You wouldn’t leave the door to your house unlocked, so why leave it open online for criminals to access your data?
You don’t have to be a cybersecurity expert to understand the importance of protecting your online data, particularly access to your financial accounts. Unfortunately, people fall victim to scams, data breaches and malicious hackers specifically targeting passwords all too often. Single-factor authentication, like a password, may have once been enough to get the job done, but it has since been rendered obsolete by determined criminals.
But a hardware security key uses multi-factor authentication, or MFA, which requires you to verify your identity with more than one source. Many sites already require multi-factor authentication using a PIN or password verified via phone or email, and it’s highly recommended that you enable MFA for all of the most important online services that you use, even if it isn’t required.
However, using a hardware security key can be faster and easier than getting a code sent to you every time. It’s like using a key to enter your home. It can be less intrusive and more secure than other forms of MFA.
What is a hardware security key?
A hardware security key is a physical device that supports MFA of online accounts. These devices use public key cryptography, which creates two keys for your data: one public and one private. Your data is encrypted with the public key, but can only be decrypted by the private key.
This makes it one of the most secure authentication methods possible. Hardware security keys are among the strongest protections available against online threats like phishing scams.
Unlike other means of multi-factor authentication, such as transmitting a one-time code by text or email, hardware security keys require the purchase of a physical dongle that connects to your phone or computer. They are usually the size of a standard USB drive or smaller.
There are several companies that make hardware security keys, with the leaders being Yubico, Google Titan and Thetis. All three are compatible with the most popular browsers and services.
How do you use a security key?
You should receive instructions with your hardware security key for setting it up, but in general:
- Once you have the key, you’ll need to enroll it with an account that accepts security keys.
- Go to a website where you have an account to change your login settings. We’ll use Google as an example. You’d head to your Google account management page. From there, choose “security” and navigate to “how you sign in to Google.” Here you can choose 2-Step Verification.
- Insert the key into your device to connect it to your account.
- Once it’s connected, you’ll need to insert your key each time you want to log in to your account.
Try not to let these steps discourage you. After all, it’s harder to lock your door than it is to leave it open, right? It’s a preventative measure that can save you from a huge headache if your info is breached.
What should I look for in a security key?
There are a number of features to consider when picking the best hardware security key for your needs:
Compatibility
If you have a newer device you’re protecting, you’ll likely want a security key that’s compatible with USB-C, but you can also find keys that are USB-A compatible. Some security keys also support wireless near-field communication (NFC). Google’s Titan Security Key has tighter integration with Google’s services, such as Google Cloud.
Security level
When it comes to security standards, you should get at least FIDO U2F certification, which supports the most basic security key uses.
FIDO, or Fast Identity Online, is a set of standardized authentication protocols aimed at removing the need for a password while maintaining a high level of security. The protocols include anti-phishing, biometric data safeguards and compliance with data protection standards, among others.
The next level is FIDO2/WebAuthn, which is compatible with additional types of authentication. FIDO2 features greater security measures against phishing scams and other security issues.
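An added example (not from the original article) of how the public/private key pair and the anti-phishing protection described above fit together: the site sends a random challenge, and the key signs it together with the address the browser is actually on. It is a simplified model, not the real WebAuthn message format; the function names and the example.com / examp1e.com addresses are constructed for illustration.

```javascript
// Simplified model of a FIDO-style login (added example, not the WebAuthn wire format).
const crypto = require('node:crypto');

// Enrollment: the key creates a fresh pair (prime256v1 = NIST P-256).
// Only the public half is handed to the website.
function enroll() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// Bytes that get signed: a hash of the site address plus the server's random challenge.
function signedData(origin, challenge) {
  const originHash = crypto.createHash('sha256').update(origin).digest();
  return Buffer.concat([originHash, challenge]);
}

// Runs on the key: sign the challenge bound to the address the browser reports.
function keySign(privateKey, browserOrigin, challenge) {
  return crypto.sign('sha256', signedData(browserOrigin, challenge), privateKey);
}

// Runs on the server: accept only a signature over its own address and its own challenge.
function serverVerify(publicKey, expectedOrigin, challenge, signature) {
  return crypto.verify('sha256', signedData(expectedOrigin, challenge), publicKey, signature);
}

// Constructed scenario: example.com is the real site, examp1e.com a look-alike page.
function demo() {
  const { publicKey, privateKey } = enroll();
  const real = 'https://example.com';
  const lookAlike = 'https://examp1e.com';
  const challenge = crypto.randomBytes(32);
  const genuine = keySign(privateKey, real, challenge);
  // The user is on the look-alike page, which passes along the real site's challenge.
  const relayed = keySign(privateKey, lookAlike, challenge);
  // A later login gets a new challenge, so an old captured signature is useless.
  const nextChallenge = crypto.randomBytes(32);
  return {
    genuineLogin: serverVerify(publicKey, real, challenge, genuine),
    phishedLogin: serverVerify(publicKey, real, challenge, relayed),
    replayedLogin: serverVerify(publicKey, real, nextChallenge, genuine),
  };
}

console.log(demo());
```

Only the login made on the real address verifies; a one-time code typed into the look-alike page would have no such binding to the address.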
Capacity
While multiple accounts can be on a single key — which is easiest to manage — in an ideal world, each account should have its own key. If you have all of your accounts on a single security key, it makes it all the riskier if you lose that security key or if someone were to get their hands on it.
Other features
Some keys can also include fingerprint readers or biometric scanners for an additional layer of security.
Price
Basic models can start at about $30, while the most expensive ones approach $100. It’s also recommended that you purchase a backup key, which can factor into which model you’re looking into. Having a spare key can come in handy should you ever misplace your main key.
What happens if I lose my hardware security key?
If you lose your key, you should still be able to access your account. The beauty of multifactor authentication is that there are multiple ways to verify your identity. So long as you had other MFA set up before you applied the security key, you should be able to access your account even if you lost your key.
Each hardware security key manufacturer also recommends having a backup key, or a “spare key” to add to your account in addition to your main key in case the first one goes missing. After all, you wouldn’t have only one key to your house.
Other ways to keep your information secure online
Beyond multi-factor authentication, here are some other tips for keeping your online information secure:
- Create strong passwords. Even if your password is just one step in your multi-factor authentication, you still have a responsibility to make it strong. Try not to use the names, birth dates or addresses of yourself or loved ones as any part of your password. Make sure your passwords include a mix of upper and lower case, as well as special characters, when permitted. Or, use a password manager to do it for you.
- Be careful what you share on social media. While it can be fun to let your friends know what you are up to, use caution. Many people publicize information that can be used to hack your account, including your hometown, birthday and details of your past.
- Be extremely cautious about links and attachments. If you receive an email or text with an attachment or a link, it could be the toehold that a hacker needs to gain access to your account. Worse, these links and attachments may come from a trusted source who’s been hacked themselves. Only click on links or attachments that you’re expecting — if in doubt, reach out to the source of the message separately to confirm.
And if you’re worried about having your personal or financial details compromised, investing in an identity theft protection service with white-glove restoration can offer you peace of mind.