One of the easiest ways to increase your security is to switch two-factor authentication (2FA) or multi-factor authentication (MFA) on. These days, most services offer some form of 2FA protection for your account, adding another layer of security between an attacker and your private information.
Many people ignored the benefits of 2FA for a long time, reasoning it took too long or was complicated. But now, that couldn't be further from the truth, especially with the help of a physical hardware authentication key.
Yubico's YubiKey is one of the best hardware authentication tools available, and here's how it works.
What Is a YubiKey?
A YubiKey is a USB-like stick made by the company Yubico. Its latest range of USB security keys is the YubiKey 5 Series, which includes all manner of shapes and sizes, from a regular USB flash drive down to a tiny "nano" version.
At one end of the YubiKey is a USB connection, currently either a USB Type-A or USB Type-C port. You plug your YubiKey into the device you want to use, and then either press the button on the YubiKey when prompted or tap your NFC-enabled device to the YubiKey to grant access to an account.
Yubico designed the devices for ease of use and portability, which you'll note in the YubiKey's size (the same as a regular USB flash drive) and weight (the YubiKey 5 NFC USB Type-A weighs just 2.9g).
How Does a YubiKey Work?
Before delving into how a YubiKey works, consider how most 2FA procedures work.
You head to a website ready to sign in to your account. After entering your password, the service sends a unique passcode to a secondary validator, be that your phone, email account, or a physical key generator, like you might use to unlock your online banking portal.
Your account will remain locked until you enter the secondary passcode (known as a one-time password, or OTP) on the original service. If someone has your account password and you have 2FA enabled, the attacker will find it much more difficult to break into your account.
We're not going to say it's impossible to break in, because that simply isn't true, but 2FA works like a secondary line of defense.
Okay, now that you understand how 2FA works, let's look at how a YubiKey makes two-factor authentication much easier.
The YubiKey piece of hardware supports one-time passwords, public-key encryption and authentication, and various one-time password protocols, including:
- Yubico OTP.
- OATH HOTP and TOTP.
- FIDO U2F and FIDO2.
You can use a YubiKey to securely log in to supported accounts with a one-time password or a FIDO-based public/private key pair generated by the device. After entering the key, you press the gold button, and the touch of your finger gives off a small electrical charge which activates the device.
So, instead of the frustrating process of waiting for a 2FA code to arrive via SMS or email, or picking up your smartphone and opening an authentication app (like Google Authenticator), the YubiKey enters a unique and secure OTP at the push of a button.
How to Set Up a YubiKey
Yubico has designed the YubiKey to be as easy as possible to set up with a massive range of services. In the following tutorial, you'll learn how to link your YubiKey to your Google Account, but you can also head to the YubiKey Setup page and select the YubiKey model you own to see a comprehensive list of supported services.
- Head to your Google Account two-factor authentication page. You need to register your YubiKey as a two-factor authentication option in your account.
- You'll have to log into your account, after which you should select USB or Bluetooth External Security Key. Press Next.
- When prompted, insert your YubiKey.
- A Windows Security prompt may appear. If so, select OK. After a moment, you'll receive another prompt to Touch your security key. Do so. The YubiKey will register your touch instantly, and the setup process will continue.
- Once finished, your YubiKey will show as registered to your Google Account. The next time you log into your account, you can use the YubiKey in place of an authentication code.
Given the additional security that a hardware multi-factor authentication key delivers, the YubiKey is incredibly simple to set up.
Can You Use a YubiKey with a Smartphone or Tablet?
Yes, absolutely. Android devices have had YubiKey support for a long time, whereas Apple devices only received YubiKey support with the introduction of the YubiKey 5Ci, a double-ended hardware key with a Lightning connector at one end and a USB Type-C connector at the other.
The dual-ended hardware key is a great option for iOS users but means you can also use the YubiKey with other devices featuring a USB-C port (which many laptops and tablets support).
Setting up and using a YubiKey with a smartphone (or other portable) device follows the same process as the above section. Head back to the YubiKey Setup page and select the type of YubiKey you have, such as a YubiKey 5C NFC or a YubiKey 5Ci, then browse to the service you want to add protection to.
Follow the on-screen instructions and complete the YubiKey setup process. Depending on the service, you may have to set the YubiKey as your default security key or multi-factor authentication option. Otherwise, the smartphone app or service may default to your previous 2FA setting.
Why Use a YubiKey?
As with any piece of technology, the YubiKey comes with its pros and cons.
YubiKey Is Extremely Easy to Use
Setting a YubiKey up is a simple process. You open the service you want to use, insert the YubiKey into a USB slot, and tap the button when it glows. That's it. Now how could anyone possibly get that wrong?
YubiKey Delivers Extra Security to Almost Any Account—and Saves Time
Two-factor authentication is an excellent way to secure your accounts. For a long time, many users thought switching 2FA on was a time-consuming irritation that didn't deliver enough security benefit to warrant the interruption.
The positives of 2FA are well established, and most users expect to enter a second password or passcode to access their account.
Still, that doesn't mean two-factor authentication couldn't be faster or easier to use. Using a YubiKey removes the time spent waiting for a 2FA email or SMS to arrive or just picking up your smartphone to enter an authentication code manually.
Of course, you still have to set the YubiKey up with the account to begin with, but that small amount of setup time will save you heaps down the line.
YubiKey Is Very Difficult to Hack
An account with a weak password is an easy target. An account with 2FA becomes much more difficult to attack, but depending on the type of 2FA, it isn't impervious to attack or breach.
A YubiKey hardware device makes 2FA incredibly difficult to breach. The unique OTP the YubiKey generates is close to impossible to fake. Furthermore, as OTP protocols continue to develop, the security of the YubiKey itself increases.
Your YubiKey Cannot Get Infected
One common question about the YubiKey concerns malware and viruses. Can your YubiKey pick up a virus from your operating system or harbor a keylogger or other malware variant?
Well, rest easy. You cannot write to the YubiKey. The YubiKey firmware isn't accessible, and you cannot transfer files or other data to the hardware key, either. It isn't that sort of USB device. If you find that you can copy files to your YubiKey, it may be that you're using a counterfeit device, i.e. not a genuine YubiKey.
YubiKeys Aren't Expensive
Adding to the list of pro points is the cost of the YubiKey itself. 5th generation YubiKeys range from $45-$70. Given the advantages a YubiKey delivers, it isn't an enormous outlay.
YubiKeys Are Small, Lightweight, and Waterproof
Finally, the YubiKey is supremely easy to carry around with you. The YubiKey 5 NFC weighs just 3g and fits right onto your keychain. Furthermore, it is rated IP68, which means the YubiKey can withstand submersion in water up to 1.5m for up to half an hour.
Use the YubiKey Manager to Manage Your Hardware Keys
Now, when you get up and running with your YubiKey, the YubiKey Manager desktop app can take it to the next level.
Within the YubiKey Manager, you can use the Applications tab to adjust what the touch key on your YubiKey does. By default, Short Touch delivers a standard Yubico OTP, which works with almost every service.
However, you can adjust this for specific services. For example, you can set the Long Touch feature on the YubiKey to insert a specific Static Password, or set a FIDO2 PIN, or load a PIV Certificate.
Furthermore, you can use the Interfaces tab to switch YubiKey interfaces on or off. If you want your YubiKey only to use specific OTP modes while plugged in via USB, you can alter them from here.
What If You Lose Your YubiKey?
Losing your YubiKey isn't the end of the world. It is an issue, no doubt, but one that you can rectify. Most services with 2FA allow you to create backup codes or use a secondary two-factor authentication option to access your secured account.
For example, with a Google Account, you can copy the secret backup security code in your account to a safe place (very safe!) or configure an authentication app such as Google Authenticator or Authy at the same time as you set your YubiKey up.
Even if you don't have either of those options, it is still worth reaching out to any 2FA-secured service to determine if they have an account verification service that will let you unlock the account.
Don't let the fear of locking your account stop you from using 2FA, be that with YubiKey or an alternative method. The security benefits vastly outweigh the risks.
Is a YubiKey Worth It?
Now, onto the big question: is a YubiKey worth your hard-earned cash?
In the name of security, yes, a YubiKey is totally worth the outlay. A YubiKey adds a significant additional level of security to your online accounts, doesn't take long to set up, and isn't a huge outlay.
Two-factor authentication makes an enormous amount of difference to your personal security, and anything that can improve that situation, making it faster and easier to use, is worthwhile.