safe login | yubikey

passkey inserted

logging into an account such as paypal, amazon, ebay, instagram, the train app, your employer’s intranet, cloud storage or your email client should be done with care. name and password is not enough any more. actually, it is careless to use one password, even if the password is unique and complex.

what we all should do instead is activate the so called 2 factor authentication (2FA). it basically means that you deliver your name (or email) and password to the site you’re logging into as usual, and in addition to that you provide a certification which is being produced locally.

the charm of this process is that if a hacker steals your email address and password (for example by getting access to an online game server or breaking into a social network site), he/she still cannot log into your account. the hacker needs to get “personal”: access to your phone, your home, your face (for facial recognition) or finger print.

the downside is that you need something to create the additional certification. in the old online banking days the TAN list did that job. it is an early example of 2FA: you had to log into your account with your password (first factor), but for actions like a money transfer you needed one number out of your personal TAN list (second factor) which you kept at home in a safe place.

there are basically to ways to create the second factor: by using an app on your smartphone. or a hardware key which you connect via NFC or USB to your computer or tablet or phone. the most used app for 2FA is google’s authenticator. it creates a six digit code which runs out within 60 seconds. in the app you store the sites you want to use 2FA for. the codes are being produced locally on your device. google does not know anything about it.

authenticator app

an even safer method is to use a hardware key such as the yubikey. it works by pressing a button on the key to create the 2nd access step. the problem is that you need to carry the key with you, for example on a business trip or on your vacation in italy. and it is tricky with some websites such as wordpress to activate the key as the 2FA tool.

good news is that if you activate two factor authentication with the key and the app, you have the choice when logging in. if you don’t have your key with you, you select the authenticator app instead. it is also pretty simple to deactivate either of the options. important, however, is that you stick to some kind of 2FA.