YubiKey has been around for a few years now, and Yubico is perhaps the leader in tap-to-authenticate, hardware-based 2-factor authentication.
2-factor authentication has boomed in recent years as both companies and consumers finally realised it was time to take cybersecurity seriously. The trend has been leaning towards phone-based 2FA, with companies like Google and Facebook adopting the tap-to-accept model. SMS and email are still popular but have serious security issues themselves.
It would appear the phone model wasn’t the best solution for Google’s own employees. Back in July 2018, Google revealed the extreme effectiveness of FIDO Universal 2nd Factor (U2F) security keys against phishing within the company. This, therefore, led Google to launch their own Titan Security Key, only to recall and replace them due to a Bluetooth vulnerability (doh!).
For your average users, faffing around with security measures is a headache. I think most non-techy people I know still don’t bother with 2FA as they are too lazy. So selling them on the idea of a hardware-based solution is not easy; at the same time, phone-based solutions could give a false sense of security.
In recent weeks a cautionary tale has occurred that should make you sceptical of the phone-based solution. An unfortunate individual was hit by a SIM-swap attack, which is when an unauthorised individual ports a targeted phone number (usually tied to a two-factor authentication method attached to another account, the goal of the attack) to another SIM, surreptitiously redirecting that number to a new device. SIM-swap attacks often occur via social engineering, with carrier support agents performing the switch in the belief they're operating under the instruction of the account holder. Once an attacker has access to your number, it opens you up to a whole world of hacks, and any SMS-based 2FA is entirely vulnerable. Quite often accounts will use your number for password resets etc. Social engineering also becomes a lot easier when calls come from the number on record.
The hackers were able to access the Google account of the individual, which then gave them access to all his backed-up phones and all the sensitive documents in his Google Drive, including things like tax returns, bank account information, and other account passwords.
His financial accounts used SMS 2FA and thanks to that the hacker even tried to perform an ACH transfer of $25,000 out of the person's bank account.
So now we have established that SMS 2FA is bad and Google's Titan is/was flawed, what about Yubico?
For this review I was supplied with YubiKey 5 Series devices: one is the NFC model, the other the tiny USB-C based 5C. There is not much to review with these little devices; they do one job, do it simply and do it well, hence the preface to the review.
The blurb from Yubico states:
Multi-protocol security keys, providing strong two-factor, multi-factor and passwordless authentication, and seamless touch-to-sign. Supports FIDO2, FIDO U2F, one-time password (OTP), and smart card, choice of form factors for desktop or laptop.
- Stops account takeovers
- Multi-protocol support; FIDO2, U2F, Smart card, OTP
- USB-A, USB-C, NFC
- Single key pricing starts at $45
With most laptops and recent motherboards, the USB-C model is the perfect solution for any computer-based 2FA. The key is smaller than the NFC model, and I feel more confident about not snapping it off. Its overall form factor is nicer, and the USB-C design means you don’t get frustrated when trying to plug it in. There is even a nano model which is designed to be left permanently in your computer.
Setup varies depending on your application. The most obvious one is Google: all you need to do is log in to myaccount.google.com, go to security, add a security key and follow the instructions. I did this on the desktop, so I just inserted the key when requested (for both models).
And that’s about it. Whenever a new login occurs, you just tap the button, and that’s that.
Yubico has a handy set-up page which points you in the right direction for enabling their hardware on a variety of services.
YubiKey 5 NFC
With our reliance on mobile phones, the NFC model is perhaps more useful. You can use it just the same as the USB-C model, but when logging into accounts on your phone, you can tap the key to the back of your phone to log in.
Yubico has its own authenticator app, which allows you to store OATH credentials, keeping them secure even if your phone becomes compromised.
For the security conscious, the Yubico range of products is the superior solution to 2FA. The biggest downside is (for me) convenience. While tapping the key is about as simple as it gets, I rarely carry anything other than my phone with me, and this, therefore, is why phone-based authentication is so good. Depending on the application you can fall back to other methods, but then you need to take the security into account: there is not much point having hardware 2FA if a hacker can then select the phone-based method.
Overall though, Yubico has an excellent range of products, at multiple price points to suit any need. By all accounts, they are the market leader for this technology, and this method of 2FA is the most secure on the market. So if you take security seriously, then you should really consider investing in one of these keys.
For business use, I would also say these are absolutely essential. I occasionally work from an office doing white label work and my Google account with them is bound to my mobile. This would be a disaster for them if they lost access to my mobile. With a physical key, you could have staff leave their keys in a secure place, and not force staff to use personal phones for work-related purposes. One option could be to have two keys, one that the staff member keeps and another that the business keeps secure (as you can have two keys on one Google account).
YubiKey 5 NFC & 5C review
- Overall - 92%
Summary: YubiKey products are the most secure way of using 2FA. It is moderately more inconvenient than using your phone, but the security is worth it. For anyone that has their life tied to a Google account, I would argue it is an essential investment.