Yubico – YubiKey 5Ci – Two-factor authentication security
Yubico – YubiKey 5Ci – Two-factor authentication security key for Android/PC/iPhone, dual connectors for Lighting/USB-C – FIDO certified
Key features
| Hardware security key | The strongest form of two-factor authentication (2FA). |
| Securely manufactured | Made in Sweden and USA and packaged in tamper-evident, safety sealed packaging. |
| Asymmetric cryptography | Uses public and private key cryptography. |
| Yubico OTP | Simple & strong authentication mechanism that works with Yubico Authenticator. |
| Durable (IP68 rated) | Injection molded, crush resistant and water resistant body. |
| Configurable | Easily configure multiple protocols across computers, networks, apps and services. |
| Multi-protocol | WebAuthn, FIDO2, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP. |
| Password managers | Increase the security of your password manager with the support of a YubiKey. |
Highlights
| |||
|---|---|---|---|
FinancePacked with modern cryptography and security protocols, YubiKey secures banks, employees, and their customers’ accounts. | HealthcareThe healthcare industry and other regulated industries use YubiKeys to secure accounts and IT infrastructure in Cerner and other EHR technologies. | DevelopersDevelopers keeps their projects safe with the FIDO2 protection in YubiKey 5 – the only security key endorsed by GitHub. | EnergyThe energy sector uses YubiKey 5 to secure authentication for applications, data, and infrastructure to withstand cyber threats. |
Technical specifications
| Connector | USB-C, Lightning |
| NFC-enabled | No |
| GTIN | 5060408461969 |
| Authentication methods | Passwordless, strong two factor, strong multi-factor |
| Design & durability | Water resistant, crush resistant, no batteries required, no moving parts |
| Device type | FIDO HID Device, CCID Smart Card, HID Keyboard |
| Manufacturing | Made in Sweden and USA |
| Dimensions: | 4.03 x 1.2 x 0.5 cm; 3 Grams |
| Model: | Y-291 |
| Manufacture: | Yubico |
| Dimensions: | 4.03 x 1.2 x 0.5 cm; 3 Grams |
| Origin: | Sweden |
Highly recommended for anyone looking to add an extra layer of security.
This is a crucial step as you might be prompted for a PIN mid-setting up an account like Apple which would be set automatically without you realising (hence forgetting / not-knowing what the PIN is later).
– Easy to setup
– Small form factor so easy to carry anywhere
– Works flawlessly with NFC on mobile devices
– Supported by tons of applications
Not only is a physical key more secure, it is also faster (for websites that implement it correctly) – you just simply tap on it and you’re done. No need to dig out your phone and find the authentication code, or wait for several minutes for the text message to arrive.
One major let down for me personally is that the YubiKey authentication app does not work on macOS High Sierra (I will buy a new Mac soon with the latest OS, but I can’t upgrade this one because I have critical apps on it that will stop working!).
I would definitely recommend getting this product though (and another one for backup purposes) as I am sure it will become the standard over time. If you’re not sure which one to get, just remember you can also spend a few extra quid on a USB convertor (e.g. USB A to C) and the YubiKey will still work fine. Personally, I went with the USB C type because it seems that USB C is now becoming the standard over USB A, so I wanted to future proof it, but I also had to buy a USB A to C adaptor – no big deal!
The openPGP interface is fantastic. It works very well with it being impossible to extract the private key from the card, it’s PIN protected and the card is wiped if you get it wrong.
Key can be used for 2FA but it’s worth it just for OpenPGP.
Absolutely fantastic product. I use this key as my primary security key on my password manager and important accounts. Worth purchasing the Security key edition as a backup to accompany this key. Ideally you should setup the key so a short press is used for key authentication and a long press for your password managers master password. After exploring it’s features I believe it to be worth the cost. Gives great peace of mind for my online account security.
Great extra layer of security to manage all your password. Very easy to setup up and easy to manage all your passwords. I do like the fact to link a cold device to validate important and sensitive accounts. I do recommend it.
Is pretty good. Was hard to set up though (I did read the instructions on the back of the project packaging)
But overall good value of security and decent price.
I also wanted to secure my Facebook, Insta, EBay and Reddit accounts. Until I discovered that I would also have to download an authentication App to use along side my Yubikey. I did try to use the Yubikey app but I am not tech savvy and was scared I would be locked out of my account.
I have used 2FA for a few years now. Most sites offer the ability to use an Authenticator app like Authy or Duo. However, some either only allow 2FA via an SMS or the SMS is the ONLY backup option. If you’re here and reading this, you probably already know that this is a security flaw or vulnerability.
Herein lies the problem with security keys. Firstly, not that many sites allow the use of security keys. The list on Yubico’s website include sites that use the Yubico authenticator app. Granted, the Yubico authenticator app is pretty decent and does allow tokens using your Yubico Yubikey but the fact you have to use an authenticator app is defeating the purpose.
Secondly, some sites force you to sign up to SMS 2FA backup or download backup codes. I would prefer to avoid both of these methods, hence why I paid for TWO security keys. Personally I would rather use an Authenticator app than SMS codes but I’d rather not use either.
Summary; I fully understand that this is out of Yubico’s hands. The 2FA security services websites offer, including authenticator apps or SMS codes, is the choice of the website. Whether it’s convenience, ease of use for the end user, or not caring about their users security. Yubico’s hands are tied. Having said that, they aren’t very transparent about that information. Maybe it’s my fault, maybe I should have researched more.
To close. The Yubico Yubikey is a fantastic piece of idea and security assurance. The Yubico Authenticator app is decent and works well. It’s just all let down by lazy non-caring websites. Including Amazon and PayPal.
The idea behind a security key is a solid idea. To access an account you activate 2FA, enroll your security key and any future logins require your username, password and security key (or backup key). However upon purchasing two keys, I soon discovered that not that many sites allow the use of a security key.
I have used 2FA for a few years now. Most sites offer the ability to use an Authenticator app like Authy or Duo. However, some either only allow 2FA via an SMS or the SMS is the ONLY backup option. If you’re here and reading this, you probably already know that this is a security flaw or vulnerability.
Herein lies the problem with security keys. Firstly, not that many sites allow the use of security keys. The list on Yubico’s website include sites that use the Yubico authenticator app. Granted, the Yubico authenticator app is pretty decent and does allow tokens using your Yubico Yubikey but the fact you have to use an authenticator app is defeating the purpose.
Secondly, some sites force you to sign up to SMS 2FA backup or download backup codes. I would prefer to avoid both of these methods, hence why I paid for TWO security keys. Personally I would rather use an Authenticator app than SMS codes but I’d rather not use either.
Summary; I fully understand that this is out of Yubico’s hands. The 2FA security services websites offer, including authenticator apps or SMS codes, is the choice of the website. Whether it’s convenience, ease of use for the end user, or not caring about their users security. Yubico’s hands are tied. Having said that, they aren’t very transparent about that information. Maybe it’s my fault, maybe I should have researched more.
To close. The Yubico Yubikey is a fantastic piece of idea and security assurance. The Yubico Authenticator app is decent and works well. It’s just all let down by lazy non-caring websites. Including Amazon and PayPal.
This is a great size YubiKey to fit around your keyring
It could have been nicer & come pre attached to a small keyring as the loop is large and tough to fit onto some
The small tabs on the side light up when inserted you push them to authenticate the device
It’s quite brilliant, I love the concept, since it’s a physical USB it’s never gonna be hacked as it requires a physical touch and it’s interesting to learn about the new technology involved, I’ve secured my Google and Binance. Granted it doesn’t work for free on every service. BitWarden charge a subscription to open the feature for example, not all websites offer YubiKey protection as well, but those 2 are important to me. Adds another layer of security to 2FA and account recovery options. I won’t lose it because it doesn’t leave my room, it has key chain hole if you do want to travel with it, I haven’t needed to, but a professional employee might find it useful to have 2 instead of 1, for the workplace, also it could benefit from wider adoption to even securely login to devices without an onscreen password, like a key card type function, keeping the USB as it is so stolen hard drives, USB sticks and laptops prove useless to physical thieves and set option to lockout for some time or data wipe if wrong YubiKey is used, a little bit pricey but I think the technology has a lot more scope and potential than just Internet accounts to protect from physical theft and sale of stolen devices as well. It lives up to the hype imo well worth it. I’m glad to have it.
I bought this as I was looking to test out FIDO2 authentication.
For all things considered the unit works great and whilst it is dependent on the services you use supporting it the key itself is very robust and even has some extra features where it can be used to unlock a TOTP app for iOS and Android.
The app element itself could use some work however it is a nice added extra.
Would definitely recommend if you need a FIDO2 key
This is a really simple but effective security key that does the job that is expected. However, due to not many companies currently supporting 2FC Security Keys it can not meet it’s full usefulness. The company, Yubico, has made a workaround via an Authenticator app which allows you so store and access 2FC security codes which ca be unlocked by using the key.
Currently, this is a better to have to future proof your accounts.
After a dodgy encounter with a scammed online, i decided to beef up my security. Its comforting to know that my yubikey is the only way to access all my data now. The product arrives quickly and works exactly as intended. I just wish my laptop had NFC!
I picked up a couple for some additional security, one for daily use and a backup sync’d to all the same accounts which is kept in another location just in case the daily one is lost, broken or the house burns down.
The software was easy to install on Win10, Linux and Android, the authenticator app is easy to use after a quick bit of research.
So far I’ve been able to integrate them with my password manager, mail accounts, hosting accounts, some accounts that allow 3rd party authenticators and some servers I SSH into.
Super impressed with how easy it was, just wish my banks would catch up and allow them over SMS messages.
The only problem with this solution is that you need redundancy and backups, 3 Is the way to go, i would like to see the price more in line with the competition as you are paying a premium which is not justified.
A short while of working out how to use this and the app with my computer and phones has rewarded me with some peace of mind. Having been told by an app to check if my email had been compromised I was told the password was available online. I changed the password and bought this. Now i have no fear of my email being stolen, 2 factor authentification means having my password is the easy part. Now even my amazon account is protected with this device. Being bluetooth version when asked i just touch it up to my phones or can plug it into a usb on my compute
Works very well, delivers an additional level of security which gives peace of mind.
Its a really good implementation of a 2fa bit of kit, I’d be lost without it, always on my keyring I am only replacing my last one as I lost my keyring it was on.
I bought this as I needed this for my password manager for 2FA. It is fine and works correctly. But there are not too many companies that allow you to use a security key so this is a little expensive.The main problem I have is with the PC which is windows 11. It will only work if you change you account to a local rather than miscrosoft account. Hopefully, in future, more companies will allow you to use security keys for 2FA (especially the banks!)
I have a few of these, but this one sits in my Mac constantly. There’s a real peace of mind that comes with using a device like this as it completely locks down the account that you are using with it, in my case I use it with a number of different services, the main one being BitWarden where I store my passwords.
I’ve not had any issues with the device, you touch it and it types the OTP as if you’d entered it yourself.
Well worth the money, especially this USB-C version if you’re a laptop user.
Works great for USB. I use it for Windows logon and for Yubico Authenticator app for sites that have OTP codes. It’s also supported by Lastpass and Google.
Of course, you’ll probably want to get two of these as a backup in case you lose one. I have one permanently at home and the other on my keyring for mobile/laptop use when out and about.
The one slight drawback as by design, many sites that support 2FA, only allow you to register one code.
Ideally, you would register separately for each Yubikey, rather than having to set up the same on both Yubikeys at the same time, this way, if a Yubikey is lost, you can revoke the 2FA only for the lost key.
One small drawback is you’ll need both Yubikeys to hand every time you set up or remove a 2FA, to update both, as may sites/apps don’t let you see the QR code again once it’s been set up.
This is perhaps offset by the useful ability to plug the Yubikey into any device, securely use your 2FA/auth, and then unplug it, rather than having to set it all up again for every device.
It takes a bit of time to set up and get used to, but you’ll be in a much more secure once it’s done.
The NFC feature never worked on my Huawei/Honor Play phone, despite all sorts of fiddling around with the NFC settings, so I had to use an adapter to USBC to use the YubiKey with this phone, but I just upgraded to a Google Pixel 6 and it works pretty well once you get the technique of how to hold it behind the phone. (doesn’t need to physically make contact, just hold quite close to the back)
I haven’t got SSH/PGP working with it yet as this seems quite complicated to do on Windows and the documentation is somewhat lacking in this area.
I bought this for my mum who has no mobile signal at home. Many sites now require 2fa normally using OTP via SMS. This device allows her to authenticate without SMS OTP.
This small USB C Yubikey is awesome, perfect to take your 2 factor offline improving your security many times over. Pretty much stops the possibility of being able to be hacked if you get sim swapped. You can have a password on it as well. The issue I have is with the price especially because you pretty much have to buy 2 in case you lose or damage one. Overall. I won’t go back to using a phone authenticator and I don’t really use the touch log in feature because it doesn’t work with everthing. You have to download the yubico authenticator app and physically plug in the yubi key to your phone and type an optional password in before your 2 factor codes will appear in the app. You have to also redo all your 2 factor codes with all your logins on both ubikeys which it pretty easy using QR codes on all your online accounts. Overall again, this is a great product to protect your accounts online but they price should be lower.
Great for using when buying Bitcoin or other cryptocurrencies, this security stick will definitely keep your bitcoin from fraudsters.
Works great for extra security, and easy to use just stick it in and touch it!
So good I purchased two. Mainly as a backup if I lost the first one as I’ve managed to set it up as a mandatory requirement to a) login to my Windows desktop computer and b) decrypt my hard disks with a certificate stored it using Windows bitlocker.
So easy set up and to use and I am really happy I have a second layer of protectio
The real thing unlike the cheaper copies. And it’s evident in that there is no button to break (happened with my first FIDO key). Bit pricey but I guess you get what you pay for.
Excellent product for keeping my social media sites safe and secure. Easy to use once you know what your doing. I got a bit confused at first with how to set it up but I got there in the end.
I don’t understand some of the poor reviews, I can only imagine that some people may not know how to use it properly
This thing is tiny – very easy to use – a must have if you want to lock down your google. window, twitter etc etc account – as good as using 2FA authentication apps –
can be a bit sensitive. you have to know what you are doing
Firstly, it’s a MULTI-FACTOR device, it’s not supposed to replace passwords (yet), hence the term MULTI-FACTOR, there are MULTIPLE FACTORS to your login procedure, the first one being your username and password, the second being this key.
Secondly, it doesn’t type out your password on screen, it types a cryptographically-calculated string which changes each time and is specific to the hardware key itself. The interaction of touching the device is in place to work with your chosen software when it prompts for a U2F device, where you need to press the key to activate it. This is to stop automated log ins when the key is connected, it requires a human to physically activate it. Pressing the key at any other time will output a meaningless code onto your computer, which means nothing to unconfigured software, so this is not a security risk.
Thirdly, not all services support hardware keys yet. New hardware and software takes a VERY long time to be supported by all platforms and always starts with the biggest (Google, Microsoft, Amazon, Facebook, etc). You should check that the services you want to use this for actually support hardware keys.
Lastly, this is supposed to be small. If you’re complaining about it’s size when there are other options available like the standard Yubikey 5 or Yubikey 5C, then that’s your problem not the product’s. This is supposed to be a static key that can be removed if necessary, such as for a personal laptop, and should be used in conjunction with another 2FA method as a fallback e.g. mobile authenticator app.
This is a great product that does the job it’s designed for. It’s working well with Yubico Windows login software and a number of online accounts.
Purchased this to provide a backup for two factor using the hardware key (where supported) or one time password generator, as I was concerned that it would be difficult to gain access to my accounts if my phone was ever lost or stolen.
This works both with the iPhone app as well as on the PC app.
If you want to use this on the iPhone (mine is a 12) it works absolutely great. I originally had the older blue security key but had to send that back as the NFC would not work on the iPhone. This Yubico 5 was a breeze to set up and works flawlessly on NFC on the iPhone. Great level of extra security for the major password managers
So ill start this by saying the yubikey is fine and super easy to set up and works exactly as intended.
The issue i have and something iPhone users should be aware of is the usual Apple restricting certain access which can mess up your workflow
I got this mainly to increase the security on of my password manager vault. The set up of that was easy and works perfectly on mac and pc with my browser.
For iOS i want to use autofill but have it periodically require yubikey auth. This is a feature that is restricted in iOS the password manager works perfectly with yubikey but autofill doesnt work. The work arounds are all a ballache so i have set it to just lock and require master password.
This obviously makes the yubikey a bit pointless for my use case
As i say the product is perfectly good but wanted to let others know of a feature that isnt currently workable
Unfortunately the concepts are a bit mysterious to the average user as there is no discussion in the vendors site about the different types of protection this device can offer (FIDO2/U2F, etc) or how they differ.
Even if you only use it to replace Google Authenticator it’s an improvement as it takes the keys off your phone and onto this device, meaning it’s no longer such a nuisance to swap phones.
Do some research before you take the dive, and then you will be more likely to make best use of this.
Warning – does not work with iPad, but works great with Android via NFC, touch the key to the back of your phone to activate.
I purchased one of these to test out increasing the security for all of my online accounts. After checking out many Youtube videos and writeups, Yubikey seemed like as good a product as many and slightly better as they were one of the leaders in creating this technology. I would say that is fairly easy to set up if you have a little computer skill although not so simple that you could give it to someone as a gift and expect them to thank you 😉
The software that you need to enable using it (a bit like the google authenticator app) works well and better than the app because it auto copies the generated code to your clipboard so you can paste it without mucking about. However the separate software needed for altering the settings on the Yubikey is quite old and feels neglected. One big caveat as mentioned in the title, once you have locked up your data using this key, if it ever gets lost, destroyed or stolen, you will be locked out for good! (If you have done it properly 🙂 so always get a second key and once they are cloned, store that in a secure place physically distant from the main one. That way if the unexpected happens, you can get your life back on track.
This little device pushes all my buttons. OTP? check. Auth? Check. 4096-bit GPG private key? *excited shudder* check.
Imagine teenages with real hentai girls. That’s what it is like for us ultra paranoid security nerds.
If you are looking at this item, why havent you bought it yet?
It ideally (if not really) needs to be run on a (mains) powered USB 3.0 hub, otherwise it wouldn’t (really) have enough power it requires in order to detect your finger (if not other things it does internally as well inside the nanochip, beneath the gold-colour-coated USB interface surface), bearing in mind that the YubiKey is a ‘Nanocomputer’ of its own.
I didn’t and assumed that the USB-C compatibility would work with my iPad Pro 2018 but it doesn’t! Likewise with the 5Ci (lighting & USB-C connectivity) so if you REQUIRE a Yubikey to work with a USB-C iPad then this isn’t it (I don’t think there even is one but haven’t checked exhaustively).
It seems to be working well on my 2018 MacBook Pro though so far.
WINDOWS 10 LOGIN – You can add several Yubikeys which is nice. You still have to type in your Windows username and password, if an enrolled Yubikey is not present in one of your USB ports, Windows 10 won’t log you in (which is cool). However, it only works with local accounts, not domain accounts or Microsoft ID. So if you login to your laptop or PC with your Microsoft Account (email address) then you’ll have to convert your account to local (which is actually really easy and it just means your wallpaper and stuff won’t sync to other Windows 10 machines). Secondly, you’ll need to install the Yubico Login Configuration tool to set this up.
AMAZON SHOPPING/PRIME – You can add several Yubikeys which is great but you can’t just login by having the key plugged into a USB port and touching the button. You still put in your credentials and then use the MFA code from the Yubico MFA app (which lists the codes associated with your key). So basically, I ditched the Microsoft Authenticator app, the Google Auth App and another one I was using, installed the Yubico auth app and enrolled MFA again for my critical apps and services.
PAYPAL – You can only add one MFA method at a time and have Mobile SMS as a backup. So you have a choice, risk a single Yubikey and if you loose it, you’re stuck. Or, use a weak mobile secondary text message service as a recovery option! – Bit pointless in my opinion!
LINKEDIN – You can only have one MFA method – Again, single Yubikey and it’s not a case of plugging it in/tapping it on your phone via NFC. You still have to enter your creds, unless auto-saved/populated by the app or device or browser and then copy the MFA code from the Yubico MFA app (desktop or mobile).
FACEBOOK – The most accommodating and best experience, second only to Windows 10. You can several keys and it’s just a touch to login. You must have an MFA auth app setup as a backup which can be anything, but as I was using the Yubico MFA app I just used that for FB too. You’re not force to use a weaker mobile SMS as a backup/recovery option and you’re not asked for creds all the time.
RECOMMENDATION – Use in conjunction with a great credential manager like LastPass or KeePass – Thank me later!
I hope that all makes sense, in summary it does add security but that comes with complexity. The amount of security you get depends on what website, app or service you are looking to integrate this with. I think these are over priced to be honest, you would get much better value from having LastPass + LastPass MFA app, having a different robo-generated password for each thing you use and ditching mobile recovery options and all other MFA apps, plus you can’t miss-place a password keeper solution.
IMPROVEMENTS NEEDED;
1) Prompt, yes/no, allow/deny in the Yubico MFA app(s).
2) Better integration and awareness with common third parties.
3) Further simplification, although easy for me, my mum would give this 5 minutes of effort and throw it in the bin.
The only downfall is that it’s still not accepted by all applications. It really does get me that banks haven’t adopted this technology. I love my yubikey and I also have a backup in case I loose one. It’s super great for setting a one-time password and using it in-conjunction with a master password.
This is typically the type of key it prints.
cccccckvtkrttgvgkeenrncfjtlgjjkklrgrdivdvlhc
I recommend using this with LastPass or another password management tool.
There isn’t a great deal of information on how to use when you receive it which might be a big issue for some users however I was already familiar with how these work as we use one at work. I’m really glad I bought it. I use it for everything including MFA for Google, Amazon etc and I also use it as a GPG smart card to store my secret key for authentication, encryption etc. When set up, it’s really cool that you need to physically plug something in to be able to SSH into a server or decrypt a file. You may want to consider buying 2 of these to have a backup incase you break or lose one. Although I must say it’s unlikely that you would be able to break it. But it’s not strictly necessary as most services offer a backup code as a secondary MFA method and you can just securely store them on a USB drive or similar. Definitely worth buying for the security/privacy conscious.
That was the good. There is also the bad: unless you are doing U2P or Fido or something that the installed utility automates for you, expect to spend several hours researching the internet to figure out how to configure these properly. The documentation IS out there, but it’s spread around, and there will be a fair bit of head scratching until you figure it out for the actually far more useful use cases which these will do, but for which nobody has automated the configuration for you yet. As much as all the manual configuration with gnuk, including telling the token to enable its capacitive button per gnuk crypto operation, is a pain, once it’s done then it’s done. The tokens “just work” thereafter.
One major tip I learned the hard way: never buy one of these, always buy at least two. Configure both, and put one of them somewhere safe. Then if you lose the other one, or one breaks, you aren’t locked out of *everything*.
The product is fine and does exactly what it is supposed to – however it has a keyring hole and there is no protection for the usb-c part which is fragile – mine got squashed – it would be perfect if it had some protection over this part.
Beefing up my online security together with a 2FA app, this really is the last line of defense. I’ve had no hacks or account takeovers, but I like having the benefit of the doubt. I’ve set this up to almost anything I can, and knowing that I have that extra layer of security makes me feel a lot more confident. I wish more companies and services would integrate this. Will be buying more!!!
UPDATE – check whether your email addresses have been pwned. I review the security of all my online accounts on a regular basis, and can see suspicious login attempts. But with those accounts linked with this Yubikey, I can safely say that the attempts have been thwarted off. Do not hesitate – buy some now!
I will make no pretence, using this device is not for the feint hearted, but if you want two factor authentication and a PGP smart card then this is for you. If you just want FIDO, then you’ll probably be better served with the blue, cheaper ones, but it is great value for money
note: I haven’t been able to get the NFC working, but i was trying on an old device, so it’ll probably be that and not the key itself
note2: if you want to use it as a GPG smart card i reccomend drduh’s guide on github
This products brilliant security is do important in todays world and yubikey offers that. And yubikey authenticator is great easy way to use totp across devices compared to say sms or Google authenticator as you don’t have to type it manually.
You can also use it for signing and encrypting data which is fantastic for developers etc.
One issue is lack of support not yubikeys fault but websites and windows support for fido2 leaves much to be desired but that is getting a lot better as times going o
I am from an IT background and struggled on certain aspects in setting the key on my mobile. I don’t see anywhere mentioned at the time I purchased on their website on how to configure the key with the 2 factor authentication app “yubico authenticator” on android phone. Well there are instructions on how to install. So if you plan to add a 2 factor for any website, the first thing you need to do is to scan the QR code first on the app and not to scan the yubikey as it states in the app screen. Once you have scanned the QR code, it will prompt you to scan the yubikey. Once the yubikey is scanned, the account is set. Every time you need a code, just open the app and scan the yubikey to your phone’s NFC. Sometime it will throw the communication failure error where you have to try scanning again. I did not have issues anywhere else in setting the key.
This is an excellent 2FA item; I wanted additional security beyond apps such as Authy (which is excellent) and a hardware solution fitted the bill for me. Yubico have an excellent and well earned reputation which is why I selected a yubikey. It’s extremely small and simple to use once setup; I have the app on my iPhone to access my codes and on my PC. I also use it (paired with some memorised alphanumerics) to input a much stronger random Veracrypt key on my PC so that is genuinely secure.
There’s a lot of functionality in this key, more than you’ll probably be able to use right now as most providers just aren’t there yet with there security setup (Amazon insists on using SMS as it’s 2FA-the least secure method). I highly recommend this little gadget for security conscious and moderately technical people.
For a non-technical user, it’s hard to know even how to explain all the things this Yubikey does.
You can use it for smart card authentication, additional website authentication (2FA), store PGP keys, even use SSH keys with some experimentation.
The setup is fairly complicated, even for a technical user who understands encryption.
Once you’ve installed the software, as long as you’re comfortable with command-line tools and GnuPG, and you’re inquisitive, it’s interesting to explore how to use this device. But you have to follow the instructions carefully, and probably make mistakes too before you get the hang of it.
If this sounds intimidating or just incomprehensible, this device is possibly not for you.
The black Yubikey 5 provides a lot of extra features over the basic blue one which only a minority of people would need or use.
I’m using it to store GPG keys, as a FIDO2 authenticator and to secure LastPass.
I love tinkering with it; it appeals to my nerd brain. And anyone who works with and understands the acronyms thrown around in technical descriptions of the Yubikey will find it useful.
For someone less technically-minded who wants an authentication tool, it might be better to consider the cheaper blue Yubikey instead, or just stick with authentication apps from Google, Microsoft and Authy that produce a six-digit code.
I’ve been keeping my eyes on YubiKeys for the past few years whilst the technology matures and I think it’s fair to say it’s gotten to a point where they’re “mature” enough. Having ubiquitous on any NFC-support Android support and support in iOS since iOS 13 (though apps may require updating) combined with a growing web presence; now is the time to start grabbing these.
Generally setup is fairly easy, following whatever process a website has which is typically clicking a button, tapping the gold disc and giving it a tag. I can see these easily replacing TOTP apps and SMS OTPs in the future: in some cases many businesses are already doing this, an example being Google who has issued all of their employees with a hardware security key!
Another benefit of this key comes in a particularly unique way: it’s a physical way to identify you’re at the PC and secondly even if you were to lose this and someone were to find it – they would have no idea what sites or even what accounts it works for!
If you’re on the fence due to price: Either nab yourself a Yubi Security Key (which is about half the price at time of writing) or question, can you really put a price on good solid security?
Not that easy to install but I think it is the concept that makes it hard to get your head around more than the fault of the product, at least that was what I felt. Works great on Google account, also have it on my password manager which is a big plus and it also generates OTP codes for the likes of Amazon by simply putting the key to the NFC reader on my phone. Overall really pleased with what it does. I have a Google Titan as a back up but that needs a bluetooth key as well for your phone so the Yubikey 5 NFC wins hands down.
The contemporary internet environment is hostile. Faceless criminals and malign actors seek to access and control our information for their own purposes, and seem to have access to incredibly intelligent people who assist them in their seemingly wicked ways. This activity looks to be rising commensurate to the pace that we un-wittingly intertwine our lives with technology, trading security for convenience, often in the misguided belief that service providers will provide us with sufficient protection.
You are likely to know someone who has been a victim of some kind of remote or local attack and if like me you would like to reduce the chance of becoming a victim, the price of two yubikeys is a small price for the peace of mind that they provide.
Configuration can be a bit tricky for the more IT illiterate of us, but well worth investing the time and effort to read-up on the matter. Yubikey could do more to provide easy to use documentation and guidance to assist those who otherwise would not take the time to learn to configure the keys correctly.
Highly recommended even if it comes with a learning curve.
Look on YouTube for tutorials. There’s a user caled TutsTeach who covers this for the basic benefits. I encourage you to search “TutsTeach Yubikey” and learn how to use it. These keys can seem overwhelming, until you get to know the YubiKey and understand what you can do.
Excellant for increase your online security. Some sites like google and lastpass support it without much hassel. I use these to also secure the login to my macbook. Now even if a thief steals it and knows my password he/she still wont be able to login to it without the hardware key. For other sites that dont support YubiKey directly, you need to setup Yubic Authenticator to configure 2FA (six dig one time generated pass codes). Now that apple as opened up NFC on the iPhone’s in IOS12 and 13, just wish they launched the YubiKey Authenticator for the iPhone. At the moment, when I add the 2FA for a website on my Mac, I also add it at the same time by scanning the barcode with my phone to my IOS 2FA app (works with google authenticator and freeOTP.)
Important, you should consider factoring buying two of these, not one. They are not indestructible (though they are tough) and are generally attached to something else that often goes missing – or permanently borrowed – namely your keys. You *could* use something like a software MFA, but that defeats the point of using one of these. The other should be locked in a safe place – such as a safe – and only used when absolutely necessary.
Everyone should be using MFA, but this method may be a little bewildering to less tech savvy people – or at least those who aren’t comfortable searching for what their new widget can do. I would start with a software MFA – such as Authy.
I’ve used MFA for a while now, mostly sticking to Google Authenticatior but I was getting increasingly frustrated with having to switch between applications on my Android devices when authenticating with LastPass (on some lower spec’d devices it actually proved impossible to switch between the apps quickly enough before the code expired).
This little key has solved all my problems.
I can simply hold it up to the NFC reader on my phone and authenticate with ease.
It’s easy to tell when the key is active thanks to the lovely little LED on the front and the metal ring is a nice touch to ensure the loop doesn’t break when attached to a key ring.
Overall great product! 🙂
This product, easy to use, but setting up was a bit of trial and error having found partial instructions for what I wanted to do.
The best feature of this product is how seamless it is to use especially with Open PGP for signing, encrypting, authentication or certifying. I used Gpg4win to create the keys, uploaded to a key server then using OpenKeychain on an Android device I imported the public key then tapped the YubiKey against the NFC reader and the private key was linked. The great thing is that all the secrets and private keys remain on the YubiKey itself and of course the YubiKey can be protected too. I do recommend purchasing another so you have a backup just in case you loose it or its stolen.