Pinterest Stumbleupon Whatsapp
Ads by Google

With the number of hacking incidents increasing day by day, everyone should be using two-step/two-factor authentication (2FA) What Is Two-Factor Authentication, And Why You Should Use It What Is Two-Factor Authentication, And Why You Should Use It Two-factor authentication (2FA) is a security method that requires two different ways of proving your identity. It is commonly used in everyday life. For example paying with a credit card not only requires the card,... Read More . It adds a bullet-proof layer around your online account, which makes it extremely difficult, if not impossible, for a hacker to penetrate.

dropboxyubico

But many people are put off from using 2FA, simply because of the inconvenience Can Two-Step Verification Be Less Irritating? Four Secret Hacks Guaranteed to Improve Security Can Two-Step Verification Be Less Irritating? Four Secret Hacks Guaranteed to Improve Security Do you want bullet-proof account security? I highly suggest enabling what's called "two-factor" authentication. Read More of having to get a second code from their phone, every time they want to log in. So people either disable the feature, or don’t bother setting it up in the first place. But you should, as many companies are now getting on board with the idea.

If you count yourself in the “easily inconvenienced” group, then you’ll be happy to hear that there is another option instead of 2FA. This option keeps your account just as secure, but all you need to do is press a button and you’re in. It’s called the YubiKey, and after a few days of using it, I am already converted. Baby, you had me at hello.

What Is a YubiKey?

yubikey

A YubiKey is a USB-like stick, made by the company Yubico. They make various products, all of which do similar jobs. But for the purposes of this article, I am going to focus on the Fido U2F, (Universal 2-Factor) which is the one I received. It’s easy to set up and use, and is apparently indestructible.

Ads by Google

From the site:

“All YubiKeys are nearly indestructible. The standard-sized YubiKey (such as the YubiKey Standard, YubiKey NEO, YubiKey Edge, and FIDO U2F Security Key) is made of injection-molded plastic encasing the circuitry, while the exposed elements consist of military-grade hardened gold. Waterproof and crushproof, the standard-sized YubiKey attaches to your keychain alongside your house and car keys”.

yubikey_waterproof

It’s quite a small, delicate looking thing, and you would be forgiven for doubting the “indestructible” claim. Weighing only 3 grams, its measurements are just 18mm x 45mm x 3mm. But this little key, along with storing all my passwords in KeePass, has suddenly made signing into accounts pain-free and annoyance-free. Google and Facebook use the YubiKey for employee credentials, so the concept has some very heavy hitters behind it, backing it up. Google introduced it for their users in 2014.

How Does It Work?

The YubiKey is a piece of hardware which supports one-time passwords, public key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance. You can use it to securely log in to your supported accounts by using a one-time password or a FIDO-based public/private key pair How Does Encryption Work, and Is It Really Safe? How Does Encryption Work, and Is It Really Safe? Read More generated by the device. After entering the key, you press the gold button and the touch of your finger gives off a small electrical charge which activates the device.

How Do You Set It Up?

A YubiKey is very easy to set up, as you will see below. A U2F key works for Google Accounts, Dropbox, Github What Is Git & Why You Should Use Version Control If You’re a Developer What Is Git & Why You Should Use Version Control If You’re a Developer As web developers, a lot of the time we tend to work on local development sites then just upload everything when we’re done. This is fine when it’s just you and the changes are small,... Read More , and Dashlane Dashlane - A Slick New Password Manager, Form Filler & Online Shopping Assistant Dashlane - A Slick New Password Manager, Form Filler & Online Shopping Assistant If you've tried a few password managers before, you've probably learned to expect some roughness around the edges. They're solid, useful applications, but their interfaces can be overly complex and inconvenient. Dashlane doesn’t just reduce... Read More . For the purposes of this article, I am going with Google accounts, but the others will more or less follow the same procedure. Just different screenshots.

Head towards your Google 2-Step Authentication page, and click on the Security Keys tab.

yubikey1

This then takes you into the setup page. Follow the instructions as laid out on the page. It’s all very basic and straightforward.

yubikey2

When the key has been successfully registered, the “Register” key at the bottom will turn green and show “Registered”. If it doesn’t, start again from the beginning until it does.

yubikey3

You can check to see if the key has been successfully registered by going back to the Security Keys tab.

yubikey4

And that, ladies and gentlemen, is it.

What If You Sign In Using a Smartphone or Tablet?

iphone

This was one of the first things that came to mind. I sign into all of my Google accounts a lot on my iOS devices. My iDevices are wonderful and all, but the one weakness they have is they have no USB port. So where does the YubiKey go when it asks me?

After checking with the company, it seems that if you log into your account via a phone or tablet, the YubiKey detects this, and the login screen will automatically default to y0ur 2 factor authentication method (SMS, Authy, or Google Authenticator Google Recommends 2-Step Process To Protect Your Account [News] Google Recommends 2-Step Process To Protect Your Account [News] Most savvy Internet users probably have at one at least Google account - mainly because Google, for good or bad, crosses paths with so many other websites that it's hard to avoid not using the... Read More ). The YubiKey itself will only be requested if it detects you are using a desktop computer or laptop, something which will have a USB port.

It is also worth noting that if you route your email through a local client such as Apple Mail or Outlook, then neither the YubiKey or 2FA is supported. In this case, you would need to use a special app password from the app in question.

Its Advantages

Let’s now run through a few of the advantages of using a key like this.

It’s Extremely Simple To Use

touch_yubico

There really is no way to mess something like this up. Once it has been properly configured, just insert the key into the USB port, and press the glowing button once. That’s it. Now how could anyone possibly get that wrong?

Your Account Has Extra Security Without the Annoyance

As I previously mentioned, 2FA is good – but it can be annoying. When I speak to someone who doesn’t have 2FA, the normal excuse is invariably “it’s too much of a hassle“. But my counter-argument is always “and how much hassle is involved in trying to retrieve a hacked account?“. But nevertheless I still get it. 2FA involves signing into your phone, getting the code and entering it. Doing it once is no big deal, but when you do it on a regular basis, it starts to get tedious. Even I’ve been tempted on several occasions to turn the whole thing off and not care that someone can break into my accounts, and I’m not alone in this.

A YubiKey removes that annoyance and makes you more inclined to use the extra protection. However, you will still need 2FA set up if you access your online accounts via a smartphone or tablet. So you can’t escape 2FA entirely.

It’s Cheap

The various YubiKeys on offer are all of varying price ($40-$50), as each one does a certain job (see the “Disadvantages” section for more on this). However, the U2F is really cheap ($18 on Amazon), as it does less than the other keys. To get your feet wet with the device, starting off with the U2F is ideal. Think of it as learner wheels on a child’s bicycle.

It’s Impossible To Get Virus-Infected

virus

One of the things I have noticed the most online, when reading about YubiKeys, is people shrieking “and get it infected in a public Internet terminal? NO THANKS!“. Well first, you shouldn’t be using public Internet connections 5 Ways to Make Sure Public Computers You Use Are Safe 5 Ways to Make Sure Public Computers You Use Are Safe Public WiFi is dangerous no matter what computer you're on, but foreign machines demand even greater caution. If you're using a public computer follow these guidelines to ensure your privacy and safety. Read More for security reasons, and secondly, the YubiKeys can’t get viruses as it is impossible to move any files onto it. It’s not that kind of USB device. Add to that the fact that the information contained on the key is all write-protected, and the computer recognizes the key as a keyboard. So there’s no need to worry on that score.

Its Disadvantages

Although the YubiKey is a great device in my opinion, there are still some notable disadvantages you should be aware of.

It Only Works In Chrome

too-many-chrome-tabs

As of this writing, YubiKey only works on Google Chrome, version 38 or later. So tough luck users of Firefox, Safari, Opera, and Edge 10 Reasons You Should Be Using Microsoft Edge Now 10 Reasons You Should Be Using Microsoft Edge Now Microsoft Edge marks a complete break from the Internet Explorer brand name, killing off a 20-year-old family tree in the process. Here's why you should be using it. Read More . It’s very possible that they will come on board in the future, but right now they don’t support the YubiKey. For the life of me, I can’t understand why only Chrome is being supported. It kind of alienates a large number of browser users.

Different Accounts Require Different Keys

yubikeys

Yubico makes 7 different products, and they all do different things. For example, my key, the Fido U2F, only opens accounts on Google, Dropbox, Github, and Dashlane password managers (premium accounts only).

But – and here’s the really big but – if you want to secure your operating system, Paypal, Evernote, or WordPress accounts, then you are going to need different YubiKeys. If all you need however is something to unlock your Gmail account, then the U2F is sufficient. Anything else is like using a tank to swat a fly.

The YubiKey 4 pretty much does everything, but at $50 it might prove to be a bit too expensive for someone just wanting to get into their email.

If Someone Gets Your Key & Account Password, Your Account Is Compromised

hacker

The thing with 2FA is that any intruder would need physical access to your phone, in order to get the SMS or Google Authenticator code. If you have a passcode on your phone (which you should, especially in light of the showdown between Apple and the FBI FBI Backdoors Won't Help Anybody - Not Even the FBI FBI Backdoors Won't Help Anybody - Not Even the FBI The FBI wants to force technology companies to enable security services to snoop on instant messaging. But such security backdoors don't actually exist, and if they did, would you trust your government with them? Read More ), then access to your 2FA codes would be impossible to an unauthorized third-party. Unless your code is something extremely obvious (such as your birthday), and the intruder knows you well enough to guess that.

But if someone gets a hold of your YubiKey, and also knows your account password, then they would be into the account faster than a hot knife through butter. They would have no smartphone passcode to bypass. That’s assuming you have a passcode on your phone to begin with. If not, well then there’s no difference between using 2FA and using a YubiKey.

The best way to fix this problem is to use a very long, hard-to-guess account password Password Management Guide Password Management Guide Don't feel overwhelmed by passwords, or simply use the same one on every site just so you'll remember them: design your own password management strategy. Read More (and keep it in an encrypted password manager Password Manager Battle Royale: Who Will End Up On Top? Password Manager Battle Royale: Who Will End Up On Top? Read More ). That way, even if the key fell into the wrong hands, figuring out the account password would be extremely difficult, if not impossible. Without the password, the key would end up being a useless piece of plastic.

Are There Any Alternatives To YubiKey?

nitrokey

After looking around, the only alternative to YubiKey seems to be Nitrokey. Approximately the same price as the YubiKey, NitroKey is made in Germany, and prides itself on being open-source. It also seems to do a lot more than a YubiKey, which is making me consider buying one and testing it to compare. The product was previously called Crypto-Key and was reviewed by Danny back in 2012 The German Privacy Foundation Crypto Stick - How & Why It Is More Secure The German Privacy Foundation Crypto Stick - How & Why It Is More Secure New technologies are constantly being created in order to increase security, and many of those technologies eventually go away because of loopholes and other issues that are eventually discovered. No form of security is exempt... Read More .

But it’s nice to see that at least one other company is making a rival product and in the process, advancing the whole concept of a security key. Rivalry promotes research, and research ends up in better products (usually).

Peace-Of-Mind Or Convenience?

keyboard

The whole exploration of the YubiKey concept has brought up, for me anyway, the whole question of what we should be prepared to put up with in the name of security. 2-Factor Authentication is an excellent way to make sure your account is locked down, but as I mentioned, it can be a real pain in the butt. This leads many people to say “sod it, I’m turning this off!”.

On the other hand, something like a YubiKey or a NitroKey makes the whole process convenient. Press a button and you’re in. But if you lose the key, and someone can easily guess your password, then you are going to have a very bad day. So peace-of-mind (and going a few extra steps of hassle) or pressing the button on a key and saving 60 seconds? Which camp do you fall into? Tell us in the comments.

  1. dan
    July 11, 2016 at 7:42 am

    i can't imagine how yubikey is less annoying than an authenticator app. you have to fish out your keychain, get the key, plug it into the usb port assuming there isn't something else in there (my laptop has a whopping 1 port), and hit the button. i don't imagine that taking much less time than getting a code off my phone, and i have too much garbage on my keychain already.

    • Mark O'Neill
      July 11, 2016 at 11:44 am

      I personally have only the Yubikey on its own keychain, and the yubikey is permanently in a USB slot (unless I temporarily need the slot for something else). When I am switching computers, I take the key out and put it immediately in the USB slot of the next computer.

      I used to have the key on my bunch of keys and you're right, it was a pain in the behind. So I took it off and it is much more convenient to use now.

  2. Jean-Francois Messier
    March 21, 2016 at 5:21 pm

    Personnally, Iuse Google Authenticator to many services, including LastPass where I keep my other password-only services. No, I do not keep any banking or credit card info anywhere. I have five OTP on this Google Authenticator, and sometime it's rather annoying, but that's the price to pay for a higher security. My wife thinks I am crazy, but nonetheless, I will use such OTPs.

  3. User1
    March 20, 2016 at 7:19 am

    "NitroKey is made in Germany, and prides itself on being open-source. It also seems to do a lot more than a YubiKey, which is making me consider buying one and testing it to compare."

    Sounds like it wouldn't be a bad idea to do a review on NitroKey. YubiKey doesn't sound bad, but I'll wait for a review on NitroKey. Always nice to have two to choice from, yes?

    • Mark O'Neill
      March 20, 2016 at 4:56 pm

      I am strongly considering it, but since Danny reviewed the key (when it was called Crypto-Key), back in 2012, I would need to see what changes have been made since then.

  4. fcd76218
    March 19, 2016 at 6:36 pm

    YubiKey is not a solution for those wishing to remain Google-free.

    • Mark O'Neill
      March 20, 2016 at 4:55 pm

      No I grant that if you are with another email service, such as Yahoo or Outlook, then you are out of luck with a YubiKey. The fault for that would lie with these companies for not signing up to the YubiKey protocol.

  5. Nat
    March 19, 2016 at 12:40 am

    I've had a Yubikey for over 3 years. I use it to access LastPass. I use two-factor with Dropbox & my Google accounts but I use SMS for those--the U2F standard didn't exist when I got my key. (It helps having a smartwatch so I don't have to dig out my phone to see the SMS.) You didn't mention LastPass : the cheaper Fido won't work with it.

    • Mark O'Neill
      March 20, 2016 at 4:51 pm

      For Mac OS X, and Android platforms, you can see your SMS messages pop up on the screen. So anyone without a smartwatch can normally see their texts that way, instead of always digging the phone out.

  6. johnbuk
    March 18, 2016 at 7:03 pm

    I use Google Authenticator on my phone for Google, Lastpass, Evernote and Dropbox. On all bar Lastpass I always "trust" my Chromebook so the only time I need 2FA is when starting up Lastpass and if I log in to any of the others via a different medium.

    I certainly don't find the process laborious so, whilst I'm interested in the Yubikey IVO the fact it doesn't support Lastpass then it isn't a valid alternative for me. I could change my mind if the cost came down though.

    • Mark O'Neill
      March 20, 2016 at 4:50 pm

      Well if you "trust" your Chromebook, then yes you will have less incidents of needing to use 2FA. But typically these "trust" functions only last 30 days, so you will still have to use 2FA once a month, and also when you log in from other computers.

      I would say $18 is a reasonable price for a YubiKey. $50 however is definitely not.

Leave a Reply

Your email address will not be published. Required fields are marked *