Google trusts them, we trust them, and here’s why you too can rely on security keys like the YubiKey and Titan Key.
The Google Advanced Protection Program was introduced back in October 2017, and it’s still one of the strongest security solutions you can find.
The program requires not one but TWO physical security keys so that you have a backup if the main one gets lost. The physical key takes two-factor authentication (2FA) to the next level by requiring a unique physical object that remote hackers have no chance of replicating. Google touts the program as an especially strong defense against phishing.
Researchers at the company studied the effectiveness of various two-factor authentications and multi-factor authentications before launching the program. A better solution, they realized was the universal second factor, or U2F, a security protocol that uses a physical key. Standard 2FA uses a security question or a one-time texted password as the second security element, but for its Advanced Protection Program, Google will only allow physical security keys as the second factor.
“Academic research has produced numerous proposals to move away from passwords,” wrote Google researchers in a 2016 study on security keys, kicking off the Advanced Protection Program. To sign up for the program, users are directed to buy two security keys. Google provides links to the Titan Security Key, sold in the Google store, and a search result page of other U2F keys approved by the FIDO alliance, a tech industry authentication standards group. In fact, originally Google used and endorsed YubiKey’s from Yubico.
Security keys are affordable, easy to use, and almost indestructible. They are no larger than a USB stick and they serve one function — to provide its unique login credential to your account. Security keys can be used for more than Google also. Online services such as Facebook and Dropbox, password managers like LastPass and Dashlane, and operating systems like Windows and macOS can be accessed with U2F keys.
And once the keys are tied to your accounts, there is no logging in without one of them. You’ll need it in addition to the account password, as will anyone else who wants to crack into your account. Should one key get lost...well, that’s why you have a backup. But should BOTH keys get lost, there is no workaround or easy recovery. There are steps you can take to regain the account, but it takes days. This is good security, as it makes it impossible for anyone to impersonate you to crack into your accounts. And in these days of rampant data breaches and phishing, good security can be the difference between happiness and ruin.
This article is an adaptation of "How Yubikey could double-lock your online accounts," originally published by The Parallax on November 1, 2017. Avast is a sponsor of The Parallax.