Security Key by Yubico – Review 2018

Decades of consumer computer products have taught humanity one thing: Passwords are bad. To make passwords acceptable again, we’re now turning to password managers and two-factor authentication to better secure our online accounts. Security Key by Yubico is a USB-A key you insert and tap when prompted to confirm your identity. Working in conjunction with a traditional password, it’s a powerful tool to stop scammers and identity thieves in their tracks. The Security Key by Yubico doesn’t have all the bells and whistles of its cousins and competitors, but—at less than half the price—it’s an easy solution at a bargain price. For its low price and ease of use, it’s our Editors’ Choice for two-factor authentication security keys. For a more feature-filled device, look to the YubiKey 5 series, which is more expensive and from which the average person is less likely to get their money’s worth.

How Two-Factor Authentication Works

By this point, you’ve probably encountered or at least heard of two-factor authentication, or 2FA. In the most common implementation, when you go to log in to an account, you enter your password and then are prompted to enter a six-digit code sent via SMS or generated by an app. Then you’re authenticated as usual.

It’s easy to assume that it’s called 2FA because it’s a second step in authentication, and while that’s true in practice it’s not actually the theory. The name comes from the concept of combining two different kinds of authentication from a possible three:

  • Something you know,
  • Something you have, and
  • Something you are.

A password in your head (or, better yet, in a password manager) is something you know. A fingerprint scan, or some other biometric factor, is something you are. A piece of hardware or an app that can authenticate you is something you have. While this review looks at hardware security keys, there are other methods for adding a second factor.

By combining two things from that list, you make it much harder for someone to break into one of your accounts. Maybe someone stole your password during a mass data breach, or just purchased it off the Dark Web. Any attacker who uses that pilfered password will be foiled when they are asked to enter their second factor of authentication.

We actually have some data to back this up. In 2017, Google issued USB security keys to its 85,000 employees. Once they did, reports of account takeovers from phishing attacks dropped to zero.

Security in a Major Key

The Security Key is actually one of about half a dozen hardware 2FA products offered by Yubico. Some are enterprise-only, but the flagship YubiKey 5 series encompasses four different products. The YubiKey 5 NFC uses USB-A and can communicate wirelessly with your Android phone via NFC. The YubiKey 5C uses USB-C, but lacks wireless capabilities. The YubiKey 5 Nano and 5C Nano also lack NFC but are tiny enough to remain semi-permanently in your USB slot.

The YubiKey 5 Series prices range from $45 for the 5 NFC to $60 for the 5C Nano. Some of the features of the keys require client software provided for free by Yubico, or manual device configuration. All of the four devices in the YubiKey 5 series have the same capabilities under the hood. They all support FIDO U2F and FIDO2, the current and presumptive universal two-factor protocols. But the YubiKey 5 series devices also can serve as Smart Cards using Personal Identity Verification, can generate one-time passwords, support both OATH-TOTP and OATH-HOTP, and can be used for challenge-response authentication. All four devices support three cryptographic algorithms: RSA 4096, ECC p256, and ECC p384.

That’s a lot of alphabet soup. If you already know what it means, then the YubiKey 5 will excite you. If not, just know that these are Swiss Army devices, and can do just about anything you ask of them, provided you know what to ask and what you’re doing.

The Security Key by Yubico is a radically different device. For starters, its durable plastic shell is bright blue, where all the other YubiKey devices are black, and a tiny key logo glows blue-white when inserted into a USB-A slot. A numeral 2 is etched into the plastic, above the touch-sensitive gold disk, which differentiates it from an earlier model. Appearances aside, the Security Key is also dramatically cheaper, costing only $20.

The most critical difference is what the Security Key doesn’t do. It only supports the FIDO U2F and FIDO2 protocols. It can’t generate any one-time passwords, nor will it work with any of Yubico’s client software. For most people, this will be fine. Most major websites that support security keys at all support U2F. That list includes Google, Facebook, and Twitter. The Security Key does less, but it does just enough for the average consumer, and at a price they can afford.

If you’re looking over the laundry list of YubiKey capabilities left out of the Security Key and find yourself drooling or reaching for your credit card, skip the Security Key and shell out the extra cash. If you’re an IT department head, looking for a single solution for your 2FA needs, skip the Security Key.

Hands On With the Security Key by Yubico

The Security Key’s textured blue plastic is good and grippy on the fingers, and the whole thing feels solid despite weighing just 3 grams. Its material hides fingerprints and wear and tear, which it will get from hanging on a key ring, as designed. The flat design of the Security Key means it hangs easily with other keys on a ring, unlike the bulkier YubiKey 5C.

Like its YubiKey cousins, the Security Key is crush proof and waterproof with no moving parts. It will never run out of power, because it has no batteries. It doesn’t require LTE or Wi-Fi. Those last two points are big advantages over authenticator apps.

Using the Security Key is a snap. Simply head to a site that supports security keys for 2FA, and look for the option to enroll a new key. You’ll then be prompted to insert your key into a USB port and then tap the gold disk. That’s it! The key is now enrolled. When you next go to log in, the site requests your password and then prompts you to insert and tap your security key. Once you do, you’re in!

I tested the Security Key by Yubico with Google, Twitter, and Facebook accounts, where it worked flawlessly. Note that some services may require you to create backup codes (you should, even if it’s not required) or enroll a phone number for backup authentication via SMS. I like to have options, and typically have a few different ways to confirm any account.

Note that while most modern browsers support U2F, Firefox has it disabled by default. Yubico has a handy article on how to activate U2F support for Mozilla’s excellent browser.

While U2F is becoming more and more common, it’s not used everywhere. LastPass, for example, uses the Yubico One-Time Password feature to secure accounts, supported by the YubiKey 5 line but not by the Security Key. Yubico has a pretty solid list of sites and services that accept different kinds of YubiKeys, so look there when you’re trying to determine which model will best fit your life.

A quick note on FIDO2: it’s new, and it might be a big deal. Yubico says a lot about how this protocol will one day replace passwords altogether. That’s a great idea, but it’s also one I’ve heard before. I’m glad that all Yubico products support FIDO2, as a future-proofing measure, but the jury is still out on its utility. Microsoft now allows users to log in to their accounts without a password using a FIDO2 key and the Edge browser, which will be a major test of this new technology.

Security Key by Yubico vs. the Google Titan Security Key

Compared to the rest of the Yubico family, the Security Key is the simple and affordable solution for the average person. Comparing it to the Google Titan Security Key (pictured below) is a bit more complicated.

Under the hood, the Security Key and Titan key are very similar. They both support FIDO U2F, but the Titan key doesn’t support FIDO2. Neither supports any other protocols or login schemes.

The Titan Key bundle includes two devices—one an NFC-enabled USB-A key and the other a rechargeable Bluetooth dongle that can be attached via micro USB. That’ll set you back $50, compared to the $20 for the Security Key. The Security Key, however, doesn’t support Bluetooth or NFC. It’s also just one device, compared to the two Titan keys. Having two keys is good peace of mind, since you have a spare, and it’s also required for Google’s Advanced Protection Program. But buying a second Security Key still costs less than the Titan bundle, at a discounted $36 from Yubico.

The Best, for Less

The Security Key by Yubico is the best of the YubiKey line, at a price many can actually afford. What’s lost in capability is gained in accessibility, since most people aren’t going to use all the bells and whistles included in the YubiKey 5 line. The Security Key also beats out the Titan Key, an excellent product bundle that’s just a little too pricey.

If you’re a human being with a Google or Facebook account and have grown increasingly worried about data breaches, the Security Key by Yubico is the best protection at the lowest price. It’s an Editors’ Choice based on its affordability, although we heartily recommend both the YubiKey 5 series and the Google Titan key as capable, versatile options.
