As the year draws to a close (this is my last review for 2018), I want to share with you one way to prevent identity theft and improve online security. Yubico sent me their latest YubiKey 5 series hardware-based authentication tokens. YubiKeys are now available for sale in Singapore through the distributor, DT Asia Pte. Ltd, and you can purchase from Lazada.
The Key to 2FA
The term “two-factor authentication” is often mentioned for verifying a person’s identity while handling online transactions. It means that two different methods of establishing an identity are required, chosen from what you have (e.g. a key), what you know (e.g. password), and what you are (e.g. your presence). For instance, most banks issue a special security token which is required when processing certain critical transactions, like adding a new bank account to transfer funds to. For other transactions, the banks fall back on SMS one-time password (OTP).
SMS is one of the most common 2FA methods because everyone owns a mobile device. But it is not necessarily the most secure. This is because it is prone to man-in-the-middle attacks where a phishing site could mislead the user into providing both the login PIN and the SMS OTP. Still, it’s better than nothing, and I hope you are already enabling 2FA for all of your online accounts, where supported.
Yubico was founded in Sweden in 2007 and expanded to the USA in 2011. The core invention is the YubiKey, a small USB and NFC security key. They pioneered the design of the first one-time password authenticator to work with a simple touch and with no client software. They also co-created the FIDO Universal 2nd Factor and FIDO2 open authentication standards in collaboration with Google and Microsoft. Their work has also contributed to the open identity standards organisations W3C, IETF, FIDO Alliance and OpenID.
YubiKey 5 Series
YubiKeys are basically security keys for secure 2-factor authentication. They support the following protocols: FIDO2/WebAuthn, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response. They replace other 2-step verification methods like mobile phone SMS OTP. The YubiKey 5 series supports hundreds of popular brands, platforms and services like Windows, macOS, Google, Facebook, Dropbox, Instagram, Twitter, WordPress, RSA, LastPass and others. It works with online services, developer tools, computer logins, remote access, password management and encryption tools.
Ideally, YubiKey works out-of-the-box with no additional software required. Some login platforms might require an additional app like Yubico Authenticator to generate instant PINs to authenticate with supported apps, instead of using SMS to receive the PINs. This is because YubiKey relies on open authentication standards, hence the implementation depends on the individual platform.
If you already have enabled 2FA over SMS, you’re pretty safe. But how is YubiKey more secure than SMS?
With YubiKey, user login is bound to the origin, meaning only the real site can authenticate with the key. Phishing sites are unable to fake the YubiKey or any universal second factor (U2F) security key. On the other hand, SMS authentication cannot stop phishing and man-in-the-middle attacks. A phishing site can trick you into providing both the password and the SMS OTP, and with that, the scammer can gain access remotely. But if your 2FA is YubiKey, the scammer cannot reproduce the authentication and pass it off as yours.
YubiKey also supports FIDO2 authentication, including a strong single-factor passwordless method. This is better than a password because anyone who knows your password can log in from anywhere, but with YubiKey, you need the physical key to authenticate. On the latest Windows 10 (version 1809 onwards), you can simply use YubiKey 5 to log into Microsoft sites without entering your Microsoft password. A PIN is still needed to authenticate with the YubiKey.
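The origin binding comes from checks that the real site runs on every security-key login. The following Node.js sketch is an added example, not code from Yubico or from this review: it simulates the key in software and uses the constructed names example.com and examp1e-login.test to show the server-side WebAuthn checks accepting a genuine login and rejecting two phished ones.

```javascript
// Added example: server-side checks that bind a WebAuthn/U2F login to its origin.
const nodeCrypto = require('crypto');

const RP_ID = 'example.com';              // constructed relying-party ID
const ORIGIN = 'https://example.com';     // constructed genuine origin
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Simulated browser + key: the browser, not the page, records the origin it is
// really on. Worst case assumed: the key signs even for the look-alike host
// (a real key holds no credential for that host and would refuse).
function simulateAssertion(privateKey, challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: browserOrigin,
  }));
  const rpIdHash = sha256(new URL(browserOrigin).hostname);
  const flags = Buffer.from([0x01]);      // bit 0 = user present (key touched)
  const signCount = Buffer.from([0, 0, 0, 1]);
  const authenticatorData = Buffer.concat([rpIdHash, flags, signCount]);
  const signature = nodeCrypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party verification; returns 'ok' or the reason for rejection.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = simulateAssertion(privateKey, challenge, ORIGIN);
  // Victim is on a constructed look-alike host that relays the real challenge.
  const phished = simulateAssertion(privateKey, challenge, 'https://examp1e-login.test');
  // The relay swaps in the genuine-looking fields but only has the phished signature.
  const forged = { ...genuine, signature: phished.signature };
  return [genuine, phished, forged].map((a) => verifyAssertion(publicKey, challenge, a));
}

console.log(demo());
```

An SMS or app-generated OTP carries no such origin field, which is why a relayed code is accepted by the real site while a relayed security-key response is not.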
USB-C, NFC or Just USB
YubiKey 5 comes in various options, depending on how you use the key. If you always leave the key in the computer, you might want a nano-size key, either in standard USB (for laptops) or USB Type-C (for the latest laptops or smartphones). There is also an NFC version where the YubiKey can be read contactlessly for authentication.
The upgrade from YubiKey 4 is the support for FIDO2/WebAuthn, so if you do not need this standard, you could still go for the older version.
I tried installing YubiKey on some of the common platforms and here’s how they work.
2FA with Google Account
I tried to set up 2FA with my Google account, and it is a breeze.
When prompted, I plugged the YubiKey 5 into the USB port and the sign-up process detected the key to let me proceed and complete the registration.
Now, whenever I log in to Google, instead of prompting a verification page from my other Android device, I just tap the YubiKey 5. Very convenient.
2FA with Windows and Microsoft Account
The YubiKey for Windows Hello App is not compatible with YubiKey 5 Series devices. If you have a YubiKey 5 Series device, you could set up with the Windows Logon Tool. Otherwise, it is not possible to use YubiKey to login to Windows.
I tried to set up the passwordless method with my Microsoft account, and while you can skip the actual Microsoft login password, it still requires the user to enter a PIN which is paired to the YubiKey. Hence, even if you lose your YubiKey, whoever finds it would not be able to just plug in the key and access your account.
I found that there are inconsistencies in how Microsoft implements 2FA. First, only selected browsers and OS versions support security keys. Second, only some Microsoft sites are supported. This makes using a security key on Microsoft sites a hassle.
2FA with Facebook
Setting up with Facebook is as straightforward as with Google. Once the setup is done, the browser will prompt for the YubiKey to authenticate. On smartphones with NFC, it will prompt to scan the YubiKey 5 NFC.
For browsers and platforms that do not support security key authentication, Facebook will still fall back on other authentication methods like sending email, SMS or authentication apps (like Google Authenticator).
2FA with Instagram
Instagram is not seamlessly integrated with YubiKey 5. The app uses YubiKey to generate a time-based PIN which you need to enter separately when prompted during login.
A Legitimate Way to Share Accounts?
If you have a shared social media account, you might need to give someone access for a short term, and you would have to reveal the account password so that they can log in to manage it. Over time, the account may become compromised when the password gets passed around. If the account requires a security token like YubiKey for 2FA, access is physically controlled, because only those who hold the security token can log in, not just anyone who knows your password.
So, is YubiKey that useful and necessary? If you are concerned with online security, if you are someone of prominence, or a social media personality, you do not want to become the next victim of identity theft. YubiKey 5 offers security for a small one-time price and prevents remote hackers from successfully phishing your social accounts and web services. Once YubiKey is enabled as an authenticator, hackers will not be able to gain access to your online accounts unless they possess the YubiKey. To increase security, you can even set up multiple YubiKeys.
I do agree that YubiKey might be overkill for most of us. Other than security keys, there are other secure 2FA alternatives, like authentication apps, which are basically software tokens. Android Authenticator is a popular smartphone app that generates codes for logging in to apps. Enabling SMS OTP is better than nothing, but don’t lose your phone.
Hopefully, more users will become savvy and enable 2FA wherever the option is available on their apps. And hopefully, more apps will support these options to protect our online services. More importantly, these authentication methods should be as secure and easy to use as YubiKey.
YubiKey 5 Prices
- YubiKey 5 NFC: US$45 / S$70.50
- YubiKey 5 Nano: US$50 / S$109.60
- YubiKey 5C: US$50 / S$109.60
- YubiKey 5C Nano: US$60