2024 resolution: Get started with security keys

Martin Shelton

Principal Researcher

Photo by Freedom of the Press Foundation. (CC BY 4.0)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

  • If you’ve ever logged into a bank account on your phone or computer, you were probably told to enter into the app a short code that was sent to your phone, so that you can prove you are the rightful account holder. Congrats, you just used two-factor authentication (2FA)! 2FA is great because it helps harden your account security. But the strongest such option commonly available today depends on a piece of hardware, a security key — a little device you can plug into your USB port to help log in.
  • A few days ago The New York Times’ Wirecutter shared its new recommendations on security keys. Wirecutter’s top picks included two kinds of models of Yubico’s popular YubiKey, both of which support connections to your devices through USB Type-C and wireless NFC to help log into accounts on your phone or computer. Read the recommendations here.

What you can do

If you’re a journalist or news organization, you are likely at elevated risk of targeted attacks on your professional and personal accounts. This is a great year to finally bite the bullet and try a security key as at least one of your security options. Keep in mind that while authenticating with a security key is one of the strongest options for account security available, it’s not universally supported. So we recommend journalists also enable 2FA and then opt for security keys wherever possible. Check out our guide to comparing 2FA options and how to set them up.

  • Want to learn more about the physical durability of security keys? My colleague David Huerta put them through a number of tests to see how a variety of security key brands held up — including running over them with a car. Spoiler: Some lived! (Side note: We did it before Wirecutter.) Read our blog post about the durability of security keys.
  • You can also use password-free logins with certain types of security keys, allowing you to log into your account by simply inserting your security key into your USB port and tapping the security key’s button. Read our guide to setting up passkeys.
  • If you have extra money, consider getting a second security key as a backup in case you lose the first. If you choose not to get the second key, that’s OK too. Regardless, when setting up your two-factor authentication, you’ll need to save “backup codes” — emergency codes you can use to reenter your account in case you lose your authentication device.

Updates from my team

  • Our digital security training team's fearless leader, Harlo Holmes, will be at FOSDEM 2024. She’ll be at Open Source Symposium Day, where she'll be speaking about the sustainability of open source tools journalists depend on. My colleague Saptak S will also be in attendance to give a talk on OnionShare, an open source tool for securely sharing files. We’ll share more details on their upcoming talks and the event soon. If you'll be in Brussels, Belgium, between Feb. 2-4, come say hi!

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.


