Product Review: Yubikey 5

For years, as a security professional I have told people that they need to start using multi-factor authentication (MFA) if they aren’t using it already. A username and password is the weakest form of credential, and we really need to get better about securing our online identities. MFA comes in several forms. Some people/orgs opt to use SMS text messaging; this method is the least secure. Other common methods are authenticator apps like Google Authenticator and Authy, or push approvals like Duo or the WordPress app.

What is a Yubikey and why should I get one?

The Yubikey gives you the ability to securely store/generate secrets in a hardware-based key. While software authentication apps are certainly better than no MFA, they are still potentially vulnerable to hacking attempts, and if lost could be difficult to recover from. Since you can use more than one Yubikey, you don’t have to be concerned about losing a single key if you have two of them. If a hacker compromises your device, the Yubikey will protect your identities, as you must physically touch the contact on the Yubikey to log in. This keeps a remote hacker from logging into your account.

What do I need to use a Yubikey?

For some services, you will need a browser that supports FIDO U2F. Currently, that is limited to the Google Chrome browser, although there are reports that Firefox is developing support for it as well. You will also need a Yubikey. You can use the Yubikey with Windows, Linux and macOS, and there is some support for Android phones and iPhones.

The Yubikey 5 Series

The Yubikey 5 series adds capabilities that the older models lacked, such as FIDO2 / WebAuthn and NFC (on specific models). Why is FIDO cool? Because it allows passwordless logins! The Yubikey 5 also supports FIDO U2F, PIV, OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response.
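The touch requirement described above is visible to the website as a flag in the WebAuthn authenticator data, and the site is expected to check it before accepting a login. The following is an added example (not from the original post or from Yubico) of the relying-party side of that check: it parses the fixed part of the FIDO2/WebAuthn authenticator data, confirms the User Present bit was set and that the key's signature counter moved forward. The relying party id `example.com` and the sample data are constructed for the example.

```python
import hashlib
import struct

# WebAuthn authenticatorData, fixed part (37 bytes):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
FLAG_UP = 0x01  # User Present: the key's contact was touched
FLAG_UV = 0x04  # User Verified: a PIN or biometric was also checked
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(data: bytes) -> tuple[bytes, int, int]:
    """Split authenticatorData into (rpIdHash, flags, signCount)."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return data[:32], data[32], sign_count


def check_assertion(data: bytes, rp_id: str, stored_count: int,
                    require_uv: bool = False) -> str:
    """Relying-party checks run before trusting an assertion.

    Returns "" when the assertion is acceptable, otherwise the reason
    it must be rejected. The signature itself is verified separately.
    """
    rp_id_hash, flags, sign_count = parse_authenticator_data(data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch: assertion was made for another site"
    if not flags & FLAG_UP:
        return "User Present flag clear: the key was not touched"
    if require_uv and not flags & FLAG_UV:
        return "User Verified flag required but clear"
    # A counter that fails to increase is a sign of a cloned credential.
    if (sign_count or stored_count) and sign_count <= stored_count:
        return "signature counter did not increase: possible clone"
    return ""


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData for the example (no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) \
        + struct.pack(">I", sign_count)


if __name__ == "__main__":
    touched = build_authenticator_data("example.com", FLAG_UP, 5)
    untouched = build_authenticator_data("example.com", 0, 6)
    print("touched:", repr(check_assertion(touched, "example.com", 4)))
    print("untouched:", repr(check_assertion(untouched, "example.com", 5)))
```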

This post covers specifically the models that I purchased, the Yubikey 5 NFC and the Yubikey 5 Nano. I will discuss what I liked or disliked about each. The services that I have added the Yubikeys to so far support more than one Yubikey, which allows you to have one at home and one for mobile. That is the use case I was tackling, because I am constantly on the go. I also wanted a backup key so that if I lost one, I could still get into my accounts and revoke access from the lost key.

Yubikey 5 NFC

I chose the Yubikey 5 NFC because I wanted to use a Yubikey with the LastPass vault on my iPhone (at the time of this writing, this was the only option for iPhone), and also have a Yubikey to travel with when using my MacBook abroad. I needed it to be sturdy and easy to use.

Pros:

  • Small form factor, but not so small you will lose it
  • Contact is easy to touch, and even lights up which makes it easier if you are working in a darker room
  • Easy to add the Yubikey NFC to accounts
  • At $45 (Amazon.com) it is an affordable option for most home/professional users

Cons:

  • Apps on the phone don’t necessarily support the Yubikey even though the web application does (e.g., Facebook)
  • Thin enough that I was a little concerned about sturdiness when traveling. I bought a small hard shell case for it.


Yubikey 5 Nano

I chose to look at the Yubikey 5 Nano because I wanted a small form factor Yubikey for my desktop. I wasn’t worried about losing it, since it isn’t going to move around much. Let me tell you…it is tiny! It works really well though. The contact that you touch when authenticating is on the end, and is easily accessible on the front of my PC.

Pros:

  • Tiny…doesn’t stick out from my PC very far
  • Contact is easy to touch
  • Adding the Yubikey Nano to accounts was simple
  • At $50 (Amazon.com) it is an affordable option for most home/professional users

Cons:

  • Due to its small size, it’s difficult to grip to pull it out of the USB slot


Note: I did not receive anything from Yubico in exchange for this review. I bought both of my Yubikeys. The skin on the Yubikey 5 NFC was a free item that they were giving out at the 2019 RSA Conference, but that was in exchange for my information so they could call me later. They did not solicit this review in any way, shape or form. 🙂