Merge pull request #28 from lukasz-a-krol/main

link fixes + updated note on physical security keys

content/chapters/chapter-2.en.md

@@ -53,8 +53,8 @@ _Two-factor authentication_
 - You can add more than one 2FA option to an account. For example, an authenticator app and a security key. This is important because it stops people from being locked out of their accounts should they lose access to one form of their 2FA.
 - If a company offers 2FA it should also offer the option of saving a backup code or backup codes for that account. These are a one-time code that can be used should the journalist be unable to access their form of 2FA.
 - While SMS is suitable for the majority of people they may not be secure for journalists facing threats from government actors or other very highly skilled actors. This is because the code could be intercepted or accessed via the tele-communications company. When teaching about 2FA, emphasize that SMS-based 2FA is far better than having no 2FA at all, but that we heavily encourage journalists to take up other forms of 2FA instead.
-- Where possible, encourage journalists to use an authenticator app. These are easy to set up and free to use. There are a number of apps available, and it's easiest to go with a mainstream one like Google Authenticator.
-- Security keys are physical devices that you link to your accounts. To link the key to your account you have to insert the key into your computer or phone, go to the account you want to add the key to and follow the steps to set up 2FA. It is advisable to have more than one key linked to the account in case of loss or theft. Keep one key with you, for example on your keychain, and store the other key somewhere safe. Once set up, when you log into your account you will need your email address, your password and you may be prompted to insert your security key. Security keys are an effective way to prevent phishing attacks. For more details, see the information on phishing below.
+- Where possible, encourage journalists to use an authenticator app instead of SMS codes. These are easy to set up and free to use. There are a number of apps available, and it's easiest to go with a mainstream one like Google Authenticator.
+- Security keys are physical devices that you link to your accounts. They are the most secure option, along with passkeys. To link the key to your account you have to insert the key into your computer or phone, go to the account you want to add the key to and follow the steps to set up 2FA. It is advisable to have more than one key linked to the account in case of loss or theft. Keep one key with you, for example on your keychain, and store the other key somewhere safe. Once set up, when you log into your account you will need your email address, your password and you may be prompted to insert your security key. Security keys are an effective way to prevent phishing attacks because, unlike SMS or app codes, it is not possible for an attacker to intercept the signal they send and use it to log in on your behalf.
 
 _Passwords_
 
@@ -141,7 +141,7 @@ The following templates and tools can be useful for teaching this session:
 
 The following resources may be helpful for teaching this chapter:
 
-[Create and maintain strong passwords](https://securityinabox.org/en/passwords/passwords-and-2fa/) by Security in a Box
+[Create and maintain strong passwords](https://securityinabox.org/en/passwords/passwords/) and [Use Two-Factor Authentication](https://securityinabox.org/en/passwords/2fa/) by Security in a Box
 
 [Using password managers to stay safe online](https://ssd.eff.org/module/animated-overview-using-password-managers-stay-safe-online) by the Electronic Frontier Foundation