"You should use hardware security keys."
That's been the terse advice from infosec people for the past few years, especially for people in exposed positions. That includes politicians, corporate drones in key jobs, bankers, journalists targeted by spy agencies, cops and government assassins, and crypto-currency speculators.
Really, anyone with a computer and a smartphone should use a more secure way to log in than just a username and password. Maybe you think that it doesn't matter if you're hacked because your stuff is not important.
Imagine though if someone gets into your email or smartphone, and sends messages to friends and family claiming you're in trouble and need money urgently.
It has happened through hacked accounts and unprotected devices. For those of you who still have unlocked devices - and this includes kids: secure them now.
Hardware security keys talk directly to your computer or smartphone when an application needs to verify who's trying to access a system. You plug it in to a computer or smartphone via the peripheral port (usually Universal Serial Bus or USB) or communicate over a wireless protocol like Bluetooth or Near-Field Communications tap-and-go.
Yubico is one of the big names in the hardware authentication business, with lots of application support and keen marketers, which is why I was sent four of its Yubikey 5 devices: the USB-C 5C and 5C Nano, and the USB-A 5 NFC and 5 Nano.
The idea behind the Yubikeys is that they provide the response to the challenge "prove who you are by generating a unique code" locally. That is, the codes are not sent as a text messages because they can be hijacked over the network or through porting your number to a new SIM card or several others.
What's more, security keys avoid heart attack moments overseas when you try to sort out urgent things over the internet, only to be foiled by the verification texts not getting through.
They're also more secure than expiring one time passcodes generated via apps that can be compromised. How this works was developed by Google and Yubico, and is now managed as the Universal 2nd Factor standard by the FIDO Alliance (Fast Identity Online, get it?).
Yubico isn't the only U2F security key game in town and Amazon sells keys from five other makers. They key (sorry) here is to make sure that the services and apps that access them support U2F.
Google services such as Gmail and its Chrome web browser do, and there are hundreds of others as well that can be secured with security keys. Even Twitter can use security keys, which should put an end to the dreaded Rogue Staffer posting risqué and rude things on corporate accounts' timelines.
New Zealand banks however do not support U2F, but using a mobile app avoids SMS codes being sent (and not received, especially when you're overseas).
For the benefit of many irredeemable crypto-geeks Yubikeys go beyond one time passwords, making them rather flexible authentication devices.
Are you one of the patient few who've set up Open PGP (Pretty Good Privacy) for digitally signing and encrypting emails? The Yubikeys have a 4096-bit OpenPGP key, and can act as SmartCards for logins to enterprise computers. Are you a developer wanting to sign code so that users know where it comes from? Yubikey can do that too, by importing digital certificates.
Registering a Yubikey with a Mac was easy enough once I figured out that the latest macOS Catalina beta wasn't going to work and dropped down to the current Mojave version.
Adding Yubikeys via the USB-C port on an Oppo Reno running Android 9 was easy too, and the 5 NFC was recognised with a tap on the back of the phone.
As I was feeling paranoid about getting locked out in case a high-spirited colleague nicked the tiny USB-C Yubikey while humming that popular Rick Astley tune, I added a second one as a precaution and put it in a safe place and added a note in my credentials manager app in case I forget where that is.
And, having learnt the hard way how difficult (and sometimes impossible) it can be to restore access to strongly encrypted services if you lose or forget the credentials to them, I added alternative authentication methods in case both hardware keys goes walkabouts.
If someone steals your security key, there's not a great deal they can do with it. No data is stored on the keys that connect it to your services and devices. Once you discover the key is lost, use the second one immediately to log in and remove first device from your accounts.
If the above sounds like too much hassle, then bear in mind that most of us can get by without separate security keys and still get many of their benefits with a bit of extra multi-factor authentication tweaking.
Apple services can be set up to ask for login approval from another machine, ditto Google with the Prompt feature, which work well.
Google accounts can also be protected using security keys or chips inside newer smartphones, which will prompt you for approval and have to be near the device on which the log-in is taking place.
That said, U2F keys are a step up for secure access. While they're probably not a hundred per cent secure if an attacker tampers with the USB port electronics for example, they're so difficult to get through that a hacker will move onto easier targets of which there are plenty.
That protection comes with a degree of complexity though, and cost (my keys cost between $45 to $60 each retail) and you'll have two more little things to manage, and remember which key was used for what account.
Is it worth jumping through additional security hoops with hardware authentication? That question is best answered after recovering from a hack, which I hope you'll never have to do.