My smartphone and tablet make it easy to access my Internet accounts, maybe too easy: what happens if my devices fall into the wrong hands, or if a username and password are somehow intercepted?
On my most recent trip, I used a YubiKey Neo one-time password (OTP) generator.
My usernames and passwords are generated and managed by a password manager, LastPass. The passwords cannot be decrypted without my LastPass password, known only to me, and a one-time password that cannot be reused.
Here's how I access my Internet accounts:
- Hold the YubiKey against the back of the device. (I can also use the YubiKey on a regular computer by inserting it into a USB port.)
- Touch the circle in the middle of the key. This wirelessly communicates a single-use password via NFC (near-field communication).
- Enter my LastPass password into the window that pops up.
It's really that easy: fewer taps than hand-entering a username and password.
Usernames and passwords are stored encrypted on my devices and on LastPass servers. LastPass only stores a one-way hash of the LastPass password, not the actual password. If LastPass servers are compromised, my usernames and passwords cannot be decrypted. (OK, maybe by the NSA!)