How do security keys work?
A security key is a small device you plug into your computer or phone (or tap to it over NFC) that holds a private key which never leaves the device. When you register a security key with an account, the browser scopes the resulting credential to that site's domain, so the key will only answer a login challenge that the browser delivers from that site. This is what makes it so effective against phishing.

Let’s say you add a security key to your Twitter account, and later you click on a phishing link (to realtwitterlogin.com) that is trying to steal your Twitter account. You don’t realize you’re on a phishing website, so you enter your username and password. But wait — the attackers need one more thing to steal your account!
This is usually where the attackers ask for your two-factor code from SMS or TOTP: you type it into their page and they replay it to the real site within the next few seconds. A security key closes that gap. The browser tells the key which site it is actually on, and the key's signed response includes that origin, so a response produced on realtwitterlogin.com is not valid on twitter.com; the phishing page cannot even ask for the twitter.com credential, because the browser only lets a page use credentials scoped to its own domain. And since the key has to be physically touched to respond, it cannot be used remotely.

Do you need a security key? Yubico is the absolute best in the business. If you have a USB-A port on your computer (the older, rectangular kind) you can get this one for $25. If you need USB-C (the newer, oval-shaped port on Android phones and MacBooks) grab this one. Both support near-field communication (NFC), which means you can tap them to the back of your phone to use them on the go.
Multi-key madness
Most sites let you register several 2FA methods and usually prompt for them in order of strength: security key first, then TOTP, then SMS. When possible, register two security keys on the account so that losing one does not lock you out. If you only have one, use a TOTP app as the backup method and remove your phone number, since SMS is the weakest of the three.
Make it a habit to log in with the security key whenever the option is offered. Then a page that asks for a TOTP code where you would normally touch your key is itself a warning sign that you may be on a phishing site.
How does a security key protect you against phishing?
To help prevent you from being tricked by attackers, we need to look a little deeper at how the Web works. In the next section, we’re going to walk through all the parts of a website, so you can spot the real ones from the fakes.