Nothing Says “Happy Mothers Day!” like a Hardware Token of Your Appreciation.

Brian Wills extols the virtues of multi-factor authentication and suggests Mom might like a FIDO U2F token for Mother's Day.

The world is settling deep into the ennui that comes along with prolonged social isolation, a lack of professional (or any) grooming, and uncertainty about the future. Nighttime pajamas have become daytime pajamas. “5 o’clock pants” is the new happy hour.

We’re all talking/typing/video-ing to each other more then we used to, and the mind wanders. You may be thinking things like “What if I called my parents up, unprompted, to say hello and set up two-factor authentication for their gmail over the phone for them. I have nothing else to do. Why not jump into a voluntary, protracted support session?”. Why not indeed! Just as you are about to make the call, an SMS message arrives heralding a new transaction on your credit card…

As businesses adjust to the new regime of curbside pickup and other contactless transactions, the opportunity for fraud has grown. Credit card numbers are being written on pieces of receipt paper all over the country. As we step up the number of card-not-present transactions, some of these pieces of paper will no doubt be mishandled, and you may find yourself ripped from your 2FA daydreams. Logging into your online credit card account you wonder to yourself “Edible arrangements? $276? No way THIS fruitcake ordered THAT fruit basket”.

A simple call to the fraud line on the back of your card stretches into the wee hours. Luckily, it doesn’t matter. You have no plans. Thousands of people just like you are sitting on hold, waiting for their turn to tell someone about the fruit baskets they didn’t order, and will not be paying for. Your turn comes like(and with) the night.

Despite sitting on hold for hours and talking to a fraud specialist about that super expensive fruit basket, you’re somehow still lonely. You want more. Your mind returns to your parents, and how much fun it would be to talk them through some on screen instructions you cannot see in the language you both speak fluently. But then you remembered, Mothers day is coming up(May 10, everybody). Finally, something to break the monotony. Why not step up your mother’s security beyond what a simple SMS-based 2FA code can offer? You still have time to order. Send her a Yubikey!

Once she gets her new Yubikey, you may need to explain what it is. Let’s say you already had 2FA set up for your parents, either via SMS or the authenticator, because you care. They push back on you, asking how is this better and more convenient than simply using your phone. Most people love acronyms and IT jargon, your retired parents are surely no exception. U2F is the new acronym you will want to familiarize them with. Standing for Universal 2nd Factor, the key difference (pun intended), is that U2F uses a digital signature, rather than just a code and passphrase.

An example of how this is better: Your father has clicked a link in an email he received (IT WAS FROM GOOGLE!), asking him to reset his gmail password. Alas, the link does not go to google. It goes to a phishing site which resembles google in nearly every way. It is perfect. Perfectly malevolent. He inputs his password and after a slightly longer delay, an SMS arrives. He inputs the code. The phishing site passes both through to google, and his SMS-based 2FA is defeated.

Later, you spend hours on the phone attempting to help him get access to his email again and secure his other accounts. Luckily, you have nothing better to do during quarantine. If he had been using a Yubikey, the digital signature it passes along would match the phishing site and the google servers will reject it as the stinky phish that it is. You would have to find some other way to consume your free time.

Even those of us who smugly use authenticator apps are vulnerable to a phishing website. Only a U2F digital signature will be resistant to this form of attack. It’s also faster, and works even when you leave your phone somewhere, like in your car, or on that sheet of cookies you just put in the oven (the cookies will also burn, as the timer set on your phone didn’t go off for some reason…oh).

Now that you have your parents on board, it’s time to sit back and stare at the ceiling or the void (if you have one to gaze into). Allow your eyes to unfocus and let them glaze over, and then talk them though the setup.

To begin: Have them visit https://myaccount.google.com/security. Don’t recite the period at the end of the sentence. Once they get there, and are logged in, have your parent scroll down to “Signing in to Google”. If they are already using one touch authentication, they will need to disable it first to add in a hardware key. 2FA via the authenticator or SMS will be unaffected. Instruct them to click the “Add Security Key” link under the Security Key entry. There will be a number of prompts. At the appropriate prompt, they will need to plug in the key, tap on it to show they are present, and give it a name. Once they have clicked through all the prompts, they’re done!

For bonus points, you can remove the SMS 2FA option while you’re here, to protect your dear parent against being sim-swapped. Just be sure to leave the authenticator app option enabled, as a backup. You can also encourage the proper storage of the 2FA backup codes inside of some type of password manager, rather than written on the post-it note stuck to the bezel of the screen. We will address these options another time.

It’s that easy! Now that you’re an expert, consider getting one for yourself as well. There are options other than Yubikey; the important thing to pay attention to is that whatever you buy is FIDO U2F. Happy authenticating!