A tiny device you can plug into your computer or simply tap on your smartphone, Yubico’s Yubikey range offers an extra line of defence against hackers.
Relying on passwords alone is no longer enough to keep your online accounts secure. The challenge is not just that strong and complex passwords are difficult to remember, but also that hackers are getting better at tricking us into handing them over via malware or phishing attacks.
Two-factor authentication (2FA), also known as multi-factor authentication, provides an extra security check when logging into your accounts – making it much harder for someone to break in even if they know your login and password.
2FA relies on something you know and something you have. Just one won’t do: you need both to access your account. The something you know is your login and password, while the something you have is usually a one-time code from your smartphone – either sent via SMS or generated by an app.
To make life easier, you can often “trust” your own devices so you only need to use 2FA when logging into an account from a new device for the first time.
Who goes there?
Any form of 2FA significantly decreases your chances of getting hacked, but some are more foolproof than others.
Relying on your smartphone to access that one-time code can be risky. Hackers are known to hijack mobile phone accounts and transfer the number to another handset and SIM, a technique known as SIM jacking or a phone port scam, so they can intercept your 2FA text messages.
Generating one-time codes with an authenticator smartphone app is more secure, as the codes can’t be intercepted in transit, but you can still be left in the lurch if your phone runs flat.
However your one-time code is generated, there’s also a risk that you might be tricked into entering it into a bogus website so hackers can use the code to break into your real account.
Yubikey helps tighten your defences
A Yubikey takes a different approach to 2FA, known as hardware authentication. The “something you have” is a tiny device that’s small enough to fit on a key ring. The keys come with a choice of USB-A, USB-C and Lightning connectors, and some also support NFC wireless, which is similar to tap-and-go credit cards.
You can set up a Yubico security key with a range of services, such as your Google account. Now the next time you log into your Google account from a new device, after entering your login and password, you’re asked to present your security key – by either plugging it in or tapping it. You don’t need to install any extra software on your device.
Rather than relying on you typing in a one-time code, the Yubikey shares a complex code directly with your device to prove your identity. It also works with some password managers, to thwart hackers trying to steal all your passwords.
The security keys don’t rely on a battery, so you don’t need to worry about them running flat. Plus, because you’re not manually entering a one-time code, you don’t need to worry about hackers intercepting the code.
It doesn’t matter if you lose the security key, because it’s only one part of the puzzle and someone can’t use it to access your accounts unless they also know your login and password.
Considering that most services let you trust your devices, so you don’t need to continually use 2FA, you might not see the need for a security key if you rarely log in from new devices – but that misses the point. The benefit of needing a security key in order to log in is that it provides you 24/7 protection against anyone else getting into your account.
With some services, Yubico security keys let you do away with passwords. For example, you can use passwordless authentication with a Microsoft account and passkeys with Apple and Google accounts.
Depending on which Yubico security key you choose, they also support a range of other authentication methods.
Every Yubikey supports the widely used FIDO2/WebAuthn and FIDO U2F standards, which are enough to cover most situations where you need to log into an online account. Some keys also support OATH-TOTP, OATH-HOTP, OpenPGP and smart card authentication (PIV) – although you’re more likely to need these for workplace authentication than for your own personal accounts.
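The difference between a typed one-time code and a security key's response, sketched as an added example (not code from this article or from Yubico): an OATH-TOTP code is accepted wherever it ends up being submitted, while a WebAuthn response names the site it was produced for and the server rejects a mismatch. The domains, secret and challenge are constructed, and the key's signature over the response is assumed to have been verified separately.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: a function of the shared secret and the clock only."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: float) -> bool:
    # The code carries no record of which site it was typed into.
    return hmac.compare_digest(totp(secret, now), submitted)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for the browser and key: the browser, not the page,
    writes the origin, and the key's signature (omitted here) covers both parts."""
    client_data = json.dumps({"type": "webauthn.get", "origin": page_origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
    return client_data, auth_data

def server_accepts_assertion(client_data: bytes, auth_data: bytes,
                             challenge: bytes, origin: str, rp_id: str) -> bool:
    """Relying-party checks, assuming the signature was already verified."""
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == origin
            and auth_data[:32] == hashlib.sha256(rp_id.encode()).digest())

def demo() -> dict:
    secret, now, challenge = b"constructed-secret", 1_700_000_000, bytes(range(32))
    real, fake = "https://accounts.example", "https://accounts-example.test"
    typed_on_fake_site = totp(secret, now)  # the user reads it off the app
    on_real = browser_assertion(real, "accounts.example", challenge)
    on_fake = browser_assertion(fake, "accounts-example.test", challenge)
    check = lambda a: server_accepts_assertion(*a, challenge, real, "accounts.example")
    return {"relayed_totp": server_accepts_totp(secret, typed_on_fake_site, now),
            "key_real_site": check(on_real), "key_fake_site": check(on_fake)}

if __name__ == "__main__":
    print(demo())
```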
One limitation of Yubico security keys is that using one to protect an account relies on the service provider supporting Yubico. Right now that includes around 300 services. If a service provider supports 2FA but not Yubico, you still might be able to use Yubico’s one-time passwords feature or the Yubico Authenticator app.
There are other brands that produce similar hardware authentication devices, too, like Kensington. However, Yubico is almost ubiquitous in the security space, with plenty of options to choose from.