As we become more dependent upon online platforms for social and professional purposes, it grows increasingly important that we embrace stronger online security measures. One of the most important steps[1] you can take to secure your online services is setting up two-factor authentication. This protocol—commonly abbreviated as 2FA—requires you to type in a password and also provide one other piece of proof that you are who you say you are before you can log into a service. One of the more common 2FA methods in use today employs six-digit passcodes that are sent to your phone via text message. When a unique scramble of numbers shows up on your phone, you type them into the browser along with your password at the login screen. Combined with a strong passphrase like those generated by password managers such as 1Password or LastPass[2], a 2FA login is quite effective at verifying your identity.
But no matter how strong a password is, or what level of code-based authentication a website is using, any system that sends codes in a text message can be compromised from afar[3] by a skilled attacker. The best way to set up two-factor authentication is using a secure app on your phone to generate those six-digit codes, or to carry a piece of hardware that can verify your identity.
A device like the YubiKey is just that sort of hardware. These little key-shaped fobs plug into your computer and, along with your password, complete the second half of a 2FA web login. A hacker might find a way to snoop on your passwords or intercept a six-digit 2FA code while it’s being sent to your phone, but they’d be hard pressed to snatch an actual key...