YubiKey Review: A hardware solution to a password problem

YubiKey Review
  • Price
  • Build Quality
  • Ease of Use
  • Features
  • Usefulness

Summary

The YubiKey is a small and unassuming hardware password solution that features static password, one time password and two-factor authentication options.

4.2

Passwords, they’ve become the bane of our lives. No longer do we simply have one password for our email account, but we now have a ton of passwords to remember.

The inconvenience doesn’t even stop there, no longer can we simply use our name and date of birth, we’re now told to use a combination of characters than not even a magician could remember, couple that with the fact we have to use a different one of those randomly generated passwords on every website we use.

It’s just too much, after the 10 or so main sites we use regularly from our bank to social media there are a ton of shopping sites, forums and whatever else that all want us to “log in securely” and don’t even get me started on this two-factor authentication malarkey!

Joking aside, the average person has a mass of passwords to remember and, unfortunately, the human brain isn’t up to the task. I’m a little old school when it comes to password storage and have about 30 or more all handwritten on a piece of paper. While not the most secure method, I figure the chances of my house getting broken into to steal my Paypal password is slightly more remote than my computer being broken into.

Old School password manager

Yes, that really is my current password solution (blurred of course).

For the past few weeks I’ve been using the YubiKey, a small unassuming hardware device that aims to take the hassle out of the password conundrum that plagues most of our lives. Read on in this YubiKey review to find out if it really is a hassle free password solution.

What is the YubiKey

A YubiKey is a small keyring sized device that you register with a service or site that supports two-factor authentication. Two-factor authentication means that each time you log in, the service will request proof that you have your YubiKey in addition to your regular username and password.

Phishing, malware, and other attack methods don’t work because they would need both your YubiKey and your passwords to breach your accounts.

There is a handful of different editions of the YubiKey, but I tested the YubiKey Edge that retails at around £25.00 which is also available in a Nano sized edition no bigger than your thumbnail.

Yubikey with Nano

YubiKey Edge and it’s smaller brother, the Nano.

The purpose of the device is to add an extra layer of security to your online accounts. The device itself does not store all your passwords but instead offers a selection of choices that include, static password, one time password (OTP), two-factor authentication (FIDO U2F) for sites such as Google and challenge-response.

To experience the full benefit of the device it should be paired up with a software password manager such as LastPass Premium. The software solution will store all of your passwords, but the YubiKey will store the master key to accessing those passwords either in static or OTP mode.

The YubiKey set-up

Having no previous knowledge of the YubiKey, I went into this review blindfolded. The device comes with a small booklet pointing you in the direction of the Yubico website. From here you download their YubiKey Personalization Tool.

I’ve been using computers my whole life and while no expert in all areas I also consider myself to not be a novice especially when it comes to everyday devices aimed at the public. The YubiKey Personalization Tool is rather overwhelming so where better to start than watching the introductory videos from Yubico to better understand the set-up procedure.

Depending on your use of the YubiKey the configuration tool can be rather confusing and I had envisaged a more novice friendly approach. While it certainly isn’t overly complicated and the video guides give a good view of what to do, I do feel that the extreme novice could struggle to set the device up and a more user-friendly step by step tool would be advantageous.

Set-up and writing of password configurations are handled through the personalisation tool which is available for Windows, Mac, and Linux.

Using the YubiKey

The YubiKey works on any device which has a USB port that can accept a USB Keyboard. In essence, the device functions as a keyboard but with one key that outputs your password. There is no battery in the device and it does not need installing which makes it simply plug in and play. I successfully used it on both my desktop and laptop/tablet hybrid.

YubiKey Tablet

Works effortlessly with desktop or tablet.

The YubiKey NEO, a more expensive option also features NFC meaning it can be used with your mobile by holding it or swiping it across the device.

Static Password

From within the personalization tool you have the option to either type a password of your choosing or can use the advanced options to generate one. The advanced options are rather in-depth and most new users will be best sticking to the easier “Scan Code” option.

After choosing the configuration slot, it’s simply a case of entering your password followed by pressing Write Configuration for the password to be written to the YubiKey.

YubiKey Personalization Tool

The static password can be used in a multitude of situations from being a single access for a specific site such as your bank or a VPN provider but works best in tandem with a password manager.

Usage is simple, visit the site of the password you’ve stored, enter your login, insert the YubiKey and press and hold the small gold circle on the device for a few seconds, your password is then automatically entered for you.

A handy tip I read elsewhere was to type a portion of a password that was memorable and then finish it off with the auto input section from the YubiKey. This ensures if you ever lost the key, someone who found it would need to know the memorable portion too which is extremely unlikely. I thought this was a superb tip and certainly worth mentioning.

A static password on the YubiKey would be susceptible to a key-logger so it isn’t a fool-proof solution for slack security on your part.

One Time Password (OTP)

OTP is set to work well with services such as LastPass especially the Premium edition. Upon logging into LastPass the process is the same as normal except an added layer of security is enabled by touching the YubiKey to generate a one time password.

This allows you to login securely and safe in the knowledge that not only would someone need to know your login and password but they would also need access to your YubiKey to generate the OTP.

A static password would be susceptible to a key-logger but a OTP would avoid this issue as after the password is used it can never be re-used to login again.

Two Factor Authentication

The area the YubiKey really comes into its own is two factor authentication which is used by sites such as Google to provide an extra layer of security to your account. As per usual you have your standard login and password but a second factor requires another layer to gain access.

The YubiKey is that second layer. The set-up was extremely simple. All it entailed was logging into My Account at Google, locating the 2-step verification settings and adding the YubiKey, one press of the device and set-up was complete.

Any future attempts to login to your Google account from a system other than your own, not only will you have to enter your password but you’ll also have to quickly tap the YubiKey button to login.

The process is effortless, fast and foolproof adding an extra layer of security to your account with minimal effort.

With Google having so many facets such as GMail, Google+, Adwords, Adsense, Analytics and a whole host of other apps having your password stolen will no longer be the end of the world because without the YubiKey no one can access your personal account.

If you’ve got the premium version of LastPass you can enable two-factor authentication (2FA) on this as well as a range of other systems that support the YubiKey.

Final thoughts

The YubiKey is a small, relatively cheap and practically indestructible password security tool. It has a multitude of uses and can solve a manner of password and authentication related issues.

YubiKey and YubiKey Nano

YubiKey and YubiKey Nano side by side.

While the system isn’t as easy as it could be to set-up in some cases and novices may struggle, once configured it was a joy to use.

I attached the device to my keyring that got thrown in all manner of pockets, bags and on various hard table surfaces. Apart from a few minor scratches from the keyring when first attaching it the device remained intact and is extremely robust. Trying to bend the device by hand is basically impossible (I know, I tried, YubiKey 1 – Hand 0).

Having an added layer of security for my Google account really does give peace of mind and the fact anyone attempting to login would need my YubiKey really is a weight off my mind.

With password security becoming ever more prevalent and simple passwords often being the weakest link in security either from poor password choice or company database hacks, having a second protection layer is important in an ever more connected world.

For the relatively inexpensive price I’d seriously recommend considering picking up a YubiKey and if you make use of a password manager such as LastPass, KeePass or one of the other large managers then it is certainly a requirement to protect your security.

Beginners may struggle to understand the set-up but for everyone else it really is an essential tool.