How to protect your Google and Facebook accounts with a security key

In late March I got an unsettling message on my Gmail account: “Warning: Google may have detected government-backed attackers trying to steal your password.”
Google sends these warnings out when it detects that a “government-backed attacker” has attempted to hack an account through phishing or malware.
Last time I saw one, I added two-factor authentication to many of my accounts. This time it prompted me to ask: Can I do even better?
Martyn Williams/IDGNS
A security warning message displayed by Google.
It turns out I can.
Google suggests a security key as a more secure alternative. These are little USB devices that generate one-time tokens in place of the six-digit codes from authenticator apps.
Google supports a format called FIDO Universal 2nd Factor (U2F), which it helped develop. Keys are available that work over USB, Bluetooth, and NFC, so they can be used with a smartphone or tablet in addition to a PC.
Martyn Williams/IDGNS
Hardware security keys from Feitian (left) and Yubico.
They are really easy to use.
First, once you’ve bought a key, it needs to be registered with the site. When subsequently logging in, a prompt appears after a username and password have been entered. Authenticating with the key is simply a matter of plugging it into a USB socket and pressing the small gold disc.
Martyn Williams/IDGNS
A dialog box greets users signing into a Facebook account protected by a security key.
The disc triggers the key to transmit a 44-character code to confirm the login. The first 12 characters of the code are the public key of the device being used and the remaining 32 are a unique passcode for the login attempt.
On a smartphone, an NFC key can simply be placed against the back of the phone to send the codes.
And that’s all there is to it. It’s much easier than juggling a smartphone and authentication codes.
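As an added illustration (not code from the article, Google, Facebook or any key vendor), here is a minimal Go model of the U2F exchange that the button press triggers: registration creates a key pair for that one site, and every login signs a fresh challenge together with the site's identity, so a signature obtained by a look-alike site is useless against the real one. The app IDs and challenge bytes are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Key models a U2F token (constructed for illustration): one P-256 key pair
// per registered site, looked up by the site's app ID (its origin).
type Key struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewKey() *Key { return &Key{creds: map[string]*ecdsa.PrivateKey{}} }

// Register makes a key pair for the site; the site keeps only the public half.
func (k *Key) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[appID] = priv
	return &priv.PublicKey, nil
}

// signedData is the message U2F signs: SHA-256(app ID) || presence byte ||
// SHA-256(challenge). The app ID inside the signed data is what ties the
// answer to the genuine site rather than to a look-alike page.
func signedData(appID string, challenge []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	msg := append(append(app[:], 0x01), ch[:]...) // 0x01: the button was pressed
	h := sha256.Sum256(msg)
	return h[:]
}

// Sign answers one login's challenge. The site must issue a fresh random
// challenge per attempt so that a captured signature cannot be replayed.
func (k *Key) Sign(appID string, challenge []byte) ([]byte, error) {
	priv, ok := k.creds[appID]
	if !ok {
		return nil, errors.New("no credential registered for this site")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge))
}

// Verify is the site's check under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(appID, challenge), sig)
}
```

A real key also returns a key handle and a usage counter to the site; they are left out here to keep the origin binding in focus.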
Before you commit
U2F is currently only supported by two browsers, Google Chrome and Opera. Together, they account for about two-thirds of desktop browsing and are available on Windows, macOS, and Linux, so a good portion of the market is covered, but if you prefer Firefox, Safari, or another browser, you’ll need to switch.
And U2F only works on a handful of sites and services at present, but they do include some major ones like Google, Facebook, Salesforce, GitHub, and Dropbox. Simply securing your Google and Facebook accounts might be compelling enough to add a security key to your key ring, because both sites are prime targets for cyberattacks and identity theft.
But if you use an iPhone or iPad, there’s bad news: the keys don’t work properly with these devices. You should have no problem with Android.

Martyn Williams/IDGNS
Yubico’s smallest key can slip into a wallet or remain in a USB socket.
Also consider logistics. With an authenticator app, the codes are wherever your phone is, and your phone is usually with you. With a security key, you’ll need to carry it around. The good news is that it’s small, very sturdy and easily sits on a keyring.
Know your standards
The security key can also be used to protect access to a password manager.
The Dashlane password manager supports FIDO U2F, while several other competitors, including LastPass, support OTP, a similar but incompatible standard, so you need to be careful while shopping as not all keys will generate both U2F and OTP codes.
Some of the most popular keys come from Yubico and most support both U2F and OTP, but the cheapest of the company’s line-up isn’t compatible with OTP.
One step forward, two steps back
While Google and Facebook both promote security keys as a better way to keep your account safe, both companies have a potential hole in their implementations. If you set a recovery phone number to receive security codes via SMS, that phone number remains active until you disable it.
That’s a problem because SMS is not a secure transmission channel. Hackers have already managed to attack bank accounts protected with SMS-based authentication codes due to weaknesses in the protocol.
So, you need to disable phone backup. The security settings pages in both Google and Facebook will allow you to do that.
While you’re in there, it’s a good idea to set up account login alerts, so that if someone does manage to get into your account, by whatever means, you’ll know about it.
Google and Facebook wouldn’t comment on their use of security keys.
Where can you use security keys?
Yubico has a helpful matrix on its site detailing compatibility, and there are a couple of listings of sites that support security keys and the standards they use. One is maintained by Yubico, but the most exhaustive I found was from Germany’s Nitrokey, which also sells security keys.
Martyn Williams covers general technology news for the IDG News Service and is based in San Francisco. He was previously based in Tokyo.