Using Two-Factor Authentication

Russell Jelks
Feb 25, 2017

Google Authenticator vs. YubiKey

If you want to be more secure online, you use a password manager. Then you enable two-factor authentication — you log in to a site, and you are asked to type in a second, one-time secret code. The three most common forms of two-factor authentication are:

  1. Get your secret code via text message. This is a problem because SMS security is weak. It’s possible to intercept the message, or even to impersonate your phone.
  2. Generate a secret code from an app on your phone, like Google Authenticator. This generates a six-digit code for each site you configure. This code changes every 30 seconds.
  3. Use a hardware device that generates the code. I use a YubiKey, which looks like a USB flash drive with a single button. To your computer, it works like a keyboard. When the site asks for the secret code, you press the button and the YubiKey types in the code for you. This code changes every time you press the button.

I’ve been using a YubiKey for the last couple of months, and I’ve noticed a few things:

  1. It’s easy to lose. It’s designed to live on my keychain, but it’s inconvenient to have a jumble of keys hanging off the front of the computer. You can unlink it from the keychain, but it becomes tempting to leave it plugged in. Twice I’ve had to retrace my steps and drive back to where we last used the YubiKey to retrieve it. But this is a consequence of my use habits and not a design flaw. Keep it on your keychain and it’s much harder to lose.
  2. It doesn’t always work. Windows has to spend a moment identifying the YubiKey and loading the correct driver. Sometimes this takes more than a moment. It works pretty well on the 30 or so computers I use at work. But my personal laptop doesn’t recognize the YubiKey about half the time I plug it in. Sometimes I have to reboot before it will work.

When I can get past these two hurdles, the YubiKey works great — maybe better than Google Authenticator. I can plug in my YubiKey and press the button faster than I can pull out my phone and activate the Authenticator app. It’s not any faster than using Authenticator on my smartwatch, but something about moving my attention from the big screen to a smaller one and back interrupts my flow.

So I’ll keep using both Authenticator and the YubiKey for a while. The drawbacks listed above should diminish over time. I think, as a test, I’ll move some of my logins from YubiKey back to Authenticator and vice versa. That way I can put “Experience with A/B test design” on my resume.
