Net Privacy Pro

Password culture has traveled a long way since the early days of online security. Computer systems were once disconnected islands that required physical access to gain control over them. With the advent of the internet and wide-spread online connectivity, everyone suddenly got access to everything. Passwords were the last barrier between user accounts and malicious hackers. Over time, passwords grew more sophisticated (through e.g., password managers), but so did hackers’ tools to overcome them. Eventually, Two- (or Multi-) Factor Authentication (2FA/MFA) was invented. Account logins required an additional step when logging in, making access a lot more difficult for malicious actors. In this article, I will be looking at one very popular MFA-solution widely available: YubiKeys, made by the company Yubico. I will show you how you can secure your online accounts with the YubiKey Series 5 devices, the latest in Yubico’s product lineup.

Specifically, I will present to you two device types: The YubiKey 5 NFC, which works via USB-A or wirelessly via NFC, and the YubiKey 5Ci, which you can plug directly into your iOS device (via lightning) or USB-C device.

Both keys come in a neat, lightweight packaging. All YubiKeys feature a very small, handy form factor. The backside of the packaging leads us to the key setup website: yubico.com/start. This opens a guidance page which explains how to set up each key type. We’ll go into the setup for the 5 NFC and the 5Ci later in this article.

Getting to Know the YubiKey Series 5 NFC and 5Ci

Both keys, the 5 NFC and the 5Ci, weigh almost nothing. They come in a sleek black, have a hole for your key chain, and feature touch areas used for physical confirmation to log in. For the 5Ci, that’s located on the sides as small metallic bits, the 5 NFC has a large’ish touch area in the center of the front face.

Supported Protocols

Both key types support a wide range of authentication methods and protocols. In fact, with the protocols implemented in these keys you will be able to authenticate at the majority of services you come across today. Either key can be configured to authenticate using any of the following seven methods:

  • OTP (One-Time Password): A secure authentication method where a unique password is generated for each login session, preventing the reuse of passwords and enhancing security.
  • FIDO U2F (Fast Identity Online Universal 2nd Factor): A standardized method for two-factor authentication that uses a physical device (YubiKey) to provide an additional layer of security beyond the username and password.
  • FIDO2 (Fast Identity Online 2): An advanced authentication protocol that enables passwordless login by using public key cryptography, enhancing both security and user convenience.
  • Smart Card (PIV): A security feature that uses the YubiKey as a personal identity verification (PIV) card, enabling secure access to systems and data with cryptographic protocols.
  • OpenPGP 3: A feature that allows the YubiKey to securely store OpenPGP keys, enabling encrypted email communication and digital signatures.
  • OATH-TOTP/HOTP: Time-based (TOTP) and event-based (HOTP) one-time password algorithms that allow the YubiKey to generate and manage OTPs for multifactor authentication. The YubiKey generates a unique password valid for a short period (typically 30 seconds), commonly used with authenticator apps for two-factor authentication.
  • Challenge-Response: A security mechanism where the YubiKey generates a cryptographic response to a given challenge, providing secure verification of identity and data integrity.

OTP and OATH are very closely related, but not the same feature. OTP on a YubiKey can be a general one-time password generated by the device, while OATH-TOTP is a specific type of OTP that is time-synchronized and widely compatible with authentication apps.

Differences between the YubiKey 5 NFC and 5Ci

While both key types offer the same basic functionality, they cater to different audiences and use-cases.

YubiKey 5 NFC: Ideal for computer and mobile authentication, allows for convenient wireless logins

Connectivity:

  • USB-A: Compatible with a wide range of laptops and desktops, making it versatile for traditional computer users.
  • NFC: Enables wireless authentication for NFC-enabled mobile devices, providing ease of use for smartphone and tablet access without needing to physically plug in the key.

Device Compatibility:

  • Broad Compatibility: Works with most devices that have USB-A ports, including older and current computers.
  • Mobile Access: Compatible with NFC-enabled mobile devices, making it ideal for users who need to authenticate on the go without cables.

Use Cases:

  • Cross-Platform Authentication: Perfect for users who need to switch between different types of devices frequently, such as moving from a desktop computer to a mobile phone.
  • Convenience: NFC capability allows for quick, contactless logins, enhancing user convenience and experience.

YubiKey 5Ci: Great if you own an iOS or modern USB-C device

Connectivity:

  • USB-C: Designed for modern devices, including the latest laptops, desktops, and some tablets and smartphones, ensuring future-proof compatibility.
  • Lightning: Specifically catered to Apple devices like iPhones and iPads, allowing for seamless integration into the Apple ecosystem.

Device Compatibility:

  • Modern Devices: Works with devices that have USB-C ports, which are increasingly common in newer electronics.
  • Apple Ecosystem: Perfectly suited for users with Apple devices, providing a single authentication key for both their iPhones/iPads and their MacBooks or other USB-C devices.

Use Cases:

  • Apple Users: Ideal for users heavily invested in the Apple ecosystem who need a single, versatile authentication key for all their devices.
  • Tech-Savvy Individuals: Great for tech enthusiasts and professionals who use the latest devices with USB-C ports, ensuring they have the latest and most convenient technology for secure logins.

Managing Your YubiKey

You can comfortably manage your YubiKeys from desktop and mobile apps on all major operating systems. This includes Windows, macOS, Linux, and the mobile operating systems iOS and Android. All client software can be found on this website. Below, I will show you how to use a selection of apps: The Windows desktop app, and the mobile apps on iOS and Android.,

Desktop App

The Yubico Authenticator app on Windows can be downloaded from the Yubico website. You can choose to either download a local installer package, or install it from the Microsoft Store.

A YubiKey 5 NFC inserted into an USB-A slot of a laptop

In either case, after you installed and opened it, it will show you the connected YubiKey security keys:

Here, you have access to various details regarding your key. Similar to the mobile apps below, you can manage accounts, passkeys, and configure settings. The Accounts view shows the currently configured accounts on your YubiKey.

When selecting “Toggle applications” on the home screen, you can enable or disable specific authentication methods if required. This includes the OTP interface (see the Yubi Sneeze section below for more on why you would want to disable it).

If you select the “Slots” section, you can configure what happens when you press the YubiKey’s touch area for a short, or for a long period of time:

This allows you to customize the key to your needs, and manage whatever settings you have configured on it. The desktop apps for different desktop operating systems are very similar and offer the same feature set. If you use Yubico’s security keys, you should definitely install these desktop apps on your computer to have full control over your YubiKeys!

Mobile App: iOS

The Yubico Authenticator app is available from the iOS App Store. With just 3.6MB in size at the time of writing, it’s no burden at all for any half-way decent mobile device. This app is pretty capable for its size: It allows you to connect both, Lightning based and NFC based YubiKeys. You can use it to generate your acocunt-protecting OTPs, and you can manage different accounts on your YubiKey.

Once you start it, you are greeted with a welcome screen suggesting you insert a Lightning-based YubiKey, or pull down to open the NFC-based scanning mechanism.

Using the Lightning-based YubiKey 5Ci with the Mobile Yubico Authenticator App

Getting started with the YubiKey 5Ci on the iOS mobile app is a breeze. You just open the app, plug in the key, and you’re done. The first thing you will see is a screen telling you that (in case of a fresh key) you don’t have any accounts stored on this device. Tapping the little three dots menu button on the top right and selecting “Configuration” reveals the details of the device you plugged in.

Here you see the type, firmware version, and serial number of your YubiKey. You can also configure various settings on your device. This includes whether you want to enable or disable the OTP interface. This feature prints out an OTP via a keyboard interface on the USB device when touching its side buttons. Beyond that, on the “Passwords and reset” screen, you can set a password for each individual YubiKey (or remove it again). This screen also allows you to reset the entire key in case you want to give it away or replace it. Always be sure to not leave accounts attached to your physical keys before replacing them.

The YubiKey can also be used in conjunction with smart card services. External apps can install smart card certificates on your key and use it for authentication. This feature is beyond the scope of this article though. There is also a section for NFC settings. This will be important in the next section, when we look at using the 5 NFC key with the iOS mobile app.

Using the NFC-based YubiKey 5 NFC with the Mobile Yubico Authenticator App

The NFC keys in the YubiKey 5 series are very handy devices. You just hold them close to your phone, and they talk to the Yubico Authenticator app. For iOS, when the app is closed, you will get a popup about the key being near.

The NFC keys have a special feature for first use. When you first hold it close to your phone, they will bring you to a landing page that explains how you can activate your key. Before being able to use it, it has to be connected to a USB port for at least 3 seconds. This is a security measure put in place by Yubico to protect your key in transit before it arrives at your place. The key won’t give away its identity/signature before it has been activated. After you plugged it into a USB port, it triggers an NFC tag event on your phone when held near it. That event actually leads you to the Yubico Authenticator app if installed. Your key can now be used.

Beyond this security feature, the key behaves very similar to the 5Ci described above. When the app is open and the key doesn’t show up, pull down the screen and hold the key close to it. This will reveal an OTP. When operating on the settings screen, you have to pull down and hold the key close again to display its stats or settings.

The NFC settings apply to this type of key. How you want to configure them exactly depends on your specific needs and preferences.

Mobile App: Android

The Yubico Authenticator app is available from the Google Play Store as well. It functions very similar to the iOS app described above.

When you first open the app, it asks you to insert or tap your YubiKey (depending on whether you use USB-C or NFC). When you first insert a USB-C YubiKey, the Android OS will ask you to allow the use of the key. After you confirmed that, you can use it just like in the iOS app above. The options screen is also very similar to the one shown above: You can administer the general behavior of the app.

After you confirmed the key’s use in Android, the Yubico Authenticator app allows you to add OTP accounts to manage your 2FA keys. You can also add passkeys, which aim to replace passwords entirely. In the below case, you can add a total of 64 OTP accounts to the YubiKey 5Ci. This should be ample space for securing your access.

The Android app is small and fast – just like its iOS counterpart. Managing your YubiKeys (USB-C and NFC) is easy and well-supported by dialogs in the app.

Two-Factor vs. Multi-Factor Authentication

Two-Factor Authentication (2FA) involves two layers of security: something you know (like a password) and something you have (such as a YubiKey or a phone app). This additional step significantly increases security by ensuring that even if a password is compromised, the attacker cannot gain access without the second factor.

Multi-Factor Authentication (MFA) extends this concept further by incorporating additional factors, which could include something you are (biometrics like fingerprints or facial recognition), or something you do (behavioral biometrics). The combination of these factors makes unauthorized access exponentially more difficult.

YubiKeys are at the forefront of supporting these concepts. In the next sections, you will learn how to integrate the security keys into some common services to support your day-to-day personal digital security.

Integration Into Operating Systems

Modern operating systems like Windows 10/11 and many Linux distributions offer ways to integrate physical security keys into their sign-in flow. Windows offers the “Windows Hello” service that aggregates all kinds of sign-in methods (PIN, facial recognition, security keys, etc.), while Linux distributions make use of the PAM (“Pluggable Authentication Modules“) infrastructure. In this section, we will be looking at both, and how YubiKey security keys can be integrated into either sign-in procedure.

Windows Hello

Windows 10 and above offer a sign-in experience called “Windows Hello“. This feature aggregates different sign-in methods into one easy to manage framework. It is extensible using so-called Windows Authentication Packages and Credential Providers.

Yubico offers a package called Yubico Login for Windows that integrates with the Hello framework on Windows 10 and 11. The process isn’t necessarily difficult, but requires some careful consideration of configuration options and best practices. Please refer to Yubico’s guide for Login for Windows for how to set it up correctly.

Linux PAM

Linux distributions offer an extensible authentication framework called Pluggable Authentication Modules (“PAM“) that aggregates different kinds of authentication mechanisms. In its purpose and general usage, it is very similar to how Windows Hello handles the same use-case. PAM’s configuration can vary between distributions and has different settings to consider based on your system.

Like for Hello, Yubico offers their own PAM module: yubico-pam. You can view the source code on GitHub. For setup and configuration, please refer to Yubico’s guide for yubico-pam to make sure everything is configured correctly for your use-case.

Integration Into Services and Apps

Many websites, apps and alike, offer ways to protect your account through 2FA and MFA methods. In this section, I’m going into some of the most prominent ones: GitHub, Google, and Microsoft. Each of these accounts can be equipped with a 2FA YubiKey sign-in method and benefit from the additional layer of protection. The below guides assume you’re using Google Chrome, but other browsers have similar security key and passkey integrations available.

GitHub

Integrating your YubiKey with GitHub is a breeze. Yubico themselves have a pretty good article on that here. I’m outlining the major steps here with a tad more detail though and you should be set up in a breeze.

Setting up Your YubiKey for GitHub Account Protection

To reach the 2FA settings for your GitHub account, click your account picture in the top right after logging into GitHub, and select “Settings“. This will open a page with a long list of configuration sections. Open “Password and authentication“. Scrolling a bit down reveals the below screen for managing the Two-factor authentication options for your account (as explained above).

In the above picture, no 2FA options are configured yet. Before you can set up your YubiKey as 2FA device, you need to register an authenticator app. This can be done through the Yubico Authenticator app or other designated password management apps like 1Password. After you set up an authenticator, you are presented with the option to add hardware keys, as shown below.

Here you see which 2FA method you currently have set up and what else you can configure. On the top, the default method currently selected can be seen and changed. For adding a YubiKey to your account, click “Edit” on the “Security keys” row.

This item expands and offers a “Register new security key” button. After clicking this button, you can enter the name for the key you want to add. This is a vanity feature and helps you distinguish the keys you register, but doesn’t have any functional impact beyond that.

After you’ve done this, and assuming you use Windows and your browser supports security keys, a new popup will open:

Now plug in your YubiKey into your computer if you have not done so yet. Confirm this dialog afterwards. If your YubiKey is fresh and hasn’t been used yet, you will be prompted to set up a PIN for it.

After choosing a PIN, you need to physically touch your YubiKey. This is a great security measure all YubiKeys support. Where to touch your key depends on which one you use; for the two types described in this article, I explained that above.

This confirms and concludes your key setup for your GitHub account. You can now select the YubiKey security key as the default sign-in 2FA method:

This setup is very similar for other services, and if you set up other websites’ logins with your YubiKey, this should feel very familiar.

Logging into your GitHub Account with your YubiKey

To log into your GitHub account using your newly configured security key, simply go to the GitHub sign in page. Attempt to log in as usual, using your username and password.

You will be greeted by this new screen. If you didn’t configure a security key, this step would now ask for your also newly configured authenticator token. The method displayed here is determined by the preferred authentication method you selected above. The alternative methods can be seen below the security key button above. Click “Use security key” and you will see these two new prompts from your browser (assuming you use Chrome):

If you haven’t already, you will ne asked to insert your security key into a USB port. After that, you need to press the touch area on your key. Once you do that, you will be logged in to your GitHub account.

Congratulations, your GitHub account is now protected by a physical YubiKey security key!

Google

Just like your GitHub account described above, you can secure access to your Google account with a YubiKey, too. Yubico has a great explainer page here. The setup is straight forward though and you’ll have your YubiKey configured on no time. To do this, head to the Security section of your Google account. You will see a row titled “2-Step Verification“:

Clicking on it will ask for your Google password, which you should confirm. There is an option to set up a passkey directly, too. Don’t click that. For some reason, this will direct you to set up the passkey with Windows Hello instead of your YubiKey, which is not what you want. On the newly opened screen, croll down until you see the line “Passkeys and security keys“. Click on it.

You will see a screen asking you to confirm that you want to add a passkey to your Google Account. Select the option “Use another device“.

If you have services like 1Password installed, it will attempt to create the passkey inside itself. There is a little key device icon on its popup. If you click that, it will direct you back to setting up a security key (YubiKey in our case).

You will now see a series of prompts you are familiar with from the GitHub step by step instructions from above. Confirm them and enter the PIN you set up for your YubiKey (or set one up in this process if you haven’t already).

The passkey is now being created for your Google Account. A confirmation dialog will pop up and tell you that the device is now tied to your account and is ready to be used.

If you want to manage your YubiKey passkey for your Google Account, refer to the new line of registered devices inside your account:

The sign-in experience is very similar to what I described for GitHub above. Simply plug in your YubiKey into a free USB slot, and confirm any PIN and physical touch requests to sign in.

Microsoft

You can attach YubiKey security keys to your Microsoft account to protect it better, too. Yubico has a great article on this available. I’m outlining the major steps below though. To get started, sign into your Microsoft account. Open the “Security” settings section:

Here, select “Advanced security options“. Scroll down until you see “Add a new way to sign in or verify“.

Clicking this reveals a popup dialog asking what kind of method you would like to add. You want to add “Face, fingerprint, PIN, or security key“. Select this option.

This will trigger a confirmation dialog sequence similar to the Google Account description above. You will be asked for your YubiKey device PIN, need to confirm that you want to let the Microsoft page access its model and details, and need to physically touch it. Finally, a “Continue setup” dialog will ask for confirmation for setting up the key. Confirm this as well.

The Microsoft Account page now has access to your security key and can generate a passkey for you. You will be asked to name your new security key, which will be confirmed right after.

After you completed this step, you will find the newly created passkey in your Security section of your Microsoft Account:

From here, you can view its activity, details, or remove it again. Great, your Microsoft Account is now protected by a YubiKey device!

To OTP Or Not To OTP: Preventing the Yubi Sneeze

The physical touch area on the YubiKey devices is their prime feature for ensuring physical access to the device you’re trying to authenticate on. They are easy to use, very accessible, and reliable. All too often though, you might accidentally touch the metal surface and trigger an OTP print-out. The OTP interface in this case acts as a keyboard, and types the OTP characters into whatever windows you have open, followed by a press of Enter. This causes the OTP to be accidentally added to documents, typed into chat windows and being sent, or replacing whatever text you currently have selected. Informally, this is referred to as a Yubi Sneeze.

Since the large majority of authentication methods offered use the OATH (or the FIDO) interface, you can safely disable the OTP interface on your key. Both, the mobile app and the desktop app offer to turn off this feature, as described above. If you don’t have a specific use-case for OTP, or run into trouble without it, you can disable it if the Yubi Sneeze is an issue in your day-to-day interaction with your security key.

Conclusion

In summary, YubiKeys represent a robust and versatile solution to enhance your online security through Two-Factor and Multi-Factor Authentication. As technology advances and online threats evolve, having a reliable and secure method to protect your accounts is more crucial than ever. The YubiKey 5 NFC and YubiKey 5Ci offer distinct features tailored to different user needs, whether you require compatibility with a broad range of devices or seamless integration with modern USB-C and Apple ecosystems.

Setting up and managing your YubiKeys is straightforward, with comprehensive support for various platforms and services. The wide array of supported protocols ensures that you can use your YubiKey across numerous applications, providing a unified and secure authentication method.

If you’re looking to bolster your digital defenses and simplify your login process, YubiKeys are a highly recommended choice. Their small, durable design and powerful security features make them an invaluable tool in today’s digital landscape. Try a YubiKey today and experience the peace of mind that comes with enhanced security.

Disclaimer: The products reviewed in this article were kindly provided by Yubico. All opinions expressed above are my own, and I have received no further compensation (monetary or not) for writing this review.

If you liked this article and want to share your own thoughts or experiences, comment below to get the conversation started!

Leave a Reply

Your email address will not be published. Required fields are marked *