YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas

Adding a hardware key as an additional authentication factor for online services is a great way to ratchet up your security. But be prepared for a bit of a learning curve and some frustration, especially on mobile devices.

One of the most important security precautions you can take with any online service is to turn on two-factor authentication, or 2FA. (Some services refer to 2FA as multi-factor authentication or two-step verification, but the underlying technology is the same.)

With this extra protection enabled, anyone who wants to sign on to a service on a new device must supply a second form of identification in addition to the password. That extra step, at least in theory, prevents an attacker from using stolen or phished credentials to sign in to a service.

The most common second factors are SMS text messages and codes generated by an authenticator app installed on a smartphone. (For more on authenticator apps, see "Protect yourself: How to choose the right two-factor authenticator app.") But there's an additional option: a hardware-based security key that plugs into a USB port or connects with a tap on an NFC-enabled mobile device.

Disclosure: ZDNet may earn an affiliate commission from some of the products featured on this page. ZDNet and the author were not compensated for this independent review.


For the past week, I've been testing out two security keys supplied by Yubico, a well-established player in the field. The YubiKey 5 NFC ($45) is a thin but sturdy device that fits in a standard USB Type-A port and also supports NFC connections. The YubiKey 5Ci ($70) is smaller but equally sturdy, with a USB Type-C connector on one end and an iOS-compatible Lightning connector on the other end; it does not support NFC.

Why pay for this sort of security when the software-based options are free? Primarily because hardware-based keys are significantly more secure than SMS- and software-based options. That's especially true for journalists, activists, and people who work for high-value targets like banks and defense contractors. As the FBI warned just a few months ago, SIM-swapping and other attacks can make it possible to bypass 2FA protection.

Hardware-based security, on the other hand, is much more difficult to successfully attack remotely. To sign in, you have to supply your credentials and then insert the key and tap it in response to a prompt to submit your additional proof of identity.

The YubiKey devices I tested support hundreds of services that use a handful of standards, including FIDO2 Web Authentication (WebAuthn). A full list of supported services is available on the Yubico website, where you can search and filter to find the ones that interest you. (Yubico makes a full range of security keys in different form factors, including very small footprint Nano devices designed to be kept in a USB Type-C or Type-A slot full time.)

It's worth noting that support for hardware-based authentication is considered a premium feature for many services; for example, if you use the password managers LastPass, Dashlane, or Bitwarden, you must upgrade to a Business, Premium, or Enterprise plan to enable a security key as a second factor. And, surprisingly, very few banks or financial institutions outside the cryptocurrency world support hardware-based 2FA.

I tested both YubiKey devices with a representative sample of the kind of services you're likely to use regularly, including 1Password, Dropbox, Namecheap, GoDaddy, and Twitter. I also used the hardware key to secure Microsoft and Google accounts, as well as to sign in to a local account on a MacBook Pro.

In general, the setup process was quick and easy and the security keys worked well on either a Windows 10 PC or a Mac, using any modern desktop browser. I used the Chromium-based Microsoft Edge and Google Chrome on Windows 10, and used Edge, Chrome, and Safari on the Mac. Firefox and Brave are also compatible with these devices.

In every case, the setup process is similar. Open the website for the service, authenticate using whatever 2FA options are currently set up, navigate to the security settings page, and choose the option to configure a security key. That triggers a request like the one shown here; follow the instructions, including tapping the designated contact point on the hardware, to save the credentials on the key.

[Image: yubikey-enroll-with-microsoft-account.jpg]

When you enroll a hardware key as a 2FA factor, the service (in this case a Microsoft account) stores the required credentials on the device itself.

For some sites, I was able to configure both keys, but others, such as Twitter (shown below) support only a single hardware key. To replace the key, you have to disable that method, then re-enable it and run through setup again.

[Image: twitter-2fa-settings.jpg]

Twitter offers a choice of up to three 2FA methods; note that I've disabled SMS for authentication. 

Yubico also makes an authenticator app that works like any other TOTP code generator except that it requires a tap of the hardware key to activate.

Azure AD: Some assembly required

For most situations, configuring a hardware key as a trusted second factor is fairly quick and straightforward. However, I ran into two applications where I had to do some extra work before I was able to use the YubiKey.

The first was with a Microsoft Azure Active Directory account used with an Office 365 business subscription. Consumer Microsoft accounts support hardware keys directly, but for business accounts, multi-factor authentication using hardware keys is still officially a preview. To enable it, I had to go to the Azure AD administration center, then click through security settings to get to the Authentication Methods page shown here.

[Image: azure-ad-setup-fido2.jpg]

To use a hardware security key with Office 365, an administrator first has to enable this method in the Azure AD admin center. 

Once that task was complete, it took a few minutes for the setting to propagate to my test account. After signing out and signing back in, I was able to go to https://myprofile.microsoft.com, sign in with the Azure AD account, and create the new security settings.

[Image: azure-ad-setup-by-user.jpg]

Once the necessary support is enabled, users can enroll a security key for Office 365 and other Azure AD services.

MacOS: There's an app for that

The other place where I needed to do an unexpected amount of work was to set up signing in to a MacBook Pro using the YubiKey 5Ci as a smart card. For that process, I had to download the YubiKey Manager app and run through a three-step process using the Personal Identity Verification (PIV) application.

[Image: yubikey-manager-app-mac.jpg]

You'll need to use the YubiKey Manager app to set up a YubiKey as a smart card for signing in to a Mac.

It's a pretty straightforward process that involves replacing the default user PIN for the smart card emulation, then generating a pair of keys. But after that setup was complete, I was able to skip typing my long, complex password to sign in. Instead, I just tap the YubiKey and then enter a six-digit PIN.

If you use a PC running Windows 10, that might sound familiar, because it's essentially a variation on Windows Hello. The difference is that Windows 10 treats the device and its TPM chip as a smart card, allowing you to sign in with a PIN or biometric authentication. But if you want to skip Windows Hello and use an external hardware device, you can do that in Windows 10 as well.

The mobile experience

The experience wasn't nearly as smooth on mobile devices, unfortunately.

You would think that the dual-head design of the YubiKey 5Ci, with USB Type-C on one end and a Lightning connector on the other, would be ideal for modern mobile devices, which universally use one of those two ports. Alas, that wasn't the case.

Yubico points out in its documentation that the Lightning connector has "emerging support." I found that to be the case when, for example, I tried to sign in to the GoDaddy app but received an error message that the authentication method wasn't supported by either the browser or the app. Likewise, trying to authenticate in the Namecheap app resulted in an error message.

[Image: yubikey-godaddy-error-message.jpg]

Using hardware security keys can be frustrating on a mobile device.

I was successful at signing in on the iPhone to Namecheap, Twitter, and the G Suite admin panel in a browser using the YubiKey 5 NFC, once I learned how to tap the key against the NFC reader on the iPhone. On a OnePlus 7 Pro running Android, the security key failed to authenticate me in Microsoft Edge but worked flawlessly in Chrome. Making that NFC connection wasn't nearly as easy as on the iPhone XS, however, because of the placement of the NFC reader on the OnePlus.

The lack of support for that Lightning connector on iPhones is a real point of frustration for anyone who also uses a MacBook Pro or a Windows PC that has only USB Type-C connectors. The YubiKey 5 NFC works with a USB A-to-C adapter or dongle, but that's considerably less elegant than the compact YubiKey 5Ci.

Conclusions (and a note on the importance of backups)

One of the most important lessons you learn when working with multi-factor authentication is to always have a backup way of authenticating. Almost every site that supports 2FA offers the option to print out backup codes that you can use in the event your other authentication methods aren't available. For example, if you've set up a service to use SMS text and an authenticator app on the same smartphone, you're in a world of trouble if that phone is lost, stolen, or damaged.

I was able to confirm this lesson while testing Namecheap's support for hardware keys. Although the domain registrar supports three different 2FA methods, you must choose one and only one. When I incorrectly set up a hardware key during testing, I was extremely glad that I had printed out recovery codes, one of which let me back in immediately.

These two YubiKey devices are designed to fit on a keychain, which means for most people they're always close at hand. Because I mainly work at the same location (especially during the current lockdown) I prefer to keep the YubiKey in my laptop, so I don't have to fumble for my keys when I need to approve an authentication request. For that application, the $50 YubiKey 5 Nano or the $60 5C Nano might be a better choice. But that option means giving up the NFC support with mobile devices.

As I said at the beginning, the main reason to use a hardware key is to avoid the risk of using a phone number that can be SIM-jacked. For services that allow you to turn off authentication via a phone number, the combination of a hardware key and a smartphone-based authenticator app, with a set of backup codes locked in a file drawer, is the ideal solution. For services that won't allow you to disable SMS as a 2FA method, this isn't possible, unfortunately.