What is a YubiKey?
Yubico, the company behind the YubiKey, was founded in 2007 and shipped its first key the following year. Several years later Google and Yubico worked together on an open security-key standard, FIDO U2F (Universal 2nd Factor). Simply put, a security key is a small hardware device that adds a phishing-resistant second factor to a user name and password and, with the newer FIDO2/WebAuthn protocol, can replace the password altogether. Both companies now sell keys built on that joint work: Google's is called the Titan Security Key, and Yubico's is the YubiKey.
Why Use A Security Key?
I run websites and, like most of us, spend a good deal of time on the Internet. As man-in-the-middle attacks and phishing e-mails have become more sophisticated, login credentials can be stolen and code-based two-factor authentication (2FA) can be defeated. Defeating 2FA is a real concern. For example:
You log in to one of your web services. First you get a page asking for your user name. Once you enter it, another page asks for your password, and you enter that too. The service offers 2FA and you have enabled it, so it now shows yet another page asking for your six-digit code. You open your trusty Google Authenticator, find the entry for this service and type the current code into the page. All these pages and entries look normal. You are safe, right?
You might be safe, or you might not be. A phishing attack could have taken place: each page you typed into was an exact, or nearly exact, copy of the real one, served from the attacker's domain, and everything you entered was forwarded to the attacker. The attacker submits your user name and password to the real site, hurriedly enters your authenticator code as well (a TOTP code is valid for 30 seconds, plus whatever grace window the server allows), and is now logged in to the service as you. Nothing in this exchange could have warned you, because a six-digit code carries no information about which site it is being typed into; that is why any one-time code, whether it comes from an app, an SMS or a hardware token's OTP mode, can be relayed this way. FIDO U2F and FIDO2, which the YubiKey also implements, close this gap: the browser includes the real origin of the page in the data the key signs, so a signature obtained by a look-alike site is rejected by the genuine one.
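To make the difference concrete, here is an added example (Python, standard library only; not code from this article or from Yubico) that models both halves of the scenario. It implements RFC 6238 TOTP with the usual one-step drift window, shows that a code captured by a phishing page and relayed a few seconds later is accepted by the real site, and then models the origin binding of FIDO U2F/FIDO2: the browser, not the page, supplies the origin that the key signs over, so an assertion obtained on a look-alike domain fails verification at the genuine site. The device signature is an HMAC stand-in for the authenticator's ECDSA signature, and the secrets, origins and challenge are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either
    side of it, the usual allowance for clock drift; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


def totp_relay_attack(secret: bytes, t_victim: int, relay_delay: int) -> bool:
    """Victim types the code into the phishing page at t_victim; the attacker
    submits it to the real site relay_delay seconds later. Returns whether the
    real site accepts it. Nothing in the code ties it to the site it was typed
    into, so any delay inside the server's window succeeds."""
    captured = totp(secret, t_victim)
    return verify_totp(secret, captured, t_victim + relay_delay)


def device_sign(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    """Stand-in for a U2F/FIDO2 authenticator signature (HMAC instead of ECDSA).
    The BROWSER passes the origin of the page that made the request; the page
    itself cannot choose it. The device signs H(origin) || challenge."""
    msg = hashlib.sha256(origin.encode()).digest() + challenge
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def rp_verify(device_key: bytes, rp_origin: str, challenge: bytes, signature: bytes) -> bool:
    """Relying party recomputes over ITS OWN origin and the challenge it issued."""
    expected = device_sign(device_key, rp_origin, challenge)
    return hmac.compare_digest(expected, signature)


def fido_relay_attack(device_key: bytes, rp_origin: str, phish_origin: str) -> bool:
    """Attacker starts a login at the real site, receives a challenge, forwards
    it to the victim's browser on the phishing page, and relays the assertion
    back. Returns whether the real site accepts it."""
    challenge = secrets.token_bytes(32)                            # issued by the real RP
    assertion = device_sign(device_key, phish_origin, challenge)   # browser binds the phish origin
    return rp_verify(device_key, rp_origin, challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 6238 test-vector secret
    print("relay after 5 s accepted:  ", totp_relay_attack(seed, 59, 5))     # True
    print("relay after 120 s accepted:", totp_relay_attack(seed, 59, 120))   # False
    key = secrets.token_bytes(32)             # constructed device key
    print("FIDO relay via look-alike origin accepted:",
          fido_relay_attack(key, "https://accounts.example.com",
                            "https://accounts-example.com"))                 # False
```

The first half is exactly what a YubiKey in Yubico OTP or OATH-TOTP mode is subject to; only a U2F/FIDO2 registration gets the origin check in the second half, which is why the rest of this article's anti-phishing claims apply to those protocols.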
While researching this topic, I ran across a Business Insider article stating that in 2017 Google gave a security key to each of its 85,000 employees and contractors and made its use mandatory, and that in the year since, none of those 85,000 employees and contractors had their accounts compromised [1].
After several hours of research, I decided that a security key was a must-have for protection, and YubiKey was the key for me.
YubiKey Features
One of the reasons I opted for the YubiKey is that it is the most feature-rich key I could find (numerous protocols and its own authenticator). Here are some of YubiKey’s features [2]:
YubiKey: Hardened against attacks; anti-phishing features
Analysis: Mobile devices let users install apps, and each app is a potential avenue of attack. Malware on a phone can read the secrets an authenticator app stores and so compromise the 2FA it provides, and any site or service it protects; SMS codes can be intercepted or relayed by a man-in-the-middle. A YubiKey keeps its secrets in hardware that the host cannot read back, so malware on the computer or phone cannot copy the credential. Note the limit of the anti-phishing claim, though: it holds for FIDO U2F/FIDO2 registrations, whose signatures are bound to the site's origin, and not for the key's Yubico OTP, OATH or static-password modes, whose output is a code that can be relayed like any other.
YubiKey: Simple, automatic entry of a one-time password (OTP); no need for manual entry
Analysis: Time-based hardware tokens, SMS and mobile phone software require the user to physically enter a code each time they wish to authenticate. YubiKey authentication is completed with one touch of a button or tap via NFC removing user error and allowing for instant entry of longer, more secure OTPs.
YubiKey: No client software or drivers to install; nothing needed except the key
Analysis: Other authenticators rely on drivers and client software to complete their solutions. YubiKey is a standalone device that acts as a keyboard when it is plugged into a USB port or is used as a contactless device communicating over NFC. The YubiKey is compatible with authentication protocols already supported by many existing applications and services.
YubiKey: No need to administer time synchronization
Analysis: Time-based solutions, including hardware TOTP tokens, depend on the token's clock agreeing with the server's; when the two drift apart, the server must widen its acceptance window or the token must be resynchronised by hand. The YubiKey supports OATH-TOTP too (it has no clock of its own; the host supplies the time with each request), but the device is not restricted to TOTP. It supports multiple protocols on the same device, so the best-fitting one can be used for each situation.
YubiKey: Near Field Communication (NFC) functionality; contactless support
Analysis: While some smart cards offer an NFC option, the YubiKey exposes both its OTP and its smart-card (CCID) interfaces over NFC, which gives more flexibility in how the second factor is delivered. (Note: NFC is available only on the NFC-equipped models, the YubiKey NEO, YubiKey 5 NFC and YubiKey 5C NFC; the 5Ci and the Nano models have no NFC.)
YubiKey: Can provide a complex static password when 2FA not available
Analysis: Few other authenticators offer this, and it lets a long, complex password be typed by the key when two-factor authentication is not supported. Treat it as a convenience only: the static password is just keystrokes, so a keylogger or a phishing page captures it like any other password, and it should be paired with a second factor wherever one exists.
YubiKey: Crush and impact resistant — stands up to abuse
Analysis: Other authenticators can’t take the same level of abuse as waterproof, crushproof, and hermetically sealed YubiKey. In addition, the YubiKey does not have a battery or moving parts.
YubiKey: Designed with the next-generation protocols (FIDO U2F and FIDO2/WebAuthn) built in
Analysis: Other devices are generally single-purpose, single-protocol authenticators, while the YubiKey works with every protocol Yubico supports without any change to the device or its configuration. The YubiKey 5 series supports Yubico OTP, OATH-HOTP, OATH-TOTP, a static password, OpenPGP, smart card (PIV-compliant), FIDO U2F and FIDO2/WebAuthn.
What Is The Right Key For Me?
Yubico makes a number of keys. For most of us, the right key will be one in the 5 series: these all support the full set of Yubico's currently available protocols, and differ only in physical size, in whether they have NFC, and in the connector (USB-A, USB-C, Lightning, or USB-C plus Lightning) that matches the device they plug into.
If you have a computer that is several years old, or several computers of different ages, the YubiKey 5 NFC (USB-A, with NFC for phones) is probably the one for you. If your computers have only USB-C ports, the YubiKey 5C or the low-profile 5C Nano fits; if you also want to plug the key into an iPhone or iPad with a Lightning port, the YubiKey 5Ci has both USB-C and Lightning connectors. Remember that the Nano and 5Ci models have no NFC.
Setting Up Your YubiKey
When you buy a YubiKey, buy two of them and keep the second as a backup in case you lose or damage the first. Register both keys with each web service at the time you enrol the first one. This saves time later, and for FIDO U2F/FIDO2 registrations it is the only option, because a credential created on one key cannot be copied to another; likewise, an authenticator (OATH) credential can only be written to the second key while you still have the service's QR code in front of you.
A growing number of web sites support the security key directly in their login process. Unfortunately, many sites still do not.
For sites with integrated support, go to yubico.com/start. There you will find the list of services that support security-key login, with written and video instructions for each; Yubico's video walkthrough of the Google setup is a good example.
For web sites that do not offer security key integration, the Yubico Authenticator can be used. After reading this, some readers are probably thinking, “Why do I need to use a security key then, because I am already using Google Authenticator?” There are two reasons why the Yubico Authenticator is a better choice:
- When you set up 2FA on a web service you scan a QR code, which encodes the shared secret from which every future code is derived. An authenticator app stores that secret on your phone, where malware (or an extracted backup of the phone) can read it and compute the same codes. With the Yubico Authenticator the secret is written into the YubiKey's OATH storage and the key computes each code; the phone keeps only the account label.
- Most of us keep our authenticator on our phone. Lose or damage the phone and you lose all of your codes, which means a lot of work to regain access to each web service. With the credentials on the key, any phone or computer running the Yubico Authenticator can produce them when the key is presented. (The secrets cannot be read back out of the key, so the backup key still has to be enrolled separately, as described above.)
Setting Up The Yubico Authenticator
The Yubico Authenticator app is available for macOS, iOS, Android, Linux, and Windows, and can be downloaded from the App Store, Play Store, or yubico.com. Once installed, open the app and you will see a screen similar to the one below (iOS):
Unlike other authenticators, none of your web services or codes are visible when the app opens: the credentials live on the key, so the list stays empty until the key is presented. To add a web service, tap the "+" in the upper right-hand corner.
Once you click on the “+”, a pop-up screen appears asking you to either scan the QR code offered by the Web service or enter the code manually.
Now you are asked to scan your YubiKey. Because this example adds a new web service, the secret from the site's QR code is written to the key at this point. The iOS app reads the key over NFC, which needs an iPhone 7 or later; on the iPhone 7, 8 and X the scan is started from within the app, while later models can read the key in the background without a prompt. To scan, hold the key against the top edge of the phone, where the NFC antenna is.
You will now see the new Web service in the authenticator’s list of Web Services.
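As an added example (Python, standard library only; not the Yubico Authenticator's own code), the following parses the otpauth:// URI that a service's 2FA QR code encodes (the key-URI format used by Google Authenticator and compatible apps) and splits it the way the procedure above does: the base32 secret is the only thing that has to live on the key, and the phone keeps just the issuer, account name and code parameters. The sample URI and its secret are constructed for the example, and the two record types are a model of that split, not the app's actual storage format.

```python
import base64
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass(frozen=True)
class PhoneRecord:
    """What the phone keeps after provisioning: label and parameters, no secret."""
    issuer: str
    account: str
    kind: str        # "totp" or "hotp"
    algorithm: str   # SHA1, SHA256 or SHA512
    digits: int
    period: int      # seconds per TOTP step (unused for HOTP)


@dataclass(frozen=True)
class KeyRecord:
    """What is written to the key's OATH credential store (model of the split)."""
    name: str        # "Issuer:account" as the key will list it
    secret: bytes    # raw HMAC key decoded from the base32 in the URI


def parse_otpauth(uri: str) -> tuple[PhoneRecord, KeyRecord]:
    """Parse an otpauth://totp/... or otpauth://hotp/... URI.

    Raises ValueError on anything a careful authenticator should refuse:
    wrong scheme or type, empty account, missing or malformed secret,
    unknown hash, unsupported digit count, or an HOTP URI without a counter.
    """
    parts = urlsplit(uri)
    kind = parts.netloc.lower()
    if parts.scheme != "otpauth" or kind not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")

    # The label is "Issuer:account" or just "account", percent-encoded.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    label_issuer, account = label_issuer.strip(), account.strip()
    if not account:
        raise ValueError("empty account name")

    # Last value wins if a query parameter is repeated.
    q = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    issuer = q.get("issuer", label_issuer).strip()
    if label_issuer and "issuer" in q and issuer != label_issuer:
        raise ValueError("issuer in label and query disagree")

    b32 = q.get("secret", "").replace(" ", "").upper()
    if not b32:
        raise ValueError("missing secret")
    try:
        # RFC 4648 base32; QR codes commonly omit the '=' padding.
        secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("secret is not valid base32") from exc

    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits = int(q.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError(f"unsupported digit count {digits}")
    period = int(q.get("period", "30"))
    if kind == "hotp" and "counter" not in q:
        raise ValueError("hotp URI without counter")

    phone = PhoneRecord(issuer, account, kind, algorithm, digits, period)
    key = KeyRecord(f"{issuer}:{account}" if issuer else account, secret)
    return phone, key


# Constructed sample; the secret is a well-known base32 test string.
SAMPLE_URI = (
    "otpauth://totp/Example%20Co:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Co&algorithm=SHA1&digits=6&period=30"
)

if __name__ == "__main__":
    phone, key = parse_otpauth(SAMPLE_URI)
    print("phone keeps:", phone)
    print("key holds:  ", key.name, key.secret.hex())
```

Once the secret has gone to the key, the phone record is all an attacker who steals the phone can learn, which is the whole point of the first reason given above.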
Using The Yubico Authenticator
- Open the Authenticator on your device and you will see the blank screen shown in the very first picture of the group above.
- On iOS, swipe down with one finger from roughly the middle of the blank screen.
- You will now see the same pop-up as in the third picture, asking you to scan your key. Hold the key against the back or the top edge of your phone so it can be read over NFC.
- As in the last picture above, you will now see the list of your web services. Find the service that is asking for the six-digit code and enter it on the web page.
Conclusion
As with any security measure on your computer or web site, adding a security feature usually costs some convenience. If that bothers you, I might add that being hacked is also an inconvenience, and one that can be very costly in both time and money. To me, using a security key is a must.
Hands down, the YubiKey is the best security key solution available at this time. It has more protocols, making it very flexible. In this article, I have only touched the surface of what the key is able to do. Both the key and the software are well thought out and engineered.
The only critique I have is with the documentation. It is wanting. To me, the key was initially targeted for skilled users like developers and IT professionals. For this group, the documentation is sufficient. For use by people with substantially fewer computer skills and experience levels, setting up the key and authenticator might be challenging.
The bottom line is that if you spend any time on the Net at all, you need to be using a security key. The best key at the moment is the YubiKey.
Sources
[1] Kif Leswing, Business Insider, 23 July 2018. https://www.businessinsider.com/none-of-googles-employees-get-phished-because-of-yubikey-security-key-2018-7
[2] Yubico, Authentication Features Comparison. https://www.yubico.com/features/