Almost every significant data breach starts by compromising an end-point device, and the easiest way to do that is to steal a user's credentials. That is why the theft of credentials from Yahoo!, Ashley Madison and other large companies is such a big deal: many people reuse the same username and password on multiple sites, so one leaked database unlocks accounts elsewhere. But what if your access to a site were governed by something other than a username and password? This is where the YubiKey fits in.
What Is It?
The YubiKey is a physical device that authenticates you when you log into a service or computer. There are USB-A, USB-C and NFC versions so you can use it with pretty much any computer as well as millions of tablets and smartphones.
I tested two different YubiKey devices; the YubiKey 5C Nano on a MacBook Pro running macOS 10.14.4 and the YubiKey 5 Nano on a Lenovo ThinkCentre running Windows 10.
Yubico, the company that makes the YubiKey, provides detailed instructions for setting up the devices. The process is a little clunky, as you need to download two separate packages, install them one after the other and then run a few terminal commands.
If you're looking for a detailed explanation of how the YubiKey works, there's a thorough breakdown of it on StackExchange.
Although the setup process is quite clunky, the documentation is very clear and easy to follow. And once the YubiKey is set up it does exactly what you expect it to do: it won't let you log into your computer unless the key is connected.
The other neat thing about the YubiKey is that it can be used as a second authentication factor for a variety of services. When you log into social media accounts, online file sync and storage services, corporate SaaS applications and other supported services, the YubiKey reduces the risk of someone other than you logging into your account.
It also integrates with a number of password vault applications, so you can lock those down further as well.
One of the ways many companies implement 2FA (two-factor authentication) is to send a one-time code to your phone by SMS. But if a determined attacker SIM-swaps you, they receive those codes instead of you and can use them to access your services.
SIM swapping happens when someone fools your phone carrier into moving your number to a SIM they control. That is possible when the thief has enough personal information about you to answer the carrier's security questions, such as your address, date of birth or mother's maiden name, all of which a determined attacker can find with relative ease.
This is what happened to a friend of mine when he was burgled and the thieves stole documents including a phone bill.
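The contrast drawn above between SMS codes and a hardware key, as an added example that is not part of the original review and not Yubico's code: a Python model in which an SMS code is a bearer secret delivered to whoever currently holds the phone number, while a hardware key answers a fresh per-login challenge bound to the site's identity. HMAC with a secret that never leaves the key object stands in for the key's private-key signature; the `Phone`, `Carrier`, `HardwareKey` and service classes, the user `alice` and the domains `example.com` and `examp1e.com` are all constructed for the illustration. It is a simplified model of challenge-response, not the FIDO2/WebAuthn protocol a YubiKey actually speaks.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# ---- Model 1: SMS one-time code. The code is a bearer secret: whoever receives it can log in.

class Phone:
    def __init__(self) -> None:
        self.inbox: list[str] = []


class Carrier:
    """Delivers an SMS to whichever handset currently holds the user's number (constructed)."""

    def __init__(self) -> None:
        self.number_owner: dict[str, Phone] = {}

    def sim_swap(self, user: str, new_phone: Phone) -> None:
        # The attacker talked the carrier into moving the number; no user secret was needed.
        self.number_owner[user] = new_phone

    def deliver(self, user: str, text: str) -> None:
        self.number_owner[user].inbox.append(text)


class SmsCodeService:
    """Server side of SMS 2FA: generate a random 6-digit code, send it, compare on return."""

    def __init__(self, carrier: Carrier) -> None:
        self.carrier = carrier
        self.pending: dict[str, str] = {}

    def start_login(self, user: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.carrier.deliver(user, code)          # the secret leaves the server over SMS

    def finish_login(self, user: str, code: str) -> bool:
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


# ---- Model 2: hardware-key challenge-response. Toy stand-in: HMAC with a secret that never
# leaves the key object, where a real YubiKey would use a private key and an ECDSA signature.

class HardwareKey:
    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)   # toy: stays inside the key, never transmitted

    def verifier(self) -> bytes:
        # Toy registration material. A real key hands the site a public key, not a secret.
        return self._secret

    def respond(self, origin: str, challenge: bytes) -> bytes:
        # The response covers the origin the browser reports plus the server's fresh challenge,
        # so it is useless on replay and useless when produced on a look-alike phishing site.
        return hmac.new(self._secret, origin.encode() + challenge, hashlib.sha256).digest()


class KeyAuthService:
    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.registered: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def register(self, user: str, key: HardwareKey) -> None:
        self.registered[user] = key.verifier()

    def start_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)      # fresh per attempt; consumed on first use
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.registered:
            return False
        expected = hmac.new(self.registered[user], self.rp_id.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


# ---- Scenarios (each returns whether the login attempt was accepted).

def sms_login_after_sim_swap() -> bool:
    carrier = Carrier()
    victim, attacker = Phone(), Phone()
    carrier.number_owner["alice"] = victim
    carrier.sim_swap("alice", attacker)
    svc = SmsCodeService(carrier)
    svc.start_login("alice")                       # alice's code lands on the attacker's handset
    return svc.finish_login("alice", attacker.inbox[-1])


def key_login_genuine() -> bool:
    key, svc = HardwareKey(), KeyAuthService("example.com")
    svc.register("alice", key)
    return svc.finish_login("alice", key.respond("example.com", svc.start_login("alice")))


def key_login_replayed() -> bool:
    key, svc = HardwareKey(), KeyAuthService("example.com")
    svc.register("alice", key)
    captured = key.respond("example.com", svc.start_login("alice"))
    svc.finish_login("alice", captured)            # genuine login consumes the challenge
    svc.start_login("alice")                       # attacker's attempt gets a new challenge
    return svc.finish_login("alice", captured)     # old response no longer matches


def key_login_phished() -> bool:
    key, svc = HardwareKey(), KeyAuthService("example.com")
    svc.register("alice", key)
    challenge = svc.start_login("alice")           # phishing site relays the real challenge
    relayed = key.respond("examp1e.com", challenge)  # but the browser reports the fake origin
    return svc.finish_login("alice", relayed)
```

The SMS scenario succeeds for the attacker because the server cannot tell who received the text; the key scenarios fail for the attacker because nothing reusable ever crosses the wire and the response is tied to the origin the browser saw.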
The YubiKey has no battery, is waterproof and can take plenty of impact.
It's worth noting that Yubico's host-side software and libraries are open source (the key's firmware itself is not), so it's possible to build your own apps and services that authenticate against the key.
The setup process is best described as clunky.
Also, there's no support for iOS devices at this time, although I was told that's coming soon.
Should You Buy It?
If you're serious about protecting your accounts, you really need to be using two-factor authentication, and a physical device is safer than relying on one-time codes sent to you over SMS.
The YubiKey is a low-cost way of providing 2FA that you have some control over.
You can buy a YubiKey directly from Yubico, with prices starting at US$20 and going up to US$60 for the super-small YubiKey 5C Nano that you can leave plugged in all the time.
Personally, I'd recommend either the YubiKey 5C (US$50), the YubiKey 5 NFC (US$45) or the US$20 Security Key. These can easily be attached to your keyring, so there's less chance of the device being left plugged in and used by an unauthorised person.