Is it worth buying a USB security key for your PC?

The Yubikey Neo connects to a computer and your phone

With convenience comes risk, especially when you’re trying to access your online accounts from multiple sources.

The proliferation of smartphones and tablets means that few of us still use a single PC; we have become used to carrying our email and social media profiles around in our pockets.

That’s all very well until you lose your phone, or - less likely but by no means impossible - someone hacks into it: your personal details are suddenly at someone else’s disposal. Unless, that is, you invoke a second layer of security.

Google now lets you do just this with a process it calls two-step verification. It requires you to not only enter a password but also prove you are who you say you are, in order to access some of your accounts.

The emerging method for doing this is with a physical key that you carry separately, and which plugs into a USB socket of the device you are currently using. If no USB socket is available, certain keys can connect to it wirelessly.

The advantage of this is that no-one else can log into your accounts unless they have access to both your password and your key. The disadvantage is that neither can you.

Yubico is among the leading third-party suppliers of security keys, and offers a range from £18-£45. You can attach them to your keyring or lanyard and the smallest, which is designed to stay put in its socket, is no bigger than your thumbnail.

But there are a number of important caveats. Only the top-of-the-range Neo key supports wireless communication - the others are unsuitable for phones and tablets. And the system requires you to use the latest version of Google’s Chrome browser - rival software is not supported, and that means you can’t use a key with, for instance, the standard mail, calendar or contacts apps on an iPhone or iPad.

Setting up a “Yubikey” involves a certain amount of persistence, since each of the services it supports - Google, Facebook, Dropbox and so on - has its own method for turning on the two-step security process, and you have to go through a separate routine each time.

In the case of your Google account, which also encompasses Gmail and YouTube, you have to follow the link on Yubico’s website to a Google page that sends a text message to your phone - which will itself then require you to log into your account a second time.

The system is not infallible. I found I could continue to use Gmail even with the security key removed, so long as I didn’t actively log off.

Yubico is marketing its keys at students and others concerned about their online safety, but with the products still commanding premium prices and some lacking wireless functionality, they may yet be some way off finding a place on everyone’s keyring. Amazon does offer cheaper alternatives - the Feitian ePass key with wireless functionality is £14, though some users have complained that it, too, is fiddly to set up.

However, keys like these are ideal for workplaces where computers are shared - and if you are in the habit of sending emails from public PCs, a key should eliminate any possibility of the next user accidentally accessing your details. But the best security practice of all costs nothing, and it is this: whatever online service you use, always log off when you stop using it.