Convenient bulletproof security when combined with a decent password. Go buy two of them for yourself now…
Still here? Fine, I might as well explain. These little keychain-sized devices are used for 2FA instead of email codes, SMS codes or an app that generates one-time codes. Those options are better than nothing, but each has its own weaknesses:
- SMS is sent in plain text and can be intercepted
- SMS codes are susceptible to SIM swapping attacks
- The apps can have software bugs
This is where YubiKeys come in: now anyone who wants access to your account needs both your password and physical access to your key. Just plug it in, or tap it on any device with an NFC reader. Another common reason people use these devices is to defend against phishing. The key will only authenticate for the URL you used during the initial setup, so even if you are redirected to a fake sign-in page, the key simply won't work there.
Google forced all employees to use hardware keys after they fell victim to a phishing attack, and they have had zero incidents since then.
Which one should you buy?
I’ve only ever used Yubico products, but there are all sorts of options with different protocols, features and form factors. The principle is the same either way: have a physical device that is required to access your accounts. The main rules to follow are:
- Can you afford two of them right off the bat? Once you link a device to your account, if your one and only key is ever lost, stolen or broken, you’re locked out. Buy a pair and set them both up at the same time. Keep your primary one on you or nearby and store the secondary one somewhere safe in case of emergencies. I even go as far as periodically testing my secondary key just to make sure everything is in order; otherwise I need to replace it ASAP.
- Is this device supported by my primary email provider? A huge amount of our online identity is linked to our email account, and I personally think that’s the first thing that should be secured. If your email is compromised, an attacker can pivot and reset the password on any account linked to that email.
- Can it use the ports on my devices? Pretty obvious one: if you can’t plug the thing in or tap it using NFC, it’s useless.
On top of that, some services don’t fully support these devices, but depending on which one you buy, and with a little configuration, you can use it in place of a code-generator app.
Things I would avoid
Anything that doesn’t have NFC support. NFC is a good backup if, for whatever reason, you can’t plug the device in to authenticate.
Yubico’s Lightning/USB-C combo: $75 apiece and no NFC. I would only go down this road if your iPhone’s NFC sensor is broken and you have no other devices. Otherwise you’re spending way more money than you need to for minimal features, and possibly breaking rule one.
Anything with biometrics. I like the philosophy behind it, though: “you’re not getting access to my email unless you pry this from my cold dead hands or cut it off.” Unfortunately they are very expensive compared to similar devices without this feature. There is also a chance biometrics may not be supported. Yubico’s offering is $95 and doesn’t even support NFC. The only situation where I would recommend something like this is if you wanted to go passwordless. But cool features are no reason to disrespect rule one. *Note: the more I think about it, I don’t think it’s feasible for the device to ask for biometrics and scan for NFC at the same time.
Any key like the YubiKey Nano that is designed to be plugged into a computer and left there. I’m cautious because it seems designed to be a boot device rather than a 2FA token. On top of that, the device is so tiny that you can easily forget it’s plugged in, or which device it’s plugged into. And if I’m being honest, it doesn’t even seem like an entry-level device, so it should be avoided anyway. At the very least, put some sort of loop through the hole and don’t forget about it.
That’s all I have to say about this topic for now; make sure to do your own research and figure out what works best for your use case. Share this with a family member or friend who needs better security.
I hope this helped.