Does YubiKey Make Two-Step Authentication Less Annoying?

With the number of hacking incidents increasing day by day, everyone should be using two-step/two-factor authentication (2FA). It adds a bullet-proof layer around your online account, which makes it extremely difficult, if not impossible, for a hacker to penetrate.

But many people are put off from using 2FA, simply because of the inconvenience of having to get a second code from their phone, every time they want to log in. So people either disable the feature, or don’t bother setting it up in the first place. But you should, as many companies are now getting on board with the idea.

If you count yourself in the “easily inconvenienced” group, then you’ll be happy to hear that there is another option instead of 2FA. This option keeps your account just as secure, but all you need to do is press a button and you’re in. It’s called the YubiKey, and after a few days of using it, I am already converted. Baby, you had me at hello.

What Is a YubiKey?

A YubiKey is a USB-like stick, made by the company Yubico. They make various products, all of which do similar jobs. But for the purposes of this article, I am going to focus on the FIDO U2F (Universal 2nd Factor), which is the one I received. It’s easy to set up and use, and is apparently indestructible.

From the site:

“All YubiKeys are nearly indestructible. The standard-sized YubiKey (such as the YubiKey Standard, YubiKey NEO, YubiKey Edge, and FIDO U2F Security Key) is made of injection-molded plastic encasing the circuitry, while the exposed elements consist of military-grade hardened gold. Waterproof and crushproof, the standard-sized YubiKey attaches to your keychain alongside your house and car keys”.

It’s quite a small, delicate looking thing, and you would be forgiven for doubting the “indestructible” claim. Weighing only 3 grams, its measurements are just 18mm x 45mm x 3mm. But this little key, along with storing all my passwords in KeePass, has suddenly made signing into accounts pain-free and annoyance-free. Google and Facebook use the YubiKey for employee credentials, so the concept has some very heavy hitters behind it, backing it up. Google introduced it for their users in 2014.

How Does It Work?

The YubiKey is a piece of hardware which supports one-time passwords, public key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance. You can use it to securely log in to your supported accounts by using a one-time password or a FIDO-based public/private key pair generated by the device. After inserting the key, you press the gold button and the touch of your finger gives off a small electrical charge which activates the device.

How Do You Set It Up?

A YubiKey is very easy to set up, as you will see below. A U2F key works for Google Accounts, Dropbox, GitHub, and Dashlane. For the purposes of this article, I am going with Google accounts, but the others will more or less follow the same procedure. Just different screenshots.

Head towards your Google 2-Step Authentication page, and click on the Security Keys tab.

This then takes you into the setup page. Follow the instructions as laid out on the page. It’s all very basic and straightforward.

When the key has been successfully registered, the “Register” key at the bottom will turn green and show “Registered”. If it doesn’t, start again from the beginning until it does.

You can check to see if the key has been successfully registered by going back to the Security Keys tab.

And that, ladies and gentlemen, is it.

What If You Sign In Using a Smartphone or Tablet?

This was one of the first things that came to mind. I sign into all of my Google accounts a lot on my iOS devices. My iDevices are wonderful and all, but the one weakness they have is they have no USB port. So where does the YubiKey go when it asks me?

After checking with the company, it seems that if you log into your account via a phone or tablet, the YubiKey detects this, and the login screen will automatically default to your two-factor authentication method (SMS, Authy, or Google Authenticator). The YubiKey itself will only be requested if it detects you are using a desktop computer or laptop, something which will have a USB port.

It is also worth noting that if you route your email through a local client such as Apple Mail or Outlook, then neither the YubiKey nor 2FA is supported. In this case, you would need to use a special app password from the app in question.

Its Advantages

Let’s now run through a few of the advantages of using a key like this.

It’s Extremely Simple To Use

There really is no way to mess something like this up. Once it has been properly configured, just insert the key into the USB port, and press the glowing button once. That’s it. Now how could anyone possibly get that wrong?

Your Account Has Extra Security Without the Annoyance

As I previously mentioned, 2FA is good – but it can be annoying. When I speak to someone who doesn’t have 2FA, the normal excuse is invariably “it’s too much of a hassle”. But my counter-argument is always “and how much hassle is involved in trying to retrieve a hacked account?”. But nevertheless I still get it. 2FA involves signing into your phone, getting the code and entering it. Doing it once is no big deal, but when you do it on a regular basis, it starts to get tedious. Even I’ve been tempted on several occasions to turn the whole thing off and not care that someone can break into my accounts, and I’m not alone in this.

A YubiKey removes that annoyance and makes you more inclined to use the extra protection. However, you will still need 2FA set up if you access your online accounts via a smartphone or tablet. So you can’t escape 2FA entirely.

It’s Cheap

The various YubiKeys on offer are all of varying price ($40-$50), as each one does a certain job (see the “Disadvantages” section for more on this). However, the U2F is really cheap ($18 on Amazon), as it does less than the other keys. To get your feet wet with the device, starting off with the U2F is ideal. Think of it as learner wheels on a child’s bicycle.

It’s Impossible To Get Virus-Infected

One of the things I have noticed the most online, when reading about YubiKeys, is people shrieking “and get it infected in a public Internet terminal? NO THANKS!”. Well first, you shouldn’t be using public Internet connections for security reasons, and secondly, YubiKeys can’t get viruses, as it is impossible to move any files onto them. It’s not that kind of USB device. Add to that the fact that the information contained on the key is all write-protected, and the computer recognizes the key as a keyboard. So there’s no need to worry on that score.

Its Disadvantages

Although the YubiKey is a great device in my opinion, there are still some notable disadvantages you should be aware of.

It Only Works In Chrome

As of this writing, YubiKey only works on Google Chrome, version 38 or later. So tough luck users of Firefox, Safari, Opera, and Edge. It’s very possible that they will come on board in the future, but right now they don’t support the YubiKey. For the life of me, I can’t understand why only Chrome is being supported. It kind of alienates a large number of browser users.

Different Accounts Require Different Keys

Yubico makes 7 different products, and they all do different things. For example, my key, the FIDO U2F, only opens accounts on Google, Dropbox, GitHub, and Dashlane password managers (premium accounts only).

But – and here’s the really big but – if you want to secure your operating system, Paypal, Evernote, or WordPress accounts, then you are going to need different YubiKeys. If all you need however is something to unlock your Gmail account, then the U2F is sufficient. Anything else is like using a tank to swat a fly.

The YubiKey 4 pretty much does everything, but at $50 it might prove to be a bit too expensive for someone just wanting to get into their email.

If Someone Gets Your Key & Account Password, Your Account Is Compromised

The thing with 2FA is that any intruder would need physical access to your phone in order to get the SMS or Google Authenticator code. If you have a passcode on your phone (which you should, especially in light of the showdown between Apple and the FBI), then access to your 2FA codes would be impossible for an unauthorized third party, unless your code is something extremely obvious (such as your birthday) and the intruder knows you well enough to guess that.

But if someone gets a hold of your YubiKey, and also knows your account password, then they would be into the account faster than a hot knife through butter. They would have no smartphone passcode to bypass. That’s assuming you have a passcode on your phone to begin with. If not, well then there’s no difference between using 2FA and using a YubiKey.

The best way to fix this problem is to use a very long, hard-to-guess account password (and keep it in an encrypted password manager). That way, even if the key fell into the wrong hands, figuring out the account password would be extremely difficult, if not impossible. Without the password, the key would end up being a useless piece of plastic.

Are There Any Alternatives To YubiKey?

After looking around, the only alternative to YubiKey seems to be Nitrokey. Approximately the same price as the YubiKey, Nitrokey is made in Germany, and prides itself on being open-source. It also seems to do a lot more than a YubiKey, which is making me consider buying one and testing it to compare. The product was previously called Crypto-Key and was reviewed by Danny back in 2012.

But it’s nice to see that at least one other company is making a rival product and in the process, advancing the whole concept of a security key. Rivalry promotes research, and research ends up in better products (usually).

Peace-Of-Mind Or Convenience?

The whole exploration of the YubiKey concept has brought up, for me anyway, the whole question of what we should be prepared to put up with in the name of security. 2-Factor Authentication is an excellent way to make sure your account is locked down, but as I mentioned, it can be a real pain in the butt. This leads many people to say “sod it, I’m turning this off!”.

On the other hand, something like a YubiKey or a Nitrokey makes the whole process convenient. Press a button and you’re in. But if you lose the key, and someone can easily guess your password, then you are going to have a very bad day. So peace-of-mind (and going a few extra steps of hassle) or pressing the button on a key and saving 60 seconds? Which camp do you fall into? Tell us in the comments.
