Sunday, April 9, 2023

Digital Security: How I Do Things, Part I

Occasionally someone will ask me how I protect myself online. Usually, the question is superficial, and a superficial answer is expected. But the answer I give rarely is. There are reasons for this. 

For one thing, during my years as a reporter, I had to learn to be careful when communicating with confidential sources. None of them were exactly Deep Throat, but I did take steps to make sure that what they might say in an email or text message exchange was protected. 

Even so, once, during the summer of 2017, my email account was breached by someone using an IP address in South Africa. I could go into detail about why I believe this, but the fact that it happened — and my conclusion may be wrong — shook me.

I thought I had been careful. I had been an early convert to two-factor authentication, and not the weak version involving text messages, but the stronger app-based version. I also used robust passwords and an encrypted password manager.

I resolved after that breach to be a little more paranoid. I started changing my email password as well as a few others at least once a month and doubled down on 2FA everywhere. My worries about that old breach faded, but my paranoia about the next one never did. 

Last summer, I kicked my security posture up a notch. I decided to experiment with hardware security keys from the Swedish company Yubico. It wasn't long before that experiment became a full-scale deployment across my digital footprint and that of my spouse. And the technology is having a moment: earlier this year, Apple enabled support for hardware keys on its AppleID/iCloud scheme. That got people interested and writing articles about it in the press.

Essentially they work like this: once a key has been inserted into a USB port, or in some cases held close to a phone or tablet, you engage it by touching a tiny button, and the chip inside generates the second factor that the two-factor authentication process requires. That replaces the code, also known as a "one-time password" or OTP, that would otherwise be texted to you or show up in an authentication app, so the key can eliminate those inherently less secure approaches to 2FA. There are far more detailed and technical explanations you can find, but that more or less explains it.
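To show what the key's chip is actually doing in place of a typed code, here is an added example (not from the post, and not Yubico's code): a stdlib-only Python model of the challenge-response a FIDO2/WebAuthn key performs, with the real site, the look-alike site and the origins constructed for the demo. An HMAC shared secret stands in for the key's ECDSA key pair, an assumption made so it runs offline.

```python
import hashlib
import hmac
import secrets
# ASSUMPTION: a shared HMAC secret stands in for the key's ECDSA key pair so the
# example stays stdlib-only; a real FIDO2 relying party holds only a public key.

class SecurityKey:
    def __init__(self):
        self.secret = secrets.token_bytes(32)  # never leaves the "chip"
        self.counter = 0                       # signature counter, +1 per use

    def assertion(self, origin, challenge):
        # The browser, not the user, supplies origin, so the answer is bound to
        # the site really asking; that binding is what defeats phishing.
        self.counter += 1
        auth_data = hashlib.sha256(origin.encode()).digest() + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(challenge).digest()
        return {"auth_data": auth_data, "challenge": challenge,
                "sig": hmac.new(self.secret, signed, "sha256").digest()}

class RelyingParty:
    def __init__(self, origin, credential):
        self.origin, self.cred, self.counter, self.pending = origin, credential, 0, set()

    def challenge(self):
        self.pending.add(c := secrets.token_bytes(32))
        return c

    def verify(self, a):
        if a["challenge"] not in self.pending:    # unknown or already used
            return False
        self.pending.discard(a["challenge"])      # challenges are single use
        rp_hash, ctr = a["auth_data"][:32], int.from_bytes(a["auth_data"][32:], "big")
        if rp_hash != hashlib.sha256(self.origin.encode()).digest():
            return False                          # bound to another site
        if ctr <= self.counter:
            return False                          # counter did not advance: clone
        signed = a["auth_data"] + hashlib.sha256(a["challenge"]).digest()
        if not hmac.compare_digest(hmac.new(self.cred, signed, "sha256").digest(), a["sig"]):
            return False
        self.counter = ctr
        return True

def demo():
    key = SecurityKey()
    site = RelyingParty("https://mail.example", key.secret)  # constructed origin
    genuine = site.verify(key.assertion("https://mail.example", site.challenge()))
    # A look-alike site relays the real challenge, but the browser reports the
    # look-alike origin to the key, so the real site rejects the answer.
    phished = site.verify(key.assertion("https://mail-example.evil", site.challenge()))
    return {"genuine": genuine, "phished": phished}
```

A texted or app-generated OTP has no such origin binding, which is why a relayed code works for a phisher while a relayed key assertion does not.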

I enabled a set of keys to protect my AppleID. Setting up the first one literally took no longer than the demonstration in this 45-second video. I used two Yubikey 5Cs, which cost me $55 each. (Apple smartly requires a minimum of two.) They support NFC, the Near-Field Communication protocol, so when I use one to authenticate on the phone all I have to do is hold it up to the back of the device. One is on my keyring, and another is locked away in case the first one gets lost. For my MacBook Pro I bought a tiny Yubikey 5C Nano (this one was $65), which sits more or less permanently in a USB-C port. I enabled three keys to start — the first two were already visible on my Mac and iPad Pro — and it took minutes. A few days later I repeated the process for my spouse.

It was more time-consuming to enable all three keys for several other accounts I use that support Yubikey, and there are many. Among them are my Google account, including GMail, Dropbox, Twitter, and Facebook, and even one financial account, but notably not my bank. The keys also work with Microsoft accounts, including Outlook.com, OneDrive, and Office365, and with several good password managers, including both 1Password and BitWarden, the two options I recommend, in line with advice from reviewers at The New York Times' Wirecutter.

One downside: you will need multiple keys, in case you lose one, so you'll have to spend a touch more than you may like. As I noted above, Apple requires two keys minimum to protect an AppleID. And frankly, you'll want a backup key in case you misplace one. I have two key rings, so with one for each, plus the Nano device in my MacBook and a backup locked in a safe, I ended up actively using four. My wife has three.

Obviously, no security scheme is perfect, but I think adding hardware-based 2FA to the mix is a significant step, one that at first seems like it's going to be complicated and then really isn't. It's not inconvenient at all to use the keys to authenticate to a service, unless you honestly don't have your key with you, in which case you can still use other 2FA apps like Duo Mobile or Authy that you've set up in addition.

There are a few other things I do to protect myself online, and I'll share some of those ideas in a future post.