How To Setup & Use Yubikey 5 Series Hardware Tokens - The BEST 2FA Option!
LINKS:
https://2fa.directory/
https://www.yubico.com/store/compare/yubikey-5-nfc,yubikey-5c-nfc,yubikey-5-nano,yubikey-5c,yubikey-5c-nano,yubikey-5ci/
https://www.yubico.com/authentication-standards/fido-u2f/
https://www.yubico.com/works-with-yubikey/catalog/#protocol=all&usecase=all&key=yubikey-5-nano
Hak5 Interviews Stina https://www.youtube.com/watch?v=mxmEnL0WIFo
FTC disclosure: Yubico sent me these Yubikeys for review. Thanks, Yubico!
Hey smores, I'm Shannon Morse, welcome to Morse Code.
Y'all know I'm slightly obsessed with 2 factor authentication and I want everyone in the world to understand why it's so beneficial. And today, I'm introducing my personal favorite type of 2FA - Yubikeys.
If this is your first 2FA rodeo - it's actually pretty simple. You know how when you use an ATM you need to put your card in the ATM then type in your PIN code? That ATM needs two pieces of information from you to give you money - the actual card, and the PIN code that's connected to it. That's basically what 2FA is. It's two factors of authentication.
Online, 2FA means that you log into an account with your normal username and password, but it ALSO requires you to type in a code that gets texted to you, or type in a code from an app on your phone, or plug one of these little devices into your device, which triggers the login.
This protects you from someone getting into your account if they somehow got access to your password.
Now, I always recommend turning on 2FA if it's available - and it is available on lots of sites nowadays. You can turn on 2FA for your Gmail, your password manager, Twitter, Facebook, Instagram, Patreon, Amazon... all sorts of sites.
And yes, there's a site that you can reference - https://2fa.directory/
My favorite type of 2FA is these little hardware tokens. I discussed hardware tokens before in my Google Titan Security Key review video, but TLDR they are the most secure option for most consumers. The pro is that a criminal would need to have access not only to your password but to your hardware key as well in order to hack into your online accounts, so it removes the potential for a remote attack. The con is you need to have this on you whenever you log into your account on a new system. So if you don't carry your hardware key around or you tend to lose things, you may want to consider having a backup option.
These hardware tokens or keys are Yubikeys. Yes, all of these. They come in different form factors for all sorts of different devices. Got an iPhone? There's one for that. Got an Android - there's USB-C. Want both? You can do that too. Just need one that is regular old USB A? Yup. Want one that can do NFC so you don't have to plug it in? Yup.
So Yubico was founded way back in 2007 in Sweden and creates hardware keys that you can use to log in to any accounts that are supported. They also worked with Google to create a standard for this technology, called Universal 2nd Factor, which is hosted by the industry consortium called the FIDO Alliance. Basically, if a company wants to accept U2F devices for a 2nd factor, they totally can, and you can use any U2F standard key to unlock your accounts. Yubikeys are one of these, and so are the Google Titans.
Hilariously, you can find this REALLY OLD Hak5 video on Yubico's site that describes how they work, but that's pretty much the gist of it.
I share all of this background info because I've known Stina, the founder, for the better part of a decade and you can see the passion this company has for security and privacy and that excitement and passion is so rare. And I share that excitement because stuff like this makes it SO EASY for consumers to be protected. The fact that Yubico has not only created keys but also started a universal initiative with other companies is huge.
So let's go through these and I'll describe pricing and how they work... Yubico did send me these for review but I've purchased PLENTY of these through the years as the USB options have been upgraded over time.
One of these Yubikeys can be used to unlock ALL supported accounts. AND the same Yubikey can be used on multiple devices. So you'd only need to use one unless you have many different devices. I have Androids, iOS devices, and Windows 10 and Linux machines and they have lightning, USB C, and USB A, so I normally buy a couple of them so I'm never locked out. BUT if one of my phones or computers also supports NFC, I could tap instead of plugging in, because several of these support NFC, not just plugging in.
These are all Series 5 Yubikeys - they are a part of the experience pack which retails for $290. All of 'em support U2F, OpenPGP, FIDO2, and more. For a user, that means they'll work on a lot of websites and accounts. These can authenticate you when you log in up to 4x faster than One Time Passcodes or SMS based auth options. They don't require a battery OR a wifi connection to work.
The Yubikey 5 NFC supports both USB A and NFC. So you can tap this against any NFC enabled devices to log in, or you can plug it into a USB A port. It retails for $45.
The Yubikey 5C NFC is $55 and comes with both NFC and USB-C.
This one is the Yubikey 5Ci, and it includes both USB-C and lightning, so you can plug it into a USB C port or a lightning port and tap the little gold contact point in order to authenticate and log into online accounts. This one is $70 and does not include NFC.
All of those ones have a hole to put it on a keyring so you can take these with you.
The two little ones are meant to be kept in your device at all times, assuming your device is secure.
These little ones are pretty cool. First is the Yubikey 5 Nano, $50. This one can sit almost flush inside your USB port, and you press the gold contact whenever you need to log in. Lastly is the Yubikey 5C Nano which is $60 and that one also sits almost flush in the USB C port of your device. Neither of these little ones has NFC. I also have a Yubikey 5C that costs $50. This one is USB C only, and you touch the contact to authenticate.
So, Yubico has a great comparison graph on their site, so you can compare all the different offerings. Most consumers will want a 5 Series Yubico. There are also some that are certified for government use.
So here's how I would use one of these for one of my online accounts.
I'm using the 5Ci for this example demo. On Facebook, go to Settings & Privacy > Settings > Security and Login > Two Factor Authentication. Click Edit or Enable to turn it on for the first time, and choose Security Key, then follow the on-screen instructions. You'll notice, if you watched my Titan demo, that the same kind of window pops up but this one also requires a PIN code. Choose a PIN, touch the Yubikey while it's plugged in, and it'll be added to your profile. When you log in on a new device, you'll need to enter the PIN, then touch the Yubikey while it's plugged in to log into your account.
I set up my 5C NFC by plugging it into my computer and going through the same setup. To log into a new device, like on my Samsung phone, I just have to hold it to the back of the phone til it vibrates. This shows that you can use more than one hardware token on one online account, so if you want to keep one as a backup in your safe or something like that, that would be a good idea in the event you lost the main one you use.
I LOVE using hardware keys, especially with the versatility of the Yubikeys. And I have recommended them for YEARS because they're so easy to use and efficient and highly secure. If you aren't using one yet, get one. Or two so you have a backup. It's a one time cost and they last a long time and add the best security for account authentication.