Tuesday, September 7, 2021

Yubikey - Quick Review

This is just going to be a (sort of) quick, high level review of two Yubico products and some other hopefully helpful tips.  I sort of laid things out as if someone was asking me questions.

What is a Yubikey?

For now I am going to avoid explaining terms like dual-factor authentication or multi-factor authentication, because if you are reading this post you are probably somewhat familiar and interested.  The Yubikey is a hardware token you can use for authentication.  Yubico itself has a "Why Yubico" page ( https://www.yubico.com/why-yubico/for-individuals/ ) with some good high level information about their products.  There are other products out there; I personally decided to go with Yubikey devices, but do your own research.

Do I really need one?

Simply put, a hardware token can help protect your online accounts against compromise.  How bad would it be if your online accounts were taken over - not just that someone logged into your account, but they took control of it or erased everything?  Don't forget your e-mail account is often used to gain access to other accounts, so one compromised e-mail account could lead to an even larger impact.  Don't focus on the cost of the device, focus on the impacts you are avoiding.

Which one should I get?

With Yubico, I mainly looked at two options - Security Key NFC and Yubikey 5 series.  This is my quick summary of the two options:

1) The Security Key NFC just has one option, that includes NFC and USB-A.  It supports common protocols like U2F and FIDO2, and works with many common providers like Google, Microsoft and Facebook.  Chances are you use at least one of those services.  The device is water and crush resistant, and does not require batteries.

2) The Yubikey 5 Series adds many other options above what the Security Key NFC provides.  Here are a few examples:
  • In addition to FIDO2 and U2F, these also support additional protocols like Smart card, OTP and OpenPGP 3
  • Multiple interface options ( USB-A, USB-C, NFC and Lightning ) and device styles
  • IP68 rated: dust tight and water submersible

Yubico has a quiz ( https://www.yubico.com/quiz/ ) that walks you through the process of picking the best option, and you can also check the catalog of sites that work with YubiKey ( https://www.yubico.com/works-with-yubikey/catalog/ ) to see if your service is supported.  I am not sure the quiz would actually even suggest the Security Key NFC - even when I picked simple options it didn't come up.  This page ( https://www.yubico.com/store/compare/ ) has a good comparison of the various products.

Do I really need a spare?

The quiz does ask if you want to get a spare device.  Imagine if you had a safe with 1 set of keys.  If you lost the key there would be no way to get into the safe.  A second hardware token isn't exactly a crazy idea, but in many cases you can also use other methods as a second authentication option so it isn't required.  No matter what, make sure your plans account for the fact your hardware token could be lost or damaged.  Some accounts let you print "one time use" codes, or provide other authentication options you can consider.

If cost is a factor, the Security Key NFC by Yubico is going to get you into this at a cheaper cost ( around $25 ).  However the Yubikey 5 series has more connector options and supported protocols, and is probably the better option for a tech savvy user that might want to try out some of the additional features.

What did you get and why?

Personally I ended up getting the Security Key NFC as my first device to get my hands on a hardware token; at some point you have to stop reading about it and just go for it.  For the simple use case of tying my accounts to a hardware token, the Security Key NFC did the job, but the geek in me wanted to try out the 5 Series since it has extra features.

Yubico Authenticator is one of the features that works on the 5 series but doesn't work on the Security Key NFC.  I tested it out with a few accounts, just to see how it works.  If you already use apps like Microsoft or Google's Authenticator app on Android, then the Yubico app will be very familiar.  I did notice that the Android app does not seem to work on a Chromebook via USB-C, at least when I tested it.  The big difference between Yubico's app and other apps I have seen is that the information is stored on your Yubico token, making it easy to move between devices, but I believe there is a limit on the number of accounts.  On this page ( https://support.yubico.com/hc/en-us/articles/4404456942738-FAQ#what-is-the-yubikey-s-account-limit- ) you can find information about various limits.

As I mentioned earlier, the Yubikey 5 series has multiple connectors and form factors.  I went with the Yubikey 5C with USB-C for future proofing since more devices use USB-C, but I also purchased a USB-C to USB-A adapter from Syntech, which so far has worked fine on a Windows laptop that only has USB-A ports.  For now I plan to keep my Security Key NFC as the "backup" device, and the Yubikey 5C as the one I use to test out some of the new features.

I got one, now what?

If you decide to get a Yubikey, check out these other posts of mine that might help with some tips on setting it up:



Useful Yubico Links:
Quiz to see which device is best for you - https://www.yubico.com/quiz/
Catalog of services that work with Yubikey - https://www.yubico.com/works-with-yubikey/catalog/?sort=popular
