And the password is Yubico YubiKey 5

YubiKey

Perhaps the hardest thing to do in a consumer review of the Yubico YubiKey is to explain what it does and use cases – why you need this security device to supplement or replace passwords.

Yubico YubiKey can replace passwords and do a lot more to keep your data safe in Windows, Android, iOS, macOS and Linux.

Yubico YubiKey (website here) documentation is terribly complex talking about FIDO/2 (Fast IDentity Online), OTP, CCID, OpenPGP, PIV, OATH-TOTP and various combinations of all.

In layman’s terms let me explain: A door is the best analogy of perimeter security (e.g. entrance through the door).

  • If it has no lock it is unsecure (no password)
  • A generic key/lock is easy to pick, so it is insecure (easy password)
  • Add a deadlock to the generic key it is harder to pick and is more secure
  • Add biometric or other means (locked bars) to a deadlock, and generic key makes it impossible to break (secure)
  • Or what if before a person could unlock everything and gain access, you get a text to verify their bona fides? (two-factor authentication and that is one of YubiKeys main jobs)
YubiKey

But that does not stop criminals simply breaking down the door

Or coming in through the windows or making a hole in the wall or roof. Security needs to be holistic and is only as good as its weakest point. So now you add security cameras, motion/infra-red heat detectors, and more.

That is the same analogy as using smartphones, smart devices like tablets, PCs and TVs that have access to our Microsoft, Google, Apple, Linux or other email/cloud accounts that store all our private information.

Sure, you can add a password, pin, pattern, fingerprint or face scan to a device but that is only perimeter security. What if a thief steals the device while it is still logged in or cuts your finger off to use fingerprint access?

Once inside your home (or PC) – by whatever means – you can steal anything you see. In computing that means anything you are logged in to – mail, cloud, local storage, network storage, banking (especially if like most you let the device remember your passwords).

YubiKey 5 controls access to the device and most of your on-device and online assets.

What is YubiKey 5?

It comes in four main formats – two are for USB-A ports, and two are for USB-C. Two of these are e key style (one with NFC), and two are for leaving in a device. They all do the same thing, and there is a comparison chart here.

YubiKey

You can set it up to provide

  • Single-factor authentication, e.g. to replace a user name/password
  • Two-factor authentication (2-F-A) – use both a user name/password and a YubiKey
  • Multi-factor authentication – (Passwordless, Pin and YubiKey)

Either place the YubiKey into a USB-C or USB-A slot or use NFC (smartphone must have NFC to work with YubiKey) – that is it.

Setup

For Windows 10 (version 1809 or later)

  • Launch Microsoft Edge (Windows 10 version 1809 or later)
  • Go to the Microsoft account page
  • Sign in as you normally would
  • Click on Security > More security options, select Set up a security key.
  • Identify what type of YubiKey you have (USB or NFC) and select Next.
  • The setup begins where you will insert or tap your YubiKey 5 Key. This generates a unique public-private key pair between your YubiKey and your Microsoft account, and only the YubiKey stores the private key. It never leaves your device. The public key is stored with the Microsoft service to allow for verification of your authentication.  
  • You then set a unique PIN to protect your key. This PIN is on the YubiKey—not with Microsoft accounts.  

Using YubiKey does not exclude but can replace PIN, password, fingerprint or facial recognition methods. Use it with or instead of them.

Then you can go to most services and look for set up of a hardware key.

YubiKey

Android, iOS and macOS users can access this setup via an app from their respective app stores.

What if I lose the Yubikey?

Buy at least two keys and register them with each device. Lose both, and you are screwed! Well, not really but you would have to reset your entire password and security ecosystem.

Why would you use it?

For Joe and Jane Average the answer is you would not. Perhaps if you share the same device and want to protect your accounts from your respective partners. If you have multiple computing and smart devices, it may be handy. If you have lots of online accounts like Facebook, Twitter, Dropbox, banking etc., it may be handy.

But the real user is someone who understands the value of the devices and data it can protect. You will also need to be a little tech-savvy to make the most of what this device can do. Single-factor password replacement is the most basic use.

If I were Yubico I would spend a lot of money and time writing a micro-site that Joe and Jane Average could understand – no jargon for starters. But that may not be their audience!

I suspect the real users are more enterprises with vast computing assets, hot desking and dealing in commercially sensitive information.

But Yubico says

YubiKeys are relevant to individuals, not just enterprises. Since everyone conducts their lives online these days, the risk of a data breach that affects a company like Facebook, Twitter, Google, Instagram, Westpac, CommBank and so on where logins, passwords and credit card details are stolen, is more likely than ever before and since people often use the same one it puts them at greater risk. Therefore it is more important than ever to know that your online accounts are properly protected and since mobile devices are now being cloned and used to log into them, you don’t even know it has happened to you until it is too late and your money is gone.

Price (from Yubico store)

YubiKey USB-A NFC (the most popular) is A$61.50 from M.Tech Australia and on Amazon. The USB-C and Nano designs are slightly more expensive. There are no ongoing fees for its use, but there may be fees for password managers etc, if you use them as well.

At that price, it’s not too much of a stretch to buy and try – with a little tech-savvy it will become your default security.

Pro

  • Rock solid perimeter, on-device and online assets
  • More secure than an SMS for 2-F-A
  • Tested on Windows Surface Pro 5 and Samsung Galaxy Note9 – all fine but I can’t vouch for macOS and iOS.

Con

  • Having a key in a sole USB-A (we are talking about you Surface Pro) or USB-C port can be a pain
  • Don’t lose the key – buy at least two
  • Be prepared to invest lots of time to set it up for all online assets
  • Google accounts only work via Chrome browser at present (Firefox may have a plug-in)