With the number of hacking incidents increasing day by day, everyone should be using two-step/two-factor authentication (2FA). It adds a bullet-proof layer around your online account, which makes it extremely difficult, if not impossible, for a hacker to penetrate.
But many people are put off from using 2FA, simply because of the inconvenience of having to get a second code from their phone, every time they want to log in. So people either disable the feature, or don’t bother setting it up in the first place. But you should, as many companies are now getting on board with the idea.
If you count yourself in the “easily inconvenienced” group, then you’ll be happy to hear that there is another option instead of 2FA. This option keeps your account just as secure, but all you need to do is press a button and you’re in. It’s called the YubiKey, and after a few days of using it, I am already converted. Baby, you had me at hello.
What Is a YubiKey?
A YubiKey is a USB-like stick, made by the company Yubico. They make various products, all of which do similar jobs. But for the purposes of this article, I am going to focus on the Fido U2F, (Universal 2-Factor) which is the one I received. It’s easy to set up and use, and is apparently indestructible.
“All YubiKeys are nearly indestructible. The standard-sized YubiKey (such as the YubiKey Standard, YubiKey NEO, YubiKey Edge, and FIDO U2F Security Key) is made of injection-molded plastic encasing the circuitry, while the exposed elements consist of military-grade hardened gold. Waterproof and crushproof, the standard-sized YubiKey attaches to your keychain alongside your house and car keys”.
It’s quite a small, delicate looking thing, and you would be forgiven for doubting the “indestructible” claim. Weighing only 3 grams, its measurements are just 18mm x 45mm x 3mm. But this little key, along with storing all my passwords in KeePass, has suddenly made signing into accounts pain-free and annoyance-free. Google and Facebook use the YubiKey for employee credentials, so the concept has some very heavy hitters behind it, backing it up. Google introduced it for their users in 2014.
How Does It Work?
The YubiKey is a piece of hardware which supports one-time passwords, public key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance. You can use it to securely log in to your supported accounts by using a one-time password or a FIDO-based public/private key pair generated by the device. After inserting the key, you press the gold button, and the touch of your finger gives off a small electrical charge which activates the device.
How Do You Set It Up?
A YubiKey is very easy to set up, as you will see below. A U2F key works for Google Accounts, Dropbox, Github, and Dashlane. For the purposes of this article, I am going with Google accounts, but the others will more or less follow the same procedure. Just different screenshots.
Head towards your Google 2-Step Authentication page, and click on the Security Keys tab.
This then takes you into the setup page. Follow the instructions as laid out on the page. It’s all very basic and straightforward.
When the key has been successfully registered, the “Register” key at the bottom will turn green and show “Registered”. If it doesn’t, start again from the beginning until it does.
You can check to see if the key has been successfully registered by going back to the Security Keys tab.
And that, ladies and gentlemen, is it.
What If You Sign In Using a Smartphone or Tablet?
This was one of the first things that came to mind. I sign into all of my Google accounts a lot on my iOS devices. My iDevices are wonderful and all, but the one weakness they have is they have no USB port. So where does the YubiKey go when it asks me?
After checking with the company, it seems that if you log into your account via a phone or tablet, the service detects this, and the login screen will automatically default to your two-factor authentication method (SMS, Authy, or Google Authenticator). The YubiKey itself will only be requested if it detects you are using a desktop computer or laptop, something which will have a USB port.
It is also worth noting that if you route your email through a local client such as Apple Mail or Outlook, then neither the YubiKey nor 2FA is supported. In this case, you would need to use a special app password for the app in question.
Let’s now run through a few of the advantages of using a key like this.
It’s Extremely Simple To Use
There really is no way to mess something like this up. Once it has been properly configured, just insert the key into the USB port, and press the glowing button once. That’s it. Now how could anyone possibly get that wrong?
Your Account Has Extra Security Without the Annoyance
As I previously mentioned, 2FA is good – but it can be annoying. When I speak to someone who doesn’t have 2FA, the normal excuse is invariably “it’s too much of a hassle”. But my counter-argument is always “and how much hassle is involved in trying to retrieve a hacked account?”. But nevertheless I still get it. 2FA involves signing into your phone, getting the code and entering it. Doing it once is no big deal, but when you do it on a regular basis, it starts to get tedious. Even I’ve been tempted on several occasions to turn the whole thing off and not care that someone can break into my accounts, and I’m not alone in this.
A YubiKey removes that annoyance and makes you more inclined to use the extra protection. However, you will still need 2FA set up if you access your online accounts via a smartphone or tablet. So you can’t escape 2FA entirely.
The various YubiKeys on offer are all of varying price ($40-$50), as each one does a certain job (see the “Disadvantages” section for more on this). However, the U2F is really cheap ($18 on Amazon), as it does less than the other keys. To get your feet wet with the device, starting off with the U2F is ideal. Think of it as learner wheels on a child’s bicycle.
It’s Impossible To Get Virus-Infected
One of the things I have noticed the most online, when reading about YubiKeys, is people shrieking “and get it infected in a public Internet terminal? NO THANKS!”. Well first, you shouldn’t be using public Internet connections for security reasons, and secondly, a YubiKey can’t get viruses, as it is impossible to move any files onto it. It’s not that kind of USB device. Add to that the fact that the information contained on the key is all write-protected, and the computer recognizes the key as a keyboard. So there’s no need to worry on that score.
Although the YubiKey is a great device in my opinion, there are still some notable disadvantages you should be aware of.
It Only Works In Chrome
As of this writing, YubiKey only works on Google Chrome, version 38 or later. So tough luck users of Firefox, Safari, Opera, and Edge. It’s very possible that they will come on board in the future, but right now they don’t support the YubiKey. For the life of me, I can’t understand why only Chrome is being supported. It kind of alienates a large number of browser users.
Different Accounts Require Different Keys
Yubico makes 7 different products, and they all do different things. For example, my key, the Fido U2F, only opens accounts on Google, Dropbox, Github, and Dashlane password managers (premium accounts only).
But – and here’s the really big but – if you want to secure your operating system, Paypal, Evernote, or WordPress accounts, then you are going to need different YubiKeys. If all you need however is something to unlock your Gmail account, then the U2F is sufficient. Anything else is like using a tank to swat a fly.
The YubiKey 4 pretty much does everything, but at $50 it might prove to be a bit too expensive for someone just wanting to get into their email.
If Someone Gets Your Key & Account Password, Your Account Is Compromised
The thing with 2FA is that any intruder would need physical access to your phone in order to get the SMS or Google Authenticator code. If you have a passcode on your phone (which you should, especially in light of the showdown between Apple and the FBI), then access to your 2FA codes would be impossible for an unauthorized third party. Unless your code is something extremely obvious (such as your birthday), and the intruder knows you well enough to guess that.
But if someone gets a hold of your YubiKey, and also knows your account password, then they would be into the account faster than a hot knife through butter. They would have no smartphone passcode to bypass. That’s assuming you have a passcode on your phone to begin with. If not, well then there’s no difference between using 2FA and using a YubiKey.
The best way to fix this problem is to use a very long, hard-to-guess account password (and keep it in an encrypted password manager). That way, even if the key fell into the wrong hands, figuring out the account password would be extremely difficult, if not impossible. Without the password, the key would end up being a useless piece of plastic.
Are There Any Alternatives To YubiKey?
After looking around, the only alternative to YubiKey seems to be Nitrokey. Approximately the same price as the YubiKey, Nitrokey is made in Germany, and prides itself on being open-source. It also seems to do a lot more than a YubiKey, which is making me consider buying one and testing it to compare. The product was previously called Crypto-Key and was reviewed by Danny back in 2012.
But it’s nice to see that at least one other company is making a rival product and in the process, advancing the whole concept of a security key. Rivalry promotes research, and research ends up in better products (usually).
Peace-Of-Mind Or Convenience?
The whole exploration of the YubiKey concept has brought up, for me anyway, the whole question of what we should be prepared to put up with in the name of security. 2-Factor Authentication is an excellent way to make sure your account is locked down, but as I mentioned, it can be a real pain in the butt. This leads many people to say “sod it, I’m turning this off!”.
On the other hand, something like a YubiKey or a Nitrokey makes the whole process convenient. Press a button and you’re in. But if you lose the key, and someone can easily guess your password, then you are going to have a very bad day. So peace-of-mind (and going a few extra steps of hassle) or pressing the button on a key and saving 60 seconds? Which camp do you fall into? Tell us in the comments.