How YubiKey Saved My Google Account from Being Stolen

Security column · March 25, 2026 · 5 min read · Popular

I got a suspicious SMS code one day and realized someone was trying to hijack my account. Luckily I had a YubiKey enrolled — it blocked the phishing attempt cold. Here’s my story and why you need hardware 2FA.

That Afternoon, I Got a Mysterious SMS

“Your Google verification code: ******.” I hadn’t requested it. Then an email said “New sign‑in attempt.” I rushed to Google’s security page and saw someone trying to log in with my password, but 2FA blocked them.

Why YubiKey Beats SMS

SMS can be SIM‑swapped, and a phishing site can trick you into typing a code that the attacker then relays to the real site. YubiKey uses FIDO2, where the credential is bound to the site's domain: the browser only lets a page on the real domain use it, and the key's signed response names that domain, so the genuine site can tell a relayed response from a look‑alike site apart. Even if they had my password, they couldn't bypass the hardware key.
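To make the "only the real website" part concrete, here is a toy model of the FIDO2/WebAuthn assertion flow, written for this post as an added example (it is not code from the post's author, Yubico or Google). The domain names are constructed, and the authenticator's signature is an HMAC stand‑in for the real ECDSA signature a YubiKey produces; the data that gets signed and the checks the relying party performs follow the WebAuthn assertion flow. It runs four scenarios: a genuine sign‑in, a phishing page that asks for the real site's RP ID, a phishing page that asks for its own RP ID, and a phishing page that relays a response signed under its own domain.

```python
"""Toy model of why a FIDO2 assertion from a phishing page is rejected.

Added example, not the original post's code. Domain names are constructed;
the HMAC is a stand-in for the key's real asymmetric signature.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                       # constructed relying party ID
RP_ORIGIN = "https://example.com"           # the only origin the RP accepts
PHISH_ORIGIN = "https://example-login.net"  # constructed look-alike site


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ToyAuthenticator:
    """Stands in for the hardware key: one credential per RP ID."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, secret)

    def make_credential(self, rp_id: str):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, secret)
        return cred_id, secret  # secret plays the role of the public key here

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self._creds:
            return None  # the key holds nothing scoped to this RP ID
        cred_id, secret = self._creds[rp_id]
        # authenticatorData = SHA-256(rpId) || flags (user presence set) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return cred_id, auth_data, hmac.new(secret, to_sign, hashlib.sha256).digest()


def browser_get(auth: ToyAuthenticator, page_origin: str, rp_id: str, challenge: bytes):
    """The browser, not the page, fills in the origin and polices the RP ID."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not a suffix of the page's host")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    result = auth.get_assertion(rp_id, client_data)
    if result is None:
        return None
    cred_id, auth_data, sig = result
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: bytes, registered: dict) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, presence, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:          # signed origin must be the real site
        return False
    ad = assertion["authenticatorData"]
    if not hmac.compare_digest(ad[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False                           # rpIdHash must be the real RP ID
    if not ad[32] & 0x01:
        return False                           # user presence (the touch) required
    secret = registered.get(assertion["id"])
    if secret is None:
        return False                           # unknown credential
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(secret, signed, hashlib.sha256).digest(),
                               assertion["signature"])


def run_scenarios() -> dict:
    key = ToyAuthenticator()
    cred_id, secret = key.make_credential(RP_ID)
    registered = {cred_id: secret}
    results = {}

    # 1. Genuine sign-in from the real site.
    ch = secrets.token_bytes(32)
    results["genuine"] = rp_verify(browser_get(key, RP_ORIGIN, RP_ID, ch), ch, registered)

    # 2. Phishing page relays the real challenge and asks for the real RP ID:
    #    the browser refuses because its host is not under example.com.
    ch = secrets.token_bytes(32)
    try:
        browser_get(key, PHISH_ORIGIN, RP_ID, ch)
        results["phish_real_rpid"] = "assertion produced"
    except PermissionError:
        results["phish_real_rpid"] = "browser refused"

    # 3. Phishing page asks for its own RP ID: the key has no credential for it.
    results["phish_own_rpid"] = browser_get(key, PHISH_ORIGIN, "example-login.net", ch)

    # 4. Even if the key held a credential for the phishing domain, the signed
    #    origin and rpIdHash name the wrong site, so the real RP rejects it.
    key.make_credential("example-login.net")
    relayed = browser_get(key, PHISH_ORIGIN, "example-login.net", ch)
    results["phish_relayed"] = rp_verify(relayed, ch, registered)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The point the post makes shows up in scenarios 2 to 4: an SMS or TOTP code is just a number the user can be talked into typing anywhere, whereas the FIDO2 response carries the domain the browser was actually on, and nothing the phishing page does can change that field.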

How I Secure My Accounts Now

  • Every service that supports FIDO2 (Google, GitHub, Cloudflare, Bitwarden): YubiKey
  • Everything else: TOTP (Authy), with SMS disabled wherever the service allows it
  • Recovery codes printed and stored in a drawer

Common Misconception

People think hardware keys are inconvenient, but it's just plug in and touch, which takes seconds. One YubiKey can store unlimited accounts, and there are no QR codes to scan as with TOTP.

If that attack had succeeded, my email, cloud storage, even bank accounts would be at risk. Still gives me chills.

💡 Tip: Buy two YubiKeys, one for daily use and one as a backup. If you lose one, use the backup to remove the lost key from your accounts immediately.