Securing your identity online has never been more serious. The days when a simple password was all you needed to protect yourself are long gone. Hackers can guess simple passwords within minutes to hours using basic tools, or can swipe them directly from you using various phishing methods if you aren’t paying close attention to everything you click on. This is where solutions like the YubiKey come into play.
2FA (two-factor authentication) and MFA (multi-factor authentication) used to be something we grunted at. Extra steps when logging into a website seemed like an added annoyance for some. However, they keep us safe and make it difficult (and sometimes nearly impossible) for a hacker to gain access to your account. Now it is something that many users prefer to see when registering with a new website or service, especially if you have personally been a victim of everything that has been going on over the years.
Most of these added layers of protection involve adding something in addition to a password. Many times it involves responding to a link or code that is emailed or texted to you. There are also options that include biometrics (fingerprint scanners) or physical digital keys that you have to manually slide into a USB port, which provide an even stronger layer of protection. The latter is what we are focusing on today.
These encrypted keys can be found in various formats, covering everything from USB (USB-A or USB-C) to Lightning, or even both in one. Yubico is also working on a key with a built-in biometric reader (fingerprint), which will really take things up a notch since the key won’t even work without a registered fingerprint (multi-factor authentication). However, that isn’t available yet and there is no word on when it will be released.
The one we have been playing with is the YubiKey 5C NFC. It is a USB-C variant designed to take things one step further by also supporting NFC (near field communication). NFC allows you to tap it to the back of mobile devices that also support NFC, giving you wireless access to the key. This makes it easier to work with multiple mobile devices, even if they do not have a USB port (i.e., iOS devices).
They are designed so that you can carry one around on your keychain like any other key. When you need to log into a website or service, simply take it out and plug it in (or tap it to the mobile device) when it asks for the added authentication step/layer.
It can even be used in place of your password in some cases, although it is still more secure to use both (you can never be too secure when online). You can use it for both personal needs and business requirements, since there is an enormous list of companies and services that support Yubico products.
Learning about the various websites and services that support the keys is part of the setup process. There is actually no registration that happens with Yubico or anything to install. The keys come unique and ready to go from the moment you break them out of the package. You are presented with a database of known websites and services that support YubiKeys that walks you through the unique process of adding your key to each account.
There is a lot that you can choose from and the list is constantly growing. From common names like Google and Microsoft, or financial services and even cryptocurrency exchange services (like Kraken). You can use a YubiKey to log into your computer in place of a password (or along with it), and can even use it as an added layer of protection for popular password managers (like Dashlane, 1Password, Keeper, and LastPass). There are also video game platforms/services that support them and much more.
So does it work? It actually does, and quite well too. We have tried associating the key to multiple services, including ID.me (which can be a bit of a circus at times). The fact that it supports NFC is a major plus if you aren’t one who locks into any specific device ecosystem (i.e., Android/Windows vs. Apple). Since most modern mobile devices support NFC now, this covers most of your angles of use, including both Android and iOS devices.
USB-C is also commonly found in many modern mobile devices (Android smartphones and tablets). It is becoming quite common on laptops and desktop models as well, both Windows and Mac. So having USB-C and NFC support opens you up to a lot of possibilities. Also, NFC results in less wear on the key since you aren’t having to physically slide it in and out of a USB port.
There was only one catch that we could find for using a physical key that offers no registration or software. The idea is fantastic and it works really well. By keeping them isolated from all of that, it increases their security all the more. However, it also means you cannot duplicate them. This means if you lose your key, you lose access to your accounts and have to re-authenticate yourself with all of them.
So the solution recommended by Yubico and just about everyone else is to buy more than one. Again though, you can’t duplicate them (the keys will be unique and not associated with each other). So the idea is to add both keys to whatever websites or services you use. It’s an added step and you’ll be spending more money by buying a backup key, but you can then store one in a safe or lockbox. This way, if you lose your main key, you still have another key that will work on these services. It is a solution, but it means spending twice as much from the start and doubling the setup time for all of your accounts, since you have to add each key separately.
Nothing is perfect and everything is going to come with some sort of catch. That happens to be the catch for this one. However, if you are OK with spending the extra time associating both keys and the little bit of money to buy more than one (you can even use more than two if you want to spread the backups around), using a product like this to secure yourself is incredibly effective compared to relying on text codes being sent to your email or phone.
In some situations, websites you associate the key to might offer you the ability to download backup codes in case you lose access to your selected authentication solution. If so, make sure you do this. Store them in a safe place as a form of backup.
This is an incredibly secure way of locking down your accounts for both personal and business needs. The number of websites/services that support YubiKeys is constantly growing and has become large enough to justify the investment. Simply plug the key into a device or tap it to your mobile device when asked, and it takes just a quick second or less to process.
As techniques to protect your passwords grow, so do the ways of cracking them. So why not protect yourself with something that can’t be copied or accessed by anyone (unless someone physically gets a hold of your key, of course)?
We will continue to play with the YubiKey and let you know if anything changes.
| Authentication Methods | Passwordless, Strong Two Factor, Strong Multi-Factor |
| Identity & Access Management | AWS Identity and Access Management (IAM), Centrify, Duo Security, Google Cloud Identity, Idaptive, Microsoft Active Directory, Microsoft Azure AD, Okta, Ping Identity |
| Productivity & Communication | Google Account, Microsoft account, Salesforce.com |
| Password Managers | 1Password, Dashlane Premium, Keeper, LastPass Premium |
| Function | WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Password |
| Certifications | FIDO 2 Certified, FIDO Universal 2nd Factor (U2F) Certified |
| Cryptographic Specifications | RSA 2048, RSA 4096 (PGP), ECC p256, ECC p384 |
| Design & Durability | Water Resistant, Crush Resistant, No Batteries Required, No Moving Parts |
| Device Type | FIDO HID Device, CCID Smart Card, HID Keyboard |
| Manufacturing | Made in the USA and Sweden |