What is YubiKey and Do You Need One?

What is YubiKey?

In simple terms, the YubiKey is a USB security key. It’s a little key-shaped fob, developed by a company called Yubico, that plugs into your computer and, along with your password, completes the second half of a MFA web login. It can protect you from phishing and advanced man-in-the-middle attacks, where someone tries to intercept your two-factor authentication.

Why you may need the YubiKey

Having a unique password that is long, includes multiple digits, symbols, upper- and lowercase letters, is important. In fact, the stronger the password, the longer it takes hackers to guess it. (You can check your password strength and create a stronger password using online tools developed by NordPass.) However, having a unique password is only half of the battle and cybersecurity experts will recommend you to set 2FA where possible.

It’s a great way to make your accounts more secure. There are many different types of 2FA. The most common being a 6-digit code sent to you via a text message or generated by apps such as Google Authenticator. However, such verification methods aren’t foolproof. Text messages are the most vulnerable as hackers can intercept them using SIM swapping attacks. Apps, unfortunately, can also be compromised. That’s why Yubico turned to hardware.

The YubiKey adheres to an industry standard called Universal 2nd Factor, or FIDO U2F, which uses hardware and public-key cryptography to authenticate your logins. The YubiKey generates a one-time password of 6 or 8 digits, which matches your account and belongs to that platform only. It’s not a centralized service that can be hacked. In fact, to breach it, hackers would need physical access to your key.

What else is good about the YubiKey is that:

• It protects you from phishing. Spoofed URLs might be difficult to detect as they might look identical to the original website. The YubiKey checks the originality of the website you are trying to log in and only allows you to do so if it’s a match.

• It’s not tied to your identity. It simply wants to know that you are the same user; it doesn’t store information about who you actually are. Therefore, it’s a great security tool for journalists and activists who need to minimize their online footprint.

• It needs physical access. Usually, you need to press a button on the Key or tap your phone with it. This verifies to the website that you are not a bot logging into an account.

• It’s ubiquitous. Yubico knew that people would only use the Key if it’s simple, easily accessible, and compatible with multiple platforms. The Key was developed with the help of Google and Microsoft, meaning that you can use it across most platforms, including Facebook, Dropbox, Github, and popular browsers. You can even use it to sign in to your computer.

How does the YubiKey work

To use the YubiKey, you’ll first need to set it up with the platform where you want to have 2FA. The process might differ from platform to platform, but you’ll most likely just need to go to your security settings. Choose YubiKey as your 2FA and insert it into your USB slot for the platform to recognize it. Some Yubikeys also work over Bluetooth or NFC connection, in case you want to use it with a mobile device or you don’t have a USB port. Now, next time you log in:

1. Enter your account details as you normally would.

2. You’ll be prompted to enter your 2FA passcode. Insert the YubiKey and tap it.

3. It will generate the passcode and will automatically sign you in.

What if you forget or lose your YubiKey?

You may wonder, what if I lose the Key? Will I no longer be able to sign in and will be forever locked out of the platform? No. The YubiKey only provides a more secure and convenient way to complete your 2FA. If you don’t have access to the Key, you can use the same old methods you used before: an SMS text or an app. If you lose it, you’ll simply need to go to your settings and change your 2FA preferences.

How can NordPass help secure my account?

Using a password manager, like NordPass, is the first step towards your accounts security. It’s not just a convenient app where you can find your passwords when and where you need them, but it also:

• Helps you generate strong passwords with built-in password generator;

• Remembers your complex passwords so you don’t need to reuse them on multiple accounts. It’s one the most common reasons why accounts get hacked. Use unique passwords for all your accounts;

• Keeps your passwords in an encrypted vault protected by zero-knowledge architecture. Meaning that your data is encrypted before it leaves your device and reaches NordPass servers. You are the only one who can access and manage your login credentials. NordPass team can’t.

• Allows you to set upM2FA to add an extra layer of protection to your NordPass account.