We are constantly looking for ways to make our online identities safer and out of reach of people who might take them over for their own purposes. The current gold standard is a unique, strong password per account plus a second factor, which comes in different forms, including SMS codes, software authenticators and hardware keys.
Some services, like Microsoft Account and Microsoft Office 365, are even going passwordless, which is the next step: eliminating the one factor that can easily be phished or extracted by malware. These services use software authenticators and hardware keys to generate unique codes that can’t easily be copied and reused.
Hardware keys are secure because they use cryptography to authenticate you and identify you to online services. The credentials cannot be reproduced and are unique to each device and service.
The new Yubikey Security Key and Yubikey Bio series by Yubico are simpler and less expensive than before, because the company focused on just a couple of protocols, namely FIDO2/WebAuthn and FIDO U2F. Previous series (still available as the Yubikey 5 Series) also supported smart card (PIV), OTP and OpenPGP, making them harder to manage and more expensive.
Both Yubikey Security Key and Yubikey Bio come in models with USB-A and USB-C connectors. The Yubikey Security Key also supports NFC (Near Field Communications) for contactless authentication, while the Yubikey Bio has a built-in fingerprint reader for additional ease of use. These keys work with a variety of operating systems, including Windows, macOS, Chrome OS and Linux.
You will notice that the Yubikey Security Key has a golden disc that you touch when asked, either to initiate the enrolment process or to validate a login, while the Yubikey Bio has the fingerprint reader in the same position.
These keys work with pretty much all services you can think of. I have added them both to a variety of accounts: Microsoft Account, Microsoft Office 365, Google, Google Workspace, Yahoo, GitHub, Cloudflare, Twitter, Facebook, Dropbox and more. I have even enabled passwordless login to my Synology NAS using these keys.
The list of services where you can use a Yubikey is long; beyond those already mentioned, it includes identity and access management services such as AWS IAM, Duo Security, Okta and OneLogin.
The way to add your key to those accounts is much the same everywhere: go to the security settings for that account, find the 2FA (or multi-factor) menu and add a new hardware key.
If this is the first time you use your Yubikey Security Key or Yubikey Bio, you will be asked to create a PIN for the key. If you are using the Yubikey Bio, you will also be asked to scan your fingerprint, and the PIN will be used as a fallback.
This fingerprint scan is securely stored in the key and never leaves it, even during authentication. You can later add another four fingerprint scans, for a total of five fingerprints.
You will find an option to go passwordless on your Microsoft Account or Microsoft Office 365 account. This makes your account even more secure, but make sure you have more than one way to log in in case you lose your key. You can, for example, use an authenticator app such as Authy to generate unique codes, or use Microsoft Authenticator to receive push notifications that require you to confirm the login.
Once you associate a hardware key with your account, the login flow might change slightly. If you are used to simply entering a username and password, you will see an additional step after that, where you are asked to insert your Yubikey (or touch it to your phone, if using NFC for example). You will be asked to enter the PIN for the key before you are asked to touch the golden disc on your Yubikey Security Key or the fingerprint scanner on your Yubikey Bio. Touching the golden disc
In my case, I have more than one Yubikey associated with my account. I carry the Yubikey Bio on my keyring and leave a Yubikey Security Key (which doesn’t need my fingerprint) in a safe place in case I lose my keyring or my family need emergency access to my accounts.
These keys won’t work with some services. For example, LastPass and Microsoft Active Directory (not to be confused with Microsoft Azure AD) don’t support the FIDO/FIDO2 protocols, so you should use the older Yubikey 5 or a software authenticator with those services.
Both the Yubikey Security Key and the Yubikey Bio are water and crush resistant, so carrying them on your keyring or in any other holder won't affect their performance.
The Yubikey Security Key and Yubikey Bio are made in Sweden and the USA. These are available now.