Back to blog

U2F and second factors to get rid of phishing!

03/12/2018 - Posted in internet , minimal security , security , tutorial Posted by:

Tags: , , , , ,

This week’s post in minimal security is about second factors. Apart from password managers, this is perhaps something you can apply that increases your security the most. As we have seen in my post about password managers, passwords can be stolen from websites. A universal second factor (U2F) registered with a website will protect your accounts even if your password has been compromised. One other advantage is that it also protects against phishing. Google reported that after deploying second factors for accounts, not a single employee was successfully phished.

Second factors come in multiple shapes and technologies. Text messages on your phone, apps, phone calls and hardware in the form of USB sticks. I want to focus on the latter form. Points can be made that your smartphone does not constitute a real second factor and the other methods can be expensive (roaming) or cumbersome (typing codes from you smartphone into your computer). Therefore, I suggest that everyone should buy a U2F USB device. Depending on the requirements it might also be possible that other interfaces, such as NFC/RFID or Bluetooth, are preferred. 

The one I recommend is Yubico’s security key. It provides basic functionality and while there are other companies that sell something similar, Yubico is well respected and compatibility is expected to be the highest. They also offer this little device on Amazon. Before you buy, you can check compatibility with services at Yubico’s website or on this third party website.

Follow these steps to increase your security and protect against password leaking and phishing:

  • Check support on your favorite websites
  • Buy a Security Key (can also be any other U2F compliant device)
  • Register your key with your websites
  • Enjoy increased protection!

Additional Information

If you want to use more features or even merge email encryption within one device you can also buy more capable version of the key. You can then use it as a safe storage for your PGP keys or even hard disk encryption. In order to be secure you should also try to not lose your key and register a second key that you use as backup. Although it doubles your initial expenses, this is the best way to stay secure and keep control over your accounts. Everyone of us makes mistakes and by preparing for the occasion nothing goes wrong.

There are other vendors who sell devices that are comparable to Yubico’s. Feitian is such an example. When Google introduced second factors in their environment they even used Feitian’s products instead of Yubico’s. I suppose that means that their devices are also awesome, although I do not have any experience with them myself.

Leave a Reply

Your email address will not be published. Required fields are marked *