Privacy and data protection have certainly moved up in importance on a global scale over the past few months.
A big part of that is the ongoing focus on user privacy because of data leaks, like what happened with Facebook and Cambridge Analytica. But the scandal and disturbing regularity of big hacks have brought awareness of personal data security to a whole new level. You might be thinking to yourself: How can you keep your data safe and make sure your accounts are only being accessed by you?
Chances are you’ve heard of two-factor authentication, but it’s not confined just to SMS or apps like Google Authenticator. Two-factor auth (often abbreviated as 2fa) can be physical as well. Yubico is a company that builds authentication devices, and its latest is the YubiKey Neo. The key gives you a dedicated keyfob for 2fa, theoretically granting access only to the person carrying it (as long as they have the password, too, of course).
But does putting your 2fa on your keychain make sense for most people?
Designed for portability
The YubiKey Neo is tiny. An authentication device should be portable, but the fact that it’s so small might be a concern to some, as you don’t want to misplace it. Luckily, there’s a small hole at the top, which allows you to hook it onto a keychain.
It comes in a dark black color, with some light branding, but overall it has a clean look that won’t add or detract from style, if that’s a concern at all.
The general look is that of a USB flash drive, and the Neo only comes in a USB-A variant. I hope this changes down the line as USB-C is becoming somewhat of a standard on both Macs and PCs.
What can the YubiKey Neo do?
At its core, the YubiKey Neo is an authentication key that connects to devices via USB port or NFC connectivity. It can handle several authentication standards, but the two main ones are OTP (one-time password) and U2F (universal second factor) authentication.
You will find that the majority of services out there (like Google, Facebook, Dropbox, and many others) support these, and therefore let the YubiKey Neo act as the 2fa device. But not every single site out there integrates with the system.
A prime example is Twitter; it offers its own 2fa via text message, but at this time doesn’t work with authentication keys like YubiKey. Compatibility with existing standards is an issue that is found in many sectors of tech, but it’s one that Yubico hopes to solve eventually.
Adding the YubiKey Neo to your accounts and using it is quite intuitive. It’s not magic — you’ll still need to know your username and password (the first factor in 2fa). But the key can replace a text or a separate authenticator app that you might be using now.
But the coolness factor gets turned up to 10, as all you do is plug the key in and tap the gold metal button with the Wi-Fi symbol. To enable the YubiKey on Facebook, I opened the service on desktop, went into Settings > Security and log in > Two-factor authentication. It gets a little confusing, because, after that, you have to go back to the login approvals menu and add the YubiKey under the security key section. Be sure to have the device inserted, name it, and then tap the gold button, and it will fill out the info for you. The final action is to click enable, and then the next time you log in, on any computer with a USB port, all you’ll need to do, after entering your password, is insert the YubiKey and tap the button.
Confused by any of that? Luckily YubiKey’s full instructions are online, and it has help pages for most supported sites.
NFC? Tell me more.
Yes, the YubiKey Neo is equipped with NFC (near-field communication). And recently, the company launched a mobile SDK to make use of this technology on the iPhone 7 and newer. Yubico has taken advantage of Apple giving developers more access to the iPhone’s NFC chip, to some degree, in iOS 11. This SDK means developers only need to add a simple command line to an app to give it this functionality for authentication.
Right now, the NFC authentication on the iPhone only works with LastPass. But that’s better than nothing, so I checked out how it works for a taste.
The setup was simple enough: I logged into settings on LastPass’s desktop site and then navigated to multifactor options. You then select Yubico while your YubiKey is plugged in, and after that the key should be authorized to work with your iPhone.
Similar to using the iPhone for Apple Pay, 2fa occurs by touching the YubiKey NEO to the top left-hand corner when prompted, like in the photo above. You still log in with your username and password, and then 2fa occurs with the YubiKey NEO. I have the option to have my iPhone become a trusted device for 30 days, thus decreasing the amount of time I have to use the NFC feature. Of course, if you don’t have the YubiKey with you and the 30 days are up, you will be locked out.
All in all, the YubiKey’s NFC compatibility gave me a good feeling. I’m looking forward to being able to use it with Facebook’s and Google’s apps, and Yubico is working on getting it into more services.
Should you add an extra piece to the security puzzle?
The biggest advantage of a physical 2fa device is that you don’t have to worry about your phone dying. I’ve had situations where if my phone died, then I was locked out of some work accounts, since I wouldn’t have access to SMS or apps. So instead of getting a code or one-time password texted to your phone, it lives on this key. Removing SMS from the equation is particularly good in this age where we’re strongly encouraged to have those messages pushed to many devices (thus increasing the chances they could be intercepted).
At $50 the YubiKey Neo isn’t as cheap as I’d like, but it’s not something you’ll need to replace regularly. Assuming more services get on board, it’s an excellent way for everyday folks to make 2fa secure and simple without relying completely on your phone.