Yubico YubiKey 4 – Review
I’m a big fan of 2FA (2 Factor Authentication) and with the amount of news about data breaches, everyone else should be too.
There are several ways of getting 2FA up and running and practically all modern services support some method of securing your accounts. The majority use your phone in some manner, either for a text, email or even a 2FA app which generates a code or provides an on-screen prompt you need to acknowledge.
Enter Yubico with the YubiKey: a physical 2FA device that you plug into your device in response to these prompts.
I have 2FA on most of my accounts, opting for the choice of an app on my phone to generate a code that I enter at the required prompts, a phone which, as you will probably understand, I always have on me.
Being a physical device, the YubiKey doesn’t rely on having a signal or access to a network or a charged device to give you access to your accounts, which is a plus over other configurations like a phone app, or SMS. You simply plug it in, occasionally press the button and go.
When the YubiKey 4 arrived, I must admit that I expected a bit more than what was in the packet. After emptying the cardboard envelope, a small plastic wallet fell out with the YubiKey 4 sat inside.
The back of the envelope simply points you on to https://www.yubico.com/start/ to begin the process of setting up.
This is where you find out that you can link a lot of apps and logins with the YubiKey, a list that is only getting larger and larger as more and more sites/services start adding U2F (Universal 2nd Factor) authentication support.
(One thing to note is that the list, although growing, does heavily favour business platforms such as Salesforce, Citrix and DUO.)
However, there are still plenty of options for those wanting to use it at a more home user level.
For example, one of the primary uses I set it up for was as a secondary authentication for my LastPass account, which was as simple as going into LastPass and following the steps to add the YubiKey.
I have the YubiKey set up alongside my usual 2FA method on LastPass so that, should I need it on my phone, I can still use generated codes to unlock it.
I also have it set up to log into my laptop using the associated Yubico app, which allows you to log in via Windows Hello, and I was impressed at how simple this was to set up.
After these initial setups it became plug in and go, or a simple enough press of the button to sign in.
Though I do have some reservations about just how simple it is to log in with this method…
Before using the YubiKey 4 I was a bit hesitant about having a device that doesn’t rely on a PIN or another layer of protection to prevent someone from having access to your info (beyond already having your password, that is).
To be honest I still am a bit wary of such a device. There are strengths to having a physical 2FA device such as a YubiKey over a smartphone app, with the main one being that it needs to be plugged in and the button pressed to gain access.
Some of the implementations can be a bit at odds with a security-conscious mind and offer a semblance of having the key to the kingdom, especially the Windows login app, which seems to aim towards being more of a convenience than security in my mind.
This all puts the YubiKey in an awkward position: it costs around $40 for the one I have here on review (with other models costing a slight bit more) and whilst it offers support for a lot of services, as a consumer there are several free apps that offer enough functionality with the same services.
One thing I do like is the robustness of the YubiKey 4. Yubico say that it is crush-resistant and waterproof. This toughness is helped in part because there are no moving parts or batteries inside, and by the design of the moulded casing that shields the softer, squishier innards.
As a sysadmin (day job), a device like the YubiKey offers a far more interesting proposition. The YubiKey becomes a bit more useful in the sense that there are lots of corporate 2FA solutions that support it, which aim to protect against malicious logins and leaked credentials whilst also simplifying user login.
Yubico are correct in saying that a large amount of help-desk calls are password related, so having a device that takes the place of a password that users can attach to a keyring without having to worry about it taking a knock or two is a godsend in my eyes.
As more and more news articles about phishing and social engineering come about, something as simple as the YubiKey 4 in a corporate environment with a companion service like DUO makes for a very compelling pair to help offer that extra layer of security.
In fact, just recently the company I work for have started rolling out DUO, and whilst a YubiKey-style device has not been decided on, I was able to pair up my YubiKey 4 and begin using it to authenticate my logins.
DUO’s implementation is a bit more secure than the Windows Hello version available directly from Yubico, as it still requires your password to log in to Windows before you authenticate.
All in all, the YubiKey 4 is a solid piece of kit. For personal users it is a bit rough round the edges due to the level of support in applications and how the U2F is implemented, but it still has several uses that certainly make it worthwhile to me.
For corporate use there are more supported configurations, which, depending on the solution, can help the support staff that decide to use it.
I haven’t yet linked it with any other accounts, but I am keeping an eye on Yubico’s site for any other services I use. All the ones I have added it to so far have been extremely easy to set up.
I would like to thank Yubico for sending the YubiKey 4 out to me for review (sorry it took a bit of a while to get this finished).
If you are interested in the YubiKey 4, or other devices from Yubico, head on over to https://www.yubico.com/why-yubico/ for more info.