I am a big fan of the Yubico YubiKeys. I have a couple of YubiKey 4 NEO NFC devices. This post will show the Yubico YubiKey 5Ci.
Here are my older posts on the YubiKey 4 NEOs:
- Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
- Setup two factor authenticator protection at login on Ubuntu or Debian
- Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
My YubiKey NEOs have been set up on sites with either “Insert and Press” (FIDO U2F) or insert and copy 6 digit OTP codes (that are valid for 30 seconds).
When a site requires an OTP code I can insert the key and run the YubiKey Authenticator software on iOS, Android, Mac or Windows (and enter an optional password) where I can see all my defined website OTPs.
I have enabled YubiKey “Insert and Press” and/or time-based OATH-HOTP protections on as many logins as I can (PayPal, GMail, Google GSuite, DropBox, my servers (SSH), WordPress, forums etc).
I use the NFC on the YubiKey NEO to log in to my NFC printer at work.
OTP or TOTP and FIDO U2F or Insert and Press
I am not going to bore you to death with technical details here and I will refer to TOTP as OTP and FIDO U2F (FIDO Universal 2nd Factor) as “Insert and Press”.
Insert and Press is easier to explain than FIDO Universal 2nd Factor.
You can read about each here:
- Time-based One-time Password algorithm (TOTP): https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
- U2F – FIDO Universal 2nd Factor authentication (Insert and Press): https://www.yubico.com/authentication-standards/fido-u2f/
Find sites that use 2FA
https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.
You can search for a site (e.g. “play”) and see if the matching sites have 2FA enabled to protect logins.
My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.
You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service (choose the most secure IMHO).
I would recommend you contact websites that do not support 2FA and tell them. If they drag their feet supporting 2FA, I’d leave them.
My NFC Issue
I recently purchased a Flip Wallet/Phone Case with a magnetic back (so I can remove the phone from the wallet), but the magnets cause issues reading NFC on various devices including the YubiKey.
My phone has a poor NFC range at best and my YubiKey NEO cannot be read with my new phone case on. I’ll admit I don’t use NFC anymore on my phone.
Enter the YubiKey 5Ci (with USB-C and Lightning adapter)
Yubico has a YubiKey 5Ci that has a USB-C and Lightning connector for phones and tablets. My phone has a USB-C connector and this would work well instead of NFC.
You can buy a YubiKey 5Ci direct here for $70 USD.
Yubico also makes a 5Ci with transparent plastic.
If you are Down Under like me you can order from here https://shop.mi-token.com/#!/public-catalogue and pay in AUD.
YubiKey 5Ci Specifications
- USB Type: USB-C, Lightning
- NFC-enabled: No
- Authentication Methods: Passwordless, Strong Two Factor, Strong Multi-Factor
- Productivity & Communication: Google Account, Microsoft account, Salesforce.com | Emerging support for Lightning connector
- Password Managers: 1Password, Dashlane Premium, Keeper®, LastPass Premium | Emerging support for Lightning connector
- Cloud Storage: Dropbox, Google Drive, OneDrive | Emerging support for Lightning connector
- Social: Facebook, Twitter, YouTube | Emerging support for Lightning connector
- Design & Durability: No Batteries Required, No Moving Parts
- Function: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), Open PGP, Secure Static Password
- Certifications: FIDO 2 Certified, FIDO Universal 2nd Factor (U2F) Certified
- Cryptographic Specifications: RSA 2048, RSA 4096 (PGP), ECC p256, ECC p384
- Device Type: FIDO HID Device, CCID Smart Card, HID Keyboard
- Manufacturing: Made in USA and Sweden
My YubiKey 5Ci
My YubiKey 5Ci arrived in a small but strong package. Wow this is small.
The back of the 5Ci packaging has clear instructions.
I removed the YubiKey 5Ci from the packaging.
A Lightning plug is on the left and a USB-C plug on the right. In the middle is a contact to allow activation.
The YubiKey 5Ci is tiny. It is about 4cm long with a hole in the middle to allow me to place it on a key chain.
I do not use iPhones or iPads but my wife and child do, so the Lightning plug may come in handy.
The USB-C plug, however, will be used on my Android phone and will replace the NFC on my YubiKey 4 NEO when I transfer connected websites over.
I can see two metal contact points on each side of the YubiKey 5Ci that I can press and activate when in Insert and Press mode.
Insert and Press or Enter OTP Code
What is the difference between 5Ci and Insert and Press when logging into sites?
Google will prompt me to insert my YubiKey and press the button to log in.
My Nextcloud install will prompt for an OTP code (to obtain this I need to insert my YubiKey and obtain the OTP code).
WordPress requires my YubiKeys to be presented at login.
I set up my cloud servers to prompt me for an OTP when I log in via SSH. I use MobaXTerm to connect to my servers.
I need to enter an OTP twice as two connections to the server are created (one for the shell and one for the directory listing).
YubiKey 4 NEO v YubiKey 5Ci
Here is a picture comparing my YubiKey NEO and the 5Ci
YubiKey Neo 4 NFC and a YubiKey 5Ci
My YubiKey 4 NEO has been used a few thousand times, but it won’t plug into my mobile phone.
YubiKey 5Ci (USB C) plugged into an Android Phone
I can easily plug the YubiKey 5Ci into my Android phone (USB-C plug).
My YubiKey Authenticator automatically opens after I insert my YubiKey.
I can access OTP codes in seconds.
Android 10 asked me if the app Yubico Authenticator can access the USB device.
The Yubico Authenticator can be downloaded for Android here
YubiKey 5Ci (Lightning) plugged into an Apple iPhone
When I insert the YubiKey 5Ci into my wife’s iPhone I can use the key on the iOS version of the authenticator app (download here).
I am prompted to enter the password I have set on the key (nice).
YubiKey 5Ci (USB C) plugged into a PC
I have a USB-C port on the back of my PC.
Some PCs have USB-C on the front of the PC.
USB to USB Adapter
I purchased an inexpensive USB-C to USB adapter to allow me to insert the USB-C plug of the YubiKey into the front of my PC.
Now I can use the YubiKey 5Ci anywhere.
YubiKey 5Ci Conclusion
I love YubiKeys and 2FA of any kind and I have a key chain with my YubiKey 4 NEO (the backup key stays somewhere else) and my 5Ci.
I also carry 2x USB backups (encrypted) and a Tile tracking token.
Pros
- Works flawlessly with OTP (HOTP)
- Works flawlessly with Insert and Touch (FIDO U2F)
- Works well on iOS, Android, Windows, Mac and Linux.
Cons
- Black shows dust very well. It would be nice to have them in more colours.
Adding hardware-based 2FA is a long journey but a journey that I don’t regret taking one bit. Have a look at https://haveibeenpwned.com/ if you are unsure if this should be your journey. Also, check out the weekly Security Now Podcast for all the news on weekly hacks and security vulnerabilities.
Use the Yubico Quiz to find out what YubiKey is best for you.
Troubleshooting
N/A
v1.0 Initial Version