At some point you start managing access to services (both online and offline). Years ago this was probably when you opened your first bank account and had to create a PIN for ATM access. These days it is more likely to be when creating an email address - the one modern thing practically everyone with an online presence needs to have before being able to access any other services - including social networks, school accounts, utilities, job hunting and even bank accounts.
Pretty much every modern online service uses a security system that is based on you identifying yourself through an email address and providing a (usually self-selected) password to access the service.
Some of these services are low-value targets: why would anyone bother using your account on a newspaper website where you post comments? That is a far cry from someone using a social network account under your name to ask friends or family to send money, or getting into your bank account.
Most people reuse one password over and over, across different services. Some go further and pick passwords that are easy to guess: "123456", "password" and "1111" sit at the top of every list of most common passwords. The problem is that no service is 100% secure, and sometimes data is extracted and sold on black markets. The most sought-after datasets are obviously the ones that pair email addresses with passwords. In reality a bad actor does not even need the passwords: with a list of email addresses and a short list of the most common passwords, they can simply try each account in turn (a "password spray", or "credential stuffing" when leaked pairs are used), and not all services rate limit such attempts or are even aware of them. A per-account lockout is of little help here, because each account only ever sees one or two failed attempts.
The first obvious thing to do is to make sure you use random and unique passwords for each service you use online. Even so, passwords leak. This can happen either because a service is breached or because someone entered their login credentials on fake ("phishing") websites.
This is why two-factor authentication (2FA) was created. Two-factor authentication comes in many forms. Some systems send a one-time code by email or SMS, while others use a time-based one-time password (TOTP) generated by an app such as Authy or Google Authenticator from a secret shared with the service at enrolment; each code is only valid for a short window, typically 30 seconds. You enter the code after confirming your identity with the email/password pair, and the idea is that only you hold the secret that produces it, so it adds an extra, independent layer of authentication. Bear in mind that SMS and app-generated codes can still be phished: a fake login page can ask for the code and relay it to the real service while it is still valid.
Another type of 2FA is implemented with hardware keys, such as the Yubikey. These serve a similar purpose, being something only you have, and are for all intents and purposes a lot easier to use than most authenticator apps.
For example, the new Yubikey 5C NFC is such a hardware key. Thanks to supporting both USB-C and NFC, the same device can be used with many different platforms, making it useful as a second factor whether you are on a computer or a phone.
From the user's point of view, the way it works is pretty simple: you log in to a service that supports hardware keys, enable the 2FA option and follow the instructions to insert the Yubikey 5C NFC into a USB port. You then touch the little metal circle on the key. Behind that touch, the key generates a fresh key pair just for that service and sends the public half (together with an identifier for the credential) to the service; the private half never leaves the device. The next time you log in, the service sends a random challenge, you present the same device again (via USB, or by tapping it on the NFC area of your phone) and the key signs the challenge together with the website address your browser is actually showing. The service knows it is you because it trusts that you kept the device safe and only you have access to it, and a fake ("phishing") site gains nothing from the exchange because the address baked into the signature does not match the real one.
That's how simple it is. Behind the scenes there is a multitude of protocols, standards and software involved, but as a user you are not aware of it.
The list of services that support hardware keys is always growing, but it is still behind the list of those supporting software authenticators. In general, though, hardware keys offer a higher level of portability, as you can keep your key with you at all times, hanging from a keyring and ready to be used even if you left your phone at home.
Another benefit for the user is speed: in general, inserting the key and touching it is faster than opening an app, finding the service you want and then copying or typing the numbers shown on the screen.
Using a physical second factor also lets you access an online service without relying on an SMS or app-generated code. Think of crossing borders and the possibility of a mobile device being taken away for inspection, making it impossible to log in to services that require that mobile code. With a key you can access cloud-based services from whatever device is available once you reach your destination, provided you remember the password for the service (or at least have access to your email, which should also be protected by 2FA).
The Yubikey 5C NFC is durable, with a fibreglass-reinforced body that makes it water and crush resistant. It is very light and fits on any standard keyring.
In general you don't need any special software to use the Yubikey 5C NFC; it is the epitome of plug-and-play. It is recognised by modern operating systems including Windows, macOS, Linux and Chrome OS, and works with both iOS and Android devices via NFC (or, in the case of Android devices with USB-C, you can also plug it in).
Consumer services that work with the Yubikey 5C NFC include Google, GitHub, Docker, Facebook, Twitter, LastPass, Dropbox and many others. Some services allow you to register multiple keys on your account, while others are stricter and limit this to a single key. Having multiple keys is handy in case you need to access a service and left the main key somewhere else (or lost it). If you have multiple keys, keep them in separate places so that one remains available for emergency access to your accounts.
To manage your key (setting up a PIN, configuring the FIDO2, OTP and PIV functions and choosing which applications the key exposes) you can use Yubikey Manager. This is a small piece of software available for Windows, macOS and Linux, with both a graphical interface and a command-line tool (ykman), that gives you more control over your Yubikey 5C NFC.
You can also choose what happens on a short touch and on a long touch of the key: each of those two "slots" can hold a different credential type, e.g. Yubico OTP, challenge-response, OATH-HOTP or a static password.
The static password lets you use the Yubikey 5C NFC as part of your password scheme. For example, instead of having a completely different password for each service, you could build each password from a sequence of characters that is easy to remember for that service plus a constant, random string that is generated and stored on your Yubikey 5C and typed out by the key. This gives you long, hard-to-guess passwords that you can only enter when the key is at hand. Be aware of the trade-off: the random part is the same for every service, so if one service leaks its passwords in plaintext, that constant is exposed for every other account you used it with. It raises the cost of guessing, but it is not a substitute for unique passwords (and, unlike the FIDO functions, it does nothing against phishing).
These devices offer a list of functions that includes OATH-HOTP/TOTP (the same algorithms as the software authenticators), a PIV smart card, OpenPGP, FIDO U2F and FIDO2. Yubikey Manager calls these "applications" and lets you enable or disable each one over the USB and NFC interfaces; together they cover pretty much the whole gamut of authentication standards. FIDO2 includes WebAuthn, the W3C standard through which browsers talk to security keys.
If you want to go a bit deeper, the Yubikey 5C NFC also offers OpenPGP, but that requires a command-line tool: the key pairs are generated on, or imported to, the device with GnuPG (gpg --card-edit), while the Yubikey Manager command line takes care of the card's own settings. It is more than a couple of steps, but the process is well documented, so it is easy to do. The same command-line tool can enable or disable each application individually, so you can switch off whatever you do not use. This makes the Yubikey 5C NFC extremely configurable and keeps its exposed surface small.
When using TOTP with the key, the shared secrets are stored on the Yubikey itself rather than on your phone. A companion app (Yubico Authenticator, on desktop or mobile) asks the key to compute the current code, so the secret never leaves the device and your codes travel with the key rather than with a particular phone.
I highly recommend the Yubikey 5C NFC as a great security device that is actually easy to use and fast.