Two-Factor Authentication with Yubikey – What is it?

Yubico FIDO U2F dongle

If you’re here it’s probably because you received a Yubikey USB dongle from me for Christmas 2017, and you’re probably wondering what the heck it is, even if you’ve Googled it. I’ve got you covered!

What is a Yubikey?

A Yubikey is a USB two-factor authentication dongle made by the company Yubico, an industry leader in this type of equipment.

You can learn more about Yubico here: https://www.yubico.com/about/about-us/

What is Two-Factor Authentication?

In computer security, Multi-Factor Authentication (MFA) means you must present multiple forms of identification to a computer system in order to gain access. A password by itself is a form of Single-Factor Authentication. In other words, all you need to know to gain access to your Facebook or Gmail account is your password. Once you turn on MFA, a password alone is not enough to log in to them.

Two-Factor Authentication (2FA) is a type of MFA where you use a password plus one other thing to log in. A password is something you know, and the other thing – in this case a Yubikey – is something you have. A hacker can know what you know (your password) but they cannot have what you have (the Yubikey you now own).

Sounds Like a Pain in the Butt!

Two-Factor Authentication certainly can be a pain in the butt. It certainly has been in the past, but the security industry has done a lot of work to make it way easier and more convenient over the last couple of years.

The easiest form of 2FA for many people, and one which you may be familiar with already, is having a temporary code text messaged to your phone or sent to your email when you log into something like your online banking website. While this is better than no two-factor, it’s not the best method because it’s shockingly easy for a hacker to intercept these codes.

The best form of second-factor authentication is a physical device like a Yubikey or a smart card. Smart cards are generally more difficult to set up, but luckily the Yubikey is dead simple to use. For many websites it’s as easy as going to your security settings and clicking “Enable”.

Why Should I Bother With All This?

2017 has been dubbed “The Year of the Breach” by many cybersecurity experts and journalists. It’s not hard to see why. This year we saw, or newly learned about, some of the largest data breaches we’ve ever seen. The Identity Theft Resource Center has identified 1,293 data breaches this year, including personal information and passwords.

Phishing emails continue to be the number one way hackers deliver malware to people’s computers. These statistics on Barkly tell the story. The industry has seen nearly 1 million new malware threats released to the internet every day for the last several years. Many of these malware programs steal usernames and passwords from your computer.

What I’m getting at here is that your passwords are probably floating around the internet already, and if they aren’t yet they will be eventually. The website Have I Been Pwned tracks all thefts of data where usernames and passwords are involved. As of 23 December, 2017 they have identified 4,846,841,219 – nearly 5 billion – usernames and passwords that are available to hackers to use.

Using the Yubikey you now own stops all but the most sophisticated hackers from being able to use the usernames and passwords to hack your online accounts. How? Because when you turn on Yubikey authentication the hacker MUST have the Yubikey to make use of the stolen credentials and log in! And only you have it!

I’m Not a Senator, a CEO, a Nuclear Scientist, or Something… This Means Hackers Wouldn’t Be Interested in Me, Right?

It’s tempting to think you’re not important enough to be hacked, but most hackers aren’t going to be picking specific people of interest to hack. They’re going for economy of scale. They do this through automation. Computers owned by hackers run programs that use the 5 billion stolen usernames and passwords to automatically and constantly try to log in to various websites.

This is known as brute forcing. Statistically speaking they’re always guaranteed to have some successes, and when they get in they’ll act on their objectives.

If they’ve targeted an online banking site – Wells Fargo or Bank of America, for example – they’ve gained a lot of power to steal your money.

You don’t have to be special. All you have to do is be a target of opportunity. By using the Yubikey you just received you can take some of the control back and help prevent yourself from becoming a victim of a drive-by hack.

Okay, I’m Convinced. How Do I Use It?

Sweet!! First, please feel free to call me if you have any questions or need any help. My contact details are always on my site here.

Second, it’s pretty easy to get it going yourself. The only catch is not all websites support the Yubikey. Still, the ones that do are pretty important! Google, Gmail, Facebook, Dropbox, Bank of America and many others allow you to use your new Yubikey to better secure your accounts.

One of my favorite websites is Two Factor Auth, which lists all websites that support MFA and provides setup instructions for all of them.

Once you’ve set it up, all you have to do to use it is go to the website you’ve enabled it on, plug in your Yubikey, and touch the gold circle with the flashing light on it. That’s it! You’re in!

And that’s the magic of the Yubikey. A hacker can know your password, but they can’t have your Yubikey and press the gold circle with their finger. Only you can.

Eh, I Don’t Want to Use It.

That’s fine! I’m not here to force anyone to do anything they don’t want to do. I have a lot of experience in cybersecurity and I see turning on Two-Factor Authentication as a HUGE thing people can do to take control over their digital lives.

I bought these and set up this website to encourage you to use 2FA. I know it’s extra steps and sometimes stuff like this just doesn’t seem worth it. And that’s OK. You have to want to do it – not be forced into it. Security shouldn’t work by force.

Please do me a favor, though. Keep it around even if you don’t want to use it now. At some point you may be hacked yourself and you’ll remember this gift and site. I’ll keep this page up forever and you can always call or email me if you get into a situation like this.

Merry Christmas and Happy Saturnalia!

 
Ho Ho Saturnalia