Just published 15,000+ words on security keys. 🔐📱💻

With SIM attacks at their highest, now is a great time to take a closer look at your online security.

Removing SMS from your two-factor auth is a start, but authenticator apps have downsides too...


Just look at these headlines from recent SIM swap and port attacks.

It's all too established for attackers to find ways to socially engineer control of your phone number and start gaining control of your accounts.

I first talk about some general security tips.
Unfortunately not all websites let you remove your phone number from accounts.

You may consider migrating your phone carrier to @googlefi , which requires email account access to do anything (and can be locked down with security keys and even Advanced Protection)
Beyond SMS, I talk about issues that TOTP authenticator apps (the code generators) have as a form of two-factor auth. They're so, so much better than relying on SMS for your second factor but they still have issues like utilizing shared secrets and lacking phishing prevention.
Enter security keys!

Utilizing public key cryptography they don't have any shared secret between the client and the server. They prevent phishing by taking the website domain into account.

Even if you get tricked by a clone phishing website, your key won't.
Keys have been around for a while under various names and technologies. Recently it was FIDO U2F + CTAP1 but now we have FIDO2 WebAuthn with CTAP2..

It's all very confusing...
Security keys are great for two-factor auth but FIDO2 has a vision for more: support for platform authenticators (like fingerprint readers and other biometrics) as well as being able to use them for "passwordless" authentication. https://t.co/qHI8n8x8m6
But this area is still nascent. Plagued by years of sub-par security key support across browsers. Things have been getting better in recent years with recently updated NFC support on iOS 13 but it's still a waiting game until things are made easier.
Which brings the question.. Why must I carry around an extra device just to be safe online?

You shouldn't. WebAuthn aims to change that.

But for now, security keys—combined with strong online security best practices—are a great way to fortify your regular online activities.
This article was so long (like all of mine) that I took the time to build this little fly-out table of contents browser 🤣
I also went out of my way to design these little security key icons in figma while I was writing this 😍 cc @Yubico

More from Tech

I think about this a lot, both in IT and civil infrastructure. It looks so trivial to “fix” from the outside. In fact, it is incredibly draining to do the entirely crushing work of real policy changes internally. It’s harder than drafting a blank page of how the world should be.

I’m at a sort of career crisis point. In my job before, three people could contain the entire complexity of a nation-wide company’s IT infrastructure in their head.

Once you move above that mark, it becomes exponentially, far and away beyond anything I dreamed, more difficult.

And I look at candidates and know-everything’s who think it’s all so easy. Or, people who think we could burn it down with no losses and start over.

God I wish I lived in that world of triviality. In moments, I find myself regretting leaving that place of self-directed autonomy.

For ten years I knew I could build something and see results that same day. Now I’m adjusting to building something in my mind in one day, and it taking a year to do the due-diligence and edge cases and documentation and familiarization and roll-out.

That’s the hard work. It’s not technical. It’s not becoming a rockstar to peers.
These people look at me and just see another self-important idiot in Security who thinks they understand the system others live. Who thinks “bad” designs were made for no reason.
Who wasn’t there.
So we had to develop technologies like this to barely manage control over limited areas in Iraq's few urban centers. Only ~8 in 100 Iraqi adults owns a personal vehicle. That rate is > 1 car/adult in America yet I have never seen any doctrine paper or work of fiction address this

We've seen and struggled in civil conflicts with instant, local, universal, distributed communications (cell phone era, basically every conflict since 2000). We've seen and struggled in conflicts with instant, global, universal distributed communications (everything since 2011).

The world's most overfunded military and glow in the dark agencies struggle and largely fail to contain conflicts where fhe vast, vast majority of people are locked into a ~5mi radius of their home.

How can they possibly contain a conflict in a nation with universal car ownership and the most developed road network in the world? The average car can travel over 400 miles on one tank of gas, how can you contain the potential of that kind of mobility?

I think that's partially why the system was so freaked out by 1/6. Yes, most of it is histrionics but you don't decide to indefinitely turn your capital into the Baghdad Green Zone with fortifications and 25k troops over histrionics alone.

You May Also Like

Viruses and other pathogens are often studied as stand-alone entities, despite that, in nature, they mostly live in multispecies associations called biofilms—both externally and within the host.


Microorganisms in biofilms are enclosed by an extracellular matrix that confers protection and improves survival. Previous studies have shown that viruses can secondarily colonize preexisting biofilms, and viral biofilms have also been described.

...we raise the perspective that CoVs can persistently infect bats due to their association with biofilm structures. This phenomenon potentially provides an optimal environment for nonpathogenic & well-adapted viruses to interact with the host, as well as for viral recombination.

Biofilms can also enhance virion viability in extracellular environments, such as on fomites and in aquatic sediments, allowing viral persistence and dissemination.