Perhaps the hardest thing to do in a consumer review of the Yubico YubiKey is to explain what it does and its use cases – why you need this security device to supplement or replace passwords.
Yubico YubiKey can replace passwords and do a lot more to keep your data safe in Windows, Android, iOS, macOS and Linux.
Yubico YubiKey (website here) documentation is terribly complex, talking about FIDO/2 (Fast IDentity Online), OTP, CCID, OpenPGP, PIV, OATH-TOTP and various combinations of them all.
In layman's terms, let me explain: a door is the best analogy for perimeter security (e.g. entrance through the door).
- If it has no lock, it is insecure (no password)
- A generic key/lock is easy to pick, so it is insecure (easy password)
- Add a deadlock to the generic key, and it is harder to pick and more secure
- Add biometric or other means (locked bars) to a deadlock and generic key, and it becomes impossible to break (secure)
- Or what if, before a person could unlock everything and gain access, you get a text to verify their bona fides? (two-factor authentication, and that is one of YubiKey's main jobs)
But that does not stop criminals simply breaking down the door, coming in through the windows, or making a hole in the wall or roof. Security needs to be holistic and is only as good as its weakest point. So now you add security cameras, motion/infra-red heat detectors, and more.
That is the same analogy as using smartphones, smart devices like tablets, PCs and TVs that have access to our Microsoft, Google, Apple, Linux or other email/cloud accounts that store all our private information.
Sure, you can add a password, PIN, pattern, fingerprint or face scan to a device, but that is only perimeter security. What if a thief steals the device while it is still logged in or cuts your finger off to use fingerprint access?
Once inside your home (or PC) – by whatever means – a thief can steal anything they see. In computing, that means anything you are logged in to – mail, cloud, local storage, network storage, banking (especially if, like most, you let the device remember your passwords).
YubiKey 5 controls access to the device and most of your on-device and online assets.
What is YubiKey 5?
It comes in four main formats – two are for USB-A ports, and two are for USB-C. Two of these are key style (one with NFC), and two are for leaving in a device. They all do the same thing, and there is a comparison chart here.
You can set it up to provide:
- Single-factor authentication, e.g. to replace a user name/password
- Two-factor authentication (2FA) – use both a user name/password and a YubiKey
- Multi-factor authentication (passwordless, PIN and YubiKey)
Either place the YubiKey into a USB-C or USB-A slot or use NFC (smartphone must have NFC to work with YubiKey) – that is it.
- Launch Microsoft Edge (Windows 10 version 1809 or later)
- Go to the Microsoft account page
- Sign in as you normally would
- Click on Security > More security options, select Set up a security key.
- Identify what type of YubiKey you have (USB or NFC) and select Next.
- Setup begins, and you insert or tap your YubiKey 5. This generates a unique public-private key pair between your YubiKey and your Microsoft account, and only the YubiKey stores the private key. The private key never leaves the device. The public key is stored with the Microsoft service so that it can verify your authentication.
- You then set a unique PIN to protect your key. This PIN is stored on the YubiKey, not with your Microsoft account.
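The key-pair arrangement described in the setup steps can be modelled in a few lines. This is an added example, not code from Yubico or Microsoft: it is a simplified simulation in Node.js rather than the real WebAuthn/CTAP message format, and the class names and the `login.example` origin are assumptions made for illustration.

```javascript
// Simplified model of security-key sign-in (not the real WebAuthn/CTAP wire format).
const crypto = require("crypto");

// The "key": generates and holds the private key; only the public key is exported.
class SecurityKey {
  constructor() { this.credentials = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.credentials.set(origin, privateKey);
    return publicKey; // the only thing the service ever receives
  }
  sign(origin, challenge) {
    const privateKey = this.credentials.get(origin);
    if (!privateKey) return null; // no credential for this site (e.g. a look-alike domain)
    return crypto.sign("sha256", Buffer.concat([Buffer.from(origin), challenge]), privateKey);
  }
}

// The service: stores the public key and verifies a signature over a fresh challenge.
class Service {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() { this.pending = crypto.randomBytes(32); return this.pending; }
  verify(signature) {
    if (!this.pending || !signature) return false;
    const data = Buffer.concat([Buffer.from(this.origin), this.pending]);
    this.pending = null; // single use: a captured response cannot be replayed
    return crypto.verify("sha256", data, this.publicKey, signature);
  }
}

function demo() {
  const key = new SecurityKey();
  const site = new Service("https://login.example"); // constructed origin
  site.enroll(key.register(site.origin));

  const goodSig = key.sign(site.origin, site.newChallenge());
  const ok = site.verify(goodSig);
  const replay = site.verify(goodSig); // same response, challenge already consumed
  const phish = key.sign("https://login.examp1e", site.newChallenge()); // look-alike origin
  return { ok, replay, phished: site.verify(phish) };
}
```

The service never holds anything that can sign on your behalf, so a breach of its stored public keys does not let an attacker log in as you.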
Using YubiKey does not exclude but can replace PIN, password, fingerprint or facial recognition methods. Use it with or instead of them.
Then you can go to most services and look for the option to set up a hardware key.
Android, iOS and macOS users can access this setup via an app from their respective app stores.