Good cyber-hygiene is as important, and as neglected, as good personal hygiene and looking after our health and relationships. Apart from gently encouraging you to brush your teeth twice a day and to call your mother, there’s not much more I can tell you, but it’s a different story when it comes to protecting your online identity.
We all know - and we do; there isn’t really an excuse - that we need unique logins for each site and application we use, that we should use multi-factor authentication, and that we should have passwords that are mathematically complex to break.
However, today's emphasis on SMS text message-based multi-factor authentication might be doing more harm than good. The principle was sound - a bad person could get your username and password but wouldn’t have the time-limited code sent directly to your mobile phone, so even if your credentials were compromised nobody else could log in as you. Well, except for the fact that the bad guys started using identity theft to transfer mobile services to blank SIM cards and thus gain control of all your incoming SMS messages.
There's a good example in the Gimlet Media “Reply All” podcast episode where cybercriminals use this tactic to steal social media accounts with prized usernames, which they then sell. Fortunately, these guys aren't out to rob you, but even so, the message is that you ultimately can’t rely on SMS-based authentication to protect you.
A helpful, if that's the right word, hacker gives the Gimlet team his recommendations on how to keep yourself truly safe online and to protect yourself from people like him - which include using Yubico’s hardware-based YubiKey solutions for your authentication, not SMS. People don’t need to handle your mobile phone to steal your number, but they are powerless if they can’t get their hands on your YubiKey. This advice comes not from Yubico’s marketing team but from a person who makes his living stealing people’s online accounts, which makes it a powerful testimony.
To be clear, a YubiKey is a hardware device with vast multi-protocol support (FIDO2, FIDO U2F, smart card PIV, Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP and challenge-response) that provides password-less authentication with no reliance on a mobile phone or phone number. Yubico has been doing this for some time, and the current crop of YubiKeys is its fifth-generation product. Not only is it more secure, but it allows you to sign in four times faster than using a mobile authenticator app or an SMS message.
The YubiKey 5C NFC includes near-field communications (NFC) support, while also sporting a USB-C interface to accommodate your non-NFC devices. Having both options in one product is tremendous because you can use the same device to access your accounts no matter if you move across computers, tablets and phones over the course of your day. This is truly a solid, reputable, reliable, strong authentication protection product that supports the fluidity of modern computing.
Despite the power and capability it brings, it's trivially simple to use your YubiKey. Log in to yubico.com/start, choose your key and follow the instructions to set it up. From then on, merely hold the key near your device or plug it in to have the YubiKey authenticate for you.
For IT departments, Yubico's research finds a 92% reduction in support costs when YubiKeys are deployed. This not only resolves many login problems but also diminishes the risk of fraudulent logins.
In iTWire's own testing the YubiKey 5C NFC worked a treat, providing fast and effective logins across Windows and macOS laptops, a Windows PC, an iPhone and an Android smartphone. From a testing point of view, there is little to say - in fact, it’s almost blandly and unexcitedly dull how effortless and seamless it is to operate the YubiKey 5C NFC. Open an app or website, present the key, continue. That’s it!
We know good password and authentication security is important. When it becomes this simple there’s no reason to put it off any longer. You can find YubiKey resellers online.