YubiKeys are neat

I recently picked up a YubiKey, because we use them at work and I was impressed with how simple and easy to use they are. I’ve been really happy with it so far – enough to write a blog post about it.

Photo of my YubiKeys on a keychain on a table

Basically, YubiKey works like this: whenever you need to do two-factor authentication (2FA), you just plug this little wafer into a USB port and tap a button, and it types out your one-time passcode. Interestingly, it does this by pretending to be a USB keyboard, which means it doesn’t require any special drivers. (Although it’s funny how macOS pops up a window saying, “Set up your keyboard…”)

The YubiKey Neo, which is the one I got, also supports NFC, so you can use it on a phone or tablet as well. I’ve only tested it on Android, but apparently iOS has some support too.

YubiKey is especially nice for sites like Google, GitHub, and Dropbox, because it runs directly in the browser using the FIDO U2F standard. Currently only Chrome supports this out of the box, but in Firefox you can set security.webauth.u2f to true in about:config and it works just fine. (I use Firefox as my main browser, so I can confirm that this works across a variety of websites.)

One thing that pleasantly surprised me about YubiKey is that you can even use it for websites that don’t support U2F devices. Just download the Yubico Authenticator app, plug in your YubiKey, and now your YubiKey is an OTP app, i.e. a replacement for Google Authenticator, Authy, FreeOTP, etc. (Note that Yubico Authenticator doesn’t seem to support iOS, but it runs on desktops and Android, and is even open source on F-Droid.)

What I like the most about Yubico Authenticator is that it works the same across multiple devices, as long as you’re using the same YubiKey. This is great for me, because I have a weird Android setup, and so I’m frequently factory-resetting my phone, meaning I’d normally have to go through the hassle of setting up all my 2FA accounts again. But with YubiKey, I just have to remember to hold onto this little device that’s smaller than a stick of gum and fits on a keyring.

One thing I did find a bit annoying, though, is that the NFC communication between my YubiKey and OnePlus 5T is pretty spotty. To get it to work, I have to remove my phone from its case and the YubiKey from my keyring and clumsily mash them together a few times until it finally registers. But it does work.

Overall though, YubiKey is really cool. Definitely a worthy addition to one’s keyring, and as a bonus it makes me feel like a 21st-century James Bond. (I mean, when I plug it in and it “just works,” not when I’m mashing it into my phone like a monkey.)

If you’d like to read more about YubiKey and security, you might enjoy this article by Maciej Ceglowski on “basic security precautions for non-profits and journalists in the United States.”

Update: In addition to U2F, there is also an emerging standard called WebAuthn which is supported in Chrome, Firefox, and Edge without flags and is supported by YubiKey. So far though, website support seems limited, with Dropbox being a major exception.

4 responses to this post.

  1. Posted by nathan on September 15, 2018 at 11:07 AM

    I thought about getting one of these a while back but I think I’m more likely to lose it and get locked out of my account than I am to get hacked. It would be different for a business, but for personal use wouldn’t you need to go to undue trouble printing and storing backup codes for your sites, and keeping track of multiple backup keys?

    I still want to get one out of curiosity, just maybe not for an important account until I’m more comfortable with it. If you lose a house key, you can get a locksmith to let you back in.


    • Yeah, backup codes prevent you from getting locked out permanently, which is why you want to store them regardless of 2FA method. Even with phone authentication, you can easily lose your phone, break it, brick it, etc.

      I figure I’m less likely to lose my keys than to lose or replace my phone, but I suppose for others it may be the other way around.


  2. I got 2 in a two-for-one deal, so I have a backup key that stays at home in a relatively safe place. But even without that, sites that support 2FA should give you a set of backup codes. You can write them down and keep them in your wallet, or give them to a friend or something. That’s enough to get you in and disable or change your 2FA settings.


  3. YubiKey is very cool. FIDO2 really needs to gain adoption sooner instead of later.

    However, the recent compromise of Newegg seems to be yet another example that strong authentication is not the same as strong session security. I hope you can someday write an article with tips reminding people what the Content-Security-Policy options in HTTP headers are and what impact they have on JavaScript. It seems like one of the best ways to avoid repeats of Newegg is to educate more website maintainers on how critical a strong CSP is and that website security extends beyond just having Trustwave and Norton doing frequent scans.
