The other day I bit the bullet and decided to buy a Yubico key to secure my digital accounts. Here are my thoughts on the product.

Unboxing

The unboxing experience was pretty nice. It comes in a small blister pack which shows if the product has been tampered with, a nifty security feature there. This is shown below:

snazzy

Once the key is out of the packaging, that's it. It doesn't have any instructions enclosed, although it does have a guide linked on the back. So let's set up some sites to use it.

Setup

Setup varies from site to site, as it is down to the service to implement, but it's generally quite easy. You insert the security key into your computer and enable it on the account. The browser will prompt you to touch your security key, which is a protection built into most security keys. Having to press the security key physically means that it can be left in the computer: even if someone remotely accesses your computer and tries to log in, they will be unsuccessful. Here's an example of what you see when you try to log in to a service:

time to plug that badboy in

Plug in the security key, tap the button and boom, you're in! So let us talk about the benefits and drawbacks of the product, then I'll give my verdict.
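Why the touch matters on the service's side, as an added example (not code from this post or from Yubico): a minimal sketch of the checks a service makes on a WebAuthn login response before it verifies the signature, which is left out here. The service name, origin, challenge and helper names are constructed for illustration.

```python
import base64, hashlib, json, struct

FLAG_UP = 0x01  # "User Present" bit: the key sets it only after a touch

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, auth_data, *, expected_challenge,
                    expected_origin, rp_id, stored_sign_count):
    """Checks a service makes on a login response before verifying the
    signature (signature verification is left out of this sketch).
    Returns the new signature counter, or raises ValueError."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not a login assertion")
    if client.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch")
    if client.get("origin") != expected_origin:
        raise ValueError("origin mismatch")  # response was produced on another site
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # Layout: SHA-256(rp_id) | flags byte | 4-byte big-endian counter
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("no touch")  # the flag is part of the data the key signs
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("counter did not increase")  # possible cloned key
    return sign_count

# Constructed sample values (hypothetical service, not from the post)
RP_ID, ORIGIN, CHALLENGE = "example.com", "https://example.com", b"\x01" * 32

def make_sample(origin=ORIGIN, flags=FLAG_UP, count=5):
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(CHALLENGE)}).encode()
    auth = (hashlib.sha256(RP_ID.encode()).digest()
            + bytes([flags]) + struct.pack(">I", count))
    return client, auth

if __name__ == "__main__":
    expect = dict(expected_challenge=CHALLENGE, expected_origin=ORIGIN,
                  rp_id=RP_ID, stored_sign_count=4)
    print(check_assertion(*make_sample(), **expect))
    for bad in (make_sample(flags=0), make_sample(origin="https://login.example.net")):
        try:
            check_assertion(*bad, **expect)
        except ValueError as err:
            print("rejected:", err)
```

The response without the touch bit and the one produced on a different origin are both rejected, which is what makes a key left plugged in, or a lookalike login page, of little use to someone else.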

Benefits

  • Easy to set up and use
  • Supports both FIDO2 (U2F) and WebAuthn (a new passwordless authentication standard)
  • Supports NFC for authenticating mobile devices
  • Water and crush resistant
  • Relatively affordable
  • Makes account takeovers implausible

I think it's important to talk about that last point real quick:

The security key makes account takeovers pretty hard. Since hardware multifactor keys from the Yubico lineup were made mandatory at Google in 2009, they have not had a successful phishing attack against employees (source). This is some concrete evidence that the security key makes getting into your accounts rather hard. Now before my verdict, let's talk about a few drawbacks:

Drawbacks

  • A sad lack of support by companies for the protocol
  • Although possible, mobile support is also limited
  • If lost, accounts will have to be reconfigured

Overall, I think the Yubico Security Key NFC is worth a buy. It may be limited in support, but it comes at a good price and many accounts can still be secured by it. This model should also be good for a while, since it supports the WebAuthn standard, which is looking like the future of authentication. If you're interested in buying the product, here's a link to it on Amazon.

Any questions about the Yubico Security NFC? Any feedback? Feel free to contact me via the methods on my site. I know it has been a shorter post today, but hey, short and sweet, right? See you next time!