Reviewed by Janine Rumble
Yubico is a company that produces devices that offer two-factor authentication when logging into websites that require a password, such as Google and Facebook, to keep your accounts safe. The website states that ‘Usernames and passwords are not enough to keep online accounts safe. Two-factor authentication is now recommended to secure login to Internet services and protect against phishing attacks and credential theft. The YubiKey is supported by hundreds of the most popular online services including Google, Dropbox, Facebook and many more.’ It also says that ‘the YubiKey offers strong authentication with one touch or tap. Unlike two-factor authentication using SMS, the YubiKey does not require network connectivity or access to a mobile device. Just touch or tap the YubiKey to authenticate.’
I received my YubiKey in the post, all the way from Sweden. The only information it gave as to how to use the key was a sign on the back of the envelope that stated “Get started with your YubiKey at yubico.com/start”, so I followed these instructions and was met with a very informative website, where I could either choose to find the right YubiKey for me or set up the YubiKey I had been sent. Ever the researcher, I first clicked the button that said it would find the right key for me, the key that would suit my needs best. This took me to a page that explained that YubiKeys come in all shapes and sizes and that to find the right key for me I could take a quiz. It then asked me if I was an individual, an IT professional or a security expert. It then asked me what USB port my computer has. It then asked me if I used the key with an Android phone or a tablet. It then asked me if I used any of the following password managers: LastPass, Dashlane, KeePass or other. I have never heard of any of these, so I clicked on the button that I don’t have a password manager. It then asked me whether I wanted to leave the key in the machine all of the time or have it portable. It finally asked me whether I wanted to unlock my PC or Mac; as I did not understand what this meant, I opted for no. The response to my answers was that I required their ‘most affordable YubiKey! The FIDO U2F Security Key is durable, easy-to-use, secure, and comes in a rugged form factor you can take with you everywhere you go (even underwater!). This YubiKey protects your accounts on Facebook, Google, Dropbox, Dashlane, and more with a swift touch of your finger. PRO-TIP! This YubiKey also works on a USB-C port using an adapter.’ Good to know that I was sent the right key.
The website then gives further details on the key: Description: The FIDO U2F Security Key by Yubico provides strong hardware based second factor authentication to Facebook, Gmail, GitHub, Dropbox, Dashlane, LastPass, Salesforce, Duo, Docker, Centrify and hundreds more U2F compatible services. No additional software is required and authentication is easy, fast, and reliable. Simply insert to a USB-A slot and authenticate with a simple touch. It is reliable two factor authentication that does not require a battery nor network connectivity, so it is always on and accessible.
I then followed the instructions to set up my YubiKey and was promised that it would be a simple 2-step installation. To some degree, this was the case: upon inserting it into my computer, the computer worked its magic and accepted the YubiKey. I then had to select an application, e.g. Google, Facebook etc. I chose Google. I was then informed that I had to log in to my account to set up the key by going into my account and selecting two-factor authentication in the settings. This was easily done, but I then had to add my password and I, like many people, have long since forgotten the exact password as my computer remembers it for me, so I then had to go through the rigmarole of resetting my password. I then added my new password and had to press the gold plate with my finger; I naively assumed that this would then recognise my fingerprint for future use. I then logged out of my account and logged back in to see what would happen. After adding my login details and password, I was then asked to insert my security key and press the gold plate. I had my Dad press the gold plate to check whether anyone else could access the website using the key, and Google opened my account with no trouble, so I am guessing that the gold plate does not recognise individual fingerprints like my apps on my iPhone. I then used it on Facebook and again I had to insert the key and press the gold plate; again I had my Dad press the plate and again the website opened. I would have thought that it would have some sort of fingerprint recognition to provide even more security. My concern now is what happens if I lose the key: can I access the website? How would I do that?
The key itself is made of a strong plastic, but the gold connector parts which go into the computer are not covered and, if attached to my keys, could possibly become scratched. If this were to happen, would my key still work?
I like the idea of having extra security for my passwords, but as my computer knows the passwords and I have not kept a record, I now face the task of resetting all my passwords to use the key, but I am sure this will be worth the effort in the long run, knowing that my accounts are secure. Then the use of the key, I worry, will become more of a hindrance when I want to surf the web quickly, as I will need to have this with me to enable me to access my chosen website. Also, my other concern is that most of these websites I also access via my mobile phone. Will this make them difficult to access without the key? And if so, how do I get around this? Is there a way I can also secure these accounts using a key? Looking on the Yubico website, as my phone is not an Android phone, it would appear not, which is disappointing.
I would recommend this security device for people who require an extra form of security and are happy to set it all up. It does give peace of mind knowing that someone can now no longer access my part of a website through just using my password, but that they would need to have the key to authenticate themselves too. I guess in time it will become more useful, and the more that I use it, the more it will become second nature.
RRP: £40 (YubiKey 4)
For more information visit www.yubico.co.uk.
Available to buy from Amazon.