YubiKey hardware security key for secure login (review)

The YubiKey hardware security key is a series of security products that use hardware (a physical key) to log into computers, smartphones, and sensitive apps.

Upfront, this is one of the hardest reviews I have had to do because while I understand that a YubiKey is essentially a hardware two-factor authentication device, it is also a passkey and much more. You need the key (in one of its various forms) to log into a device and access YubiKey-aware apps.

I am not sure I am the right person to review this. But in the spirit of never letting a reader down who had requested a YubiKey review, let’s go and both find out. Sorry if some of this is elementary stuff dumbed down to my level.

Why do you need a YubiKey hardware security key?

Over 60% of Aussies (and we think it’s far higher) still use a login and password. The others have turned on two-factor authentication (2FA), where a login requires it. The consumer uptake of a physical key is very low, but it is rapidly growing in business, enterprise and government. Add a key and one other form of authentication, and it’s foolproof.

Company

YubiKey is made by Yubico, founded in 2007 by Stina Ehrensvärd, a Swedish-American entrepreneur, innovator and industrial designer and her husband Jakob, who is Chief Technology Officer. Keys are made in the USA and Sweden.

Security Standards

Multi-protocol support: Fast Identity Online (FIDO), FIDO2/WebAuthn (Force PIN change and minimum PIN length), Personal Identity Verification-compatible (PIV), Universal 2nd Factor (U2F), Smart card, OTP, OpenPGP, and OATH one-time passwords. The keys are not upgradable (for security reasons), so if a new protocol emerges (rare), it’s new keys.

The security token is stored on the physical key, and it cannot be copied. A backup key is recommended. All keys require a physical tap to activate. You can use the same key on multiple devices.

Works with

Thousands of Apps. Microsoft, Google, Amazon, Apple and Meta all support it. The better password managers like LastPass and KeePass support it. Almost any app that supports a smart card will work with YubiKey.

Simple use

All are IP68, have no moving parts and no batteries. They use USB-A, USB-C, NFC and Lightning.

Plug into the USB port or use NFC instead of a login and password. It works with Windows, macOS, iOS, Android, and Linux, and leading browsers. It does not work with Windows on ARM (Windows Copilot PCs) at present.

The basic key weighs about 4g and is 45 x 18 x 3.7mm with a reinforced keyring.

Its latest product is the YubiKey 5 series

Single Factor Authentication (Passwordless), Two Factor Authentication (2FA), Multi-factor Authentication (MFA) with a pin or biometric. The NFC model has an enhanced 6-digit PIN.

It has a Biometric key V5.7 that works with FIDO only.

It has a Federal Information Processing Standards (FIPS) 140-2 validated key for government and high security use.

Setup (we will use Microsoft MS as an example)

Plug the new key into the USB-A or USB-C port, and it will activate it.

• Log in manually (login and password) to your PC
• Click on MS account (icon top left)
• Sign-in options
• Security key

This will enable the YubiKey for all MS apps and devices. It is the same process for Google Android, macOS and iPhone (US-C).

If that is a problem, Yubico has an Authentication app

And make a backup.

CyberShack’s view: YubiKey hardware security key for enhanced security

 Apologies for this short review, but you are either interested in enhanced security or happy to use 2FA and passwordless solutions offered by most banks and businesses, where security is still evolving.

Having a physical key means no one, but you can access your accounts. The more logins and passwords you add, the more you understand the convenience of having the key in your USB port.

You can get the new 5 series in its various interfaces from $100. You should get two!

Be aware that there are older series still sold at lower prices, and they may suit your needs.