There’s one bit of tech I’ve never actually adopted: a physical key to sign into my accounts. But with Yubico recently releasing the YubiKey Bio FIDO Edition security key, and the password I use for my Outlook account also recently breached by the only other log in I use that password for, I thought it was time I get my act together.
As is the curse of being a millennial too proud to read instructions, I slammed the YubiKey Bio into my Windows PC. This didn’t really do much and I was puzzled by a lack of pop up, then I remembered it isn’t 2004 and there’s no .exe to run. Thankfully, Yubico made a YouTube vid.
Setting up the Yubikey Bio
After resetting my Outlook password (because I clearly forgot the password I set after the previous one was caught up in a breach), I then had to register my YubiKey Bio with Outlook. This was fairly easy, the only frustration was finding where exactly in the settings I was meant to register the device (but that’s a Microsoft problem, not a Yubico one). I set a PIN and named the YubiKey. Easy days.
Next up was Dropbox. After stuffing around in the settings of Dropbox I had to Google due to being unable to find where to register my device. Turns out I had to set up 2FA first, obviously. But this was a very important note: two-factor needs to be on before the YubiKey Bio can be added.
Setting up the YubiKey was pretty straight forward and was essentially the same experience for Twitter and YouTube. I had to add a PIN for each account, in addition to lodging my fingerprint.
Setup did take a little longer than I was expecting across all the accounts that work with YubiKey (there’s so many). I was expecting to register the key with an app then be able to attach accounts that way and move on with my life. But look, once master setup is done, it’s a really cruisy process to sign into everything and it feels way more secure than a simple password. Plus, it’s far less annoying than having to enter the code sent to my phone, particularly when using a PC.
Using the Yubikey Bio
That brings me to using the key itself.
You can choose from password-less, strong two-factor and strong multi-factor authentication methods. The YubiKey uses biometric authentication (fingerprints), and the templates are stored in the key’s secure element. The YubiKey Bio also offers two-factor authentication, where you can use a password and layer additional security on using the authenticator and biometrics.
Using a MacBook Pro this time I headed to Outlook and logged in via the YubiKey Bio.
Tapping my fingerprint on the sensor and entering my PIN was pain-free and absolutely gives me nothing to tell you about. I deliberately used the wrong finger to test what would happen and after the third attempt, I entered my PIN. Also easy days. I guess that’s the problem with devices like these, if they work as they should, you shouldn’t have much to say.
What Yubico says
The proposition for the security gadget is that it’s built for business in that it can be configured for privileged users, a remote workforce and mobile-restricted environments. Yubico has also designed the YubiKey Bio for desktop and workstation applications and says it’s perfect for call centres and shared workspace environments.
For me, I’m using it to protect the spam in my personal email, secure recordings of interviews I keep in Dropbox and prevent anyone else from shitposting on my Twitter, so I can’t help but feel I’m not really maximising the power of the YubiKey Bio.
The YubiKey Bio FIDO Edition comes in either in USB-A or USB-C and is compatible with Windows, Chrome OS, macOS, Linux, Edge and Chrome. It also supports FIDO2/WebAuthn and FIDO U2F. It also features both public and private key cryptography.
Why do I need it?
The benefits of two-factor authentication are clear: a person trying to get into your accounts will need something else besides your username and password, which makes it more difficult to hack you. That something else is often a code sent via SMS or through an app, but the YubiKey presents a better option: a physical security key.
Because you’re using a physical object rather than a code, there’s no chance of you typing the code into a fraudulent website, or having it stolen by another app or by someone reading your screen. Authenticator apps are very secure, but they can be compromised remotely. With a security key, someone needs physical access to you.
You can assign multiple keys to your accounts too. Maybe keep one on your keyring and keep another in a safe place (like… inside a safe). There is, of course, the danger that you’ll lose your key or have it stolen, but it’s the same as a set of keys or with your smartphone. Backup options will be available if you lose access to your USB dongle.
Yubico’s YubiKey Bio, the verdict
I do like it. And I absolutely get the proposition from an enterprise perspective. This little thing is easier to use than I originally had it pinned and it makes signing into my accounts easier. No battery is handy and the fact I can keep it on my keychain is convenient (I just worry the way I treat my keys might result in me wearing down the fingerprint). Aside from that, the device itself seems pretty durable and it’s also water-resistant.
Is it easy to use? Yes.
Do I feel like my stuff is more secure? Yes.
Will I continue to use it? Yes.
Too frequently I change my passwords because I forgot what I have set for each account and it’s much easier to use than something like 1Password and more secure than storing passwords in your browser.
My only complaint is that the accounts that ‘work with’ Yubico kit could make set up a little easier, but that’s all. Do recommend. You can pick up the YubiKey Bio FIDO Edition for RRP $128.50.