Today we’re taking a look at the YubiKey 5 series from Yubico; in particular the YubiKey 5C NFC and the YubiKey 5Ci.
Now if you have no idea what these are, don’t be afraid, you’re definitely not alone. I’ll do my best to explain what they are and why you should consider using them to tighten up your online security & safety.
What is a YubiKey?
To explain that we’ll need to talk about two-factor authentication, or 2FA as it’s more widely known, and those annoying websites that send us codes to type in after our passwords via text, email or apps like Google Authenticator and Authy.
Those codes are only valid for a short amount of time and that extra layer of security is great, but they can also be easily accessed by hackers, especially if you receive them via email or SMS. In fact SMS is probably the worst way and has led to many of the major security breaches in the past decade.
Enter Yubico and the YubiKey. Using the simplest of simple explanations these guys act as a key. When you turn that key by plugging it into your computer or tapping it against your phone it unlocks access to the special one-time codes stored on it.
The codes are displayed via the Yubico Authenticator app which, if you’ve used Google Authenticator, looks & works pretty much identically. All the YubiKeys are doing is moving the storage of the secrets used to generate the codes into hardware instead of software.
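As an added illustration (not part of the original review and not Yubico's code), here is how the time-based codes described above are derived under RFC 6238, and how a site checks them. The function names are my own and the secret is the RFC's published test value, not a real account. Anyone holding a copy of the secret computes the same codes, which is why where that secret is stored matters.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as used by common authenticator apps."""
    counter = unix_time // step  # number of 30-second windows since the epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int,
           step: int = 30, drift_windows: int = 1) -> bool:
    """Server-side check: accept the current window plus a little clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + w * step, step), code)
        for w in range(-drift_windows, drift_windows + 1)
    )


# Constructed sample: the test secret published in RFC 6238.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Two timestamps two seconds apart that straddle a 30-second boundary.
    before, after = 1111111109, 1111111111
    print("code before boundary:", totp(SECRET, before))
    print("code after boundary: ", totp(SECRET, after))

    # The old code is still accepted with one window of drift allowed,
    # and rejected when the server allows none.
    old_code = totp(SECRET, before)
    print("accepted with drift:   ", verify(SECRET, old_code, after))
    print("accepted without drift:", verify(SECRET, old_code, after, drift_windows=0))

    # A copied secret yields identical codes on any device.
    copied = bytes(SECRET)
    print("copy matches:", totp(copied, before) == totp(SECRET, before))
```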
Going beyond TOTP
To be fair, that’s just one way of using a YubiKey. In addition to handling one-time passwords they also support a variety of new authentication protocols with cool names that’ll mean nothing to most, like FIDO & U2F. What they mean to you & me is that if you’re using websites that support them, like Twitter, Google and Facebook, just plugging in your YubiKey and tapping it authenticates you without having to open another app or type in another code.
Which YubiKey is right for you
There are a variety of YubiKeys available depending on what phone and/or computer you’re using. For example, the 5C NFC has a USB-C connector, but can also be used with newer Android & Apple phones with their NFC sensors. The 5Ci, on the other hand, has a USB-C & Lightning connector, whereas the nano range is designed to discreetly plug into your computer via USB-A or C.
Yubico have a really good tool on their website that’ll help you pick the best key for you depending on what devices you plan on using it with and how you’d like it to work. For me, using a MacBook Pro and iPhone the 5C NFC is my favourite, but I could just as easily use the 5Ci.
What if I lose my key?
All of that sounds great, but I can hear most of you asking the same question as me when I first looked into them. What happens when you lose your key?!
Well, it’s basically the same thing as when you lose your phone or somehow accidentally delete the Google Authenticator app. Ideally you have your 2FA backup codes somewhere safe. You have them, right? If you’re nodding your head, you’ll be using one of them to get into your account, disable & re-enable 2FA on a new key and voilà!
If you’re not nodding, well, that’s a different story and depending on the website you’re now locked out of you’ll go through some recovery process. This is no different to if someone hacked your email or spoofed your phone number to stop you getting codes. It can be a painful process so save those backup codes!
YubiKeys offer a new option though and that is simply to buy more than one. Having a backup YubiKey means that when you add a new website to your Yubico Authenticator you need to do it again for your backup, but it’s a hell of a lot more convenient than going through recovery processes let me tell you!
For the security-savvy among you, you’re probably screaming that 2FA apps like 1Password and Authy allow you to sync your 2FA codes across multiple computers & devices, and that’s 100% correct. You essentially have as many backups as you do devices that have access, but for each of those devices you’re also x number of times more vulnerable to being compromised. A physical entry point significantly narrows your exposure.
Another layer of security is a must!
In today’s world there is absolutely no reason to not use 2FA. Usernames & passwords are compromised so often these days we’ve basically become desensitised to it. A good GPU will crack a password hash in seconds, so having another layer of security is an absolute must.
For many that might be taking their first step into not adding “1” to the end of the same password they use everywhere, for others that’s making use of a password manager like LastPass or 1Password. For those that want to go one step further, and I highly encourage you to do so, a YubiKey that starts around A$70 is the best way to do it.
Yubico YubiKey 5C NFC
- Design: 4/5 Good
- Features: 4/5 Good
- Performance: 4/5 Good
The Good
- Small, lightweight & near indestructible
- Connects to all modern devices easily
- Physical security at its best
The Bad
- Yubico Authenticator app is just "ok"
- Isn't mainstream for setup & use