I saw my friend Chris tweet this question yesterday and had to respond:

Nick helped me get Yubikeys set up on all of the services I use that support them in the past few weeks. If I had a new year's resolution, which I don't, it would have been to start to use Yubikeys.

So what are Yubikeys?

They are a brand of "security keys" that are supported in the two factor authentication offerings at Google and many other Internet services.

They look like this:

Courtesy Yubico
Courtesy Yubico

You can buy Yubikeys here.

The idea is you keep one with you and one in a safe place in your office or home or a bank safe deposit box.

If you lose your phone, you have a Yubikey to get you back into the service.

But I don't only use Yubikeys as "backup codes," which I also keep stored safely.

I have started using my Yubikeys instead of a Google Authenticator code. It can be easier if you have the Yubikey handy.

But whatever you do, don't use SMS for two-factor codes.

I was hacked this summer and the attacker tried (unsuccessfully thankfully) to port my phone number.

My partner Albert recently experienced a similar attack. He wrote about it here.

So here is the best practice as I see it:

  1. Always use two-factor authentication if it is offered. And it is almost always offered on popular services.
  2. Don't use text messaging to deliver two-factor codes. It is not safe. You can have your number ported way too easily.
  3. Use Google Authenticator to deliver two-factor codes onto your phone.
  4. Use a Yubikey as a backup in case your phone is lost, stolen, or dropped in a swimming pool or toilet.
  5. Print out the backup codes to the two-factor services and put them in a safe place.

Personal data security is a big deal. Trust me on this. Don't let yourself get hacked to understand why.

And Yubikeys are a nice addition to the personal security mix. I like them a lot.