Protect Your Accounts with Security Keys | Axos Bank

Passwords are Obsolete. Protect Your Accounts with Security Keys.


 

Last year, Twitter CEO Jack Dorsey found himself with a problem.

A group of hackers used his phone number to post offensive tweets from his personal Twitter account.

How were hackers able to gain control over his phone number?

Easy – SIM swapping.

By getting access to his login credentials – likely through a leaked password list – this gang of hackers was able to convince Dorsey’s phone provider to swap numbers from his device to theirs. (Hence the term, SIM swapping.)

Dorsey was lucky. Typically when hackers gain control over a phone number, they leverage this control to attack a victim’s most important online accounts, including banking and investment accounts. In the case of Jack Dorsey, however, he only had to deal with a mildly embarrassing moment on Twitter.

But what can you, as a consumer, learn from this debacle?

Lesson No. 1: Passwords are Obsolete

Passwords cannot be the end-all, be-all of your digital defense. In fact, we would even argue that passwords are becoming obsolete. In the age of constant cyberattacks, data breaches, and general mismanagement of private consumer data, it’s safe to assume that your login credentials are accessible to hackers. Instead of solely relying on passwords, you need additional defenses to protect your digital accounts.

Lesson No. 2: SMS Authentication is Not Enough

Remember those 2-step verification passcodes that you receive via text message? They mean nothing when hackers have complete control over your phone number. And, as we saw in the Jack Dorsey example, it doesn’t take much for hackers to steal your digits. When SIM swapping and port-out scams run rampant, you need a defense that’s less vulnerable to online attacks.

In other words, you need physical security keys.

What are Security Keys?

Security keys are the ultimate form of digital protection. By adding physical hardware to your digital defense, security keys make it exponentially more difficult for hackers to break into your accounts. To crack your account, hackers would need to physically take control of your security key. Considering that most hackers launch attacks remotely, this mode of attack is highly unlikely. (But not impossible – so take good care of your keys.)

Why Security Keys Are a Game Changer

When security keys protect your digital accounts, you become immune to the consequences of data breaches. Essentially, it will no longer matter if hackers have access to your passwords – it won’t even matter if your passwords are on the front page of the New York Times. Unless someone also has access to your physical security key, it will be near-impossible to break into your digital accounts.

Security keys are small hardware devices that you can plug into a computer or mobile device or connect via Bluetooth. (Here’s an example of what security keys look like.) Like a regular house key, security keys are small enough to carry on a keychain.

Unfortunately, not every online company has the capabilities to accommodate security keys. But the list of compatible companies is growing. These include Google, Amazon Web Services, Facebook, Shopify, and more. To get a full sense of the companies that are compatible with YubiKey (the leading security key provider), take a look at this list.

Here’s how the security key process works:

  • Step 1: Register the Security Key. Each company handles this process differently, but the overall process is the same. Visit your account’s security settings and locate the option to enable security key protection. Then, follow the steps to register your security key to the account.
  • Step 2: Visit Your Account. When you’re ready to log in, your account’s website will prompt you to enter your username and password. After you enter your login credentials, the account will trigger your security key – or, in technical terms, send a challenge to your key.
  • Step 3: Activate the Key. Once your security key receives a challenge, you’ll activate your key by tapping it. (A small button is located on each physical key.) This action will allow your security key to cryptographically sign the challenge and log you into the account.

That’s it! There is no software installation or battery charging required on your end – just register the key, log in to your account, and tap the key when prompted.
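
The three steps above as a minimal model, added here as an illustration and not taken from Axos Bank or any key vendor: the site stores only a public key at registration, sends a random challenge at login, and verifies the key's signature. All names and the `bank.example` address are constructed; signing the site's address along with the challenge and making each challenge single-use go beyond the steps above and mirror how FIDO/WebAuthn keys behave.

```javascript
const nodeCrypto = require('crypto');
// The security key: the private key is generated on the device and never leaves it.
function createSecurityKey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    publicKey,
    // Signs (challenge || origin) only if the user tapped the key.
    sign(challenge, origin, tapped) {
      if (!tapped) return null;
      return nodeCrypto.sign('sha256', Buffer.concat([challenge, Buffer.from(origin)]), privateKey);
    },
  };
}

// The website: Step 1 stores a public key, so a breach of its database leaks no login secret.
function createSite(origin) {
  const registered = new Map(); // username -> public key
  const pending = new Map();    // username -> outstanding challenge
  return {
    register(user, publicKey) { registered.set(user, publicKey); },
    // Step 2: after the password check, send a fresh random challenge.
    newChallenge(user) {
      const challenge = nodeCrypto.randomBytes(32);
      pending.set(user, challenge);
      return challenge;
    },
    // Step 3: check the signature against the challenge and this site's own origin.
    verify(user, signature) {
      const challenge = pending.get(user);
      pending.delete(user); // single use, so a captured response cannot be replayed
      if (!challenge || !signature || !registered.has(user)) return false;
      const msg = Buffer.concat([challenge, Buffer.from(origin)]);
      return nodeCrypto.verify('sha256', msg, registered.get(user), signature);
    },
  };
}

function demo() {
  const key = createSecurityKey();
  const site = createSite('https://bank.example'); // constructed origin
  site.register('alice', key.publicKey);
  const sig = key.sign(site.newChallenge('alice'), 'https://bank.example', true);
  const goodLogin = site.verify('alice', sig);
  const replayed = site.verify('alice', sig); // challenge already consumed
  const wrongSite = site.verify('alice',
    key.sign(site.newChallenge('alice'), 'https://look-alike.example', true));
  const noTap = site.verify('alice',
    key.sign(site.newChallenge('alice'), 'https://bank.example', false));
  return { goodLogin, replayed, wrongSite, noTap };
}
```

Only the first attempt in `demo()` succeeds: a replayed response, a signature made for a different address, and a login without a tap are all rejected, even though the password step is assumed to have passed in every case.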

Security Key Alternatives

Right now, security keys offer the highest form of digital protection. But, as we mentioned earlier, not all companies are compatible with security keys. This is understandable, as security keys are relatively new – it will take time for the mainstream to adjust. However, you can still boost your digital protection with the following alternative methods:

Authenticator Apps

Authenticator apps are two-factor authentication apps that you can install directly onto your mobile device. Popular apps include Google Authenticator, LastPass Authenticator, and Authy.

In practice, authenticator apps work similarly to SMS-based authentication. However, instead of receiving one-time passcodes through text messages (which can be easily intercepted), the authenticator app will generate its own one-time passcode. Because the app is installed onto your mobile device, it essentially turns your device into a security key. To crack your account, a hacker would need to take physical control of your mobile device or gain access to the account’s secret key. Man-in-the-middle attacks are also possible, but – because a new passcode is generated every 30 seconds – these attacks are unlikely to happen.
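
How an authenticator app derives its 30-second passcode from the account's secret key, as an added example that is not code from this article: it assumes the app follows the TOTP standard (RFC 6238) and uses that RFC's published test secret. The `makeVerifier` helper, its clock-drift window and its reuse check are illustrative assumptions.

```javascript
const nodeCrypto = require('crypto');

// RFC 6238 TOTP: HMAC-SHA1 over the count of 30-second steps since the Unix epoch.
function totp(secret, unixSeconds, digits = 6, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = nodeCrypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;         // dynamic truncation (RFC 4226)
  const bin = mac.readUInt32BE(offset) & 0x7fffffff; // 31-bit positive integer
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Server side: accept the current step plus/minus `window` steps of clock drift,
// compare in constant time, and refuse a code from a step that was already used.
function makeVerifier(secret, window = 1) {
  let lastUsedStep = -1;
  return function verify(code, unixSeconds) {
    const now = Math.floor(unixSeconds / 30);
    for (let s = now - window; s <= now + window; s++) {
      if (s <= lastUsedStep) continue; // one-time: no reuse, no going backwards
      const expected = Buffer.from(totp(secret, s * 30));
      const given = Buffer.from(String(code));
      if (given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected)) {
        lastUsedStep = s;
        return true;
      }
    }
    return false;
  };
}

// RFC 6238 test secret (ASCII); a real account secret is random and kept private.
const RFC_TEST_SECRET = Buffer.from('12345678901234567890');
```

The same secret sits on the phone and on the server, which is why anyone who obtains it can generate valid codes; a security key avoids this because the server holds only a public key.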

Password Managers (with Frequent Password Changes)

A password manager stores unique passwords for all of your accounts. Popular password managers include 1Password, LastPass, Dashlane, and Bitwarden. Or, you can use the password manager that’s built into your Apple or Android device.

To decrease the chance of a hacker cracking your account, we recommend using your password manager to change your passwords often (every 3 – 6 months is fine). If a hacker does get access to your login credentials, frequent password changes will help to ensure that hackers only have access to outdated credentials.

Main Takeaways

With cybersecurity concerns ever-increasing, it may seem overwhelming to keep up with all of the new security trends. Fortunately, if you stick to core cybersecurity best practices (unique passwords, avoiding public wi-fi, not oversharing online, etc.), you will protect yourself against most attacks. A security key is merely a simple way to add another layer to your defense against hackers. Should your primary defenses fail, a security key is your best option for protecting your accounts against fraudulent behavior.
