The YubiKey is a hardware device that generates passcodes for 2-factor authentication (2FA). It is not a password manager and does not store username/password pairs for your online accounts. It is a pure 2FA device that generates HMAC-based One Time Passwords (HOTP) and Time-based One Time Passwords (TOTP) that you can plug (or NFC) into your smart device. The YubiKey is recognized as a human interface device (HID) and delivers password as if the keystrokes are coming from a keyboard.
What is 2FA (2-Factor Authentication)
In traditional online platforms, the username and password pair was used to authenticate a user. As there have been a number of security breaches in cyberspace and hackers are committing cybercrimes to steal personal data from online communities, more and more online platforms are offering a second form of authentication to validate the users from who they claim they are. The use of SMS and email are early form of 2FA offerings, and the current method employ 6-digit passcode generated from software authenticators such as the Google Authenticator, Duo Security and Authy. The industry has expanded to offer a variety of additional authentication methods including biometric (fingerprint and face recognition) and hardware dongle such as the YubiKey. Combined with using strong passwords with an aid of password managers, and adoption of 2FA greatly enhances online security to the next level. 2FA is not currently mandatory for many online services, but everyone should adopt the 2FA service is offered by your online provider.
What is YubiKey?
YubiKey is a small plastic key that resembles a USB stick and provides various interfaces such as USB A, USB C, Lightning, and NFC. It is plugged into a computer, tablet, and smartphone, and completes 2nd form of authentication when required by the online services. YubiKeys is a fully FIDO compliant device that is used to allow users to log in to their accounts without entering passcodes themselves. YubiKeys complies with FIDO standards and supports U2F, FIDO2/WebAuthn, Smart Card, OpenPGP, and OTP protocols.
YubiKey also allows storing static passwords for sites that do not require 2FA, and static passwords can be programmed to YubiKey using the YubiKey Manager software. Although not yet available, Yubico is planning to release YubiKey Bio which is a hardware authenticator with a fingerprint capability.
YubiKey comes in with various Interfaces including USB A, USB C, USB C/Lightning and NFC. YubiKey 5 Series currently do not support a single device that supports both USB A and USB C. You can buy one device type, and use an adapter to convert the interface from one type to another like the picture below.
YubiKey with USB A to USB C adapter
Is YubiKey worth using?
At the time of this writing (1Q2021), the cost of typical Yubikey devices cost around US$50 and there are less than 260 companies natively supporting YubiKey authentication. For those supported, it makes it easier to authenticate yourself by just touching the button on the YubiKey when asked. For those not natively supported, you'll have to install Yubico Authenticator on your desktop (or smartphone) and use it much like the Google Authenticator. Based on the number of companies supporting YubiKey (or any FIDO standards), the benefit of having YubiKey cannot be fully utilized. For this reason, I personally think YubiKey or any other FIDO compatible devices are not yet fully worth the effort of acquiring and using it. Perhaps, a few years down the road when more companies support FIDO standards natively, it can be more beneficial to individuals.
As we depend more on online platforms for managing financial accounts, productive accounts, and social media accounts, it becomes apparent that we must embrace 2FA as the means to tighten our online security. There are many forms of 2FA including SMS, email, software authenticators, and biometric but having a hardware dongle is the easiest and secure way to complete second-factor authentication. YubiKey is not the only hardware device available for 2FA, and there are a handful of companies offering similar devices including Titan from Google, Fido U2F from Thetis, and Verimark from Kensington among many.
Leave a comment
All comments are moderated. Spammy and bot submitted comments are deleted. Please submit the comments that are helpful to others, and we'll approve your comments. A comment that includes outbound link will only be approved if the content is relevant to the topic, and has some value to our readers.