What are YubIkeys and how do they work?

Shreya Iyer

Nov 01 · 5 min read

A wise man once said, "Passwords aren't safe anymore; we need more," and that's how multi-factor authentication (MFA) and two-factor authentication (2FA) came into place. We can't say whether what he said actually led to MFA, but we know he was right. We do need more than just passwords: more coffee! How else are we supposed to think of stronger passwords, or of improved authentication, per se?

Quite the cliché, but you can save that extra coffee for another hustle. Luckily for us, another wise man or woman came up with 2FA around the 1990s, and as attacks and threats have evolved, 2FA has been evolving too, to mitigate them all.

You can't trust any wise man or woman here, but what we definitely can't trust is a password being the only form of authentication. With credential stuffing, phishing, and man-in-the-middle attacks all over the place, even regular 2FA with an OTP or biometric authentication can't really save you. Here's where you'll need that extra coffee.

Not-so-bad news: you only need one tiny sip of that coffee, and a tiny sip from your wallet. You need to get a physical key as your second factor of authentication. If you think buying a security key will burn a hole in your pocket, you're wrong. A breach, and the lawyers you'll need to get your systems recovered, will. Better safe than sorry is the investment you need to make here.

Why physical security keys?

That's a trivial and well-deserved question from your wallet and your resources (accounts, data, etc.). Physical security keys require your physical presence to authenticate you, and with that, they guard against phishing attacks and any other form of unauthorized access or threat. For instance, with a YubiKey, all you need to do is insert it into your device to log in to your account. We'll get into the details in a while, but before we do so, let's address the elephant in the room: the YubiKey that we've mentioned a couple of times.

What is a YubiKey?

Manufactured by Yubico, a YubiKey is a small USB or NFC-enabled device serving as a physical security key to access computers, networks, and online services. It's designed to take security up a notch by adding a second factor of authentication beyond just a password. Speaking of authentication, these keys support the following protocols:

  • WebAuthn/FIDO2: Enables password-less authentication.
  • FIDO U2F: Provides two-factor authentication.
  • One-time passwords (OTP): Generates single-use codes.
  • Smart card/PIV functionality: Supports PIV, OpenPGP, and OATH protocols.

Why do you need YubiKeys?

We now know that YubiKeys enhance security beyond passwords. They use advanced cryptographic protocols to provide phishing-resistant authentication. Unlike SMS codes or authenticator apps, they cannot be guessed or compromised remotely, because physical possession of the key is mandatory. With this, you get a higher level of security against account takeovers and unauthorized access attempts. Apart from enhanced security, you need them for the following reasons:

Compliance

We know that YubiKeys provide phishing-resistant MFA, offering a strong authentication measure, which is a mandate for complying with standards such as GDPR, PSD2, and HIPAA.

For instance, Article 32 of GDPR specifies that controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The phishing-resistant MFA mentioned ticks the "appropriate technical and organizational measures" box under the article.

We also know that maintaining compliance is a huge green flag for you and your organization. Not only are you securing your resources, you're also avoiding the legal penalties that come with non-compliance. Apart from that, organizations prioritizing compliance maintain a good reputation with customers and stakeholders.

Durability

YubiKeys are waterproof, crush-resistant, and do not need batteries to function. That's quite an advantage, given that you can use them in various conditions. The durability also makes them reliable in the long run, and as a result, you won't need to replace the keys frequently. That's a win-win, and with all the time saved here, you can go to a fancy barista and have a fancy coffee in peace.

Versatility

A single key can secure multiple accounts and services, including your email, cloud storage, password managers, etc. As discussed before, YubiKeys support multiple protocols, and this support lets you consolidate your security needs into one device. With this, you simplify key management and minimize the risk of lost credentials.

Offline use

YubiKeys offer several features that support offline usage, giving you enhanced security and accessibility when you're short on internet connectivity. The challenge-response mechanisms allow local devices to log in without access to a network, thus enabling offline authentication.

The keys also support cached logon for Windows workstations, permitting authentication when you're disconnected from networks. They also generate OTPs using OATH-HOTP without an internet connection.

Apart from that, their PIV smart card functionality can work offline for authentication and encryption. Unlike SMS or app-based authenticators, these keys don't require network connectivity to function; they operate via a USB connection and physical touch. In case you forget to pay your internet bills, you can hold on to your keys. (Don't follow this advice; pay your bills.)
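As an added illustration (not code from this article or from Yubico), here is the OATH-HOTP computation from RFC 4226 that an offline token performs, together with the server-side check a verifier would run. The `hotp` and `hotpVerifier` names, the six-digit length and the look-ahead window of five are assumptions made for this example; the secret used in `main` is the published RFC 4226 test secret, not a real token secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time password from a shared secret and a
// moving counter. Nothing but the secret and the counter is involved, which
// is why a token can produce codes with no network connection at all.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte
	// window, and the top bit of that window is cleared.
	offset := int(h[len(h)-1] & 0x0f)
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// hotpVerifier is the server side (a hypothetical name for this example).
// It remembers the next counter it expects and looks ahead a bounded number
// of steps, so codes the user generated but never submitted do not lock
// them out. The counter only ever moves forward, so a code that was already
// accepted, or one that was captured earlier, is refused.
type hotpVerifier struct {
	secret  []byte
	counter uint64 // next counter value expected from the token
	window  uint64 // how many unused counters ahead we tolerate
}

func (v *hotpVerifier) verify(code string) bool {
	for i := uint64(0); i < v.window; i++ {
		c := v.counter + i
		// Constant-time comparison so timing does not leak partial matches.
		if hmac.Equal([]byte(hotp(v.secret, c, 6)), []byte(code)) {
			v.counter = c + 1 // resynchronise and move past the accepted code
			return true
		}
	}
	return false
}

func main() {
	// Test secret from RFC 4226, appendix D (not a real token secret).
	secret := []byte("12345678901234567890")
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("counter %d -> %s\n", c, hotp(secret, c, 6))
	}
	v := &hotpVerifier{secret: secret, counter: 0, window: 5}
	fmt.Println("first use of code for counter 1:", v.verify("287082"))
	fmt.Println("same code again (replay):       ", v.verify("287082"))
}
```

The part worth noticing on the verifier side is that accepting a code advances the stored counter past it: a code captured in transit and submitted again is rejected, which is the property that makes an OTP "single-use" in practice rather than just in name.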

Password-less capability

YubiKeys enable password-less login flows through their support for the FIDO2/WebAuthn standard. The protocol uses public key cryptography: while logging in, the user inserts their key and authenticates locally, by pressing the button on it or through an OTP. The key then generates a cryptographic response to the service's challenge, verifying your identity without transmitting a password.

They also store multiple credentials, allowing password-less access to multiple accounts across different platforms and services. With this approach, you're not only avoiding threats and attacks such as phishing and man-in-the-middle attacks, you're also simplifying user experience.

How do you set them up?

Good question. Before you use the keys, you need to set them up. Here's how you can do so:

  • First, plug the YubiKey into your device's USB port, or use NFC.
  • Navigate to the security settings of the service or account you have decided to secure.
  • Now, choose the option to add a security key or 2FA.
  • Follow the prompts to register your key, and you're done.

How do YubiKeys work?

We know that a YubiKey needs to be inserted into the device from which you log in to your account or service, after the first authentication is done. However, that's not the whole crux of it. There's more. (Again, though, all you need to do is insert the key and press the button on it.) Here's what actually goes on when a YubiKey does its job as a second factor of authentication:

Wait. Here are a few things you need to know before getting to the authentication:

Firstly, these keys work on the principle of public key cryptography, which involves generating and storing a unique public/private key pair for each account or service they are used with. Here, the private key never leaves the device, while the public key is shared with your account or service for verification.

YubiKeys also make use of the principle of possession-based two-factor authentication, where 'something you have' is paired with 'something you know' and/or 'something you are', in case you need a third factor of authentication.

The 'something you have' is your YubiKey, and the 'something you know' could be a PIN or a one-time password (OTP). Your alternative or addition to the latter, 'something you are', is a biometric scan (fingerprint, face recognition).

Let's now understand how the authentication works.

  • It starts with you attempting to access your protected account or service, so you insert the YubiKey into your device and tap it.
  • Now the key generates an OTP or uses public key cryptography to prove your identity. Identity theft, after all, is not a joke, and neither are the other risks or attacks concerning your identity.
  • Speaking of using public key cryptography, here's how your identity is verified:
    • The service you've signed up for sends a challenge to your YubiKey.
    • The key generates a cryptographic response using its private key. The response, or signature, is generated using hashing algorithms or AES encryption, which turns the challenge into a non-readable format. Why a cryptographic response? The main reason is to verify your identity without letting any detail out.
    • Now, the response is sent back to verify your identity.
  • Now the server verifies your identity based on the OTP or the cryptographic response, provided that the OTP you entered or the response is right. And you're good to go: log in.
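To show the challenge-response flow above end to end, here is an added example that is not code from this article or from Yubico (and not a model of Yubico's firmware). A toy `securityKey` holds one key pair per service and never exports the private half, and a toy `relyingParty` stores the public key at registration (the "add a security key" step from the setup list earlier), issues a fresh random challenge per login, and verifies the signed reply. It uses Ed25519 signatures from Go's standard library in place of the "hashing algorithms or AES encryption" the article mentions; the way the signed message binds the relying-party ID is a simplification that stands in for what FIDO2 signs over; and every type and function name is an assumption made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// securityKey models the hardware key (hypothetical name): one key pair per
// relying party, and the private key is never exported from the struct.
type securityKey struct {
	creds map[string]ed25519.PrivateKey // relying-party ID -> private key
}

func newSecurityKey() *securityKey {
	return &securityKey{creds: map[string]ed25519.PrivateKey{}}
}

// register is what "add a security key" triggers: a fresh key pair for this
// relying party, of which only the public half leaves the device.
func (k *securityKey) register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[rpID] = priv
	return pub, nil
}

// sign answers a login challenge. The message that gets signed includes the
// relying-party ID the browser reported, so a signature produced for one
// site is worthless at another: that is where the phishing resistance comes from.
func (k *securityKey) sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := k.creds[rpID]
	if !ok {
		return nil, false // nothing registered for this site
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), true
}

// signedMessage is a simplified stand-in for the authenticator data and
// client data that FIDO2 actually signs over (an assumption of this example).
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// relyingParty models the service (hypothetical name): it keeps public keys,
// hands out random single-use challenges and checks signatures against its
// own ID, never against whatever ID a client claims.
type relyingParty struct {
	id      string
	pubkeys map[string]ed25519.PublicKey // username -> public key
	pending map[string][]byte            // username -> outstanding challenge
}

func newRelyingParty(id string) *relyingParty {
	return &relyingParty{
		id:      id,
		pubkeys: map[string]ed25519.PublicKey{},
		pending: map[string][]byte{},
	}
}

func (rp *relyingParty) enroll(user string, pub ed25519.PublicKey) {
	rp.pubkeys[user] = pub
}

// challenge issues 32 random bytes that are valid for one login attempt.
func (rp *relyingParty) challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// verify consumes the outstanding challenge (so a replayed response fails)
// and checks the signature over (own ID || challenge) with the stored key.
func (rp *relyingParty) verify(user string, sig []byte) bool {
	c, hasChallenge := rp.pending[user]
	pub, known := rp.pubkeys[user]
	if !hasChallenge || !known {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(pub, signedMessage(rp.id, c), sig)
}

func main() {
	key := newSecurityKey()
	bank := newRelyingParty("bank.example") // constructed sample service
	pub, _ := key.register("bank.example")
	bank.enroll("alice", pub)

	c, _ := bank.challenge("alice")
	sig, _ := key.sign("bank.example", c)
	fmt.Println("genuine login:", bank.verify("alice", sig))
	fmt.Println("replayed response:", bank.verify("alice", sig))
}
```

Two design choices carry the security of the flow: the service verifies against its own ID rather than one supplied by the client, so a signature obtained at a look-alike domain does not verify at the real one, and each challenge is deleted once checked, so a captured response cannot be submitted twice.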

FAQ

Can YubiKeys be used with mobile banking apps?

Yes, many mobile banking apps support YubiKeys, and for phones with NFC capability, you can just tap your NFC-enabled key to the back of your phone to authenticate. For devices without NFC, you can use a YubiKey with a USB-C connector or a USB-A to USB-C adapter. However, compatibility may vary depending on the specific banking app and your device, so you will have to check with your bank for supported authentication methods.

Are YubiKeys compatible with password managers like LastPass or 1Password?

Yes, the keys are compatible with many popular password managers, including LastPass and 1Password. These password managers often support YubiKeys as an additional layer of security to access your password vault. By using the key with your password manager, you add a physical authentication factor, making it much more difficult for unauthorized users to access your stored passwords and sensitive information.

Can YubiKeys be used for securing cryptocurrency wallets or exchanges?

Yes, they can be used to secure many cryptocurrency wallets and exchanges. Many major cryptocurrency platforms support YubiKeys as a form of two-factor authentication. This adds an extra layer of security to your crypto assets, securing them from unauthorized access even if your password gets compromised.
