Yubico Security Key Review (The complete edition)

yubico_security_key_review

Yubico Security Key is here to challenge everyone else. Does it succeed?

Pros

  • Durable
  • Has support for FIDO2 and U2F protocols that are used  by Facebook, Twitter, Google and others
  • Simple to use
  • affordable

Cons

  • Has no support for other 2-factor authentication systems
  • Zero wireless support

 

Summary

Yubico, with its Security Key, offers users an affordable, durable and simple way to take advantage of two-factor authentication.

Our research shows that this Security Key from Yubico is not the one with the most features compared to the competition.

However, as far as the average consumer is concerned, there is hardly another 2FA key out there that can beat Yubico.

 

Full review

So how does two-factor authentication on the internet work?

If you are reading this review then there is a good chance that you already a bit about terms such as 2FA or two-factor authentication.

Selection_002

In any case, the most popular security implementation, when the user tries to log in to a given account, is the user has to enter a username and a password and then also input a six-digit code that the service (the user is trying to sign into) sends to the user’s mobile phone via SMS.

Sometimes the user can have that generated with the help of an app.

After the user has done that, the service authenticates the user as usual.

Now, a lot of readers would conveniently assume here that the term two-factor authentication comes from the fact that a given service requires a second step to authenticate the user.

Practically speaking, that is true.

However, in theory, it isn’t.

The term two-factor authentication comes from a different concept.

A concept which combines two different types of user authentication from a total possible number of three.

The three authentication types are as follows,

  • Something that the user is
  • Something that the user has
  • Something that the user knows

Generally speaking, the password part is something that is in the user’s head.

Of course, the better thing here would be to have the password in a password manager, but that’s okay.

The point that we are trying to make here is that, the password represents something that you know.

Then there are all those biometric factors such as fingerprint scans.

These are things that you are.

Apart from that, an app or a piece of hardware that has the ability to authenticate the user is something that the user has.

In this review, we will only talk about the hardware security keys.

But readers should know that there are many other methods available for them to add a second authentication factor as well.

If you combine just two things from the list of three that we have mentioned above, then you essentially make it a  lot harder for any hacker to break into any and/or all of your online accounts.

It is within the realm of possibility that someone might manage to steal your password.

Ever heard of mass data breaches?

That is where all the ‘stealing’ happens.

Other folks skip the data breach part and purchase personal information straight off the notoriously dark Dard Web.

Of course, it is another fact that if you are making use of two-factor authentication then any hackers who gets hold of your password would have his/her efforts foiled when the account they have the information for would ask them to enter the user’s second factor of account authentication.

Selection_006

It turns out, various reports have gathered up a lot of data to back up the claim that two-factor authentication really does improve security.

Back in 2017, Google (the technology giant behind services such as Google search engine, YouTube, Gmail, Google Docs, Notes, and Waymo) issued USB security keys to a total of 85000 of its employees.

Once the company went through with the purchase and put all the systems in place, reports that talked about phishing attacks taking over user accounts dropped to almost zero.

A major key for major security

The Yubico Security Key is not the only two-factor authentication hardware that the company offers.

Our research shows that there are at least half a dozen more hardware-based two-factor authentication products that the company behind Yubico Security Key (Yubico) offers to users.

However, the company’s flagship product which is YubiKey 5 series manages to encompass all four of the company’s products.

Our research shows that the official Yubikey 5 NFC makes use of USB-A.

Not only that, it also has the ability to communicate via wireless methods with the user’s Android device by utilizing the NFC technology.

There is also Yubikey 5C.

This product makes use of USB-C.

However, it lacks any kind of wireless capabilities.

There are also the 5C Nano and Yubikey 5 Nano that do not have support for NFC.

However, they are small enough to semi-permanently remain in place in the user’s USB slot.

As far as prices go, currently the YubiKey 5 Series can cost the user anywhere from $45 to $60.

More specifically though, the Yubikey 5 Series offers the 5 NFC device for $45 while the 5C Nano device for $60.

These keys have some features which require the user to download the company’s client software.

Yubico provides all customers with that software without any charges.

On the other hand, users who want to can set up the device via manual device configuration.

Each and every one of the four security devices that YubiKey 5 series offers to users has the same set of features and capabilities when one looks under the hood.

All of the devices support FIDO2 and FIDO U2F which are considered the presumptive and current universal 2FA protocols.

However, the official YubiKey 5 series also offers devices that can serve the user as Smart Cards by making use of Personal Identity Verification.

These can generate those one-time passwords and can support both the OATH-HOTP and OATH-TOTP.

Users can also use these for challenge-response account authentication.

Perhaps this is also a good time to mention the fact that all of the four devices have full support for the three popular cryptographic algorithms namely,

  • ECC p384
  • ECC p256
  • RSA 4096

Yes.

That is pretty much an alphabet soup.

However, if you already have an idea that all of the terms mentioned above mean then there is a high possibility that YubiKey 5 will more or less excite you.

However, even if you don’t know what each of those terms means then it is enough for you to know that these are the current Swiss Army devices.

In other words, they can do anything and everything that the user asks of them.

Of course, we’re assuming here that you actually know that needs to be asked and, most of all, know what you are doing.

We would also like to mention that the Security Key from Yubico is a security device that is radically different from all others.

Why do we say that?

For starters, the device has a plastic shell that is durable and is bright blue in color.

Each and every other device from YubiKey is black.

Moreover, when the user inserts the device to a given USB-A slot, the small key logo on the device starts to glow blue-white.

There is also the numeral 2 which is etched right into the device’s plastic body.

This numeral appears right above the gold disk which is itself touch-sensitive.

Also, this numeral 2, differentiates the Yubico device from the company’s earlier model.

Keeping aside the appearances, the Yubico Security Key comes at a dramatically cheap price than the rest of the Yubikey offerings.

It costs users just $20.

Selection_005

Perhaps the most prominent and critical difference between Security Key from Yubico and others is what Security Key can’t do.

Namely, Yubico Security Key only supports protocols such as FIDO2 and FIDO U2F.

Moreover, it doesn’t have the capability to generate any kind of OTPs, one-time passwords.

Apart from that, it doesn’t even have support for Yubico’s official client software.

Now, our research shows that for the majority of online consumers, these ‘issues’ would not cause them any kind of harm.

In other words, they will be mostly fine.

Besides, most major online services and websites that support various different security keys all have complete compatibility with U2F.

The list of websites that support all U2F protocols include,

  • Twitter
  • Facebook
  • Google

Our research also shows that the Security Key by Yubico accomplishes less than other Yubikey devices but that ‘less’ is enough for the modern average online consumer.

Readers also need to keep in mind that Yubico comes at a price that most security conscious online consumers can afford.

Of course, if you are one of those users who have set their eyes on the laundry list of features and capabilities of YubiKey which are not available in Security Key from Yubico and are also drooling over them and/or reaching over to get your credit card, our advice is to simply skip the Yubico Security Key and simply shell out whatever extra cash is required for Yubikey.

Moreover, if you are actually the head of the IT department and are looking for one single and unique solution to all of your two-factor authentication needs, then it is a good idea to simply skip the Yubico Security Key.

Yubico Security Key appearance and usage

As mentioned earlier as well, the official Security Key from Yubico has textured blue plastic.

It is grippy on the user’s fingers and is, generally, good.

More specifically, the whole security key device feels pretty solid despite the fact that it weighs just over 3 grams.

The material on its body hides the user’s fingerprints along with wear and tear.

And your Yubico Security Key will get plenty of that since, as it is designed, users would probably have it hanging on one of their key rings.

Our research shows that the flat design of the Yubico Security Key also means that it is easy to hang with other things/keys on a given ring.

That feature is in contrast to YubiKey 5C which is bulkier.

However, just like its other YubiKey cousins, the Yubico Security Key is waterproof and crush proof.

It doesn’t have any moving parts.

Hence, theoretically speaking, it will never run out of electricity.

That’s because it doesn’t really have any batteries.

Yubico Security Key does not require the user to have Wi-Fi and/or LTE.

Readers should take those last two features that we have mentioned seriously because they are big advantages.

Especially over other authenticator apps.

Selection_004

As for using the Yubico Security Key, the whole process is pretty much a snap.

All that users have to do is to head towards a given website which has support for security keys to use with two-factor authentication.

Then users should look for that option which enables them to enroll a completely new security key.

After that, the site should prompt the user to insert his/her key into a given USB port.

When that’s done, the user may have to tap the Yubico Security Key’s gold disk thing.

And that is all.

Now, the key should have enrolled.

The next time when the user makes an attempt to log in to that specific site, the site would request the user for his/her password and would then prompt the user to insert and then tap his/her security key.

Once the user has done that, he/she is practically in.

Our research shows that Yubico Security Key should not give any problems to users on sites such as,

  • Facebook
  • Twitter
  • Google

In fact, with such services, we believe Yubico Security Key should work flawlessly.

One other thing that readers should note here is that some online services may, in fact, require them to create some backup codes.

That should not be a problem for anyone because even if a website doesn’t ask you to, it is a good idea to have them someplace safe.

Some online services may require a valid phone number in order to use with backup authentication through SMS.

Some users like to have lots of options available.

And good luck to them because it never hurts to have a number of different ways to authenticate and/or confirm a given account.

Readers should also note that the majority of the modern web browsers now fully support U2F.

However, for reasons of its own Firefox actually disables U2F support because of its default settings.

Click here to go to the official Yubico website and read a guide on how to handle activating U2F support for excellent web browsers such a the one from Mozilla.

On the other hand, even though we have mentioned the U2F protocol a lot of times (and there is no doubt about the fact that more and more services and applications are supporting it), it isn’t really ubiquitous.

A lot of services still do not support it.

A prime example is LastPass.

LastPass, probably the best password manager in town, makes use of the official One-Time Password feature from Yubico in order to secure accounts.

However, LastPass only does that for devices that the YubiKey 5 line supports.

It doesn’t do that via Yubico Security Key.

We don’t mean to say Yubico doesn’t have anywhere to go.

In fact, Yubico has a reasonably long list of websites and online services that have support for different types of YubiKeys.

This is where readers will have to look around for a bit to see which YubiKey model would suit them best by determining the sites they will probably use it on.

One other quick note that we would like to mention here on FIDO2 is that, this protocol is new.

And it is true that some circles on the internet may consider it as a big deal.

In fact, Yubico has officially said in the past how it feels that FIDO2 protocol would one day have everything it needs to replace current passwords and put them out of business.

And we think that is indeed a fantastic idea.

However, it is an idea that most people with enough experience on the internet have heard many times in the past.

Don’t get us wrong.

Selection_003

It is great that all of the Yubico products have the ability to support FIDO2.

We are aware of the fact that the company probably wants to future-proof its products.

However, the thing is that the jury is still pretty much out on the actual utility of FIDO2.

The community won’t have to wait long though.

Microsoft now permits online users to actually log in to any and all of their accounts without ever having to input a password and only using the company’s Edge web browser along with a FIDO2 key.

This, according to us, would be a pretty significant and major test of how this new FIDO2 technology would fare in the future.

Security Key from Google Titan vs Security Key from Yubico

As mentioned before as well, Security Key, when compared to the all the other devices in the Yubico family, is an affordable and simple solution for any average online consumer.

However, trying to compare it with Google Titan Security Key is not really a straightforward task.

It is actually a bit complicated.

Google Titan and Yubico Security Key are fairly similar to each other under the hood.

Both of them support the new protocol FIDO U2F.

However, Google Titan has zero support for FIDO2.

Google Titan also does not support any other login scheme or protocols.

Our research shows that the official Google Titan bundle key actually comes as two devices.

One is a recharge dongle that works via the Bluetooth technology and users can attach it to a micro USB slot and the other device is a USB-A NFC-enabled key.

On the whole, the package is likely to set you back around $50.

That is a lot when we compare it to the $20 that you have to pay to purchase the Yubico Security Key.

Now, readers should keep in mind that the Yubico Security Key doesn’t really support NFC or Bluetooth.

Moreover, Yubico Security Key is a single device.

With Google Titan, users get to have access to two devices.

Our research shows that having a solid pack of two keys provides one with a decent amount of peace of mind.

Users can carry one with them knowing that they have a spare someplace else.

The official Advanced Protection Program from Google also requires the second key.

So there is that.

With that said, it is also true that even if users buy a spare/second Yubico Security Key, it would cost them slightly less than what the official Titan bundle would cost.

Yubico provides discounts to users who buy two Security Keys which can be had for just $36.

Conclusion

Our research tells us that Yubico Security Key is probably the best that YubiKey line has to offer if we factor in the money people have to pay to get it.

It is affordable.

And even though it doesn’t have the same capabilities as YubiKey 5 line, it does offer more accessibility since the majority of the online users wouldn’t really ever make use of all the bells and whistles of the more expensive offering.

 

Zohair

Zohair

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Zohair

COMMENTS

WORDPRESS: 0