A single layer of authentication doesn’t cut it anymore: passwords are often the primary target of data breaches, leading to users looking for the most effective multi-factor authentication (MFA) measures. Some prefer biometric recognition, others additional verification codes, while hardware devices like YubiKey have an audience of their own. Let’s find out what a YubiKey is, how it works, and how it stands up compared to other authentication methods.
How does a YubiKey work?
Simply put, the YubiKey is a security key developed by the FIDO Alliance and manufactured by Yubico. Each YubiKey device is assigned a unique code which, when plugged into a computer, can authenticate the user’s identity. In addition to the USB keys, NFC YubiKeys are used for authentication on mobile devices.
YubiKeys use cryptographic keys to authenticate login attempts. They support a number of MFA protocols, such as passkeys, one-time passwords, and Universal 2nd Factor (U2F), and help protect users from advanced man-in-the-middle attacks, where the malicious actor attempts to intercept two-factor authentication.
How to set up a YubiKey
Unlike with traditional passwords, YubiKey holders don’t need to remember a separate code to authorize a login attempt—the YubiKey works when plugged into or tapped against the device, and the user only needs to press a button to activate it. Similarly, to set up the YubiKey as an authentication device, the user only needs to choose it as their preferred option in the account security settings.
What services and applications support a YubiKey?
Although YubiKey authentication isn’t the most popular multi-factor authentication method, it’s broadly available for both personal and business use. It can be used to authenticate login attempts to websites, applications, and databases.
Everyday users can rely on YubiKeys to authenticate login attempts to social media and email accounts, and access sensitive data such as banking information or personal medical records. Services like Microsoft and Google not only support YubiKey authorization, but the tech giants behind them have contributed to the key’s development as a whole.
YubiKeys can work in tandem with password managers. The key can be used to add a layer of security to the password manager itself, while the credentials generated using the password manager can strengthen the first line of defense for the user’s accounts.
YubiKey’s popularity is growing, and the industry is seeing an increase in use cases for YubiKeys. These security keys have already become a favorite for many companies that seek out advanced employee security practices. FAANG companies are issuing employees with personal YubiKeys for work-related authorization, ensuring that all sensitive information can only be accessed by verified users.
YubiKey also adds flexibility for remote and hybrid workers. With a YubiKey, they can easily access databases and work accounts anywhere around the globe without risking unauthorized data exposure. Since a YubiKey needs no network connection to operate, it exposes no remote attack surface of the kind hackers exploit on open Wi-Fi networks.
What are the benefits of YubiKey authentication?
The YubiKey is considered one of the safest multi-factor authentication methods. Its compatibility with mobile and desktop devices makes it a flexible option for individuals and business users alike. The USB version is compatible with common ports found on hardware devices, like USB-C or Lightning, and most modern laptops are built with a designated security key dock.
The YubiKey is physically sturdy as it’s water- and crush-resistant, making it a reliable long-term investment into security. It does not require any third-party applications to operate, although additional applications can be used for custom configurations.
Whenever you log in to an account that uses YubiKey authentication, the key checks the legitimacy of the website: the credential it holds is bound to the site it was registered with, and the login attempt is only validated if the site’s origin matches. This protects you from accidentally logging in to a spoofed website and revealing your credentials to cybercriminals.
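To make that origin check concrete, here is an added Python example (not code from the original article, and not Yubico’s or NordPass’s code) of the checks a website’s server runs on a FIDO2/WebAuthn login response. The browser records the origin of the page that requested the login, the key scopes its credential to the site’s relying party ID, and the server verifies both against its own identity before it even looks at the signature. The relying party ID example.com, the origin https://example.com and the sample response are constructed for this example.

```python
import base64
import hashlib
import json
import os
import struct

# Constructed identity of the relying party (the website) for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

FLAG_USER_PRESENT = 0x01   # UP bit: the user touched the key
FLAG_USER_VERIFIED = 0x04  # UV bit: the key also checked a PIN or biometric


def b64url_decode(text: str) -> bytes:
    """Decode the unpadded base64url that WebAuthn uses in clientDataJSON."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, rp_id: str = RP_ID,
                     expected_origin: str = EXPECTED_ORIGIN,
                     require_uv: bool = False) -> bytes:
    """Server-side origin-binding checks on a WebAuthn assertion.

    Returns the bytes the key signed (authenticatorData || SHA-256(clientDataJSON));
    checking the signature over them with the stored public key is the final
    step and needs a crypto library, so it is left out here. Raises ValueError
    on any mismatch.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replayed or wrong session)")
    # The browser, not the page, fills in the origin, so a look-alike domain
    # such as examp1e.com cannot claim to be example.com.
    if client_data.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {client_data.get('origin')!r}")

    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & FLAG_USER_PRESENT:
        raise ValueError("user presence (key touch) not asserted")
    if require_uv and not flags & FLAG_USER_VERIFIED:
        raise ValueError("user verification (PIN/biometric) required but absent")
    # Bytes 33..36 hold the signature counter; a real server compares it with
    # the stored value to spot a cloned credential before trusting the login.
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def make_sample(origin: str, challenge: bytes, rp_id: str = RP_ID,
                flags: int = FLAG_USER_PRESENT):
    """Construct what a browser and key would return (sample data, not captured)."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", 1))
    return client_data_json, auth_data


if __name__ == "__main__":
    challenge = os.urandom(32)
    signed = verify_assertion(*make_sample("https://example.com", challenge), challenge)
    print("genuine origin accepted; signature covers", len(signed), "bytes")
    try:
        verify_assertion(*make_sample("https://examp1e.com", challenge), challenge)
    except ValueError as err:
        print("spoofed origin rejected:", err)
```

The challenge check is what stops a captured response from being replayed, and the origin and rpIdHash checks are what make the key useless on a spoofed site: even a user who is fooled into tapping the key on a look-alike page produces a response the real site rejects.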
There’s one caveat to carrying around your YubiKey for authentication. Due to its size, a YubiKey can be easy to lose. So, if you choose a YubiKey as your authentication device, make sure you store it in a secure location. Yubico officially recommends users have a backup YubiKey device that can be activated if the primary key is lost or stolen.
Even if you lose your YubiKey device, you don’t have to worry about any of your personal information being exposed, as the security key does not act as a storage device. If someone steals your YubiKey but doesn’t know your password, they still won’t be able to break into your account.
YubiKey vs. other authentication methods: how do they compare?
YubiKey is one of several alternatives that individuals and companies use as the next step of multi-factor authentication. Let’s see how YubiKey authentication compares to passkeys, third-party apps, and text message codes.
Passkeys
It’s not unusual to see passkeys mentioned alongside YubiKeys in discussions about MFA. Both authentication methods are the brainchildren of the FIDO Alliance, falling under the FIDO2 umbrella. Both offer a passwordless solution to account authentication and protection. And, of course, both are uniquely encoded.
The core difference between passkeys and YubiKeys is the hardware. Passkeys use a combination of biometric verification with cryptographic keys. The process is validated with a mobile phone, tablet, or laptop. Passkeys can also be stored in third-party password managers like NordPass and synchronized between devices at the user’s convenience.
YubiKeys act as passkey storage themselves, albeit with storage restrictions. YubiKey codes cannot be replicated or transferred to a different device, making them less flexible than passkeys.
Choosing between a passkey and a YubiKey comes down to the user’s preference. Both methods follow the FIDO2 protocol, making them strong authentication mechanisms for individuals and organizations.
Authentication apps
Authentication apps are another popular way to support MFA. Apps like Google Authenticator or the built-in NordPass Authenticator allow users to generate time-based one-time passwords (TOTPs) on their devices whenever they log in to a website or app. Codes generated by authentication apps are generally short, averaging 6 characters, and reset after a set period, usually between 15 and 60 seconds.
YubiKeys were initially built to produce highly complex, 44-character unique one-time passwords (OTPs) for account authentication. However, as the YubiKey technology has evolved, it has switched to passwordless authentication. While it’s still possible to produce the OTPs using a YubiKey device, WebAuthn is now the preferred authentication method.
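As an added illustration of that 44-character format (example code, not from the original article or from Yubico), the block below shows the first steps a validation server takes on a YubiKey OTP: checking the length, decoding Yubico’s modhex alphabet, and separating the 12-character public ID (which identifies the physical key) from the 16-byte encrypted token that carries the key’s counters. The sample OTP and the registry of known keys are constructed for the example; decrypting the token needs the key’s AES secret and is not shown.

```python
# Yubico modhex: 16 symbols chosen to survive keyboard-layout differences,
# mapped in order to the hex values 0x0..0xf.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44        # default YubiKey OTP: 12-char public ID + 32-char token
PUBLIC_ID_CHARS = 12


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to bytes, two symbols per byte."""
    if len(text) % 2 or any(ch not in MODHEX_ALPHABET for ch in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX_ALPHABET.index(ch) for ch in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(otp: str):
    """Return (public_id, token): the public ID stays in modhex because that is
    how servers index keys; the token is the 16-byte AES ciphertext."""
    if len(otp) != OTP_LENGTH:
        raise ValueError(f"expected {OTP_LENGTH} modhex characters, got {len(otp)}")
    public_id = otp[:PUBLIC_ID_CHARS]
    modhex_decode(public_id)  # validates the public ID's alphabet as well
    token = modhex_decode(otp[PUBLIC_ID_CHARS:])
    return public_id, token


def identify_key(otp: str, registry: dict):
    """Look the OTP's public ID up in a (constructed) registry of enrolled keys.

    Returns (account, token) or None if the key is not enrolled. Only after this
    lookup does a real server fetch that key's AES secret, decrypt the token and
    check its counters for replay.
    """
    public_id, token = split_otp(otp)
    account = registry.get(public_id)
    return None if account is None else (account, token)


# Constructed sample: a registry with one enrolled key and an OTP from it.
SAMPLE_REGISTRY = {"cccccccccccc": "alice@example.com"}
SAMPLE_OTP = "cccccccccccc" + "cbdefghijklnrtuv" * 2

if __name__ == "__main__":
    result = identify_key(SAMPLE_OTP, SAMPLE_REGISTRY)
    print(result[0], result[1].hex())   # alice@example.com 0123456789abcdef0123456789abcdef
    print(identify_key("vvvvvvvvvvvv" + "c" * 32, SAMPLE_REGISTRY))  # None: unknown key
```

Because every OTP a key emits is tied to its public ID and to counters inside the encrypted token, a captured OTP is only useful against the one service it was issued for and only until the key’s next use, which is the difference in scale the article draws between a 6-digit code and a 44-character one.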
Both authentication apps and YubiKey OTPs offer a similar level of convenience. They require a single device to generate codes and grant instant access. However, as a hardware device, the YubiKey is more resilient to breach attempts. Third-party authentication apps may be prone to cyberattacks or phishing attempts.
Consider a scenario where a scammer contacts a user and tries to extract the authentication code from them to break into their accounts. Upon seeing that the required authentication method is an app, they’d be more likely to carry on. After all, it’s easier to get a user to reveal a 6-digit code than a 44-digit one.
The time-based reset aspect adds a layer of reliability to authentication apps, as the timer makes it more difficult for cybercriminals to get around. The YubiKey authenticator adds extra speed by autofilling the authentication code as you press the button on your key, saving you the time of typing in all 44 characters.
SMS-based 2FA
Although SMS-based authentication is considered one of the weaker methods, it remains popular due to its ease of use. To set up SMS authentication, the user inputs their mobile phone number and receives a one-time password upon each login attempt.
Compared to YubiKey authentication, relying on text messages is pretty flawed. Phone spoofing and SIM swapping are popular social engineering tactics that aim to extract the authentication code sent to your number. In the former tactic, cybercriminals call their targets, pretending to be from a legitimate service, and ask for the SMS code for verification. For the latter, hackers call the target’s phone service provider, pretending to be the victim, to gain access to the number.
The YubiKey cannot be remotely overtaken by malicious actors. It’s an offline device that does not require an internet or mobile network connection. The ease of authentication without needing to reveal or input a one-time password ensures that user accounts are more resilient to phishing attacks.
The YubiKey can also protect your texting apps from within—it can connect to the phone via the USB dock or by using NFC to authenticate attempts to log in to these services. It also saves you the headache of updating all your accounts with SMS authentication if you change your phone number.
Combining your YubiKey with NordPass
Whether it’s for personal or work-related use, you want to maximize your account protection. Combining NordPass with a YubiKey makes it easy to leverage a higher level of security without making things complicated.
NordPass is a secure password manager that lets you generate strong and unique passwords, as well as store and manage passkeys for all your accounts. It uses zero-knowledge architecture and advanced XChaCha20 encryption to protect your sensitive data and keep all your credentials accessible in a vault that can only be accessed with your authorization.
As a member of the FIDO Alliance, NordPass understands the role that passwordless authentication will play in the near future. Lost access to your YubiKey? Don’t worry—switch your preferred authentication method to an authenticator app. From here, you can use the NordPass Authenticator to generate one-time codes along with your passwords. You can even use the YubiKey with your Nord Account, putting your digital security first.
FAQ
Each YubiKey device has a unique code embedded in it, so it can be used on multiple devices to authenticate the same person’s login attempts. If a YubiKey is NFC-compatible, it can be used with both desktop and mobile devices.
If you’ve lost your YubiKey, you can select an alternative authentication method, such as an authenticator app or backup codes provided by the app or website, or use a backup security key. Alternatively, you can request a complete account reset.
If your YubiKey has been lost or stolen, you can use a backup security key for future account authentication. Yubico recommends users set a FIDO2 PIN before they start using the device for additional security. If you cannot retrieve the lost key, reset the authentication method on your accounts. If you suspect these accounts have been breached, change your passwords immediately and set up a new MFA method.
Yes, the YubiKey fully supports FIDO2 passwordless authentication.