One last piece of advice: Buy a YubiKey

Almost no one takes their security seriously. I know there are certain people that think storing passwords written down in an actual book is a good idea — that these timeless invocations whispered in taps to Amazon, Bank of America, or Google by their very presence save them from the glasses-and-trenchcoat-dressed “hackers.” These are the same people that ignore piles of pending security updates and whole inches of screen space lost to browser toolbars. You just can’t make people storing their banking credentials in plain text notes saved to iCloud or Drive care about their security because any loss of convenience for them is a non-starter. But almost every adult carries around a set of keys for their car or home, and there’s a solution they can use which is every bit as convenient as that.

I implore every person reading these words to just buy a YubiKey and set up every service they can to use it.


You need two-factor authentication, and a hardware key is the best

It’s the single simplest way to augment your online security, and with all the constant hacks and the legitimately incredible lack of even basic security standards at so many companies, you need to have something other than just a password standing between the world and any digital account you value past $20. There are a lot of things you can add to the equation and multiple 2FA (two-factor authentication) systems you can adopt, like SMS and email-based methods. But your security is only as good as the solution you choose, and a hardware key is the best choice.

Admittedly, not every company out there supports 2FA or even hardware token-based 2FA. There’s a great public list of 2FA-compatible online services I recommend checking against, but most of the more popular non-financial services support two-factor authentication. It’s embarrassing how little American banks care about their customers, as only Bank of America supports big-boy hardware security keys, and even ostensibly online-first banks like Ally, SoFi, and Capital One are stuck firmly in some 2002-era vision of the internet. The best you can hope for there is SMS-based verification, which is a pretty bad idea, given how little security the carriers have.


So far as I can tell, just like the banks, the carriers don’t actually care about you — just look at the constant stream of hacks and basic failure to meet even elementary security standards. We’re all just a source of revenue in exchange for overpriced data sitting in columns on a quarterly financial report. The carriers can and will hand your number off to anyone with the savvy to call in, Google your name, and attempt an even half-hearted imitation. Don’t trust them.

Metaphorically, your phone number is basically as safe as your wallet, and you may be robbed, pickpocketed, and burgled. Just as you probably wouldn’t feel safe carrying around thousands of dollars in cash all the time, don’t trust your phone number as the last line of security for anything high-value like an important online account.


A hardware 2FA security key is convenient — you don’t have anything extra to remember and it’s just like carrying around your house key. If it’s stolen, someone can’t just magically get into your account. They need your other credentials as well, and it serves as a final, difficult-to-duplicate barrier. Even if your username and password end up in a malicious actor’s hands, they can’t get in without that jangling dongle in your pocket.

The coming passwordless standards also mean that using a hardware security key can actually be more convenient than remembering and tapping in a dumb long password — just input your user name, pop in the key, and you’re good to go. It won’t need to be changed every three or six months based on some obnoxious policy, it won’t end up hacked or phished, and you won’t have to juggle yet another password or deal with a password manager. It will be the epitome of convenience and every bit as secure.


Seriously, buy a YubiKey

I said “Buy a YubiKey” earlier, but I should stress that I don’t particularly like Yubico more than other hardware 2FA companies. Really, any recent hardware 2FA key is fine as long as it plays nice with FIDO2 and WebAuthn (for the upcoming passwordless standards) and supports the ports you need. But YubiKeys are sold in more places, they tend to release models supporting newer standards more quickly, they offer a wider range of ports for device compatibility, their products are externally audited, and they’re mostly black, so they don’t get stained or show as much wear as lighter-colored models might. (They also have fun stickers to make your keys a little less boring — maybe dBrand should look into that.)

Buy a YubiKey 5 Series

Starting at $45 from Yubico

I personally recommend the YubiKey 5C or YubiKey 5C NFC, but you should choose based on what devices you use. If you’ve got older computers, something with USB Type-A could be important, and if you have an iPhone, the YubiKey 5Ci with its Lightning connector might be necessary. I also recommend that you get at least two, leaving a backup at home in case your keys get lost. If money is tight, get the more basic $29 Type-C model — it doesn’t support all the standards the more expensive ones do, but it’ll be fine for 99% of people.


Last year, I also reviewed a keychain that’s specially made to fit YubiKeys. You really don’t need to buy one, but it’s snazzy, not too expensive, and fits YubiKeys together with your own standard-sized keys very well.

Buy Yubikey ‘Security Key Series’

Starting at $25

A YubiKey is an easy choice, but you can just as easily get a different brand if a fancy color catches your eye, or you’d just like to be a mild contrarian. Google, Feitian, Kensington, and a lot of companies make or resell models, and this is one area where you should avoid the no-name Amazon special. But this is my final piece of advice to you: Buy a two-factor hardware security key.

And with that, goodbye

I have more takes and more advice (both good and bad), though I’ll have to keep both to myself from here on out. I have “pulled a Dieter,” and the next time you hear from me outside my regular stream of cabin-related Twitter content, I’ll be equal parts excited and terrified with my new digs at OSOM. (As some of you may have noticed, that’s why I haven’t written about them in some time, and that was a decision made with attention and care on the part of Android Police.)

On my way out the door, I’ve got a few last hot takes that I no longer have to come up with elaborate arguments to defend. I get to live out every blogger’s greatest fantasy: Getting the first and last word in.

That’s it from Ryne Hager at Android Police, though you might see a few lingering stories from me landing in the upcoming weeks as drafts for other subjects work their way through the editing process.

It’s been five years, and I’ll miss advocating for your obscenities, crapping all over the things you love, writing steamy love letters to my Android wife, and endlessly shilling for Google. Or is it Samsung? Maybe it’s OnePlus today. You guys will have to tell me.

But trust me on the YubiKey.
