2024 resolution: Get started with security keys

Martin Shelton

Principal Researcher

Photo by Freedom of the Press Foundation. (CC BY 4.0)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

  • If you’ve ever logged into a bank account on your phone or computer, you were probably asked to enter a short code, sent to your phone, to prove you are the rightful account holder. Congrats, you just used two-factor authentication (2FA)! 2FA is great because it helps harden your account security. But the strongest such option commonly available today depends on a piece of hardware, a security key — a little device you can plug into your USB port to help log in.
  • A few days ago, The New York Times’ Wirecutter shared its new recommendations on security keys. Wirecutter’s top picks included two models of Yubico’s popular YubiKey, both of which can connect to your devices through USB Type-C and wireless NFC to help you log into accounts on your phone or computer. Read the recommendations here.

What you can do

If you’re a journalist or news organization, you are likely at elevated risk of targeted attacks on your professional and personal accounts. This is a great year to finally bite the bullet and try a security key as at least one of your security options. Keep in mind that while authenticating with a security key is one of the strongest options for account security available, it’s not universally supported. So we recommend journalists also enable 2FA and then opt for security keys wherever possible. Check out our guide to comparing 2FA options and how to set them up.

  • Want to learn more about the physical durability of security keys? My colleague David Huerta put them through a number of tests to see how a variety of security key brands held up — including running over them with a car. Spoiler: Some lived! (Side note: We did it before Wirecutter.) Read our blog post about the durability of security keys.
  • You can also use password-free logins with certain types of security keys, allowing you to log into your account by simply inserting your security key into your USB port and tapping the security key’s button. Read our guide to setting up passkeys.
  • If you have extra money, consider getting a second security key as a backup in case you lose the first. If you choose not to get the second key, that’s OK too. Regardless, when setting up your two-factor authentication, you’ll need to save “backup codes”: emergency codes you can use to reenter your account in case you lose your authentication device.

Updates from my team

  • Our digital security training team's fearless leader, Harlo Holmes, will be at FOSDEM 2024. She’ll be at Open Source Symposium Day, where she'll be speaking about the sustainability of open source tools journalists depend on. My colleague Saptak S will also be in attendance to give a talk on OnionShare, an open source tool for securely sharing files. We’ll share more details on their upcoming talks and the event soon. If you'll be in Brussels, Belgium, between Feb. 2-4, come say hi!

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

Read more about Digital Security Digest

When data brokers break

We often talk to newsrooms about dealing with data brokers — companies that aggregate and sell data from commercial and public records. According to recent reporting from TechCrunch, an alleged breach of a U.S. data broker impacted at least 300 million people. Their reporting suggests “mixed results” verifying the authenticity of the data.

Apple's password app

In the hope of simplifying how customers can log into apps and websites, Apple has announced it will offer a new Passwords app in its upcoming versions of iOS 18, iPadOS 18, and macOS 15.

Oops, all breaches!

Data breach notification service “Have I Been Pwned?” has added the login information associated with 361 million email addresses. Have I Been Pwned owner Troy Hunt says as many as 151 million of these unique email addresses have never been seen in his database before. The website boasts tracking over 13.5 billion breached accounts. Some of these credentials are reportedly harvested from users’ devices infected with information-stealing malware.