Security keys, like the one pictured, are the safest way to secure online accounts. (CPJ)
Security keys, like the one pictured, are the safest way to secure online accounts. (CPJ)

Digital Safety: Using security keys to secure accounts against phishing

Hackers are using more sophisticated methods to target journalists, including those who use two-step authentication (2FA).

Two-step verification is an extra layer of security used to protect accounts. It commonly comes in the form of a PIN sent via SMS, an authenticator app on your phone, or via push notifications. Although using 2FA is a good way to increase security on your accounts, hackers are finding ways to bypass it.

The most secure way to protect accounts is by using a security key.

What is a security key?

A security key is a hardware device that you can either plug into your computer via USB or connect to wirelessly via your phone. The keys can be purchased online, for example from the YubiKey website.

Setting up your security key:

  • Look to see if the service you are using, for example Gmail, supports 2FA security keys. Not all services currently support security keys. Check the “your account” or “settings” section to see if the service will allow you to link a key to it.
  • If the service allows you to use a security key, follow the steps laid out by the service for registering the key on your device.
  • If you already have 2FA set up on your accounts, for example in the form of SMS, then disable it after you add the hardware key. You should also disable other less secure forms of 2FA, such as authenticator codes and push notifications because these can still be exploited by sophisticated phishing attacks.
  • Once the key is registered with a service, for example Gmail, on your devices, you will generally have the option to remember the key on that device so you will not have to insert it again. However, carry the key with you at all times in case the website logs you out and requires you to verify your account.
  • The same key can be used for all accounts.
  • Keep your key safe like you would your house or car keys, and know where it is at all times. Remember to take it with you when you travel.
  • Do not use backup codes with your security key. 2FA allows you to use backup codes in certain cases, for example when you are travelling and may not have access to internet or mobile signal. However, backup codes can be phished through hackers creating a spoof site mimicking those of your service provider, so they should not be used with a key.

Backing up your security key:

If you are not using any kind of backup 2FA, you may be worried about what happens if you misplace the hardware key.

  • Add a second key to your account. Follow the same steps that you used to add the first key. This may not be possible for all services.
  • Keep your second key in a safe place.
  • If you ever misplace one of the keys, you can remove it from your account in the security settings. Remember to obtain another backup so you always have two or three keys.
  • If someone finds your key they will not be able to tell which account it belongs to just by looking at the key, much like if someone finds your house key they generally can’t tell which house it belongs to.
  • While using a hardware security key for 2FA with a backup key instead of backup codes is the strongest security option currently available, if the particular website does not presently let you add a key, it is still better to use SMS, authenticator, or push notification 2FA rather than not using any 2FA. Just remain vigilant against phishing attacks that may be targeting 2FA codes.