I’ll always remember the day I created my first mail account. Fine, I lied! I don’t recall which day it was. I can’t even say the exact year. But it doesn’t matter. What matters is that I made mistakes. I had no idea I had to secure my mailbox, so I quickly picked a password that was easy to remember. I later learned that a password made of six lowercase letters is no good, and I learned it the hard way 🙁 My account got compromised. Spammers used it to send unsolicited messages, and I was also signed up for many unwanted services. The good news is that I was still in school at the time, and the account was nothing important, so I just deleted it.
Fast forward to today: people often ask me for advice when it comes to security. I discuss the safety of their websites with SiteGround clients. Online safety is overwhelming for people who are not tech-savvy, and staying out of trouble online has become difficult even for experts. Even tech giants are struggling with unauthorised access to valuable resources. In this post, I focus on how you can better protect your accounts and avoid account takeover.
How do hackers gain access to data? Account takeover is probably the biggest challenge for most systems administrators and security professionals. If an attacker gets hold of your password, you’re in trouble. Web services have evolved over the last decade. Reputable sites no longer let you use a password made of six lowercase letters. Captcha challenges are used to stop bots, and many other techniques protect people online. The attackers, however, are also getting creative: a convincing phishing page defeats a strong password and even a one-time code from an SMS or an app, because the victim types both into the attacker’s site. What is the most secure way to log in to your accounts? The answer is physical security keys.
What are physical security keys?
This is a more recent form of two-factor authentication. To log in to a site, you insert a special USB key into the computer and touch it. The key signs a challenge sent by the site, and the browser binds that signature to the real web address of the site you are on, so a phishing page on another domain cannot reuse it. (This is the FIDO U2F / WebAuthn standard that the Titan keys and YubiKeys implement.) Many sites let you trust a device, so you typically do this just once per device; if you want to access your account from a new device, you need to have your security key with you. One day attackers will probably come up with a way to hack you even if you use security keys for all your accounts, but right now security keys give you the best protection available.
If you don’t trust me, then ask Google. At the beginning of 2017, Google started requiring all employees to use physical security keys. Since then, not a single successful phishing attempt has been registered on their end. This has become the standard for over 80,000 Google employees. Last year Google even started selling its own security keys on the Google Store.
I got the Titan security key bundle right after the CMS Security Summit earlier this year. Thanks, Google, for the gift 🙂
Which websites support physical security keys?
I use the security keys I have for my Google accounts, Facebook account, GitHub account, and Twitter profile. The truth is that very few websites support physical security keys; adoption is still in its early stages. And the problem is not only the websites but also the browsers. Right now Chrome supports physical security keys by default. In Firefox you need to turn support on manually (at the time of writing, the security.webauth.u2f preference in about:config). Opera also supports security keys, but I haven’t tested it. I use both Firefox and Chrome and they work just fine with my Titan security keys.
Should you use physical security keys?
For me, the security of my accounts is of utmost priority. Google’s Advanced Protection Program identifies politicians, business leaders, activists and journalists as people at high risk. I would add people who have access to huge amounts of data and people working for the government. I think all those individuals need security keys to make sure they do not fall victim to phishing attacks.
Only a small percentage of people fall into these categories. What about the rest? According to a blog post by Experian, personal data is pretty cheap on the dark web: a social security number goes for just $10, and a driver’s license for $20-30. Your personal data can be stolen easily if you don’t secure your accounts so that you are the only one able to access them. The best way to do this is with physical security keys. I say buy yourself physical security keys and stay calm.
The Titan security key is currently out of stock, but you can get a YubiKey for $50. Whichever you buy, register at least two keys with each account and keep the spare somewhere safe, so that losing one key does not lock you out of your own accounts.