The Strongest Protection for Your Online Accounts? This Little Key

Strong passwords are very important, but they’re not enough to protect you from cybercriminals.

Passwords can be leaked or guessed. The key to online security is protecting your account with a strong secondary measure, typically a single-use code. This is referred to as “two-factor authentication,” or 2FA, as the nerds know it.

I’ve written about all the different types of 2FA, such as getting those codes sent via text message or generated in an authenticator app. Having any kind of second factor is better than none at all, but physical security keys—little dongles that you plug into a USB port or tap on your phone during account logins—offer the highest level of protection.

Security keys have been around for over a decade, but now they’re in the spotlight: Apple recently introduced support for them as an optional, added protection for Apple ID accounts. Last month, Twitter removed text-message-based authentication as an option for nonpaying users, recommending instead an authenticator app or security key.

Some people are hesitant to use security keys because carrying around a physical object seems burdensome and they come with a $30-and-up added cost. Plus, what happens if they get lost?

I’ve used security keys since 2016 and think they are actually easier to manage than codes—especially with accounts that don’t require frequent logins. They’re not only convenient, but they can’t be copied or faked by hackers, so they’re safer, too.

Here’s how to weigh the benefits and common concerns of adding one or two of these to your keychain.

Which security key should I use?

Many internet services support the use of security keys, and you can use the same security key to unlock accounts on many different services. I recommend two from industry leader Yubico:

YubiKey 5C NFC ($US55) if you have a USB-C laptop or tablet
YubiKey 5 NFC ($US50) for devices with older USB ports

Other options include Google’s Titan security keys ($30 and up). In addition to working with laptops and tablets with USB ports, these keys are compatible with smartphones that have NFC wireless. Most smartphones these days have that, since it’s the technology behind wireless payments such as Apple Pay.

Adam Marrè, chief information security officer at cybersecurity firm Arctic Wolf, recommends that your chosen key is certified by the FIDO Alliance, which governs the standards of these devices.

How do security keys work?

To add a key, look in the security settings of your major accounts (Facebook, Twitter, Google, etc.). During setup, it will prompt you to insert the key into your laptop or tablet’s port or hold the key close to your phone for wireless contact.

Apple requires you to add two security keys to your Apple ID account, in case you lose one.

Typically, when you log in, you just go to the app or website where you’ve set up a key, enter your username and password as usual, then once again insert the key into the device or hold it close. (Some keys have a metal tab you have to press to activate.) At that point, the service should let you right in.

Why are they so secure?

Getting those two-factor login codes via text message is convenient, but if you are someone criminals are targeting, you could be the victim of SIM swapping. That’s where thieves convince carriers to port your number to a new phone in their possession, and they use it along with your stolen password to hack your accounts.

Even if they don’t go to all that trouble, criminals might try to trick you to hand them your codes, by calling you or spoofing a website you typically visit. At that point they can use the code for about 60 seconds to try to break in, said Ryan Noon, chief executive at security firm Material Security.

Security keys protect you in two ways: First, there’s no code to steal, and second, they use a security protocol to verify the website’s domain during login, so they won’t work on fake sites.

You can also add an authenticator app such as Authy to your most important accounts, to use only as a backup. But once you add these secure methods, you should consider removing the text-message code option.

In the rare case that someone snoops your passcode then steals your iPhone, beware: The perpetrator could still make Apple ID account changes using only the passcode, and even remove security keys from your account.

What happens if you lose your key?

The most important rule of security keys is to buy an extra one (or two).

“Think of your security key as you would a house or car key,” said Derek Hanson, Yubico’s vice president of solutions architecture. “It’s always recommended that you have a spare.”

If you lose a security key, remove it from your accounts immediately. You should have already registered your spare or an authenticator app as a backup to use in the meantime.

Where can you use a security key?

Start with your most valuable accounts: Google, Apple, Microsoft, your password manager, your social–media accounts and your government accounts.

When it comes to financial institutions, many banks don’t offer security-key protection as an option, though most leading crypto exchanges do.

What comes after security keys?

Security professionals and tech companies widely agree that passkeys are the future. They’re a new type of software option that combines the high security of a physical key with the convenience of biometrics such as your face or fingerprints. Passkeys are supported across the Android, iOS, Mac and Windows platforms, and some of your favourite sites already let you use them.

You can create a passkey on Facebook in security settings by following the app’s instructions under the security-key option. Dropbox has a similar passkey setup. Once you’re done, you’ll use your face or fingerprint as a second factor, instead of a code or key.

Eventually, physical security keys could be what we keep safe in strong boxes, as backups for our biometric-enabled passkeys. Even then, you’re probably going to want to have spares.

I wish to protest the current ugliness. I see it as a continuing trend, “the uglification of everything.” It is coming out of our culture with picked-up speed, and from many media silos, and I don’t like it.

You remember the 1999 movie “The Talented Mr. Ripley,” from the Patricia Highsmith novel. It was fabulous—mysteries, murders, a sociopath scheming his way among high-class expats on the Italian Riviera. The laid-back glamour of Jude Law, the Grace Kelly-ness of Gwyneth Paltrow, who looks like a Vogue magazine cover decided to take a stroll through the streets of 1950s Venice, the truly brilliant acting of Matt Damon, who is so well-liked by audiences I’m not sure we notice anymore what a great actor he is. The director, Anthony Minghella, deliberately showed you pretty shiny things while taking you on a journey to a heart of darkness.

There’s a new version, a streaming series from Netflix, called “Ripley.” I turned to it eagerly and watched with puzzlement. It is unrelievedly ugly. Grimy, gloomy, grim. Tom Ripley is now charmless, a pale and watchful slug slithering through ancient rooms. He isn’t bright, eager, endearing, only predatory. No one would want to know him! Which makes the story make no sense. Again, Ripley is a sociopath, but few could tell because he seemed so sweet and easy. In the original movie, Philip Seymour Hoffman has an unforgettable turn as a jazz-loving, prep-schooled, in-crowd snob. In this version that character is mirthless, genderless, hidden. No one would want to know him either. Marge, the Paltrow role in the movie, is ponderous and plain, like a lost 1970s hippie, which undercuts a small part of the tragedy: Why is the lovely woman so in love with a careless idler who loves no one?

The ugliness seemed a deliberate artistic decision, as did the air of constant menace, as if we all know life is never nice.

I go to the No. 1 program on Netflix this week, “Baby Reindeer.” People speak highly of it. It’s about a stalker and is based on a true story, but she’s stalking a comic so this might be fun. Oh dear, no. It is again unrelievedly bleak. Life is low, plain and homely. No one is ever nice or kind; all human conversation is opaque and halting; work colleagues are cruel and loud. Everyone is emotionally incapable and dumb. No one laughs except for the morbidly obese stalker, who cackles madly. The only attractive person is the transgender girlfriend, who has a pretty smile and smiles a lot, but cries a lot too and is vengeful.

Good drama always makes you think. I thought: Do I want to continue living?

I go to the Daily Mail website, once my guilty pleasure. High jinks of the rich and famous, randy royals, fast cars and movie stars, models and rock stars caught in the drug bust. It was great! But it seems to have taken a turn and is more about crime, grime, human sadness and degradation—child abuse, mothers drowning their babies, “Man murders family, self.” It is less a portal into life’s mindless, undeserved beauty, than a testimony to its horrors.

I go to the new “Cabaret.” Who doesn’t love “Cabaret”? It is dark, witty, painful, glamorous. The music and lyrics have stood the test of time. The story’s backdrop: The soft decadence of Weimar is being replaced by the hard decadence of Nazism.

It is Kander and Ebb’s masterpiece, revived again and again. And this revival is hideous. It is ugly, bizarre, inartistic, fundamentally stupid. Also obscene but in a purposeless way, without meaning.

I had the distinct feeling the producers take their audience to be distracted dopamine addicts with fractured attention spans and no ability to follow a story. They also seemed to have no faith in the story itself, so they went with endless pyrotechnics. This is “Cabaret” for the empty-headed. Everyone screams. The songs are slowed, because you might need a moment to take it in. Almost everyone on stage is weirdly hunched, like a gargoyle, everyone overacts, and all of it is without art.

On the way in, staffers put stickers on the cameras of your phone, “to protect our intellectual property,” as one said.

It isn’t an easy job to make the widely admired Eddie Redmayne unappealing, but by God they did it. As he’s a producer I guess he did it, too. He takes the stage as the Emcee in a purple leather skirt with a small green cone on his head and appears further on as a clown with a machine gun and a weird goth devil. It is all so childish, so plonkingly empty.

Here is something sad about modern artists: They are held back by a lack of limits.

Bob Fosse, the director of the classic 1972 movie version, got to push against society’s limits and Broadway’s and Hollywood’s prohibitions. He pushed hard against what was pushing him, which caused friction; in the heat of that came art. Directors and writers now have nothing to push against because there are no rules or cultural prohibitions, so there’s no friction, everything is left cold, and the art turns in on itself and becomes merely weird.

Fosse famously loved women. No one loves women in this show. When we meet Sally Bowles, in the kind of dress a little girl might put on a doll, with heavy leather boots and harsh, garish makeup, the character doesn’t flirt, doesn’t seduce or charm. She barks and screams, angrily.

Really it is harrowing. At one point Mr. Redmayne dances with a toilet plunger, and a loaf of Italian bread is inserted and removed from his anal cavity. I mentioned this to my friend, who asked if I saw the dancer in the corner masturbating with a copy of what appeared to be “Mein Kampf.”

That’s what I call intellectual property!

In previous iterations the Kit Kat Club was a hypocrisy-free zone, a place of no boundaries, until the bad guys came and it wasn’t. I’m sure the director and producers met in the planning stage and used words like “breakthrough” and “a ‘Cabaret’ for today,” and “we don’t hide the coming cruelty.” But they do hide it by making everything, beginning to end, lifeless and grotesque. No innocence is traduced because no innocence exists.

How could a show be so frantic and outlandish and still be so tedious? It’s almost an achievement.

And for all that there is something smug about it, as if they’re looking down from some great, unearned height.

I left thinking, as I often do now on seeing something made ugly: This is what purgatory is going to be like. And then, no, this is what hell is going to be like—the cackling stalker, the pale sociopath, Eddie Redmayne dancing with a plunger.

Why does it all bother me?

Because even though it isn’t new, uglification is rising and spreading as an artistic attitude, and it can’t be good for us. Because it speaks of self-hatred, and a society that hates itself, and hates life, won’t last. Because it gives those who are young nothing to love and feel soft about. Because we need beauty to keep our morale up.

Because life isn’t merde, in spite of what our entertainment geniuses say.