How to protect your Google and Facebook accounts with a security key - martinbegroway

In late March when I got an unsettling message on my Gmail report: "Warning: Google may sustain detected government-backed attackers trying to bargain your countersign."

Google sends them out when IT detects a "regime-backed attacker" has attempted to hack an account through and through phishing or malware.

Last time I saw one, I added two-constituent assay-mark to many of my accounts. This clock time it prompted me to ask: Can I do even better?

Martyn Williams/IDGNS

A security warning message displayed by Google.

It turns out I can.

Google suggests a security key as a more secure choice. These are miniscule USB devices that generate one-time tokens in situ of the six-digit codes from authenticator apps.

Google supports a format titled FIDO Universal 2nd Element (U2F), which IT helped formulate. Keys are available that work finished USB, Bluetooth, and NFC, sol they can be used with a smartphone or lozenge in increase to a PC.

Martyn Roger Williams/IDGNS

Hardware security keys from Feitian (left hand) and Yubico.

They are really easy to use.

First, once you've bought a identify, IT needs to be listed with the site. When subsequently logging in, a remind appears subsequently a username and password have been entered. Authenticating with the central is simply a matter of plugging it into a USB socket and imperative the small aureate saucer.

MARTYN WILLIAMS/IDGNS

A dialog box greets users signing into a Facebook calculate protected by a security paint.

The disc triggers the key to channel a 44-character code to confirm the login. The first 12 characters of the codification are the public key of the twist being used and the odd 32 are a unique passcode for the login endeavor.

On a smartphone, an NFC key can simply be placed against the back of the sound to send the codes.

And that's all there is to it. Information technology's more easier than juggling a smartphone and assay-mark codes.

Ahead you commit

U2F is currently only supported by two browsers, Google Chromium-plate and Opera. Together, they account for about ii-thirds of background browsing and are available on Windows, macOS, and Linux, so a good portion of the market is covered, but if you prefer Firefox, Hunting expedition, or another browser, you'll need to flip.

And U2F only works on a handful of sites and services at demo, but they do include some major ones same Google, Facebook, Salesforce, GitHub, and DropBox. Simply securing your Google and Facebook accounts might be persuasive enough to add a security key to your key ring because some sites are prime targets for cyberattacks and identify theft.

But, if you use an iPhone surgery iPad, bad news. The keys don't decent work with these devices. You should have no problem with Android.

Martyn Williams/IDGNS

Yubico's smallest key can slip into a billfold or remain in an USB socket.

Too consider logistics. With an appraiser app, the codes are wherever your phone is, and your phone is usually with you. With a security nam, you'll motive to carry IT or so. The good news is that it's diminutive, very sturdy and easily sits on a keyring.

Know your standards

The certificate primal canful also be exploited to protect access to a password director.

The Dashlane password manager supports FIDO U2F, patc different different competitors, including LastPass, support OTP, a similar but incompatible standard, so you pauperism to be careful while shopping as non complete keys will generate both U2F and OTP codes.

Some of the all but popular keys come from Yubico and most support both U2F and OTP, but the cheapest of the company's draw-up isn't compatible with OTP.

One step full-face, two steps back

While Google and Facebook both promote protection keys Eastern Samoa a better way to keep your account safe, both companies wealthy person a potential hole in their implementations. If you hard a recovery number to receive security codes via SMS, that phone phone number cadaver active until you disable it.

That's a trouble because SMS is not a secure transmission channel. Hackers have already managed to attack banking company accounts protected with SMS-settled authentication codes due to weaknesses in the protocol.

Soh, you need to disable ring backup man. The security settings pages in both Google and Facebook will tolerate you to do that.

While you're in thither, it's a good idea to set up account login alerts, so you if somebody does do to get into your account by no affair what means, you'll know about it.

Google and Facebook wouldn't comment along their use of security keys.

Where can you use security keys?

Yubico has a helpful matrix on its site detailing compatibility, and there are a few listings of sites that back up security keys and the standards they use. One is well-kept by Yubico, only the nearly exhaustive I constitute was from Germany's Nitrokey, which also sells security keys.

Source: https://www.pcworld.com/article/406720/how-to-protect-your-google-and-facebook-accounts-with-a-security-key.html

Posted by: martinbegroway.blogspot.com

Share this post