method active on your account.

Progress, at last

After years of being a bit of an infosec curiosity, U2F is getting traction in the market. The pace of site adoption has picked up—Facebook added this option in January 2017, then Twitter did in June—and browser vendors are starting to catch up with Chrome too.

Firefox already directly supports WebAuthn, though enabling it to work with keys using the older U2F standard requires changing a hidden preference. Type “about:config” into its address bar, click the “I accept the risk!” button, type “U2F” into the page’s search box, then double-click the “security.webauth.u2f” entry to change it from “false” to “true.”

Microsoft’s promised WebAuthn support in its own Edge browser arrived late, because last-minute bugs in the Windows 10 update that carried this new version of the browser pushed the release of its “October 2018” update into November. But Microsoft has since begun supporting security keys as a two-step verification method for its own online accounts.

Apple has yet to announce any such corresponding support, but the feature tracker page for the open-source WebKit code inside its Safari browser now lists WebAuthn as “in development,” after only listing it as “under consideration.”

All this may not make security keys your answer to 2018’s account security anxiety. But it does leave them in a good position to be 2019’s remedy.