FIDO keys: the best way to protect your passwords, and where to buy them

A worrying number of hacks and break-ins to personal accounts has dominated the news for the last two weeks. While at Ualá cybercriminals managed to empty at least 68 accounts, Mercado Libre suffered a breach in which it admitted that 300,000 accounts were compromised. For this reason, although two-factor authentication (see here) is the key measure for protecting yourself, there are ways to strengthen it further: that is what "FIDO keys" are for.

These devices owe their name to a non-profit alliance of more than 250 members, companies and governments among them, called Fast IDentity Online. In essence, it defines authentication standards based on physical devices that connect by USB or by NFC, that is, by proximity (as when we hold the SUBE card up to the turnstile reader). Interestingly, however, banks and financial institutions in Argentina still do not support this method.

Despite this, experts have long recommended them as a second authentication factor for our accounts: a password plus a FIDO key on the services that support them, such as Windows, Google or the social networks.

Here is what they are, how they are used, how much they cost and where to get them in Argentina.

FIDO keys: what they are and why they are so secure

The keys can have a traditional USB or USB-C connector, like the one on cell phones. Photo: Shutterstock

FIDO-compatible devices serve as a second authentication factor when accessing a personal account. But what is this second factor?

"When it comes to authentication, 'multiple factors' generally refers to more than one of the following: knowledge (what one knows), possession (what one has) and inherence (what one is). The first factor refers to passwords, PINs, etc., which are based on something we must remember," Iván Barrera Oro (Hackan), a software developer specializing in computer security, explains to Clarín.

"The second refers to a unique device that we own, such as a FIDO-compatible key, a cell phone, SMS, a digital app, etc.; and the last refers to what uniquely identifies us among other human beings, that is, biometrics, such as voice, iris or fingerprint," he continues. He also remarks that "it is not very common for a service to require more than two factors to authenticate a user."

Now, something needs to be clarified: each factor can offer more or less security. "For the possession factor, not all variants offer the same level of security: physical keys, for example, are among the most secure, while an application on the cell phone, or even worse, SMS, are among the least," he clarifies.

This is because "it is possible to trick the user into entering these second factors on malicious sites, or even to intercept them in the case of SMS, which is not possible with physical keys. However, any additional factor is better than nothing," the expert argues.

How FIDO keys are used

FIDO key, security device. Photo: Shutterstock

"The operation could be somewhat complex, but its use is very simple: you connect the device via USB or NFC [by proximity] and touch the button it has. That's it for the keys, and it's usually required after entering the first factor (the password, key or PIN)," explains Hackan.

There is also their practicality: while applications like Google Authenticator ask you to type in a 6-digit code that you have to go and look up on the cell phone, the key offers a more direct way to gain access. Of course, always after entering the password: if the FIDO key is stolen, the thief will not be able to do anything with it, since they will also need a password that only we know.
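To make concrete what Hackan means by a second factor that can be tricked out of the user versus one that cannot, and the order "password first, key second" described above, here is an added example that models both logins side by side. It is not code from the article, from Hackan or from the FIDO Alliance. It simulates a FIDO2/WebAuthn assertion and a TOTP code, first from the real site and then from a look-alike page that relays everything to the real site live. Assumptions: the key's ECDSA signature is replaced by HMAC-SHA256 over a secret shared at registration (a real site stores only the public key, never the secret), the rpId is taken to be the page's hostname, and every hostname, user and password is made up.

```python
"""Toy WebAuthn assertion next to a TOTP login, from the real page and from
a phishing page that relays live. Added example; HMAC stands in for the
key's ECDSA signature (assumption), hostnames and users are invented."""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: six digits that carry no notion of where they are typed."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Authenticator:
    """Stand-in for the USB/NFC key: one secret per credential."""

    def __init__(self) -> None:
        self._creds = {}

    def make_credential(self):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = secret
        return cred_id, secret  # the secret leaves the key only in this toy

    def get_assertion(self, cred_id: bytes, rp_id: str, client_data: bytes):
        """Signs rpIdHash || flags || counter || SHA-256(clientDataJSON).
        The key never sees the password; the page origin reaches it only
        through client_data, which the browser (not the page) fills in."""
        auth_data = sha256(rp_id.encode()) + b"\x01" + struct.pack(">I", 1)
        sig = hmac.new(self._creds[cred_id], auth_data + sha256(client_data),
                       hashlib.sha256).digest()
        return auth_data, sig


def browser_client_data(page_origin: str, challenge: bytes):
    """The browser writes the current page's origin into clientDataJSON and
    only lets the page claim an rpId it is entitled to (here: its hostname)."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    return rp_id, client_data


class RelyingParty:
    """The real site: password is the first factor, FIDO or TOTP the second."""

    def __init__(self, origin: str) -> None:
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self._users, self._pending = {}, {}

    def register(self, user, password, cred_id, cred_secret, totp_secret):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, pw_hash, cred_id, cred_secret, totp_secret)

    def begin_login(self, user, password):
        """Checks the first factor and issues a fresh challenge for the second."""
        salt, pw_hash, *_ = self._users[user]
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(attempt, pw_hash):
            return None
        self._pending[user] = secrets.token_bytes(32)
        return self._pending[user]

    def finish_login_totp(self, user, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self._users[user][4], now))

    def finish_login_fido(self, user, client_data, auth_data, sig) -> bool:
        """The checks a WebAuthn verifier performs on an assertion (toy form)."""
        cred_secret = self._users[user][3]
        challenge = self._pending.pop(user, None)
        cd = json.loads(client_data)
        expected = hmac.new(cred_secret, auth_data + sha256(client_data),
                            hashlib.sha256).digest()
        return (challenge is not None
                and cd.get("type") == "webauthn.get"
                and hmac.compare_digest(bytes.fromhex(cd["challenge"]), challenge)
                and cd.get("origin") == self.origin                  # origin binding
                and auth_data[:32] == sha256(self.rp_id.encode())    # rpIdHash
                and (auth_data[32] & 0x01) == 1                      # user presence
                and hmac.compare_digest(sig, expected))


def simulate(phishing: bool, now: int = 1_700_000_000) -> dict:
    """Logs in from the real page (phishing=False) or from a look-alike page
    that relays password, challenge and second factor to the real site live."""
    key, site = Authenticator(), RelyingParty("https://login.example.com")
    cred_id, cred_secret = key.make_credential()
    totp_secret = secrets.token_bytes(20)
    site.register("ana", "correct horse", cred_id, cred_secret, totp_secret)
    page = "https://login.examp1e.com" if phishing else site.origin
    challenge = site.begin_login("ana", "correct horse")  # password relayed as typed
    # TOTP: the attacker forwards the six digits; the site cannot tell.
    totp_ok = site.finish_login_totp("ana", totp(totp_secret, now), now)
    # FIDO: the browser on the phishing page writes *its* origin and rpId.
    rp_id, client_data = browser_client_data(page, challenge)
    auth_data, sig = key.get_assertion(cred_id, rp_id, client_data)
    fido_ok = site.finish_login_fido("ana", client_data, auth_data, sig)
    return {"totp": totp_ok, "fido": fido_ok}


if __name__ == "__main__":
    print("real page:    ", simulate(False))  # both factors accepted
    print("phishing page:", simulate(True))   # TOTP relayed, FIDO rejected
```

The relayed TOTP code passes because six digits say nothing about the page they were typed on. The relayed FIDO assertion fails even though the user touched the key and the signature is valid: the browser wrote the phishing origin into clientDataJSON and the key hashed the phishing hostname into rpIdHash, so the real site's origin and rpId checks reject it. The key alone never logs anyone in: begin_login refuses to issue a challenge without the correct password.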

What services allow you to use FIDO keys

Windows, Google, Facebook, Yahoo, LinkedIn and almost all of the most widely used social networks and services adhere to the FIDO standards, that is, they allow you to use this method.

But here comes the problem: "Unfortunately almost no financial institution supports it, even though these protocols are approaching a decade of existence. It should be noted that in the case of home banking, most Argentine banks long used a card with a table of codes, but it is not really a second authentication factor because of the way it is used; they have now migrated to using mobile applications," Barrera Oro criticizes.

In other words: one of the most sensitive online services we use, the one that handles our money, cannot be linked to a key compatible with the FIDO standards.

Which ones to buy, and where

FIDO keys are available on Mercado Libre. Photo: Mercado Libre

On popular e-commerce sites like Mercado Libre it is possible to get these keys. The most popular is the Yubico YubiKey, which starts at 9,600 pesos. Depending on the model and its functions, it can cost more than 20,000.

"It is recommended to buy the devices from trusted stores, official ones if possible, since one could end up buying a malicious replica. All manufacturers have control and certification mechanisms to prevent these situations, and in general a device can be verified through the manufacturer's website," Hackan warns.

But here is a key point: once purchased, the key is verified with the manufacturer. If it is genuine, it is ready to use in just a few steps. If not, it is rejected: for this reason, it is important to check it as soon as we have it, so that it can be returned if there are problems.

The alternative is to buy them from the official stores of the brands that make them: YubiKey 5, Librem Key, Nitrokey 3, Feitian ePass, among others.

"It is very likely that they ship to the country, so it is not superfluous to make the purchase directly on the official sites, and in any case to check the package on receipt to detect whether or not it was tampered with in transit," he adds.

What if I lose my FIDO key?

Authentication methods always have a recovery procedure that must be followed to the letter. Photo: AFP

Perhaps this is the most important question: losing it is a real possibility. In that case, we will not be able to access our account, because we will lack the second authentication factor that we ourselves enabled.

"It is inconvenient because if the service is not well designed and has not asked the user for a backup factor, the user will be unable to access their account and will have to contact the support department," the expert warns.

"However, most services that use more than one authentication factor use more than one secondary factor, for example a physical key, a mobile application, a printed table of coordinates, an email address, a cell phone number for SMS or a voice call, among other options," Barrera Oro explains.

In this way, like any second authentication factor, it has a recovery path: a series of backup codes that the system will ask us to save.

And those, after all, are safer written down on paper than stored in some online service.
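For the backup codes just described, here is an added example (not code from the article or from any particular service) of how a well-designed service handles them: they are generated once, shown to the user once so they can be written down, stored only as salted hashes, and each one is accepted a single time. The code format, the alphabet and the in-memory store are assumptions for illustration.

```python
"""Recovery codes as a backup second factor: issued once, stored hashed,
redeemable once. Added example; format and storage are assumptions."""
import hashlib
import hmac
import secrets

# Assumed alphabet: no 0/O, 1/l/i look-alikes, so codes survive handwriting.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash(code: str, salt: bytes) -> bytes:
    """Slow salted hash; hyphens are ignored so 'abcde-fghjk' == 'abcdefghjk'."""
    return hashlib.pbkdf2_hmac("sha256", code.replace("-", "").encode(), salt, 20_000)


def issue_codes(n: int = 10, groups: int = 2, group_len: int = 5):
    """Returns (plaintext codes to print on paper, hashed entries to store).
    The plaintext list is shown to the user once and never kept server-side."""
    codes, stored = [], []
    for _ in range(n):
        code = "-".join("".join(secrets.choice(ALPHABET) for _ in range(group_len))
                        for _ in range(groups))
        salt = secrets.token_bytes(16)
        codes.append(code)
        stored.append({"salt": salt, "hash": _hash(code, salt), "used": False})
    return codes, stored


def redeem(stored, attempt: str) -> bool:
    """Accepts a code once and marks it spent; a reused or unknown code fails."""
    attempt = attempt.strip().lower()
    for entry in stored:
        if entry["used"]:
            continue
        if hmac.compare_digest(_hash(attempt, entry["salt"]), entry["hash"]):
            entry["used"] = True
            return True
    return False


def remaining(stored) -> int:
    """How many codes are still unused, so the user can be told to reissue."""
    return sum(1 for entry in stored if not entry["used"])


if __name__ == "__main__":
    on_paper, on_server = issue_codes()
    print("write these down:", *on_paper, sep="\n  ")
    print(redeem(on_server, on_paper[0]), redeem(on_server, on_paper[0]))  # True False
    print("codes left:", remaining(on_server))
```

Storing only the hashes means a database leak does not hand an attacker a working second factor, and marking each entry as used means a code read off a photographed sheet of paper cannot be replayed after the owner has used it.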

By Editor
