How to protect your Google and Facebook accounts with a security key

The keys are a step up in account security, but is implementation letting them down?


In late March I got an unsettling message on my Gmail account: "Warning: Google may have detected government-backed attackers trying to steal your password."

Google sends these warnings out when it detects that a "government-backed attacker" has attempted to hack an account through phishing or malware.

Last time I saw one, I added two-factor authentication to many of my accounts. This time it prompted me to ask: Can I do even better?


A security warning message displayed by Google.

It turns out I can.

Google suggests a security key as a more secure alternative. These are little USB devices that generate one-time tokens in place of the six-digit codes from authenticator apps.

Google supports a format called FIDO Universal 2nd Factor (U2F), which it helped develop. Keys are available that work over USB, Bluetooth, and NFC, so they can be used with a smartphone or tablet in addition to a PC.


Hardware security keys from Feitian (left) and Yubico.

They are really easy to use.

First, once you've bought a key, it needs to be registered with the site. When subsequently logging in, a prompt appears after a username and password have been entered. Authenticating with the key is simply a matter of plugging it into a USB socket and pressing the small gold disc.


A dialog box greets users signing into a Facebook account protected by a security key.

The disc triggers the key to transmit a 44-character code to confirm the login. The first 12 characters of the code are the public key of the device being used and the remaining 32 are a unique passcode for the login attempt.

On a smartphone, an NFC key can simply be placed against the back of the phone to send the codes.

And that's all there is to it. It's much easier than juggling a smartphone and authentication codes.
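To make the register-then-press flow concrete, here is an added example (not the article's, Google's or FIDO's code) that models the U2F exchange: the server stores a per-site credential at registration, and each login is a fresh challenge that the key signs together with the site's origin and a counter. A real key signs with a per-site ECDSA key pair; this model swaps in an HMAC keyed by a device secret, so the server holds a shared per-site secret rather than a public key, and all names and origins are assumed.

```python
import hashlib
import hmac
import secrets

# Added example (not the page's, Google's or FIDO's code) modelling the U2F exchange the
# article describes. A real key signs with a per-site ECDSA key pair; here an HMAC over the
# same fields stands in, so the server stores a shared per-site secret. Names are assumed.

class SecurityKey:
    def __init__(self):
        self._master = secrets.token_bytes(32)  # never leaves the device
        self._counter = 0  # signature counter, increments on every press
    def _site_key(self, key_handle, origin):
        # Fresh key per (site, registration): nothing to correlate across sites.
        return hmac.new(self._master, key_handle + origin.encode(), hashlib.sha256).digest()
    def register(self, origin):
        key_handle = secrets.token_bytes(16)
        return key_handle, self._site_key(key_handle, origin)
    def press(self, key_handle, origin, challenge):
        # The gold disc: sign (origin, challenge, counter) with the key derived for this site.
        self._counter += 1
        msg = origin.encode() + challenge + self._counter.to_bytes(4, "big")
        return self._counter, hmac.new(self._site_key(key_handle, origin), msg, hashlib.sha256).digest()

class Server:
    def __init__(self, origin):
        self.origin, self.users = origin, {}  # user -> [key_handle, site_key, last_counter]
    def enroll(self, user, key):
        key_handle, site_key = key.register(self.origin)
        self.users[user] = [key_handle, site_key, 0]
    def verify(self, user, challenge, counter, sig):
        key_handle, site_key, last = self.users[user]
        msg = self.origin.encode() + challenge + counter.to_bytes(4, "big")
        if not hmac.compare_digest(hmac.new(site_key, msg, hashlib.sha256).digest(), sig):
            return False  # wrong key, wrong origin or tampered data
        if counter <= last:
            return False  # replayed response or a cloned key
        self.users[user][2] = counter
        return True

def demo():
    # Genuine login; a replay; a challenge relayed via a look-alike domain (browser supplies the real origin).
    key, site = SecurityKey(), Server("https://accounts.example")
    site.enroll("alice", key)
    kh, chal = site.users["alice"][0], secrets.token_bytes(32)
    ctr, sig = key.press(kh, site.origin, chal)
    genuine, replay = site.verify("alice", chal, ctr, sig), site.verify("alice", chal, ctr, sig)
    chal2 = secrets.token_bytes(32)
    ctr2, sig2 = key.press(kh, "https://accounts-example.test", chal2)
    return genuine, replay, site.verify("alice", chal2, ctr2, sig2)
```

The origin is supplied by the browser, not typed by the user, which is why a response produced on a look-alike domain cannot be accepted by the real site and why a captured response cannot be reused.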

Before you commit

U2F is currently only supported by two browsers, Google Chrome and Opera. Together, they account for about two-thirds of desktop browsing and are available on Windows, macOS, and Linux, so a good portion of the market is covered, but if you prefer Firefox, Safari, or another browser, you'll need to switch.

And U2F only works on a handful of sites and services at present, but they do include some major ones like Google, Facebook, Salesforce, GitHub, and Dropbox. Simply securing your Google and Facebook accounts might be compelling enough to add a security key to your key ring, because both sites are prime targets for cyberattacks and identity theft.

But if you use an iPhone or iPad, bad news: the keys don't work properly with these devices. You should have no problem with Android.


Yubico's smallest key can slip into a wallet or remain in a USB socket.

Also consider logistics. With an authenticator app, the codes are wherever your phone is, and your phone is usually with you. With a security key, you'll need to carry it around. The good news is that it's small, very sturdy and easily sits on a keyring.

Know your standards

The security key can also be used to protect access to a password manager.

The Dashlane password manager supports FIDO U2F, while several competitors, including LastPass, support OTP, a similar but incompatible standard. So shop carefully: not all keys generate both U2F and OTP codes.

Some of the most popular keys come from Yubico and most support both U2F and OTP, but the cheapest of the company's line-up isn't compatible with OTP.

One step forward, two steps back

While Google and Facebook both promote security keys as a better way to keep your account safe, both companies have a huge hole in their implementation. Both still offer the ability to log in using an alternative method, either a code from a two-factor authentication app or one sent via SMS.


A login screen for Google.

That means your account is only as secure as codes delivered by SMS text messaging, and that's a problem because SMS is not a secure transmission channel. Hackers have already managed to attack bank accounts protected with SMS-based authentication codes due to weaknesses in the protocol.

It would be nice if both services allowed users to disable the ability to fall back to other login methods.

At a minimum, you'll want to set up account login alerts, so if someone does manage to get into your account through the SMS channel (admittedly, a pretty big undertaking) you'll know about it.

Google and Facebook wouldn't comment on their use of security keys.

Where can you use security keys?

Yubico has a helpful matrix on its site detailing compatibility, and there are a couple of listings of sites that support security keys and the standards they use. One is maintained by Yubico, but the most exhaustive I found was from Germany's Nitrokey, which also sells security keys.

Martyn Williams

IDG News Service