Yubico YubiKey 5 NFC - Review 2022

Passwords take been the weak point of security since they were commencement introduced. Thankfully, the Yubico YubiKey 5 NFC is here to protect our most of import accounts and much more than besides. The fifth generation of the YubiKey supports FIDO U2F for a secure 2nd-factor authentication and uses NFC to work with your phone. But that's just the starting time of what this remarkably powerful, and remarkably tiny, device can do. If you're simply looking for a simple hardware U2F option, the YubiKey v NFC is probably overkill—consider the more than affordable Security Key by Yubico or the Google Titan Security Keys instead. But if you're already steeped in security wonkiness, you'll love what the 5 NFC has to offer.

How Two-Cistron Authentication Works

While there's a lot you can do with a hardware security key such as the YubiKey, its primary role is every bit a 2nd factor of authentication. In exercise, two-factor authentication (2FA) means having to do a second thing after inbound your password to prove it's you. But the theory behind 2FA is combining 2 dissimilar systems of authentication from a list of three:

• Something you know,
• Something you lot take, or
• Something you are.

For instance: a countersign, is something you know, and it should be only in your head (or inside a password manager). Biometrics—thingk fingerprint scans, retina scans, eye signatures, and then on—count as something you are. Yubico YubiKeys and their ilk are something y'all have.

Using ii factors from this listing of three provides greater assurance that you are who you say you lot are, and that y'all accept dominance to access the thing you're trying to admission. It's also harder for bad guys to break. An aggressor might buy your password from the Night Web, simply she's probably not going to be able to get your security key, too. The authentication provided past 2FA is also ephemeral: information technology simply works once, and commonly for only a limited time, for added security.

This review looks primarily at hardware 2FA, but there are many ways to add together a second factor. Many sites will send y'all codes via SMS to verify your identity. Apps such as Duo and Authy rely on push notifications which are (in theory) harder to intercept than SMS messages.

Whether y'all go with a hardware or software solution or a mix of both, do add 2FA wherever you can. When Google deployed 2FA keys internally, it saw successful business relationship takeovers drop to nix. It'due south that proficient.

The Many Flavors of YubiKey

Yubico has ever offered several sizes and variations of its security keys to fit just about every need. This is great, because consumers and It professionals can go exactly what they demand at a variety of prices. The downside is that browsing the Yubico shop is a frequently overwhelming experience. I'll practice my best to boil down the basics.

There are iv flavors of YubiKey 5 Series devices, including the $45 YubiKey 5 NFC reviewed here, every bit well as iii other form factors: the $50 YubiKey 5 Nano, the $l YubiKey 5C, and the $60 YubiKey 5C Nano. The 5 NFC is the only YubiKey to offering wireless communication, but likewise that the merely difference among these devices is size, price, and USB connector.

The two Nano devices are the well-nigh diminutive devices in the grouping and nestle within your USB-A or USB-C slots, easily within attain if you need them oft. The YubiKey 5C uses a USB-C connector, is slightly smaller than the 5 NFC, and can hang on your keychain alongside the 5 NFC; it lacks wireless communication. You tin can, however, connect either the YubiKey 5C or 5C Nano directly to your Android device.

What sets the YubiKey 5 Series apart from the contest isn't just the variety of form factors. These devices are real digital security Swiss Army knives. Each ane tin role as a Smart Carte (PIV), can generate one-time passwords, support both Adjuration-TOTP and OATH-HOTP, and can be used for challenge-response authentication. All four devices support three cryptographic algorithms: RSA 4096, ECC p256, and ECC p384. These devices can fit so many different roles, ofttimes at the same time—provided y'all know what you're doing.

While the YubiKey 5 NFC is the focus of this review, I accept tested the YubiKey 4 Series devices in the past, and these are physically identical to the USB-C and Nano variations of the YubiKey 5 Serial. All of them are well-fabricated, clad in black plastic that hides clothing, and equipped with hidden light-green LEDs to let you know they're connected and functioning. The USB-A devices have either a gilded strip or disk that yous tap, depending on the size of the device. The USB-C devices, meanwhile, accept two tiny metallic tabs that you tap to authenticate. The USB-A Nano device is harder to remove from a slot than the USB-C Nano device, just the USB-A Nano YubiKey has a tiny hole, so it can be hung from a cord or cord, while the USB-C Nano does not.

Which YubiKey device you purchase volition largely depend on what context you plan on using information technology. The Nano devices are useful if you lot plan on using them with a trusted computer, and yous know you'll need to admission the YubiKey often. The full-size keys are meliorate for hanging on a keyring and keeping close at hand.

Hands On With the YubiKey 5 NFC

To help you get started, Yubico has created a handy guide for new users. Just pick the YubiKey device yous have, and the site displays a listing of all the places and contexts y'all tin use your YubiKey. Some of these link directly to a site or service's onboarding folio, while others provide instructions yous have to follow yourself.

Setting upwardly the YubiKey equally a U2F 2d cistron is very simple. Follow the site or service'southward instructions then insert the YubiKey into the appropriate slot when prompted. Simply tap the gold disk (or metal tabs, depending on the model), and the service enrolls your fundamental. The next time y'all get to log in, you enter your password and you get a prompt to insert your key and tap. That's information technology!

Dashlane, Google, and Twitter are a few of the many sites that support U2F and accept YubiKey five Series devices. In my testing, I enrolled it as a second factor for a Google Account. When logging in on a desktop estimator, I entered my login credentials, and then Google asked me to insert and tap my security key. That'due south no problem, although I did have to use the Chrome browser to log in.

On my Android device, the process is just as simple. When logging in testing, I entered my credentials, and and so my phone prompted me to employ my security key. I selected NFC from a menu forth the bottom, and and then slapped the 5 NFC confronting the back of my phone. It took quite a few tries, merely eventually the phone buzzed an affirmative and I was logged in.

The YubiKey 5 Serial can authenticate you in a number of means, not just via U2F. With LastPass, for example, yous enroll the YubiKey to generate one-time passwords (specifically HMAC-based One-fourth dimension Passwords, but I'll utilise OTP for brevity) with a tap. This is different from U2F but it in practice information technology feels very similar. Log in to LastPass, navigate to the appropriate office of the Settings bill of fare, click on the text field, and tap the YubiKey. A string of letters spews out, and that's it! Now when you want to log in to LastPass, yous'll be prompted to plug in your YubiKey to have it spit out more than OTPs.

Near of you are probably familiar with Google Authenticator, an app that generates six-digit passcodes every xxx seconds. This applied science, more generally, is chosen Time-based One-time Passwords (TOTPs) and it's 1 of the most common forms for 2FA used today. Forth with a companion desktop or mobile app, Yubico puts an interesting spin on the TOTP arrangement.

Plug in your YubiKey, fire up the Yubico Authenticator app, and then navigate to a site that supports Google Authenticator or a similar service. To secure a Google Business relationship, for example, I clicked the option to enroll a new telephone with the authenticator app. A QR code usually appears at this betoken, and the site prompts you to scan information technology with the appropriate authenticator app. Instead, I selected a card option in the Yubico Authenticator desktop app and it capture the QR code from my screen. After a few more clicks, the app started providing unique six-digit codes every 30 seconds.

The trick is that the Yubico app cannot generate TOTPs without the YubiKey. Instead of storing the credentials needed to create those codes on your calculator, the Yubico Authenticator stores that data directly on your YubiKey. Pull it out, and the Authenticator app tin can't make new TOTPs. That's handy if you're concerned about someone stealing the device yous employ to generate your TOTPs. You can also lock your YubiKey with a password, so even if it were stolen from you information technology couldn't exist used for generating TOTPs.

Yubico also offers a TOTP-generating Android app that works with the YubiKey 5 NFC, to take your TOTPs on the route. When you lot open up the app, it's empty, just slap your 5 NFC against the dorsum and information technology begins to generate codes. Quit the app, and the codes disappear; you'll have to tap the 5 NFC over again. That's less user-friendly than storing the data in the app itself, but far more secure.

These were the scenarios I looked at, simply the YubiKey 5 Series can do much more. You can use it every bit a smartcard to log in to my desktop computer. Yous can use it log in to SSH servers. You can fifty-fifty generate a PGP primal and then use the YubiKey to sign or authenticate. Frankly, however, just getting my head wrapped around the TOTP keys was difficult enough.

Although Yubico has lots of documentation and iii split up desktop apps (and three more than mobile apps), it'south very hard to use every facet of the YubiKey without a good dollop of existing knowledge. Yubico has deployed a website to help inform customers virtually what they tin use their cardinal for, and to guide them toward the necessary information. That guidance is great, but it's merely guidance, not the manus-belongings ordinarily provided by tech products. Using your YubiKey for U2F is besides very simple but getting the about out of your YubiKey isn't easy for a novice—or even a security announcer.

YubiKeys vs. the Google Titan Security Key

Yubico has a solution for just about every situation with the YubiKey 5 Series, but cost is an issue. Each private device is priced between $twoscore and $60 for just 1 YubiKey.

Google's Titan Security Key Bundle, on the other manus, provides 2 devices for $l: One USB-A key and a Bluetooth/Micro USB key fob. That gives you a spare right off the bat. On the other hand YubiKey but has more security bang for your cadet (bold you puzzle out how to utilise it all). Both Titan devices can employ NFC merely, as of this writing, back up has not been enabled on Android devices. Google also supplies a USB-C adapter, so you can use your Titan key with only about any device. The Titan keys, however, only back up FIDO U2F. That will work for just about every website or service, just they tin't be used for TOTPs, OTPs, Smart Card admission, and the other protocols supported by YubiKey 5 Series.

Price-witting readers primarily looking for just a U2F device will probable prefer the $20 Security Central by Yubico. This USB-A key has the same silhouette as the YubiKey 5 NFC, merely tin can be identified by its handsome bluish plastic enclosure, a fundamental glyph on the center push, and the number two etched on its top. As the name suggests, this device supports FIDO U2F and FIDO2, but that'south information technology. The Security Primal doesn't support all the protocols of the YubiKey v Series, so y'all can't utilize it with LastPass or as a smart bill of fare, nor tin can information technology communicate wirelessly. It also costs less than half the Titan fundamental bundle or the 5 NFC.

The YubiKey to Success?

The YubiKey 5 Series is a remarkable family unit of devices that fill a dazzling number of niches. Its most basic use is as a FIDO U2F authenticator or an OTP generator, but it tin do so much more. The trouble we've ever had with YubiKeys, and Yubico overall, is simply the challenge of figuring out which YubiKey to cull, among the half dozen the visitor currently offers. Figuring out what you can do with it beyond U2F is doubly challenging. The Yubico devices are first-class, and their documentation improving, but they are definitely designed with security wonks and IT professionals in mind.

If you glance over the laundry list of capabilities the YubiKey boasts and understand them, or are at least curious about them, so this is the device for you. You won't be disappointed in this rugged little device. If yous know yous want to improve secure your online accounts, just aren't sure how to go about doing it, y'all're probably amend off with the Google Titan Security Keys or the far more affordable Security Primal by Yubico.

YubiKeys are an established and mature technology, only we're still exploring this infinite. Every bit such, nosotros're giving the YubiKey 5 NFC iv stars, but are withholding an Editors' Choice accolade until we've examined more options.

Source: https://sea.pcmag.com/migrated-19345-security/29528/yubico-yubikey-5-nfc-review

Posted by: blockthowas.blogspot.com

Share this post