by Dave Moore, CISSP, 09/19/2021
Want to learn more about how to stay out of trouble on the Internet in one evening than you have in your entire computing life? Come take the new version of my free, one night only class on Internet safety, “Fight the Internet Bad Guys and Win,” Wednesday, September 29, 2021, 6:30 p.m., at the Central Location of the Norman Public Library. Reserve your seat by calling the library at (405) 701-2600, or visit pioneer.libnet.info/event/5524409. Sponsored by McClain Bank, The Norman Transcript, Josh Nelson Allstate Insurance and the Pioneer Library System.
In the past two columns, we looked at how we sign in to our online accounts, such as email, banking, Amazon and other e-commerce services. Typically, we have signed in with usernames and passwords, a method that has served us for years.
Unfortunately, those days are long gone; we need more in the fight to stay safe on the Internet. Usernames and passwords are no longer enough. It’s time to start using multi-factor authentication (MFA, sometimes called “two-factor authentication,” or 2FA), but doing it using text messaging is not safe; the Internet bad guys have hacked that old method to pieces.
Instead, we should move to using authenticator apps like Authy, or “secure tokens” like YubiKey. Last week, we looked at Authy. This week, we’ll look at YubiKey.
Manufactured by global authentication company Yubico, a YubiKey device looks like a flash drive you would plug into a USB port. It also has near-field communication capability (NFC) that lets it communicate wirelessly with a phone, within a range of about two inches or less. Wireless access keycards and “tap and go” credit cards use the same technology.
To set up your YubiKey, visit yubico.com/start. Pick your YubiKey model and view the instructions. It’s best if you have two YubiKeys, one as your primary key for everyday use, and one as a spare backup key, in case your primary key is lost or damaged. I purchased two YubiKeys from Amazon, so I was ready.
Next, prepare a “trusted device.” “A trusted device is one that is not public and has an up to date operating system with the latest security patches installed,” the website reads. You need an updated PC running Windows 10. A Mac needs to have macOS Catalina or Big Sur with the latest Google Chrome browser installed. I chose a Windows 10 PC using Firefox.
The actual “setup” is determined by the individual services, websites and online vendors that you want to use, and they may all have their own special procedures to use your YubiKey. Sign in to an online account the “old fashioned way,” go to your account settings for that particular site, tell it you want to use a YubiKey, and follow their instructions. Here’s how I approached the process, with Amazon.
After signing in, I selected my Account section, and then Login & Security. Next, I clicked the Edit button next to “Two-Step Verification Settings.” This is the same section where I had successfully set up and used Authy, the MFA app I discussed last week. And, this is where everything started to fall apart. Terribly. “Hell in a handbasket” would not be too extreme of a description.
As it turns out, I had been led astray. I went to the Amazon Login & Security settings page, expecting to be greeted with an option to use not only SMS text-based MFA (bad) and Authentication App-based MFA (like Authy, good), but also Secure Token-based MFA, like YubiKey. Sadly, the option wasn’t there.
Amazon makes a YubiKey setup option available for users of its Amazon Web Services business (the biggest cloud computing service in the world), complete with detailed instructions. There’s also a YubiKey login option for Amazon Sellers, those third-party vendors who sell things on Amazon, again, with nice, detailed instructions. But, after two hours of scouring the Yubico website, Amazon and Google, I could find nothing for regular, everyday Amazon customers like you and me, folks who shop at the Amazon Store.
What?
So, flirting with insanity, I took the only option left to me: I called customer support.
I learned years ago that Amazon actually has customer support phone numbers where you can speak to real humans in a shared language. The number is 888-280-4331. You can also try 206-922-0880.
After the nice Amazon customer support guy attempted to help me for about 45 minutes, he, too, concluded that Amazon did not have a way for normal Amazon Store customers to set up and use what is said to be the world’s best secure token device, YubiKey. There were some work-arounds with multiple extra steps, downloads and hassles that might work, but that’s when I put on the brakes. I decided years ago to only recommend things I have tried personally, and that are easy for everyday folks to figure out. He promised to kick the problem upstairs and get back with me.
We shall see. Until then, forget YubiKey. Meanwhile: everybody set up Authy and start using it, today; it’s great. Be safe, and see you September 29.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org