This might be the best form of two-factor authentication.
It’s possible that last year’s presidential election in the U.S. would have been different if John Podesta used better email security. I don’t know for sure, but it should serve as a wake-up call to people that security matters.
If that’s not enough to make me serious, there was this warning in my Gmail account late last year:
The primary precaution I take to protect my accounts (including domain registrar) is to enable two-factor authentication.
Depending on the registrar, I am either sent a one-time password via text message after entering my login credentials or I get a secondary code from the Google Authenticator app.
But there are some problems with these types of secondary factors. Text messages can be intercepted, and a phishing site can also prompt you for your secondary code to quickly log in to your account.
That’s where Security Keys, like the pictured U2F security key from Yubi, come into play. These small and cheap (I paid $18) hardware devices provide a more secure (and easier) way to provide secondary authentication when logging in to accounts.
Once registered to your account, you can just touch a spot on the key when prompted as a secondary form of authentication. There are no codes to enter and it is more secure than the alternatives.
Of course, if you still keep secondary options available for your accounts (such as SMS texting) then someone can still potentially hack you, but it’s less likely.
Google, DropBox, Github and other services accept U2F keys now. I’m not aware of any registrars that do, but my understanding is the technology is easy to implement.
Ah Yes, Fabulous.com have been using Security Keys for Years and definitely is best way ,and Fabulous.com
Thanks, I wasn’t aware they were doing this. Are these the security keys with rotating numbers or the new type that just inserts via USB?
Andrew, the New types that insert via USB and you press the little button to insert the code. Must be several years now been using. In hindsight I wonder whether we should even be saying the names of registars using them as that is one less level > You can remove their name if you wish. ?.
Nah, I think it’s secure enough that it shouldn’t be a concern. Getting more people to use two-factor authentication, especially strong types, outweighs any potential downside.
……..are one of safest Registrars I have come across.
This is awesome! I think it should be at the top of everyone’s New Year’s Resolutions list to beef up their online security.
Fabulous is also using the Yubikey. I like the one with the NFC function, since you can also use them by just touching then to your smartphone.
This solution is the FIDO U2F standard… It is a public-key challenge-response solution that essentially uses a digital signature on a challenge, that is authenticated by a public key on the server side.
It eliminates secrets (which can be stolen) in the login process altogether.
There are a number of certified vendors… Including Bluink Injector, which provides Password Bank, OTP, and FIDO U2F all from a smartphone app and USB Bluetooth dongle. Get everything in a single solution…
And then there are registrars like Network Solutions who still don’t offer ANY form of 2 factor auth, let a lone a U2F key?
Frankly any respectable company holding sensitive customer information should offer SOME form of basic 2 factor auth. I’m seriously insulted when they don’t, its as if they don’t care.
I use this key, but it is in no way more secure than entering text. Entering text is exactly what this device is doing. It register itself as keyboard, generates the key and enter it when you press the button.
So it can also be intercepted like when you are entering the second factor yourself..
Not correct Michael.
For FIDO U2F, the server sends a digital challenge, which is signed with a private key on the device… The signature is validated with the public key on the server.
You do enter a User ID and Pin/Password at the beginning, but this is only used to validate the public key handle.
FIDO U2F use different “end points” in the USB stack, not keyboard and mouse. The Chrome browser connects to these endpoints for FIDO U2F, not keyboard and mouse HID Endpoints.
http://www.fidoalliance.org
This method is much more secure than Password, or TOTP, preventing man-in-the-middle attacks, phishing attacks, etc…
Google is a registrar too if it’s available from your country. Then you can use it with FIDO U2F