YubiKey: Hardware Security Key

perd1x
5 min read · Sep 18, 2022

During my research I came across a very interesting article written by the professionals at Kaspersky, which I link here. I found it inspiring and decided to share my views about YubiKey.

I’m getting more and more serious about online security, and I always end up repeating the same motto: security is layered. The more layers you have, the safer you are.

In fact, taking security seriously requires at least a passing familiarity with multi-factor authentication, or MFA. Single-use codes sent by text message or email are probably the most common type of MFA, but they are not the best option, and more secure methods exist. YubiKey supports several of those methods in a small and affordable package. It’s a pretty great little gadget.

Honestly, everyone should have one of these things.

Hardware Multi-Factor Authentication

It’s not nice to say this, but the truth is that all these years of the internet and technology have taught us that passwords are terrible.

Most are too easy for attackers to figure out, and the rest are too long or complicated for humans to remember. That’s why companies offering password managers such as LastPass or 1Password have sprung up.

But even “secure” passwords are useless once they’ve been leaked, and leaks are basically inevitable. For these reasons, and more, it’s a good idea not to rely entirely on passwords.

That’s where MFA comes in. With multi-factor authentication, you need at least two things to log in: your password, yes, but also something else that proves you are who you say you are, such as an SMS code, an email code, or an authenticator app.

YubiKey represents a third way of doing multi-factor authentication: hardware authentication.

Why use YubiKey instead of other MFA?

It works with hundreds of applications out of the box and without client software. You connect the key, authenticate, and boom!

Here you have a list of reasons to use it:

  • Convenience
  • Much longer codes
  • Easy to migrate
  • Really hard to hack

[Image from Yubico website]

How does it work?

While we might consider it just another layer in your daily security, it is actually the strongest one.

When you sign in to an app that has the key configured, it asks for your password and then prompts you to connect your YubiKey to the device. The key sends a unique code that the service can use to confirm your identity.

This is more secure because the codes are much longer, and more convenient because you don’t have to type the codes yourself.
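To make the flow above concrete, here is a small simulation I have added (it is not Yubico’s code or protocol): the service issues a fresh challenge, the key answers with a code derived from a device secret that never leaves it, and the service keeps only a per-user verifier. It uses a shared-secret HMAC model as a simplification; the names SimulatedKey, Service and login are my own.

```python
import hashlib
import hmac
import os

class SimulatedKey:
    """Stand-in for the hardware key: one device secret and no account list."""

    def __init__(self) -> None:
        self._device_secret = os.urandom(32)  # never leaves the 'device'

    def _service_key(self, service_id: str, cred_id: bytes) -> bytes:
        # Derived on demand from the device secret and the credential id the
        # service hands back, so the key itself keeps no record of services.
        return hmac.new(self._device_secret, service_id.encode() + cred_id,
                        hashlib.sha256).digest()

    def register(self, service_id: str) -> tuple[bytes, bytes]:
        cred_id = os.urandom(16)
        return cred_id, self._service_key(service_id, cred_id)

    def respond(self, service_id: str, cred_id: bytes, challenge: bytes) -> bytes:
        # 32-byte code bound to this challenge: new challenge, new code.
        return hmac.new(self._service_key(service_id, cred_id), challenge,
                        hashlib.sha256).digest()

class Service:
    """Relying party: keeps a per-user verifier and issues one-time challenges."""

    def __init__(self, service_id: str) -> None:
        self.service_id = service_id
        self._creds: dict[str, tuple[bytes, bytes]] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str, key: SimulatedKey) -> None:
        self._creds[user] = key.register(self.service_id)

    def challenge(self, user: str) -> tuple[bytes, bytes]:
        self._pending[user] = os.urandom(32)
        return self._creds[user][0], self._pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)  # single use: replay fails
        if challenge is None:
            return False
        expected = hmac.new(self._creds[user][1], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(service: Service, user: str, key: SimulatedKey) -> bool:
    # The 'connect the key and authenticate' step: service asks, key answers.
    cred_id, nonce = service.challenge(user)
    return service.verify(user, key.respond(service.service_id, cred_id, nonce))
```

A captured response is useless a second time, a different key cannot answer for the enrolled one, and the key object holds no table of accounts, which is the property the "What if someone steals my YubiKey?" section below relies on.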

Set up YubiKey

If you are like me and use MFA in (almost) all your applications, then you will have some work to do to activate YubiKey in all of them. But for the sake of the security of your accounts, I think it’s well worth the effort.

Here you have the steps:

  1. Plug in your YubiKey.
  2. Head to yubico.com/setup and click your device.
  3. Browse the list of supported apps and find what you want to secure.
  4. Follow the instructions.

It would be impractical to describe here all the steps for every application that supports this technology, since they vary from one application to another.

For that same reason, you will find much more detail by following the instructions above. Besides that, Yubico has videos explaining the step-by-step process for most apps, and it’s very simple!

Can I use it on multiple devices?

Short and simple answer: yes!

In fact, all you need to do is connect the YubiKey to any computer and log in as you normally would. That’s right, you can log in to all your accounts, just like before. You can use your YubiKey to log in on as many devices as you want, as long as the device has a port for it or supports NFC.

What if I lose my YubiKey?

Well, if that happens to you it won’t be good, but most services that offer MFA have some sort of verification process for logging in after you lose your credentials. Keep in mind, though, that the process is going to take some time, and it’s going to be a big problem.

It’s much better to be prepared in case this happens, so make sure you have backup codes stored somewhere safe, or a second MFA method configured.

What if someone steals my YubiKey?

Technically speaking, usernames and passwords are not stored within it. So anyone who finds yours will have no way of knowing which accounts it can log into.

This is not entirely true if the attacker who stole it knows it’s yours (taken from your home or office, for example). But anyone who finds a YubiKey on the street, or at an airport, will not be able to find out whose key it is.

You should have a plan B

However, if it hasn’t happened to you yet, let me tell you that there are ways to prevent problems like this from leaving you without access to your applications.

  • The vast majority of services that support MFA allow you to create backup codes. Make sure you do, and keep the codes somewhere safe, ideally offline. A good option is to print them out and put them in a safety deposit box if you have one.
  • You can also add a different type of MFA to each service you have set up with YubiKey. I would say that all applications that allow using YubiKey also offer other authentication methods. You can check this with each application.
  • Another alternative is to buy an extra YubiKey, add it as an option to all your services, and keep it in a safe place.

Conclusions

Yubico (the company that develops YubiKey) has been working on this product since 2007, the year it was founded. It is clear that the YubiKey hardware security key is effectively protecting users.

Despite several ups and downs, and some more serious problems with model 4 in some circumstances, model 5 seems to have proven much more solid, creating a barrier that makes any kind of attacker think twice.

But keep in mind that you should have more than one MFA method configured. One of the most important lessons you learn when working with multi-factor authentication is to always have a backup form of authentication.

For example, if you’ve set up a service to use SMS and an authenticator app on the same phone… oh boy! You’re in a world of trouble if that phone is lost, stolen, or damaged.

There is no universal answer to how we should protect our applications.

But one thing is for sure, the more layers you have, the safer you are.

perd1x

I am a security engineer, and here I express my opinions on various topics. You can find the most varied subjects that are part of the cyber security world.