Understanding the YubiKey: A Distilled Introduction





※ Download: What is yubikey


So I click to the YubiKey page and... This is different from U2F but it in practice it feels very similar. The YubiKey 4 includes most features of the YubiKey Neo, including increasing the allowed OpenPGP key size to 4096 bits vs.


A device like the YubiKey is just that sort of hardware. There are standardized hardware protocols and software interfaces for programming and interfacing with these smartcards over USB. In practice, means having to do a second thing after entering your password to prove it's you.


Understanding the YubiKey: A Distilled Introduction - The two Nano devices are the most diminutive devices in the group and nestle within your USB-A or USB-C slots, easily within reach if you need them often.


No batteries or moving parts. Supports FIDO U2F, FIDO2. Can generate six-digit one-time use passcodes with companion app. Supports multiple protocols for different security roles. Requires effort and education to fully realize its potential. The YubiKey does so much more, too—provided you can take the time to figure it all out. Passwords have been the weak point of security since they were first introduced. Thankfully, the Yubico YubiKey 5 NFC is here to protect our most important accounts and much more besides. The fifth generation of the YubiKey supports FIDO U2F for a secure second-factor authentication and uses NFC to work with your phone. But that's just the start of what this remarkably powerful, and remarkably tiny, device can do. If you're just looking for a simple hardware U2F option, the YubiKey 5 NFC is probably overkill—consider the more affordable Security Key by Yubico or the instead. But if you're already steeped in security wonkiness, you'll love what the 5 NFC has to offer. How Two-Factor Authentication Works While there's a lot you can do with a hardware security key such as the YubiKey, its primary role is as a second factor of authentication. In practice, means having to do a second thing after entering your password to prove it's you. For example: a password, is something you know, and it should exist only in your head or inside a. Biometrics—thingk fingerprint scans, retina scans, heart signatures, and so on—count as something you are. Yubico YubiKeys and their ilk are something you have. Using two factors from this list of three provides greater assurance that you are who you say you are, and that you have authority to access the thing you're trying to access. It's also harder for bad guys to break. An attacker might buy your password from the Dark Web, but she's probably not going to be able to get your security key, too. The authentication provided by 2FA is also ephemeral: it only works once, and usually for only a limited time, for added security. This review looks primarily at hardware 2FA, but there are many ways to add a second factor. Many sites will send you codes via SMS to verify your identity. Apps such as and Authy rely on push notifications which are in theory harder to intercept than SMS messages. Whether you go with a hardware or software solution or a mix of both, do add 2FA wherever you can. When internally, it saw successful account takeovers drop to zero. The Many Flavors of YubiKey Yubico has always offered several sizes and variations of its security keys to fit just about every need. This is great, because consumers and IT professionals can get exactly what they need at a variety of prices. The downside is that browsing the Yubico store is a frequently overwhelming experience. I'll do my best to boil down the basics. The 5 NFC is the only YubiKey to offer wireless communication, but besides that the only difference among these devices is size, price, and USB connector. The two Nano devices are the most diminutive devices in the group and nestle within your USB-A or USB-C slots, easily within reach if you need them often. The YubiKey 5C uses a USB-C connector, is slightly smaller than the 5 NFC, and can hang on your keychain alongside the 5 NFC; it lacks wireless communication. You can, however, connect either the YubiKey 5C or 5C Nano directly to your Android device. What sets the YubiKey 5 Series apart from the competition isn't just the variety of form factors. These devices are real digital security Swiss Army knives. Each one can function as a Smart Card PIV , can generate one-time passwords, support both OATH-TOTP and OATH-HOTP, and can be used for challenge-response authentication. All four devices support three cryptographic algorithms: RSA 4096, ECC p256, and ECC p384. These devices can fit so many different roles, often at the same time—provided you know what you're doing. While the YubiKey 5 NFC is the focus of this review, I have tested the YubiKey 4 Series devices in the past, and these are physically identical to the USB-C and Nano variations of the YubiKey 5 Series. All of them are well-made, clad in black plastic that hides wear, and equipped with hidden green LEDs to let you know they're connected and functioning. The USB-A devices have either a gold strip or disk that you tap, depending on the size of the device. The USB-C devices, meanwhile, have two tiny metal tabs that you tap to authenticate. The USB-A Nano device is harder to remove from a slot than the USB-C Nano device, but the USB-A Nano YubiKey has a tiny hole, so it can be hung from a string or cord, while the USB-C Nano does not. Which YubiKey device you purchase will largely depend on what context you plan on using it. The Nano devices are useful if you plan on using them with a trusted computer, and you know you'll need to access the YubiKey often. The full-size keys are better for hanging on a keyring and keeping close at hand. Hands On With the YubiKey 5 NFC To help you get started, Yubico has created a for new users. Just pick the YubiKey device you have, and the site displays a list of all the places and contexts you can use your YubiKey. Some of these link directly to a site or service's onboarding page, while others provide instructions you have to follow yourself. Setting up the YubiKey as a U2F second factor is very simple. Follow the site or service's instructions and then insert the YubiKey into the appropriate slot when prompted. Just tap the gold disk or metal tabs, depending on the model , and the service enrolls your key. The next time you go to log in, you enter your password and you get a prompt to insert your key and tap. In my testing, I enrolled it as a second factor for a Google Account. When logging in on a desktop computer, I entered my login credentials, and then Google asked me to insert and tap my security key. That's no problem, although I did have to use the Chrome browser to log in. On my Android device, the process is just as simple. When logging in testing, I entered my credentials, and then my phone prompted me to use my security key. I selected NFC from a menu along the bottom, and then slapped the 5 NFC against the back of my phone. It took quite a few tries, but eventually the phone buzzed an affirmative and I was logged in. The YubiKey 5 Series can authenticate you in a number of ways, not just via U2F. With , for instance, you enroll the YubiKey to generate one-time passwords specifically One-time Passwords, but I'll use OTP for brevity with a tap. This is different from U2F but it in practice it feels very similar. Log in to LastPass, navigate to the appropriate part of the Settings menu, click on the text field, and tap the YubiKey. A string of letters spews out, and that's it! Now when you want to log in to LastPass, you'll be prompted to plug in your YubiKey to have it spit out more OTPs. Most of you are probably familiar with Google Authenticator, an app that generates six-digit passcodes every 30 seconds. This technology, more generally, is called and it's one of the most common forms for 2FA used today. Along with a companion desktop or mobile app, Yubico puts an interesting spin on the TOTP system. Plug in your YubiKey, fire up the Yubico Authenticator app, and then navigate to a site that supports Google Authenticator or a similar service. To secure a Google Account, for example, I clicked the option to enroll a new phone with the authenticator app. A QR code usually appears at this point, and the site prompts you to scan it with the appropriate authenticator app. Instead, I selected a menu option in the Yubico Authenticator desktop app and it capture the QR code from my screen. After a few more clicks, the app started providing unique six-digit codes every 30 seconds. The trick is that the Yubico app cannot generate TOTPs without the YubiKey. Instead of storing the credentials needed to create those codes on your computer, the Yubico Authenticator stores that data directly on your YubiKey. Pull it out, and the Authenticator app can't make new TOTPs. That's handy if you're concerned about someone stealing the device you use to generate your TOTPs. You can also lock your YubiKey with a password, so even if it were stolen from you it couldn't be used for generating TOTPs. Yubico also offers a TOTP-generating Android app that works with the YubiKey 5 NFC, to take your TOTPs on the road. When you open the app, it's empty, but slap your 5 NFC against the back and it begins to generate codes. Quit the app, and the codes disappear; you'll have to tap the 5 NFC again. That's less convenient than storing the information in the app itself, but far more secure. These were the scenarios I looked at, but the YubiKey 5 Series can do much more. You can use it as a smartcard to log in to my desktop computer. You can use it log in to SSH servers. You can even generate a PGP key and then use the YubiKey to sign or authenticate. Frankly, however, just getting my head wrapped around the TOTP keys was difficult enough. Although Yubico has lots of documentation and three separate desktop apps and three more mobile apps , it's very difficult to use every facet of the YubiKey without a good dollop of existing knowledge. Yubico has deployed a website to help inform customers about what they can use their key for, and to guide them toward the necessary information. That guidance is great, but it's just guidance, not the hand-holding usually provided by tech products. Using your YubiKey for U2F is also very simple but getting the most out of your YubiKey isn't easy for a novice—or even a security journalist. That gives you a spare right off the bat. On the other hand YubiKey just has more security bang for your buck assuming you puzzle out how to use it all. Both Titan devices can use NFC but, as of this writing, support has not been enabled on Android devices. Google also supplies a USB-C adapter, so you can use your Titan key with just about any device. The Titan keys, however, only support FIDO U2F. That will work for just about every website or service, but they can't be used for TOTPs, OTPs, Smart Card access, and the other protocols supported by YubiKey 5 Series. This USB-A key has the same silhouette as the YubiKey 5 NFC, but can be identified by its handsome blue plastic enclosure, a key glyph on the center button, and the number two etched on its top. As the name suggests, this device supports FIDO U2F and FIDO2, but that's it. The Security Key doesn't support all the protocols of the YubiKey 5 Series, so you can't use it with LastPass or as a smart card, nor can it communicate wirelessly. It also costs less than half the Titan key bundle or the 5 NFC. The YubiKey to Success? The YubiKey 5 Series is a remarkable family of devices that fill a dazzling number of niches. Its most basic use is as a FIDO U2F authenticator or an OTP generator, but it can do so much more. The trouble we've always had with YubiKeys, and Yubico overall, is simply the challenge of figuring out which YubiKey to choose, among the half dozen the company currently offers. Figuring out what you can do with it beyond U2F is doubly challenging. The Yubico devices are excellent, and their documentation improving, but they are definitely designed with security wonks and IT professionals in mind. If you glance over the laundry list of capabilities the YubiKey boasts and understand them, or are at least curious about them, then this is the device for you. You won't be disappointed in this rugged little device. If you know you want to better secure your online accounts, but aren't sure how to go about doing it, you're probably better off with the Google Titan Security Keys or the far more affordable Security Key by Yubico. YubiKeys are an established and mature technology, but we're still exploring this space. As such, we're giving the YubiKey 5 NFC four stars, but are withholding an Editors' Choice award until we've examined more options. Software Analyst Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps. Prior to PCMag, Max wrote...

 


Connected tokens Connected tokens are that are physically connected to the computer to be used. Google also supplies a USB-C adapter, so you can use your Titan key with just about any device. Decryption is not possible, no security threat. So if the phone is lost or stolen, all accounts for which the email is the key can be hacked as the phone can receive the second factor. You can set up your YubiKey for use with password management solutions like Dashlane and LastPass, and developer platforms like Github and Bitbucket. The opponent will gain nothing from sneaky access to the key.