Jan 4, 2020

The key to good security is NMIC


In today's world of technology, passwords are the weakest point of security, and the hardware you add to shore them up matters just as much: buy one compromised piece of hardware and bang! Your security is on the line, along with your reputation. The problem becomes much more serious when you choose a relatively cheap security key built on cheap hardware (hey, we're not naming any names). And it's not just us: security experts like Alex Stamos, Facebook Inc.'s former chief information security officer, have expressed concerns about the security of such devices.

In 2018, Alex Stamos wrote on his personal Twitter account:

“The cost difference between Feitan and Yubico is minimal, considering that you are buying a device upon which you bootstrap ALL OF YOUR PERSONAL SECURITY, and since FIDO means direct communication between untrusted websites and this embedded controller, I'm sticking with Yubico."

Similarly, Yubico itself has been vocal about competing devices that it considers to fall short on security. In a blog post responding to Google's Titan keys, they wrote:

Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden. Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated the development of a BLE security key and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability, and durability. BLE does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience.

Reviewing Yubico’s YubiKey 5 NFC

The best thing about Yubico's security keys is that they provide far more than a second factor for your passwords, and the YubiKey 5 adds a good deal on top of the YubiKey 4. In this article we review the fifth generation of Yubico's YubiKey, the YubiKey 5 NFC.

To start with, this device, made in the USA and Sweden, supports FIDO U2F (and the newer FIDO2/WebAuthn) for two-factor authentication and uses NFC to work with your smartphone, so you can protect your accounts against phishing and similar online fraud. But that is just the tip of the iceberg: this remarkably tiny device is capable of much more. If all you want is a simple hardware U2F device, the YubiKey 5 NFC is probably overkill because it is expensive; you should instead consider one of Yubico's more affordable options, such as the $20 Security Key. However, if you are already concerned about the wider range of security challenges, you will love what this little device has to offer.

What is Two Factor Authentication and how does it work

The primary role of a security key like the YubiKey is as a second authentication factor. Two-factor authentication (2FA) is a second line of defense: after entering your password, you must present a second proof of identity. In theory, 2FA combines two independent authentication factors, usually drawn from something you know (a password or PIN), something you have (a phone or a hardware key) and something you are (a fingerprint or face). Requiring two of these means that an attacker who obtains your password from a breach dump on the dark web still cannot log in without the second factor. The factors are not all equal, though: a code typed into a web page (from SMS or an authenticator app) can be phished right along with the password, whereas a U2F key signs a challenge that is bound to the website's origin, so a look-alike site cannot obtain a response the real site will accept. For this review we primarily look at hardware 2FA, but there are many ways of adding a software second factor, and they are worth looking into.

Playing with the YubiKey 5 NFC

Setting up the YubiKey for U2F is straightforward. Follow the website's instructions, insert the key into a USB port when the page prompts for it, then tap the gold disc to enroll the key. Next time you log in, enter your password as usual; you will then be prompted to insert the key and tap it. Do so, and that's it. You're done.

Many websites, including Google, Twitter, Facebook, Dropbox and Dashlane, support U2F and accept YubiKey devices, so for our testing we enrolled the key as the second factor on a Google account. Using the Chrome browser, we entered the login credentials; when prompted for the security key, we tapped it, and we were done.

The authentication process is just as simple on Android or iOS smartphones: enter the credentials, choose NFC when the phone prompts for the security key, and hold the key against the back of the phone. In our experience it took a few tries and was somewhat slow, but eventually the phone buzzed an affirmative response and we were logged in without much hassle or any software roadblocks. In contrast, with some cheaply made products the software often hangs at this point and you are forced to redo the entire process.


Our experience with Google Authenticator

Google Authenticator is a popular app that generates 6-digit codes every 30 seconds, a technique known as Time-based One-Time Passwords (TOTP, RFC 6238), and one of the most commonly used 2FA methods today. Yubico puts an interesting spin on it with the YubiKey 5 NFC: the TOTP secret is stored on the key rather than in the app. Plug in the key, open the Yubico Authenticator desktop app, and navigate to a website that supports Google Authenticator. To secure a Google account, for instance, we chose the option to enroll a new phone with the app. At this point a QR code appears and the site prompts you to scan it with your phone; instead, we used the menu option in the Yubico Authenticator desktop app to capture the QR code from the screen. A few clicks later, our app started producing 6-digit codes every 30 seconds.

Take it on the road

Yubico also provides a TOTP-generating Android app that works with the YubiKey 5 NFC, so you can take your authentication on the road. Open the app (it will be empty at this point), hold the key against the back of the phone, and it will show the current codes. Quit the app and the codes disappear; you will have to tap the key again next time. It is a bit of a hassle, but more convenient and more secure than storing the secrets in the app itself: the secret never leaves the key, and the phone only supplies the current time and displays the code the key computes.

Other interesting features

The YubiKey 5 does far more than U2F. For example, you can use it as a smart card (PIV) to log in to your desktop, or to authenticate to your SSH servers. Similarly, you can generate an OpenPGP key on the device and use the YubiKey for signing, encryption and authentication. Moreover, it is FIDO certified, which means it works with any FIDO-compliant application on macOS, Windows or Linux. The YubiKey 5 is also very durably built: tamper-resistant, crush-resistant and water-resistant.

Our only major gripe

The documentation that comes with it is quite extensive, and sometimes it gets rather hard to wrap your head around everything; that is my only major gripe with Yubico's YubiKey. Although they have been improving the documentation with every major release, it is still challenging to use every feature of the YubiKey without a prior understanding of how it works. Even though Yubico has a website to inform and guide customers, the information can be overwhelming at times. What I am trying to say is: using your YubiKey is straightforward, but getting the most out of the device isn't easy for a beginner.

Why get the YubiKey 5 instead of the YubiKey 4

All said and done, if you glance over the features of the YubiKey 5 NFC and understand most of them, then this device is for you; if not, head over to Yubico's website for help. This rugged little device will not disappoint you, and with it you will be able to secure your online accounts far better. However, if you cannot wrap your head around the instructions, then another Yubico model, or even a Google Titan Security Key, is a reasonable alternative. On the security side, like other security experts, we strongly recommend against cheaply made products. They are less trustworthy because you have no assurance of what the firmware does with your credentials, or whether the device was already compromised before it reached you. To stay on the safe side, it is better to invest your hard-earned money in a device that gives you confidence your secrets are not being passed on to third parties.