I have been using Yubico YubiKeys since 2018. I have blogged a bit about them before:
- Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices
- Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
- Setup two factor authenticator protection at login on Ubuntu or Debian
- Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
At first, I used my YubiKeys to secure Mac OSX, websites I used then services like 1Password, Dropbox, Twitter. Google Mail, Github, WordPress. Now I have over 80 websites and servers protected with my YubiKeys.
I also used my YubiKeys to secure servers I setup (protecting Command-line SSH Sessions).
Security Basics
Before I begin showing the YubiKey 5C NFC device I would like to explain a bit about…
- a) Strong Passwords, Not Reusing Passwords
- b) Hacked Websites and Data Breaches
(Apologies for click-baiting and not showing the YubiKey 5C NFC right away but I love Security)
a) Secure Passwords, Not Reusing Passwords
Hackers trying to obtain your login and password could use Brute Force Attacks, Dictionary Attacks and other ways to try and break into your accounts.
If you have not heard of or used http://howsecureismypassword.net/ head over there now and enter your password (or enter a part of your password if you do not trust them).
I entered an old password I used a lot in 1990’s and https://howsecureismypassword.net/ said it a computer will take 1 day to guess/generate my password.
I entered a more complex password generated in my password manager (1Passwsord) and now it will take 68 quattuorvigintillion years for a computer to guess/generate my password.
That sounds good but it is not, computers are getting faster and websites can still be hacked directly (bypassing complex passwords). When a website is hacked data is sold far and wide in minutes. Anyone who obtains or buys hacked usernames and passwords will try and use those credentials on as many sites as possible.
TIP: Do not use the same password across different websites, if one site is hacked an attackers will know your password on other sites. Even if the hacked website used encryption to hash your password before storing it hackers can use Rainbow Tables to know the real password to speed up obtaining your password.
b) Hacked websites and Data Breaches
How do you know what sites have been hacked?
Enter https://haveibeenpwned.com/
Go to https://haveibeenpwned.com/ and enter your emails address and click “Pwned?” to see if your email has been obtained in past known data breaches. You can also check your password too.
https://haveibeenpwned.com/ at (great expense and complexity) indexes hacked data (called pastes) from known website breaches in as little as 40 seconds of the information appearing online. Hacked data from websites are published online to validate the hacker’s valuable data (in order to sell it) or to show a hackers achievement.
https://haveibeenpwned.com/ is a safe site run by https://www.troyhunt.com/ and is an industry-standard for sharing information about hacked websites in order to protect exposed in those hacks.
I entered my email address into https://haveibeenpwned.com/
My email address has been found in multiple hacks
A full list of hacked websites with my email and password is displayed.
When sites I was using were hackled only 1% of the sites bothered to notify me. You could have been hacked in the past and you may not be aware of it.
Subscribing to be notified when your emails(s) are seen in pasted in highly recommended (and it’s free).
fyi: Awesome Security Now Podcats
If you want to stay up to date with online security and the never-ending race for security check out the free Security Now Podcast that has been running from 2005 to 2020. Steve and Leo do a great job ant breaking down very very very complex security topics for non-tech geeks every week.
Password Manager + YubiKey
You are still reading, good. I know this is bad news but you need to know this stuff.
So I hear you say how can I generate (different passwords per site) and store those passwords securely? This sounds like a plug (it’s not) but I use 1Password password manager.
1Password is an awesome password manager I use to generate and store secure passwords and best of all it only costs $2.99 USD a month (or $39.47 AUD paid annually). Here is a 3-year-old post of mine showing an older version of 1Password. I like 1Password because it’s super secure, integrates with YubiKeys and https://haveibeenpwned.com/ and works well on Windows, MacOS, iOS and Android.
1Password integrates with HaveIBeenPwned and 1Password 🙂
@1Password just keeps getting better and better. Ping: @troyhunt pic.twitter.com/qTtE6XyoXb
— Grant Harrington (@harringg) May 22, 2018
1Password is the right price for me and for the features it provides.
1Password allows you to generate strong passwords.
fyi: Here is a list of all password managers (some free) at Wikipedia.
Of you can use https://www.grc.com/passwords.htm to generate really strong passwords manually.
Why Use YubiKeys
If you use a really simple password, reuse a password (I know you do) or you know a site will be hacked one day a YubiKey can be a physical thing you have that a hacker does not have.
Think of the YubiKey as a physical password that hackers cannot steal.
Well, you can be mugged and your YubiKey could be stolen but will they have your email and password that is needed with the key to log in to a site?
My YubiKey’s
- YubiKey 4 NEO (Left)
- YubiKey 5Ci (Middle)
- YubiKey 5C NFC (Right)
My YubiKey 4 NEO (on the right) has been used about 5,000 times and it is still going strong.
YubiKey 5Ci (for Mobile)
If you need a YubiKey with a Lighting and USB C plug (without NFC) check out this review.
Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices
Why use NFC?
Why is NFC so good? The USB Standard only allows for 10,000 inserts and removals before the pins wear out. The Wireless nature of NFC has no impact on lifespan.
YubiKey 5C NFC
On the left, you can see my YubiKey 5C NFC compared to the YubiKey 5Ci (in the centre) and the YubiKey 4 NEO (on the right).
YubiCo YubiKey 5C NFC Welcome Video
The YubiKey 5C NFC has a USB C plug and NFC. For me, this is the perfect key.
The YubiKey has a selection of covers that (for all keys) that you can stick onto the keys to stylize them and tell the difference between when you have multiple keys.
I went with a Polka Rainbow Cover
My cover application was not a perfect application by me but it’s Wabi-Sabi enough for me.
YubiKey Authenticator
When you use a YubiKey on a site that supports them you will either be prompted to Insert and Tap they key after the traditional login process
Or enter a 6 digit code that is randomly generated in the Authenticator App (and valid for 30 seconds). To obtain this code you will need to install the YubiCo Authenticator for Windows, MacOS or Mobile (iOS or Android)
Download the Free Authenticator App here: https://www.yubico.com/products/services-software/download/yubico-authenticator/
Inserting or Tapping the key will display the linked sites and 6 digit codes.
I have many websites OTP’s stored in my Keys 🙂
How to use the YubiCo Authenticator App Video on the YubiCo YouTube channel
How to find sites that use 2FA/MFA
Head on over to https://twofactorauth.org/.
https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.
For example, you can search for (e.g “play”) and see if the matching sites have 2FA enabled to protect logins.
My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.
You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service. Go with the most secure provider.
Common Site 2FA Instruction Pages
Here is a list of common social media sites and their instruction pages for enabling 2FA
- Buffer: https://blog.bufferapp.com/introducing-the-safest-social-media-publishing-on-the-web
- Dropbox: https://help.dropbox.com/security/enable-two-step-verification
- Facebook: https://www.facebook.com/help/148233965247823
- GMail: https://www.google.com/intl/en-US/landing/2step/features.html
- Google Drive: https://www.google.com/intl/en-US/landing/2step/features.html
- Linked In: https://www.linkedin.com/help/linkedin/answer/544
- One Drive: https://support.microsoft.com/en-us/help/12408/
- Pinterest: https://help.pinterest.com/en/articles/two-factor-authentication
- Reddit: https://www.reddithelp.com/hc/en-us/articles/360043470031
- Snapchat: https://support.snapchat.com/en-US/article/enable-login-verification
- Skype: https://support.microsoft.com/en-us/help/12408/
- Tumblr: https://www.tumblr.com/docs/en/two_factor_auth
- Twitter: https://support.twitter.com/articles/20170388
- Yahoo Mail: https://help.yahoo.com/kb/SLN5013.html
- WhatsApp: https://www.whatsapp.com/faq/en/general/26000021
- WordPress: https://en.support.wordpress.com/security/two-step-authentication/
- Zoom: https://support.zoom.us/hc/en-us/articles/360038247071
Using the Yubico 5C NFC on a Computer with no USB C Plug?
My Windows 10 PC has a USB C Plus but its on the rear of my PC.
It is a pain plugging my key into the USB C plug at the back of my PC so I ordered a $5 USB 3 to USB C adapter so I can plug this into the front of my PC
I have an 8 way USB 3 (externally powered) USB Hub under my monitor to easily connect my many dongles and USB devices into.
The YubiKey 5C NFC sits high in the adapter but it allows me to use it easily on my PC when needed and more importantly I can use the USB C plug on my phone without an adapter.
USB (standard Plug, Lightning or USB C YubiKey have you covered.
Risks of Hardware 2FA
If you damage or lose a YubiKey you could be locked out of a website or service. When possible I use multiple YubiKeys so you have a backup device to login with.
I can add multiple YubiKeys to Dropbox
Sites will also provide a list of recovery codes you can use in case you lose your YubiKey’s. Save these codes in a safe place (you will only be given them once)
1Password is great for storing backup codes.
Purchasing a Yubikey 5C NFC
You can buy YubiKey’s from…
- Trust Panda: https://www.trustpanda.com.au/products/yubikey-5c-nfc
- Mi-Token: https://shop.mi-token.com/#!/public-catalogue
- YubiCo Direct :https://www.yubico.com/store/
- M. Tech: https://mtechpro.com/product/yubico/
- Sektor: https://www.sektor.com.au/Product/MSYK335
- Sektor (NZ): https://www.sektor.co.nz/cybersecurity
- YubiKey Resellers: https://www.yubico.com/support/shipping-and-buying-information/resellers/
Conclusion
My new YubiKey 5C NFC is sitting proudly in my YubiKey collection. I use One key for work, one key for Home (PC Use) and one key for Mobile use.
YubiKey 5C NFC Pros
- NFC (I use this a lot on mobile and at work on NFC printers for authentication)
- No batteries required
- Durable
- Multiple usage modes (6 digit codes or insert and press)
- Works well on my Android Phone with USB-C Plug
- Physical security to back up my online credentials
YubiKey 5C NFC Cons
- You need to opt-in on sites to use it (not really a con)
- You need a PC with USB C plug to easily access the YubiKey 5C NFC.
The YubiKey 5C NFC comes at a time when “Human Malware” related phishing attacks continue to surge. I have thousands of hack attempts on my website and email daily so I know I need to stay a step ahead of hackers.
I know companies who were hacked, could not care less if my username and password were breached.
YubiCo YubiKeys allow me to feel safer online
Links
- YubiStyle Covers: https://www.yubico.com/product/yubistyle-covers/
- Security Now Podcast: https://grc.com/securitynow (2005 to 2020)
- http://howsecureismypassword.net/
- https://haveibeenpwned.com/
v1.0 : Initial Draft