Perhaps the hardest thing to do in a consumer review of the Yubico YubiKey is to explain what it does and what its use cases are: why you would need this security device to supplement or replace passwords.
Yubico YubiKey can replace passwords and do a lot more to keep your data safe in Windows, Android, iOS, macOS and Linux.
Yubico's YubiKey documentation is terribly complex, talking about FIDO and FIDO2 (Fast IDentity Online), OTP, CCID, OpenPGP, PIV, OATH-TOTP and various combinations of all of them.
In layman's terms, let me explain. A door is the best analogy for perimeter security (entrance is through the door).
If it has no lock, it is unsecured (no password).
A generic key/lock is easy to pick, so it is insecure (easy password).
Add a deadlock to the generic key and it is harder to pick, so it is more secure.
Add biometric or other means (locked bars) to the deadlock and generic key, and it becomes impossible to break in.
Or what if, before a person could unlock everything and gain access, you got a text to verify their bona fides? That is two-factor authentication, and it is one of the YubiKey's main jobs.
But that does not stop criminals simply breaking down the door, coming in through the windows, or making a hole in the wall or roof. Security needs to be holistic and is only as good as its weakest point. So now you add security cameras, motion/infra-red heat detectors, and more.
The same analogy applies to the smartphones and smart devices like tablets, PCs and TVs that have access to our Microsoft, Google, Apple, Linux or other email/cloud accounts, which store all our private information.
Sure, you can add a password, PIN, pattern, fingerprint or face scan to a device, but that is only perimeter security. What if a thief steals the device while it is still logged in, or cuts your finger off to use your fingerprint?
Once inside your home (or PC), by whatever means, a thief can steal anything they see. In computing, that means anything you are logged in to: mail, cloud, local storage, network storage, banking (especially if, like most people, you let the device remember your passwords).
YubiKey 5 controls access to the device and to most of your on-device and online assets.
What is YubiKey 5?
It comes in four main formats: two are for USB-A ports, and two are for USB-C. Two of these are key style (one with NFC), and two are designed to be left in a device. They all do the same thing, and Yubico provides a comparison chart.
You can set it up for:
Single-factor authentication, e.g. to replace a user name/password
Two-factor authentication (2FA): use both a user name/password and a YubiKey
Multi-factor authentication (passwordless, PIN …)
Either place the YubiKey into a USB-C or USB-A slot or use NFC (the smartphone must have NFC to work with the YubiKey), and that is it.
To set it up with a Microsoft account: click on Security > More security options, then select Set up a security key.
Identify what type of YubiKey you have (USB or NFC) and select Next.
The setup begins when you insert or tap your YubiKey 5. This generates a unique public-private key pair for your Microsoft account; only the YubiKey stores the private key, and it never leaves the device. The public key is stored with the Microsoft service so that it can verify your logins.
You then set a unique PIN to protect your key. This PIN lives on the YubiKey, not with your Microsoft account.
Using a YubiKey does not exclude PIN, password, fingerprint or facial recognition methods, but it can replace them: use it with or instead of them.
Then you can go to most services and look for the set-up of a hardware
Android, iOS and macOS users can access this setup via an app from their respective app stores.
What if I lose the Yubikey?
Buy at least two keys and register them with each device.
Lose both, and you are screwed! Well, not really, but you would have to reset your entire password and security
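To make the setup and login steps above concrete (the key pair generated at registration, the private key that never leaves the key, the PIN that guards it, and why a second registered key still gets you in if the first is lost), here is an added Go model of the exchange. It is example code written for this review, not Yubico's or Microsoft's, and it stands in for the real FIDO2 protocol with a simplified Ed25519 challenge-response; the PINs, challenge bytes and type names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models one YubiKey: the private key and PIN live here and never leave it.
type Authenticator struct {
	priv ed25519.PrivateKey
	pin  string
}

// RelyingParty models the online service: it stores only public keys, one per registered key.
type RelyingParty struct {
	creds []ed25519.PublicKey
}

// NewAuthenticator generates the key pair on the "device" and sets the PIN that guards it.
func NewAuthenticator(pin string) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: pin}, nil
}

// Register is the "set up a security key" step: the service receives the public key only.
func (rp *RelyingParty) Register(a *Authenticator) {
	rp.creds = append(rp.creds, a.priv.Public().(ed25519.PublicKey))
}

// Sign signs the service's random login challenge, but only after the PIN check passes.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("wrong PIN: user verification failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Verify accepts the login if any registered key signed the challenge, so a spare key still works.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	for _, pub := range rp.creds {
		if ed25519.Verify(pub, challenge, sig) {
			return true
		}
	}
	return false
}
```

A real service issues a fresh random challenge for every login, so a captured signature cannot be replayed, and the key only ever answers a challenge for the site it was registered with.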
Why would you use it?
For Joe and Jane Average, the answer is that you would not. Perhaps if you share the same device and want to protect your accounts from your respective partners. If you have multiple computing and smart devices, it may be handy. If you have lots of online accounts like Facebook, Twitter, Dropbox, banking etc., it may be handy.
But the real user is someone who understands the value of the devices and data it can protect. You will also need to be a little tech-savvy to make the most of what this device can do. Single-factor password replacement is the most basic use.
If I were Yubico I would spend a lot of money and time writing a micro-site that Joe and Jane Average could understand, with no jargon for starters. But that may not be their audience!
I suspect the real users are more enterprises with vast computing assets, hot desking and dealing in commercially sensitive information.
But Yubico says:
YubiKeys are relevant to individuals, not just enterprises. Since everyone conducts their lives online these days, the risk of a data breach affecting a company like Facebook, Twitter, Google, Instagram, Westpac, CommBank and so on, where logins, passwords and credit card details are stolen, is more likely than ever before, and since people often use the same password it puts them at greater risk. Therefore it is more important than ever to know that your online accounts are properly protected, and since mobile devices are now being cloned and used to log into them, you don't even know it has happened to you until it is too late and your money is gone.
The YubiKey USB-A NFC (the most popular) is A$61.50 from M.Tech Australia and on Amazon. The USB-C and Nano designs are slightly more expensive. There are no ongoing fees for its use, but there may be fees for password managers etc., if you use them as well.
At that price, it is not too much of a stretch to buy and try; with a little tech-savvy it will become your default security.
Rock-solid perimeter, on-device and online security
More secure than an SMS for 2FA
Tested on Windows Surface Pro 5 and Samsung Galaxy Note9: all fine, but I can't vouch for macOS and iOS.
Having a key in a sole USB-A (we are talking about you, Surface Pro) or USB-C port can be a pain
Don't lose the key: buy at least two
Be prepared to invest lots of time to set it up for all online assets
Google accounts only work via the Chrome browser at present (Firefox may have a plug-in)