That's a fair question, and one that your wallet and your resources (accounts, data, and so on) deserve an answer to. Physical security keys require your physical presence to authenticate you, and that requirement guards against phishing attacks and other forms of unauthorized access. For instance, with a YubiKey, all you need to do is insert it into your device to log in to your account. We'll get into the details in a while, but before we do, let's address the elephant in the room: the YubiKey we've mentioned a couple of times.
Manufactured by Yubico, a YubiKey is a small USB or NFC-enabled device that serves as a physical security key for accessing computers, networks, and online services. It takes security up a notch by adding a second authentication factor beyond just a password. Speaking of authentication, these keys support the following protocols:
We now know that YubiKeys enhance security beyond passwords. They use cryptographic protocols to provide phishing-resistant authentication. Unlike SMS codes or authenticator apps, they cannot be guessed or compromised remotely, because the physical presence of the key is mandatory. This gives you a higher level of protection against account takeovers and unauthorized access attempts. Apart from enhanced security, you need them for the following reasons:
We know that YubiKeys provide phishing-resistant MFA, a strong authentication measure that is a mandate for complying with standards such as GDPR, PSD2, and HIPAA.
For instance, Article 32 of GDPR specifies that controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The phishing-resistant MFA mentioned above ticks the "appropriate technical and organizational measures" box under that article.
We also know that maintaining compliance is a huge green flag for you and your organization. Not only are you securing your resources, you're also avoiding the legal penalties that come with non-compliance. Apart from that, organizations that prioritize compliance maintain a good reputation with customers and stakeholders.
YubiKeys are waterproof, crush-resistant, and do not need batteries to function. That's quite an advantage, given that you can use them in various conditions. The durability also makes them reliable in the long run, and as a result, you won't need to replace the keys frequently. That's a win-win, and with all the time saved here, you can go to a fancy barista and have a fancy coffee in peace.
A single key can secure multiple accounts and services, including your email, cloud storage, password managers, etc. As discussed before, YubiKeys support multiple protocols, and that support lets you consolidate your security needs into one device. With this, you simplify managing your key and minimize the risk of lost credentials.
YubiKeys offer several features that support offline usage, giving you enhanced security and accessibility when you have little or no internet connectivity. Their challenge-response mode lets you log in to a local device without access to a network, which enables offline authentication.
The keys also support cached logon for Windows workstations, permitting authentication while you're disconnected from the network. They can also generate OTPs using OATH-HOTP without an internet connection.
Apart from that, their PIV smart card functionality works offline for authentication and encryption. Unlike SMS or app-based authenticators, these keys don't require network connectivity to function; they operate via a USB connection and physical touch. In case you forget to pay your internet bills, you can hold on to your keys. (Don't follow this advice; pay your bills.)
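Both offline mechanisms above rest on the same primitive: a secret shared between the key and the verifier, fed through HMAC-SHA1. The following is an added example (not Yubico's code or the page's own) that implements OATH-HOTP as specified in RFC 4226, a verifier that accepts a code once and refuses it on replay, and the symmetric challenge-response that a local login can check with no network at all. The secret is the RFC 4226 test-vector key, used here only so the output can be checked against the published vectors; the look-ahead window of 5 and the challenge string are assumed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp derives an RFC 4226 one-time password from a shared secret and a
// moving counter. No network is involved: the key and the verifier only
// need to share the secret and agree on the counter.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter) // counter as 8-byte big-endian
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)            // 20-byte HMAC-SHA1
	offset := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// verifyHOTP is the verifier side. It tries counters from nextCounter up to
// nextCounter+window-1 so that a few accidental key presses do not lock the
// user out, and returns the counter that matched (the verifier must then
// store matched+1 as its new nextCounter) or -1 on failure. Never searching
// backwards is what makes a replayed code fail.
func verifyHOTP(secret []byte, nextCounter uint64, window int, code string) int64 {
	for i := 0; i < window; i++ {
		c := nextCounter + uint64(i)
		if hmac.Equal([]byte(hotp(secret, c, len(code))), []byte(code)) {
			return int64(c)
		}
	}
	return -1
}

// challengeResponse is the symmetric HMAC-SHA1 challenge-response used for
// local logins: the verifier holds the same secret and recomputes the
// expected answer itself, so it works with no connectivity whatsoever.
func challengeResponse(secret, challenge []byte) []byte {
	mac := hmac.New(sha1.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

func main() {
	// Constructed sample secret: the RFC 4226 test-vector key, not a real one.
	secret := []byte("12345678901234567890")
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("counter %d -> %s\n", c, hotp(secret, c, 6))
	}
	// The code for counter 2 is accepted once, then refused as a replay.
	fmt.Println("first use:", verifyHOTP(secret, 0, 5, hotp(secret, 2, 6)))
	fmt.Println("replay   :", verifyHOTP(secret, 3, 5, hotp(secret, 2, 6)))
	// Constructed challenge for the local-login case.
	fmt.Printf("challenge-response: %x\n", challengeResponse(secret, []byte("login-nonce-0001")))
}
```

The counter is the part that needs care in a real deployment: the verifier must persist the new counter after every accepted code, and the look-ahead window should stay small, since every extra counter it is willing to try is one more code an attacker could guess against.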
YubiKeys enable password-less login flows through their support for the FIDO2/WebAuthn standard. The protocol uses public key cryptography: while logging in, you insert your key and authenticate locally, by pressing the button on it or through an OTP. The key then generates a cryptographic response to the service's challenge, verifying your identity without transmitting a password.
They also store multiple credentials, allowing password-less access to multiple accounts across different platforms and services. With this approach, you're not only avoiding threats such as phishing and man-in-the-middle attacks, you're also simplifying the user experience.
Good question. Before you use the keys, you need to set them up first. Here's how you can do so:
We know that a YubiKey needs to be inserted into the device from which you log in to your account or service after the first authentication step is done. However, that's not the whole story. (To be clear, all you need to do is still insert the key and press the button on it.) Here's what actually goes on when a YubiKey does its job as a second factor of authentication:
Firstly, these keys work on the principle of public key cryptography, which involves generating and storing a unique public/private key pair for each account or service they are used with. The private key never leaves the device, while the public key is shared with your account or service for verification.
YubiKeys also make use of the principle of possession-based two-factor authentication, where 'something you have' is paired with 'something you know' and/or 'something you are', in case you need a third factor of authentication.
The 'something you have' is your YubiKey, and the 'something you know' could be a PIN or a one-time password (OTP). The alternative or addition to the latter, 'something you are', is a biometric scan (fingerprint, face recognition).
Let's now understand how the authentication works.
Speaking of using public key cryptography, here's how your identity is verified:
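To make the key-pair principle and the password-less challenge-response flow from earlier concrete, here is an added example that is neither the page's nor Yubico's code. It models the two parties in the exchange: an authenticator that holds one P-256 key pair per relying party and only ever hands out the public half, and a service that stores public keys, issues a random challenge, and verifies the signed answer. The signed data binds the challenge to the relying-party ID and the browser-reported origin, which is a simplified stand-in for what WebAuthn actually signs; the names `example.com`, `alice` and the look-alike origin `https://examp1e.com` are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// authenticator models the security key: one key pair per relying party,
// held in a map that stands in for the key's secure element. Only the
// public half ever leaves, through register().
type authenticator struct {
	creds map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func newAuthenticator() *authenticator {
	return &authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// register generates a fresh P-256 key pair for rpID and returns the public key.
func (a *authenticator) register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData ties the service's random challenge to the relying-party ID and
// the origin the browser reports. This is a simplified stand-in for the
// authenticatorData || SHA-256(clientDataJSON) that WebAuthn signs.
func signedData(rpID, origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID + "\x00" + origin + "\x00"))
	h.Write(challenge)
	return h.Sum(nil)
}

// assert is the "insert the key and touch it" step: the key signs the
// challenge with the private key for rpID, which never leaves the device.
func (a *authenticator) assert(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, origin, challenge))
}

// relyingParty models the service. It stores public keys only, so nothing
// in this table can be used to log in if it leaks, and no password exists.
type relyingParty struct {
	rpID, origin string
	users        map[string]*ecdsa.PublicKey
}

// newChallenge issues 32 random bytes; a fresh value per login defeats replay.
func (rp *relyingParty) newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// verify recomputes the expected signed data from its own rpID and origin
// plus the challenge it issued; a signature over any other origin fails.
func (rp *relyingParty) verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.rpID, rp.origin, challenge), sig)
}

// demo registers a key and runs two logins, returning (genuineOK, relayedOK).
func demo() (bool, bool, error) {
	key := newAuthenticator()
	rp := &relyingParty{rpID: "example.com", origin: "https://example.com",
		users: map[string]*ecdsa.PublicKey{}} // constructed sample service
	pub, err := key.register(rp.rpID)
	if err != nil {
		return false, false, err
	}
	rp.users["alice"] = pub // only the public key is ever stored server-side
	ch, err := rp.newChallenge()
	if err != nil {
		return false, false, err
	}
	sig, err := key.assert(rp.rpID, rp.origin, ch)
	if err != nil {
		return false, false, err
	}
	genuine := rp.verify("alice", ch, sig)
	// A look-alike page that relays the real challenge gets a signature bound
	// to its own origin, which example.com will not accept.
	relayed, err := key.assert(rp.rpID, "https://examp1e.com", ch)
	if err != nil {
		return false, false, err
	}
	return genuine, rp.verify("alice", ch, relayed), nil
}

func main() {
	genuine, relayed, err := demo()
	fmt.Println("genuine login:", genuine, "| relayed via look-alike origin:", relayed, "| err:", err)
}
```

Two properties carry the security argument: the service never holds anything that can impersonate the user, and a signature is only good for the exact challenge and origin it was made for. Real browsers add a further check this model omits, refusing to use a relying-party ID that does not match the page's own domain.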
Yes, many mobile banking apps support YubiKeys, and on phones with NFC capability you can just tap your NFC-enabled key to the back of the phone to authenticate. For devices without NFC, you can use a YubiKey with a USB-C connector or a USB-A to USB-C adapter. However, compatibility varies depending on the specific banking app and your device, so check with your bank for its supported authentication methods.
Yes, the keys are compatible with many popular password managers, including LastPass and 1Password. These password managers often support YubiKeys as an additional layer of security to access your password vault. By using the key with your password manager, you add a physical authentication factor, making it much more difficult for unauthorized users to access your stored passwords and sensitive information.
Yes, they can be used to secure many cryptocurrency wallets and exchanges. Many major cryptocurrency platforms support YubiKeys as a form of two-factor authentication. This adds an extra layer of security to your crypto assets, protecting them from unauthorized access even if your password gets compromised.