Security Key!!! What Is Security Key? (Yubico - YubiKey 5 NFC - USB-A - Two Factor Authentication Security Key)

So maybe I'm just getting a lot more paranoid as I get older or maybe it's because my kids are now old enough to use phones or maybe it's because we can't go a day without hearing about some website getting hacked. But I've been thinking a lot more about online security lately and basically how it's kind of backwards and broken for so many people. But I was really intrigued by this headline recently.



It said out of Google's 85 thousand some-odd employees, not a single one had been phished. Their accounts had not been compromised since they moved to using these. Physical hardware security keys. So their accounts are safe. I want my account to be safe. I want my kids' accounts to be safe. So I went down a pretty deep rabbit hole. I've turned on Google's advanced protection program for my personal Google account and that's Google's strongest consumer level system that requires these hardware keys to work. So what are they? What can they do? How do you use them? Hang on, we're gonna have to get in the weeds just a little bit here. We're gonna talk about hardware keys, we're gonna talk about advanced protection, and we're gonna talk about Google's brand new Titan key. Yeah, we're gonna nerd out a little. Here we go. (playful music) All right, first things first, let's talk about what the hell I'm talking about. So look, we all know passwords, okay, and we all know that we should be using strong unique passwords. We all know that we should be using password managers for those strong unique passwords and if you're not doing that already, go do it.

I'll wait. All right, good, you're back. And we all also know about two-factor authentication. That's a second password after your password but here's the thing, it's possible for someone to hijack your text messages. It's possible for them to get into your phone account. It's possible for them to intercept the one-time passwords you get via an authenticator app. This isn't necessarily tinfoil hat stuff I'm talking about, okay. I mean yeah, if you're a target, it's a lot more likely that someone's gonna try to phish you because that's spear phishing but it's also possible that you could just blunder across a bad link that somebody sent you or you just didn't know it and that's why this stuff is also important. And so, more secure than text messages and authenticator apps are these physical hardware keys.



So what are they? Look, they're little USB sticks. They look like thumb drives, yeah. And the way it works is this. You take your key and you stick it in the computer and you register it with whatever service it is you're using, Twitter and Facebook are two. Dropbox is another really good one. Google, obviously. Not every website and service out there uses them. I really wish they did. There's a good website to use, twofactorauth.org. They have a huge database telling you what forms of two-factor authentication websites use and whether or not they take hardware keys. So I use my password, I stick this in the computer, I give it a little tap and that's it. I'm logged in. Now there are several kinds of these physical hardware keys, okay. There's this normal little USB type which is nice and easy and small, you can keep it on a key chain if you want or stash one in a drawer or a safety deposit box or wherever as a backup. That's not a bad idea but remember the more these you have laying around with your credentials on them the more it's possible for somebody to get a hold of it, right? Trade-offs. Phil, what about my phone? Well, okay, you have keys, little USB keys that also have NFC chips in them or you have these larger fobs that have to be charged but they have little Bluetooth radios in them and those work, as well.

In fact, they work with the iPhone which doesn't have wide open NFC until iOS 12 comes out. Really, when it comes to the keys themselves, there's, kind of, no one right way to do it. Fewer is obviously more secure but you're gonna have to figure out what works best for you. So also, hardware keys are faster, actually, and when I really got to using them it made total sense. So instead of waiting for a text message to come in and then me copying that over and then pasting it into a website, I stick this in, I tap it, I'm done. Same goes for the authenticator apps, exactly the same deal. Now what about this Titan key that you've been hearing about? Yes, it's all nerdy and sounds Titan key.



That's a great name for it. It's actually named after part of what Google uses on its enterprise servers for security stuff and really all it is is a physical hardware key, only it's controlled by Google from start to finish. Google controls the hardware, Google controls the firmware, and that's really all it is. It's the same kind of physical key you would get from, say, Yubico, only it has Google's name behind it. These are now on sale from Google directly in the Google store and for 50 bucks you get a Bluetooth fob that'll work with pretty much everything, including the iPhone, and you get a slick looking USB key that also has NFC built in. Now one quick note on that, at launch, the NFC is not actually working with Android phones. They have to do a behind-the-scenes update on that so I'm not quite sure when it's gonna happen but it is coming.


But let's stick with Google for a second. So if you're really worried about keeping your Google account secure, there's what's called Google Advanced Protection Program and here's how Google explains that. - [Instructor] But if you're an activist, journalist, thought-leader, business executive, or other public figure, or anyone who feels vulnerable to highly targeted online attacks, you might need a different level of security to keep your data safe. That's where the Advanced Protection Program comes in. It's Google's strongest account security. - So here's how I explain it.



Once you turn advanced protection on, the only way to get into your Google account is to first, have the password and second, have one of the physical hardware keys attached to your account. No more text messages. No more authentication codes. No more using a second trusted device, like a phone, to log in. You have to use a physical key. And by the way, Google also makes it harder, once you turn this on, for somebody to use the account recovery process to actually get into your account. It includes you, by the way. So this will, kind of, break some stuff initially. When you first turn on advanced protection it logs you out of every single device you're in because now you have to log back into it using a hardware key. It means every phone, every computer, every third-party app that you might have used Google to log into, you're now logged out and that means you can't use third-party email apps. I use Mailplane and Shift on my Mac.

You can't actually log into your Google account from the Mac. You can't use Apple's mail apps anymore. And the one really weird one, and I think this is just broken, I can't even use my NVIDIA shield TV box. I can't log in with my Google account on that. Whoops. And that actually brings us to the question, do you really need Google's advanced protection? I'm thinking for the vast majority of us out there, no. You have different options, anyway, when you log into Google accounts, right? You can use a hardware key and not use text messages or not use authenticator apps.



Advanced protection really just takes things to the next level where you have to have the password and you have to have a physical key and you can only use a physical key to log in. And I'm willing to bet that Google's also doing some other stuff in the background to keep an eye on things. So if you really think you're a target, if you're a journalist or a politician or whatever, then yeah, it would be a really good idea. For the rest of us, probably gonna be a little more of a headache than you need. All right, that was a lot. I get it. Let's recap. You gotta have a good strong password, right? You got to use a password manager. You gotta use a password manager. You have to use two-factor authentication of some kind. Text messages are okay. Authenticator apps are okay. Physical hardware keys are better, much, much better. And remember, Google isn't the only company out there to use these things, okay?

There's a whole website, twofactorauth.org where you can look up services that use hardware keys for two-factor authentication. And Chrome isn't the only browser out there that uses it. Firefox does and Microsoft just announced that it's finally bringing support, as well. Safari. Well, Apple's gonna Apple. And finally, grab yourself a key to use, okay? Maybe it's one of these really simple USB keys and that's it, maybe you want one with NFC so you can use it with your phone, maybe you want one with Bluetooth if you have an iPhone and that's the best way to go. I can't tell you which way is gonna be best for you. You're gonna have to figure that out on your own a little bit but use it. Get a hardware key.



Register it with these services and sleep a little better at night. So that's it on hardware keys and Google advanced protection and the new Titan key. Again, I've got links down below for all this stuff, if we went a little fast. And I've got a link down below for that talk from Christian Brand of Google at the Google cloud conference. I tell you, it really opened my eyes to all this and made it make even more sense even as I was using it. Really good, it's worth your time. So go get a key. If you got any more questions, ask them down below in the comments. That's it, see you next.

                 https://amzn.to/355dNOS
