SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Hands-on review: Quick and easy authentication with YubiKeys
Wed, 12th Dec 2018

Consumers tend to believe that setting up two-factor authentication puts them at the height of cybersecurity best practice, but this belief is mistaken.

Mobile text-based two-factor authentication is no longer a trustworthy second factor as it isn't effective against phishing attacks.

Social engineering scams can and do cause text messages to be routed to cybercriminals' devices, porting the second factor to a mobile device owned by a criminal.

Instead of text-based two-factor authentication, one of the most secure options available to consumers is a security key such as Yubico's YubiKey.

YubiKeys use a hardware chip to provide safe and secure authentication, and their use is mandatory for all Google employees.

As someone who has been aware of how easily text-based two-factor authentication can be compromised for a while, I was really excited about the opportunity to review a YubiKey.

What it did well

I decided to use the YubiKey 5C, which is compatible with USB-C ports.

The YubiKey is easy to set up from any web browser, with a start page that links you to setup instructions for several of the services you will most likely want to use it on.

I found some services easier to set up than others, with most requiring you to set up a mobile number for two-factor authentication (the exact thing I was trying to avoid) before allowing you to set up the YubiKey and delete your mobile number as a factor.

However, in all cases, the YubiKey was detected and registered by my laptop and the service easily.

Once set up, authentication with the YubiKey involves plugging in the key and touching the gold button on the key.

I liked the simplicity of this one-touch process, and I can see how it can be adopted easily by even those who don't consider themselves to be tech-savvy.

I was also surprised to see how wide the variety of platforms supporting the YubiKey was, ranging from enterprise platforms like ESET, RSA, and Salesforce, to the opposite end of the spectrum with gaming platforms such as Nintendo and Electronic Arts.

The YubiKey is also made to be highly durable – it's crush- and water-resistant.

NFC and Passwordless 

The YubiKey range also includes a YubiKey 5 NFC version that can be used with NFC-enabled mobile devices.

As an iPhone user, I wasn't able to test this feature. However, having an NFC-enabled security key brings a new level of convenience to two-factor authentication on mobile devices that doesn't need to be tied to a SIM card.

For enterprises whose employees have multiple endpoints, this is a great way to provide passwordless tap-and-go authentication to services such as Microsoft Accounts.

YubiKeys also come in nano versions, with extremely small form factors compatible with USB and USB-C ports.

Yubico says the nanos are designed to sit semi-permanently inside a USB or USB-C port so they don't fall out of machines like laptops, which get moved around a lot.

This correlated with my experience, and I found that the nanos were highly unobtrusive and virtually invisible once plugged into my laptop. 

Yubico's aim with the nanos is to provide a seamless user experience that is easy to use, fast and reliable and is proven to significantly reduce IT costs.

The 5C Nano can also work with supported mobile devices via their USB-C ports.

Verdict

Two-factor authentication was meant to make it easier to secure online services, but cybercriminals have found a way around text-based authentication.

YubiKeys offer a highly simple and secure alternative two-factor authentication token that is easy to set up for both consumers and enterprise users.