
Yubikey Review: Useful Way of Protecting Your Passwords

Will Ellis

What would you do if someone were to tell you that only you should be able to log on to your various accounts?

You’d probably sit back and think for a second. After a little confusion, you might ask, “Hey, man. Aren’t I the only one who can log on to my account?”

Well, technically. What if someone tries to hack your account? If they do that successfully, then you won’t be the only one who can access it.

I know, all of your information is in your various accounts. We want you to want to keep all of your information just as much as you want to keep all of your information.

Besides using a VPN, the best place to start with cybersecurity is a 2FA hardware token.

If you’re thinking about getting one, then you’re in for a treat. Today we’ll talk about the most popular and most secure one on the market today, YubiKey.

Stick around, this is a step in the right direction.

What is YubiKey?

In basic terms, YubiKey is a 2FA hardware token made by Yubico. You plug it into your device and when you need to authenticate your identity, you click the button on the YubiKey. It essentially functions as a physical authentication medium without retina scanners, fingerprint sensors or facial recognition.

It’s small and easy to carry around. It can even hang out on your keyring. If you’re one of the cool kids, it can easily attach to your nifty lanyard 😎.


YubiKey is relatively simple to use but it’s still in the stage of early adopter usage. Technologically savvy consumers will find it straightforward.

The main issue with the YubiKey is having to figure out how to use it for specific programs and software. You’ll need to set up the authentication with your various accounts individually. Besides that, it’s pretty simple to use.

Benefits of a 2FA Hardware Token

No Yubikey review would be complete without a list of benefits. Let’s take a look at a few reasons why you’re probably going to want Yubikey to become a part of your security suite.

More Security

You may think that having a physical authentication device puts you in the same camp as security weirdos wearing trench coats. We’re here to tell you that may only slightly be the case.

The fact is that security needs to be taken seriously. With the ridiculous amount of data breaches over the last few years, you can’t be too careful.

Accounts where the YubiKey is used are less likely to be compromised. You’d have to let someone actually take your YubiKey. Spoiler: most hackers won’t be capable of that unless you’re on the bad side of the FBI or CIA. We hope that isn’t the case.

Verify With Ease

To use a YubiKey, you just have to carry it around with you. It’s not exactly heavy, with the YubiKey 5 NFC coming in at a resounding 3 grams and the YubiKey 5C Nano weighing in at 1 gram.

If you don’t have car keys to attach it to, then we suggest an arts and crafts session where a YubiKey necklace is the main art project.

Once you’ve mastered the carrying part of this whole process, all you have to do is plug it into your computer or lay it on your cell phone. There aren’t any apps to worry about and there are no explodable batteries to provide any second thoughts.

Disadvantages of Using a 2FA Token

First, you could lose it. That’s the case with most things. If you’re like me and you lose everything, a hardware authentication key might not be the right choice. Your best option is to use a password manager.

Besides that, you have to figure out how to set it up for each individual account. Account setup ranges from extremely easy to not possible. Luckily, the actual usage isn’t very complicated.

Services such as Facebook and Google are easy to use the YubiKey with. With Google, the company only supports the YubiKey on Google Chrome, which is a huge surprise (that was sarcasm 🙃).

The thing is, that isn’t a rare occurrence for different accounts. The YubiKey might work on one browser with one service and another browser with a different service. It takes some figuring out.

We also can’t forget that using the YubiKey with iOS is still a pain in the butt. It has gotten better with newer versions but it’s pretty annoying to use with an iPhone.

Features

There are a handful of different YubiKey versions at this point. We’re going to cover the features that encompass all of the different versions.

Anti-Phishing and Malware Proof

2FA on mobile devices is great and everything but there still is a slight chance malware can jump on board and mess things up. Same thing with SMS authentication. If someone can execute a man-in-the-middle attack — access granted (for the hacker, not for you).

YubiKey lets you authenticate without any fear of those pesky hackers gaining access to your logins and to your devices.

Simplicity

We know you’re as lazy as we are. Typing in authentication codes is annoying. Really annoying. With a YubiKey, you just have to click a button and you’re in.

Time

TOTP (Time-based One-Time Password) solutions have their flaws, with time drift between token clocks and software systems. The YubiKey does support TOTP, but it doesn’t rely on it alone.
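To make the time-drift problem concrete, here is an added example (not from Yubico or from this review) that computes standard RFC 6238 codes and shows a server accepting or rejecting them as the token's clock falls behind. The secret is the published RFC 6238 test value; the `verify` and `demo` functions and the drift amounts are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real credential

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret: bytes, submitted: str, server_time: int, window: int = 1):
    """Return the step offset that matched (0 = clocks agree), or None.

    window is how many steps of drift the server tolerates on each side;
    a larger window forgives more drift but keeps each code valid for longer.
    """
    server_step = server_time // STEP
    for offset in sorted(range(-window, window + 1), key=abs):
        step = server_step + offset
        if step >= 0 and hmac.compare_digest(hotp(secret, step), submitted):
            return offset
    return None

def demo():
    """Constructed scenario: the token's clock is behind the server's."""
    token_time = 1111111109          # what the token believes the time is
    code = totp(SECRET, token_time)  # code shown on the token
    return {
        "code": code,
        "in_sync": verify(SECRET, code, token_time, window=0),
        "20s_drift_strict": verify(SECRET, code, token_time + 20, window=0),
        "20s_drift_window1": verify(SECRET, code, token_time + 20, window=1),
        "70s_drift_window1": verify(SECRET, code, token_time + 70, window=1),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A strict server rejects a correct code after only 20 seconds of drift here because the token was near the end of its 30-second step; widening the window fixes that at the cost of a longer-lived code.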

Static Passwords

If two-factor authentication isn’t supported, YubiKey can give you a complex and long password to use.

Sturdy

YubiKeys are pretty dang sturdy. They’re hermetically sealed like a can of tuna so nothing will get in it. They’re also waterproof so you can keep it on you even when competing in a kayak race with your Uncle Bill.

Yubikeys are also allegedly crushproof. We haven’t technically tested this because we’re afraid but if you do crush it, Yubico will probably give you a new one.

Next Generation Protocols

YubiKey supports Yubico-OTP, OATH-HOTP, OATH-TOTP, OpenPGP, Smart Card (PIV Compliant), and FIDO U2F.

Mobile Devices

Given that Yubikey devices connect to a full-sized USB port, you might think that they are incompatible with iPhones and other mobile devices. However, Android phones and newer iPhones can be used with many brands of Yubikeys. This is done through near-field communication or NFC technology, which was first added by Apple with the release of the iPhone 7.

The iPhone experience still isn’t perfect and can be annoying, but it does work.

When you are prompted to use multi-factor authentication from your iPhone, the Yubikey application instructs you to tap the security device against the corner of your phone in order to connect and verify your identity.

The technology behind Yubikey devices will continue to grow and improve over time. Most manufacturers rely on the OpenPGP standard, which is an encryption method first used for email communication. The standard is open-source and managed by a large online community of developers.

Prices

There are four versions of the YubiKey that are purchasable straight from the Yubico store.

YubiKey    Price
5 NFC      $45
5 Nano     $50
5C         $50
5C Nano    $60

Support

Yubico offers a wealth of information for figuring out how to use the YubiKey. The Yubico knowledge base is full of helpful articles and videos.

Getting started with your YubiKey is easy when following the instructions in the help center. If you have any issues going forward, Yubico will probably have already written about it.

If you’re not in a self-help type of mood you can submit a ticket to Yubico support.

Alternatives

Not all security authentication keys are created equal. Some only serve one function while others serve too many. The following are fantastic alternatives to the YubiKey if you’re not feeling the Yubico-created product.

CryptoTrust OnlyKey – Best Alternative for Price and Function

The CryptoTrust OnlyKey is a powerful solution for those consumers looking for maximum protection on their digital devices. Like the YubiKey, the OnlyKey is compatible with all major computer operating systems.

What separates OnlyKey is the added bonus of having a password manager run locally on the USB key. The OnlyKey has a larger physical footprint than other competitors because its design includes six buttons labeled with numbers.

How it Works

The OnlyKey’s physical buttons are used for two purposes. First, CryptoTrust requires that every user sets up a PIN when initially configuring the OnlyKey for multi-factor authentication.

When you go to a website or open an application that requires identity verification, the OnlyKey will illuminate and you will be prompted to enter the PIN. This adds a layer of extra security, as your data remains protected even if a hacker manages to steal your computer and authentication device.

Secondly, the OnlyKey’s physical buttons can be used for storing and encrypting up to 12 software passwords.

Normally, when you visit a website and log into an account, you manually type in your email address and password. But with the CryptoTrust solution, you can simply short-tap or long-tap one of the buttons and have it log you in automatically. Pretty cool stuff.

Hardware

Like the YubiKey, the OnlyKey is made of plastic that is waterproof. But due to the number of physical buttons, there is a greater chance of wear and tear over time. It does come with an additional silicon cover that can help to protect the device and allows it to connect to a keychain or lanyard.

Because of the addition of the physical buttons and password storage functionality, the OnlyKey is about the same cost as the Yubikey.

Cost

Besides being ugly, the biggest con against the OnlyKey is that it doesn’t currently include NFC support for smartphones.

Feitian FIDO – Cheap Alternative, Few Incompatibilities

For those looking for a simple, low-cost solution for multi-factor authentication, the Feitian brand is a good place to start. Their FIDO devices will often be available for up to 80 percent off the price that companies like Yubico and CryptoTrust will charge.


Of course, by choosing a low-cost solution like Feitian you give up some features and functionality. The Feitian FIDO is compatible with the FIDO U2F standard but may not be supported by all websites or applications, especially those run by financial institutions.

On the bright side, the Feitian device does have NFC technology built in, so you can use it for authenticating from your Apple or Android smartphone. It has a single button on the top of the USB key. When pressed, the Feitian device will confirm authentication on your computer or phone. Unlike the products from Yubico and CryptoTrust, the Feitian FIDO is not waterproof and can be vulnerable to physical damage.

Thetis FIDO – Lacks Features, But Could Work for the Beginner

Thetis offers a Yubikey alternative that is priced at $20. If design and appearance are important to you, the Thetis FIDO may be a compelling choice.


The Thetis FIDO is designed like a full-sized USB flash drive with a rotating metal cover that lets you protect the connector port when not in use. It is not waterproof but is made with durable aluminum that makes it resistant to bumps, scratches, and other damage.

Thetis devices are limited to the U2F protocol and do not support any NFC connections for smartphones. It will work for multi-factor authentication with popular social networks and banking accounts, but it may not work with all email clients or other third-party services.

Final Thoughts

You should be using some form of a hardware security key if you care about the security of your online information. If you don’t care about the security of your online information, some people might call you dumb. I’m not some people, but they’re out there… watching you.


The Yubico YubiKey is the best solution on the market today. That isn’t to say there aren’t alternatives. The CryptoTrust OnlyKey not only has a cooler name, but it’s also almost as good in terms of functionality and reliability as the YubiKey.

Any way you slice it, using a physical security key is one of the best ways to protect yourself in 2020.

FAQs

Q: What can I use YubiKey for?

A: The list of services that the YubiKey works for is massive. A full list can be found here. Some popular accounts the YubiKey works with are 1Password, AWS, Binance, Dropbox, Duo, EA, Epic Games, Facebook, Google, GitHub, Instagram, Kickstarter, Linux, MailChimp, Microsoft, Reddit, Salesforce, Shopify, Skrill, Squarespace, Trello, WordPress, and YouTube.

Q: What is the purpose of a YubiKey?

A: The purpose of a YubiKey is to enable stricter security practices for online accounts. It allows anyone who purchases a YubiKey to access their accounts securely by using one-time passwords or by using a FIDO-based key pair.

Q: Which YubiKey is best?

A: The YubiKey 5 NFC has the most functionality.

Q: Is YubiKey secure?

A: Yes, the YubiKey is extremely secure as it is a physical two-factor authentication device. The only risk is if someone steals it from you and has your account information.

Q: Does 1Password work with YubiKey?

A: Yes, it does.