Almost no one takes their security seriously. I know there are certain people that think storing passwords written down in an actual book is a good idea — that these timeless invocations whispered in taps to Amazon, Bank of America, or Google by their very presence save them from the glasses-and-trenchcoat-dressed “hackers.” These are the same people that ignore piles of pending security updates and whole inches of screen space lost to browser toolbars. You just can’t make people storing their banking credentials in plain text notes saved to iCloud or Drive care about their security because any loss of convenience for them is a non-starter. But almost every adult carries around a set of keys for their car or home, and there’s a solution they can use which is every bit as convenient as that.

I implore every person reading these words to just buy a YubiKey and set up every service they can to use it.

You need two-factor authentication, and a hardware key is the best

It’s the single simplest way to augment your online security, and with all the constant hacks and the legitimately incredible lack of even basic security standards at so many companies, you need to have something other than just a password standing between the world and any digital account you value past $20. There are a lot of things you can add to the equation and multiple 2FA (two-factor authentication) systems you can adopt, like SMS and email-based methods. But your security is only as good as the solution you choose, and a hardware key is the best choice.

Admittedly, not every company out there supports 2FA or even hardware token-based 2FA. There’s a great public list of 2FA-compatible online services I recommend checking against, but most of the more popular non-financial services support two-factor authentication. It’s embarrassing how little American banks care about their customers, as only Bank of America supports big-boy hardware security keys, and even ostensibly online-first banks like Ally, SoFi, and Capital One are stuck firmly in some 2002-era vision of the internet. The best you can hope for there is SMS-based verification, which is a pretty bad idea, given how little security the carriers have.

So far as I can tell, just like the banks, the carriers don’t actually care about you — just look at the constant stream of hacks and basic failure to meet even elementary security standards. We’re all just a source of revenue in exchange for overpriced data sitting in columns on a quarterly financial report. The carriers can and will hand your number off to anyone with the savvy to call in, Google your name, and attempt an even half-hearted imitation. Don’t trust them.

Metaphorically, your phone number is basically as safe as your wallet, and you can be robbed, pickpocketed, and burgled. Just as you probably wouldn’t feel safe carrying around thousands of dollars in cash all the time, don’t trust your phone number as the last line of security for anything high-value like an important online account.

A hardware 2FA security key is convenient — you don’t have anything extra to remember and it’s just like carrying around your house key. If it’s stolen, someone can’t just magically get into your account. They need your other credentials as well, and it serves as a final, difficult-to-duplicate barrier. Even if your username and password end up in a malicious actor’s hands, they can’t get in without that jangling dongle in your pocket.

The coming passwordless standards also mean that using a hardware security key can actually be more convenient than remembering and tapping in a dumb long password — just input your user name, pop in the key, and you’re good to go. It won’t need to be changed every three or six months based on some obnoxious policy, it won’t end up hacked or phished, and you won’t have to juggle yet another password or deal with a password manager. It will be the epitome of convenience and every bit as secure.

Seriously, buy a YubiKey

I said “Buy a YubiKey” earlier, but I should stress that I don’t particularly like Yubico more than other hardware 2FA companies. Really, any recent hardware 2FA key is fine as long as it plays nice with FIDO2 and WebAuthN (for the upcoming passwordless standards) and supports the ports you need. But YubiKeys are sold in more places, they tend to release models supporting newer standards more quickly, they offer a wider range of ports for device compatibility, their products are externally audited, and they’re mostly black, so they don’t get stained or show as much wear as lighter-colored models might. (They also have fun stickers to make your keys a little less boring — maybe dBrand should look into that.)

A collection of hardware two step verification keys (2SV) rest on a striped black, orange, and yellow surface.

Buy a YubiKey 5 Series

Starting at $45 from Yubico

I personally recommend the YubiKey 5C or YubiKey 5C NFC, but you should choose based on what devices you use. If you’ve got older computers, something with USB Type-A could be important, and if you have an iPhone, the YubiKey 5Ci with its Lightning connector might be necessary. I also recommend that you get at least two, leaving a backup at home in case your keys get lost. If money is tight, get the more basic $29 Type-C model — it doesn’t support all the standards the more expensive ones do, but it’ll be fine for 99% of people.

Last year, I also reviewed a keychain that’s specially made to fit YubiKeys. You really don’t need to buy one, but it’s snazzy, not too expensive, and fits YubiKeys together with your own standard-sized keys very well.

Buy Yubikey 'Security Key Series'

Starting at $25

A YubiKey is an easy choice, but you can just as easily get a different brand if a fancy color catches your eye, or you’d just like to be a mild contrarian. Google, Feitan, Kensington, and a lot of companies make or resell models, and this is one area where you should avoid the no-name Amazon special. But this is my final piece of advice to you: Buy a two-factor hardware security key.

And with that, goodbye

I have more takes and more advice (both good and bad), though I’ll have to keep both to myself from here on out. I have “pulled a Dieter,” and the next time you hear from me outside my regular stream of cabin-related Twitter content, I’ll be equal parts excited and terrified with my new digs at OSOM. (As some of you may have noticed, that’s why I haven’t written about them in some time, and that was a decision made with attention and care on the part of Android Police.)

On my way out the door, I’ve got a few last hot takes that I no longer have to come up with elaborate arguments to defend. I get to live out every blogger’s greatest fantasy: Getting the first and last word in.

  • The Essential PH-1 in Ocean Depths is the most beautiful single smartphone ever made and nothing else comes close, sorry.
  • Android phone haptics will always have a lower ceiling for quality than the iPhone’s until Google makes a concerted effort to make haptics a bigger and more granular part of Android itself. There's a whole world of haptic texture and variety out there, and we just get the basic shake.
  • Android wasn’t good until 4.0/ICS.
  • Samsung isn’t enough to sustain the Android tablet ecosystem, and even with Android 12L, Google hasn’t done enough to incentivize development on either software (through tablet layout apps) or hardware. Foldables are the last hope, and if they don’t take off, Android’s big-screen dreams are screwed.
  • Paper boxes, recycled aluminum and plastic in phones, and skipping the charger in the box isn’t eco-friendly; it’s greenwashing bullshit so long as companies still set arbitrarily close death days for updates. Saving a few grams of plastic or paper means almost nothing for the environment or climate if you’re getting rid of a whole-ass phone in a few years, and the companies know it.
  • While macOS does countless things dumb, bad, and wrong, MacBooks are the only good laptops.
  • There’s no such thing as “an Android” or “Androids.” They’re Android phones, period.
  • If Apple actually cared about customer privacy, it would adopt RCS, but it’s only paying lip service in ways that damage its competitors (as in “do not track”) to look good. Stop falling for it.
  • Relatedly, there’s no way to make privacy appealing short of an existential crisis like a massive hack.
  • Bits are bits and bytes are bytes; Nest Aware storage should just be part of Google One.
  • The world needs a real YouTube competitor — Google basically has a monopoly. I nominate Amazon/Twitch, which could step in and fill that void pretty easily.
  • Camera hardware almost barely matters now; software is so much more important. You all need to stop getting upset that phones ship with “old” sensors — if anything, it means the manufacturer has tuned its processing to suit it even better.
  • Relatedly, the rise of computational photography as the avenue for almost all of the recent gains in photo quality in smartphones means “Pro” camera modes are an anachronism — you don’t actually want that level of control, even if you think you do. (But other ways to offer similar controls under this new paradigm could be useful, like what Google’s doing.)
  • Carriers are wielding certification for VoLTE and 5G as a weapon to force manufacturers to do what they want (and include dumb/expensive technologies like mmWave). Someone in a position to effect positive change needs to take control of the situation for the good of customers and market competition.
  • Google’s success with Android means that it can’t understand the difference between a platform and a product (or, at an executive level, can’t make decisions that escape this conflation), and that will continue to ruin Pixel, Nest, etc. in subtle but significant ways until the company gets it.
  • Tied to the above, Google can’t “win” on Android: If it starts to wield GMS certification as a bigger stick and carrot to make smartphone manufacturers stop making bad and dumb changes (as it should), it will face increased regulatory scrutiny as a bigger gatekeeper in the platform (which is a problem). But Google’s already making so many integral parts of the platform proprietary and part of Play Services that the argument of Android as an open platform is already bunk — there’s “Android” and then there’s Google’s Android, and the latter is empirically all that matters in the market. Google should probably be broken up into smaller companies.
  • Where are the better third-party app store integrations for the Android platform you promised in 2020, Google?
  • And WHERE is the Inbox-like bundling Google promised for Gmail in 2018?!

That’s it from Ryne Hager at Android Police, though you might see a few lingering stories from me landing in the upcoming weeks as drafts for other subjects work their way through the editing process.

It's been five years, and I’ll miss advocating for your obscenities, crapping all over the things you love, writing steamy love letters to my Android wife, and endlessly shilling for Google. Or is it Samsung? Maybe it’s OnePlus today. You guys will have to tell me.

But trust me on the YubiKey.