yubico key questions

Kade b

Hey, I am planning on getting a Yubico key (biometric version). I am wondering if this is as safe as I can possibly get online, security-wise. I already have everything 2FA'ed, but I am interested in being even more secure.


2 hours ago, Kade b said:

Hey, I am planning on getting a Yubico key (biometric version). I am wondering if this is as safe as I can possibly get online, security-wise. I already have everything 2FA'ed, but I am interested in being even more secure.

Yubico keys can do multiple things:

1) Act like a simple OTP generator. So it will work like those 2FA generator apps. So the keys are generated by the key and not the device (like a phone). You need to plug the key into a device that has the Yubico program and then you can access your 2FA codes.

2) Storing passwords. The key can, as far as I know, store one or two passwords that get pasted when tapping the key. (So it pretends to be a keyboard and types in the password you saved on the key.) This might be useful for a password manager.

3) FIDO. This is a new standard for 2FA where you don't use some codes generated by an app but instead you just have to insert your key into the device (I think it also works with NFC) and have to tap on it. (You obviously have to activate it in your account settings.) Some services even allow you to sign in by only using the key. As far as I know this also doesn't allow you to get phished because the key will only work with the configured sites.

4) Computer login (as far as I know it might only work on Windows). So it's like Windows Hello (fingerprint or face unlock) but with the key. All you have to do in order to log into your computer is insert the key.

 

The bio version has the added bonus that it only works if it detects the correct fingerprint.

 

Important: If you lose your key you might not be able to log in. I've seen many people recommending getting two keys.

 

That's all I can say about the yubikey

I'd say a yubikey is as secure as it can reasonably get. In some ways it might make things easier because when using FIDO you don't have to type some 2fa codes anymore. You might also find the key useful if you don't want to use your phone for authentication.

 

I hope that has answered all your possible questions. If not, just ask.

 

Edit: found two good videos about yubikeys

1) About yubikeys in general:

2) About the yubikey bio:

 

 

Edited by Drama Lama


5 hours ago, Kade b said:

Hey, I am planning on getting a Yubico key (biometric version). I am wondering if this is as safe as I can possibly get online, security-wise. I already have everything 2FA'ed, but I am interested in being even more secure.

While 6-digit 2FA codes are more secure than a password alone, they can still be phished, especially through social engineering/spear phishing techniques that are very hard to detect. Hardware-based authentication like the Yubikey means that an attacker cannot phish 2FA codes because they need to be in possession of your Yubikey.

 

Yubikey 5 NFC is one of the best things I've spent money on as someone who was a victim of a well crafted phishing email that slipped past Gmail's spam filters in the past.

There is more that meets the eye
I see the soul that is inside
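
A simplified model of the difference the posts above describe, added here as an illustration and not code from any poster or from Yubico: a TOTP code depends only on a shared secret and the clock, while a FIDO-style assertion covers the origin the browser actually saw. `ToyKey`, `browser_get` and `server_verify` are hypothetical names, the origins are constructed, and HMAC stands in for the public-key signature a real security key produces.

```python
import hashlib
import hmac
import json
import os
import struct

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 code: a function of the shared secret and the clock only."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10**6:06d}"

class ToyKey:
    """Toy security key holding one credential secret per relying-party ID."""
    def __init__(self):
        self._creds = {}

    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]  # toy: a real key returns only a public key

    def sign(self, rp_id: str, client_data: bytes):
        cred = self._creds.get(rp_id)
        if cred is None:
            return None  # nothing registered for this site, so nothing to sign
        rp_hash = hashlib.sha256(rp_id.encode()).digest()
        msg = rp_hash + hashlib.sha256(client_data).digest()
        return rp_hash, hmac.new(cred, msg, hashlib.sha256).digest()

def browser_get(key: ToyKey, origin: str, challenge: bytes):
    """The browser, not the page, writes the origin into the signed data."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    signed = key.sign(rp_id, client_data)
    return None if signed is None else (client_data, *signed)

def server_verify(cred: bytes, origin: str, challenge: bytes, assertion) -> bool:
    """Relying-party checks: origin, challenge, RP ID hash, then the signature."""
    if assertion is None:
        return False
    client_data, rp_hash, sig = assertion
    seen = json.loads(client_data)
    if seen["origin"] != origin or seen["challenge"] != challenge.hex():
        return False
    if rp_hash != hashlib.sha256(origin.split("://", 1)[1].encode()).digest():
        return False
    msg = rp_hash + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(cred, msg, hashlib.sha256).digest())
```

Nothing in `totp` knows which site the code is typed into, whereas `browser_get` on an origin the key was never registered with returns nothing, and an assertion made for one origin or challenge fails `server_verify` for another.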

 

 


Also, some services like Gmail and Outlook now offer phone-based authentication but don't require 2FA codes. Enrolling via Google's Advanced Protection Program is free and you have the option to use your phone to confirm/deny a login, and in Outlook you can use their own Authenticator app to approve/deny logins with your Microsoft account as well.

 

 
