Geekzone: technology news, blogs, forums

Yubikey 5 review

Posted on 18-Feb-2019 15:34 by M Freitas | Filed under: Reviews


Doing a review of security keys without going into why they even exist is pretty pointless, so we will start with a word on the current state of online services security. Managing one's access to services in general (online and offline) is something everyone does in their lives, but not many consider the implications of choosing weak passwords, the problems of reusing passwords, the lack of security by design in some services and so on.


Every service these days requires some sort of authentication, lest someone else impersonate you and obtain services or credits by deception. It is current best practice (but not enforced in most services) to offer a second authentication method - something you have - making it harder for Bad Person (TM) to access your accounts. This multi-factor authentication can be in the form of an SMS or a time-based code generated by an app. There are also smartcards (which require special readers). And there are portable generators like the Yubikey devices I am looking at here.


The Yubikey devices are USB (and NFC) devices that provide you with a selection of authentication standards that can be used by mobile, web and desktop apps and act as an additional form of authentication. The Yubico website offers a handy questionnaire that guides you until it can determine which type of device is the best for your needs.


The company behind the Yubikey devices has just announced their New Zealand presence and I have been using a couple of their devices to protect some of my accounts. Wherever possible I use a second factor with my online accounts (and you should too). Most are using a mobile app-generated time-based code, but more are now offering the option of using physical keys. You can find a list of compatible services on the Yubico website, including popular services such as Google, Github, Docker, Facebook, Twitter, LastPass, Dropbox, Norton and others. You will also find many enterprise identity providers offering integrations with the Yubikey devices too.


Whether a physical second factor suits you will depend on your use case. For example, if you want to be able to access an online service without having to rely on a mobile app-generated code then it is ideal - think of crossing borders and the possibility of a mobile device being taken away for "inspection", making it impossible to login to services that would require that soft code. In this case, having a key would allow access to cloud-based services from whatever device is available once you reach your destination.


These devices all offer a list of functions that include OATH-HOTP/TOTP (similar to the software authenticators), SmartCard, OpenPGP, FIDO U2F and FIDO2. This pretty much covers the gamut of additional authentication standards - although since the devices themselves don't have a clock, an additional app is required for TOTP functionality (in this case the secret keys are stored on the Yubikey device and the app passes the current time to the key, which computes the code and hands it back for the app to display).
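To show why a clockless token still works for TOTP, here is an added example (not Yubico's code or anything from the original review) implementing RFC 4226 HOTP and RFC 6238 TOTP: the HMAC step that a token can do on-device, and the time-to-counter step that the host app must supply. The secret is the RFC test secret, labelled as a constructed demo value; the helper names are my own.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the shared test secret from RFC 4226 / RFC 6238.
# Not a real credential; a real token never exposes its stored secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over an 8-byte big-endian counter.

    This is the clock-free part: given a counter, a token can compute it
    entirely on-device without knowing the current time."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation offset
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def time_step(unix_time: int, period: int = 30) -> int:
    """RFC 6238: the host/app turns wall-clock time into a counter.

    This is the only thing the companion app has to contribute; the token
    itself has no clock, so it relies on the host for this value."""
    return unix_time // period


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """TOTP = HOTP(secret, time_step): app supplies the step, token does the HMAC."""
    return hotp(secret, time_step(unix_time, period), digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check that tolerates `window` steps of clock drift each way.

    Uses a constant-time comparison so the check does not leak how many
    leading digits matched."""
    step = time_step(now)
    return any(
        hmac.compare_digest(hotp(secret, step + d), submitted)
        for d in range(-window, window + 1)
    )
```

Because `totp()` is just `hotp()` with a counter the host derived from the time, a companion app that feeds the right step to the token gets standard TOTP codes that any RFC 6238 server will accept.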


The Yubikey 5 series comes in a variety of form factors: a couple of USB-A devices - including the standard sized "key" that has NFC capabilities and can be attached to a keychain, and a "nano" device that is more suitable for use with laptops and not really intended to be removed. Similarly you have two different sized USB-C models, although those don't have the NFC option.


Using these is pretty easy. The USB versions can basically act as a HID device (a keyboard) that you insert into a USB slot when a one-time password is required, and will generate a code when you touch the device. This code is then typed into the browser/app field and validated on the server side. Depending on the service and standard it can also integrate directly with the browser for a more complex two-factor authentication use case.


If using it with an NFC-enabled smartphone then you just need to tap the key on your device for authentication.


No other software is needed for the basic functionality to work, unless you want to extend this by using the device to store PGP keys, or change other settings. In the first case you can use GnuPG to manage on-device keys, and in the second you can download the configuration software directly from Yubico.


How you use the device will vary from service to service. Some will allow you to have multiple keys linked to your account, while others will allow only one key per account. Having multiple keys is handy in case you need to access a service and have left the key somewhere else (or lost it). If you have multiple keys, keep them in separate places so you have a backup for emergency access to your accounts.


While the key works out of the box with Chrome, current Firefox releases require you to enable FIDO U2F support, which is quick and won't affect other features.


Compatibility with Microsoft Edge is a different, and complicated, story. Yubikey devices currently do not work with Microsoft Edge as a second factor, but they can be used as a passwordless login option for Microsoft accounts (including Office, Skype, OneDrive, Xbox Live, Bing and more) on this same browser only. This means that if you are using Microsoft services and Microsoft Edge then you can login to the Microsoft account using a Yubikey - remember though that the device won't be available as a second factor for any other service on this browser, since Microsoft Edge does not implement the required FIDO2/U2F support yet. In addition, Yubikey 5 devices cannot be used as a Windows Hello sign-in device for online accounts at the moment, as Microsoft has announced that the Companion Device Framework used by Windows Hello will be deprecated at some point. For Windows local accounts you can configure the Yubikey for login, and the documentation is quite clear that you have to create multiple copies of the key, as losing your only copy will lock you out of the computer (think of these as actual keys!).


Overall, the enhanced security offered by a second authentication factor is something everyone should consider, and having a hardware token can make things easier - not harder - depending on your specific needs.