So you’re a digital leader, and you need to show your team how extra security can be convenient and secure… You’re looking at 2 step authentication, but you’ve tried it out before and it sucks. The convenience level is actually quite low, you go overseas and you can’t get the SMS because you changed SIM cards, or you’re fresh out of interwebs… If you have all that covered, you just don’t need the extra hassle of typing out those 6 digits all the time. But most of all you know if you make it harder for your team to get logged in then they’ll just find a work around, or not even participate at all. So what do you do?
Use a hardware token, but why?
You (and your team) are only human, you can’t remember all the passwords you have at work, let alone your personal ones. You might even be guilty of re-using the odd password here and there. So to get around the fact that the most secure password is one you can’t remember you’re using a password manager. A password manager introduces a ton of convenience, and you know you need to make this hard to break into. Your best bet is to protect the login with two steps/factors. You need ‘something you have’, and ‘something you know’. This technique makes it more difficult for unauthorised access to be made, but traditionally reduces convenience.
Hardware tokens aren’t just for logging into online accounts, they can also be used in other places too. They were fast enough for Facebook to get their developers using them (Some had 30,000 authentication events/day). In fact YubiKeys are used by 8 of the top 10 internet enterprises and by millions of users in over 150 countries. Google, Facebook and even Auckland University staff are using Yubikey to balance convenience & security.
So now you know you should enable two step authentication on all the accounts you possibly can. But it’s just so inconvenient, right?
My Yubikey trial – finding convenience
I’m all about making technology work for people, rather than the other way around so I decided to try out a couple of Yubikeys for a month. To make life more interesting I set all my systems to maximum security/minimum convenience. If I’m going to recommend this – I need to know about the pro’s and the con’s. For four long weeks I logged in and out of every account on my computer each time I wanted to use it. I logged in using other peoples computers too – just to see how painful it really is to type out those long passwords.
I bought a Yubikey 4 NEO and a Nano and I configured them both everywhere I could. I deliberately unchecked the “remember me” box everywhere, so I would be forced to provide the second factor every single time I wanted to log in from anywhere, or do anything.
I kept the NEO on my keyring, and the Nano in my laptop. If I wanted to unlock my password manager on my phone, then I entered my password and waved the NEO past the back of my phone. On my laptop, I enter my password and touch the gold bar in my USB port.
- You only need to touch it, no more digging around in your bag to find your phone, flicking through your apps, getting distracted by Facebook and then copying 6 digits from your phone to your laptop.
- It was so convenient I even started using it on my personal accounts! I was annoyed at having to go back to using the type in 6 digits method of 2 step auth. when I realised I had missed an account during setup.
- No batteries.
- Ridiculously convenient to use.
- When you’re walking around with your laptop in hand, it’s easy to touch the Yubikey NEO and leave a random string of text hidden within a document. ccccccevejtlctedkiysrfleurnweydbrcbgdidflkwc. Or if you happen to be in a messaging app you can quickly, easily and unintentionally send people your current OTP.
- You can easily lose your keys – Either have two, or make sure you have printed and securely stored your backup codes. Keep them in your safe (or safe place). The Yubikey is no excuse for a poor password…
- ~$40USD a pop.
When you don’t have your Yubikey
Just like when you get home and realise you’ve left your keys on your desk at work, you might need to phone a friend to get you back in.
If you printed and stored your backup access codes in your safe, or used multiple Yubikeys, then you’ll be away again in no time.
If you’ve set yourself up with all the correct backup access codes you shouldn’t have a problem getting back in even if your Yubikey is destroyed, or lost for good…
Doesn’t leaving the token in defeat the purpose?
No, It’s not there to replace your password, but to supplement it. If you lose your hardware, you haven’t lost your password (unless you keep it on a sticky note by your screen) and if someone gets into your computer through the internet and steals your password, they can’t physically touch the Yubikey to get the one time password. Convenience… at last.