YubiKey 5 vs Security Key for Multi-Factor Authentication

There is a subset of my readership that understands approximately two of the concepts in the above title ("vs" and "for"). I encourage members of that first group to give this entry a try, because my intention is to aim my explanations for you.

There is a subset of my readership that not only understands every concept in the above title, but knows more about this stuff than I do and can predict every conclusion I will reach. Maybe this entry will be useful in documenting my experience with YubiKeys in The Real World (tm), or at least at the University of Waterloo? You can read the section labelled "My Experiences" for that information.

I will start with some (hopefully brief) background on passwords and multi-factor authentication, then explain where YubiKeys come into this, and then document my experiences in using them so far.

Background: Passwords and Multi-Factor Authentication

The first observation is that we tend to use passwords for logging into things. You probably have several (or several dozen) passwords for email, banking, logging into personal and work computers, and so on.

The second observation is that passwords are terrible. The rule of thumb is that any password you can come up with. There are a number of reasons for this:

Humans are pattern monkeys, and we are fairly predictable. The words we choose for our passwords are fairly predictable. This is the same reason text prediction on smartphones works well -- it is pretty easy to guess what we will type.
We are not good at remembering big long random strings, so we choose passwords and phrases that are easy to remember. Those are usually easy for computers to guess.
We tend to reuse passwords (sometimes with small variations between sites). This is okay until one of those passwords leaks and is added to a big list of known passwords (see, for example, https://haveibeenpwned.com/). Then hackers can just try the passwords in the leaked list. If your password is on it (or somebody else has chosen the same password as you and it is on that list) then you are sunk.
In principle, passwords represent something you know. If somebody else knows the same thing, they can access your account even if you are in Canada and they are in Russia. A lot of accounts get hacked this way.

There are a few different solutions to this:

Somehow use better passwords
Have computer programs called password managers remember long and random passwords for you
Do not depend upon passwords alone for securing your accounts

(Current) Password Best Practices

The computer industry is moving away from passwords, which is probably okay except that password replacements (facial recognition, biometrics) are themselves creepy.

I do not know what the current best practice is around passwords. Here are my current guidelines:

Never reuse passwords for any account. Don't depend upon small variations in passwords across accounts.
Longer passwords are more secure than shorter ones. "Longer" currently means "dozens of characters"
Having to change your password every three months is not that effective if people just choose patterns for their updated passwords.
It is okay (although not ideal) to write passwords in a secure place (your wallet, a day planner, a security box, but not on your monitor or under your keyboard). It is better if you do not associate these passwords with their accounts, but this does not matter a lot -- if you lose the paper you need to change those passwords anyways. This technique is okay but does not scale for many passwords.
It is better to use a password manager to store your passwords for you. Then you need one strong password you can remember to open your password manager, and then your password manager can have completely random passwords for all your other accounts. I do not know what to recommend as a password manager. BitWarden seems to have a good reputation, but I feel more secure with a password manager on my computer, not one that is hosted on a website. This makes me a dinosaur.
There are different classes of passwords:
- Passwords you can paste in from your password manager. These can be completely random gibberish. I use the password generator at https://random.org to get the raw data for this, and then copy and paste random sections from several generated suggestions to form my new random password. Your password manager may have a password generation function as well. I try to make these passwords 50+ characters. Most of your passwords are in this category.
- Passwords you need to remember, probably because you have to type them in. I currently lean towards the approach advocated by this infamous XKCD comic. In particular I use the word generator from https://www.useapassphrase.com/ (which, incidentally, has an well-written explanation of password security that is worth reading). Then I take generated words from a few rounds of password generation and maybe separate them with punctuation, such as "Wrist:Pony:Voyage:Treachery:List" . Instead of five words I will often use six or seven, and I will add digits if the online service requires it.
- For some typeable passwords I am still using suggestions from the apg program. I think that this is relatively secure, although they are definitely less friendly than the XKCD approach.

My passwords go into my password manager so I do not forget them, but if I always end up pasting the password from the password manager anyways, then they should be random gibberish.

The common theme is that these passwords are all random, not things you think up from your pattern-loving imagination.

Are these guidelines secure? I do not know. I feel they are more secure than advice we have been giving out for decades. I feel there are probably big vulnerabilities in my thinking that will render some (much? all?) of this guidance useless in a few years.

Multi-Factor Authentication (MFA)

This gets us to multi-factor authentication, often abbreviated MFA. A related term is "Two-Factor Authentication", often abbreviated 2FA. The idea behind these terms is that you need multiple things to get into your account. One can be a password, but another can be something you own, whether that be biometrics (your irises, the blood flow in your palm), or an external device (a cellphone, or a YubiKey). If your bank texts you a code you need to enter when logging into your account, then you are using multi-factor authentication.

Multi-factor authentication is great. Even if your password is bad then MFA protects you a lot, because a hacker needs to know your password AND (in principle) needs access to your irises/blood flow/smartphone/YubiKey to log into your accounts. (This is not quite true -- the hacker needs the digital representation of these other factors, which is not the same thing as having the actual factors. For example, it used to be possible to fool some facial recognition systems by showing the system a photo of the victim.)

The reality is that when done right, MFA makes it much more difficult for hackers to break into your accounts. So why do we not all use it?

The Problem

There are actually a number of problems here.

The first problem is that if you lose all of your extra factors, then you lose access to your online accounts, perhaps forever. In particular, if you lose your smartphone then it can be a big pain to get access to your accounts again, so you had better not be depending on your phone alone.

The second problem -- and the bigger one for me -- is that I do not have a smartphone, and almost all MFA schemes in use today assume you have a phone as your second factor. I think this is stupid for a lot of reasons, but one is that phones are expensive, and I am a cheapskate.

A third problem is that smartphones are complicated devices that are juicy targets for hacking. I do not trust them as security devices.

YubiKeys solve some of these problems.

Why YubiKeys?

A YubiKey is a small device that looks a little like a small flat USB flash drive. It has a button on it which everybody thinks is a fingerprint reader, but is actually just a capacitance button that detects whether it is pressed. I plug in my YubiKeys into a USB port on my computer and use it as a second factor in multi-factor authentication.

YubiKeys are a form of hardware token. Unlike smartphones, they are special-purpose devices. The form factor is similar to old-school keys that unlock front doors, and they are intended to be stored on keychains along with your other keys. (There are also tiny YubiKeys that live in a USB port of your computer permanently, but I do not use those.)

As a second factor, YubiKeys are pretty great. For whatever reason, I trust them more than I trust a cellphone. Unlike a cellphone, they do not become obsolete every 18 months. They are not super-cheap (mine were $25 and $50USD respectively) but those are one-time costs and I do not have to pay for a data plan. Unlike biometrics they are not associated with my identity.

YubiKeys are not the only hardware token available, and they are not open source, but they appear to be the market leader. They are manufactured by Yubico, which I think is a Swedish company.

Standards: U2F, Fido, WebAuthn, TOTP, HOTP

There are a number of different mechanisms YubiKeys use to authenticate you to your accounts. I call these protocols. There is an entire alphabet soup of protocols. I honestly do not understand what how these protocols interact or even what they are, but from what I can tell there are two different categories of authentication that have come up in practice for me:

WebAuthn, U2F, Fido2 are a set of protocols that let me log in via a web browser. The web browser pops up a window that asks me to insert my security key and press the button. I do so and then I am authenticated. At UW I can register U2F keys myself.
TOTP, HTOP are forms of "One Time Passwords". My Yubikey generates some kind of password into a text field, which the authenticating service somehow checks is correct and associated with my particular key. Each time I press the button to reauthenticate, a new password gets generated, which is where the name "one time" comes from. Setting these protocols up is a pain: the Yubikey contains some secret key, which I have to share with the authenticating service (!) so they can synchronize the passwords. At UW I had to set up OTP services with staff members.

Note that a single YubiKey (in particular the YubiKey 5) supports both these families of protocols, so I can (and did) register my YubiKey 5 twice with UW -- once for U2F, and once for TOTP.

Blue vs Black YubiKeys

Yubico sells a wide variety of YubiKeys. There is cheaper one called the "Security Key". It is blue, so I think of it as my "Blue YubiKey". There is also a more sophisticated key called the "YubiKey 5 Series" which is black, and supports more protocols. I think of this as my "Black YubiKey". There are other fancier and more expensive keys out there, but I do not yet know why I would need them.

You can see the differences between different keys on this comparison chart.

The blue Security Keys support the WebAuthn/U2F/Fido2 protocols but not the HOTP/TOTP protocols. The black ones support both.

There is another technology called NFC ("Near Field Communication"). This is a wireless communication technology that would allow you to use a YubiKey with a phone without plugging it into a USB port directly. Instead you hold your YubiKey close to your phone and press the button, and then the phone wirelessly communicates with the YubiKey to do its authentication magic. Although I probably shouldn't, I mistrust NFC because it is wireless and thus creates a greater attack surface. Also I did not need (nor want!) NFC because I don't have a cellphone, and all the devices I want to use for authentication have USB ports! So I was very happy to see that the blue Security Key was offered without NFC support. Sadly, it looks as if all Security Keys for sale now come with NFC.

I opted to purchase some YubiKeys of my own. I bought two YubiKeys -- a blue Security Key and a black YubiKey 5. I bought two keys because I was worried about losing one and being locked out of my accounts. I bought a blue one and a black one because I wanted to know what the practical differences were between them.

YubiKeys at UW

I dragged my feet on getting YubiKeys until the University of Waterloo forced my hand. They decided to make two-factor authentication mandatory for their web services. Most members of UW have smartphones, and somehow used their smartphones for authentication with the new system. I am a cheapskate dinosaur. The authentication system UW went with (called "Duo") even supported calling a landline, but that did not help me either.

Fortunately UW is aware that some of its staff members are dinosaurs, and they did a smart thing: they offered black YubiKeys to any employee who did not have a cellphone. I took advantage of this, and thus in principle I did not need to get my own YubiKeys. I am glad I got my own YubiKeys, though, because I had to give back the UW YubiKey when my contract was over, which would have meant I would have been locked out of (most of) my UW accounts when my contract ended. That would have been bad for a number of reasons (including my students contacting me after the term ended).

I registered both my blue and black YubiKeys to the system. I registered the black key to use both WebAuthn/U2F/Fido2 and TOTP/HOTP as separate entries.

There is some management software available for YubiKeys. You can use this to disable NFC interactions and to find the secrets you need to register the YubiKey for TOTP/HOTP access.

My Experiences

Mostly, the WebAuthn authentication works fine. There were a couple of notable exceptions where only TOTP/HOTP worked:

The UW VPN (virtual private network) software uses something called "Cisco AnyConnect". This only works with the OTP password options, so I could not use my blue YubiKey for this.
For some reason the WebAuthn authentication works only with web browsers? In particular, the desktop client for Microsoft Teams (which is just a web browser wrapped in a standalone desktop shell??) does not work with WebAuthn. I can only use OTP with it.

There is an option to "Remember me for 30 days" so that I do not need to authenticate every time I logged in. I did not enable this (it seems counterproductive to me), which means I was using my YubiKey every day.

I kept my black YubiKey on my keychain. It is supposed to be robust, but is definitely showing wear and tear compared to my blue YubiKey, which I keep in a more protected/secure place. There were a few times when pressing the button on my black YubiKey did not seem to register anything. YubiKeys last a long time but they are not indestructable, and I feel my black one will likely fail in a year or two if I keep it on my keychain.

I lost the blue YubiKey once and freaked out a little. I was very glad to have the black YubiKey at that time. I was going to purchase a third YubiKey so I would have another backup (and unregister the blue YubiKey from my account) but fortunately the blue YubiKey turned up in my laundry. I had accidentally run it through the washing machine (natch). As far as I can tell it is fine.

I am glad I got the YubiKeys in different colours. I do not know how I will distinguish multiple keys of the same colour easily. I am thinking of paint, or maybe engraving an identifying rune into each key if that is safe.

Blue or Black?

I like the simple blue Security Keys a lot, not least because they are half the price of the black YubiKey 5 devices. But because it turns out I need OTP functionality, and because the blue Security keys come with NFC, I think the next key I purchase will probably be a black one.

I have not tried this but apparently the black keys also support protocols to log a person into their computer (Mac/Windows/Linux) automatically with no password. I do not think I personally would benefit from this, but I could see it being really handy. As a single factor, I feel a YubiKey is probably more secure than a password.

Other Considerations

I have a few other thoughts about my YubiKey experience.

Market Considerations and Monopolies

Yubico is not the only manufacturer of U2F hardware tokens. I went with them because they are the market leader, which means that if an online support has any hardware token support, it is likely to be a YubiKey.

I am also protectionist and bigoted in my thinking. A bunch of the cheaper U2F tokens come from China, and I am not sure whether I should trust them.

I think I am willing to try a different manufacturer of hardware tokens, but I would be inclined to keep a YubiKey around as the key that "just works". My online accounts are too important for me to jeopardize by squeezing pennies. On the other hand I worry about Yubico becoming a monopoly in this space. They seem like a pretty good company now, but good companies can turn evil quickly.

Migrating Other Accounts

As of this writing I have not added multi-factor authentication to any of my other accounts. I feel I probably should, but I have hesitations. Most of my accounts use strong random passwords. That does not protect me if there is a data breach, but in most other ways I am protected.

I am especially scared of enabling MFA on my email accounts, although this is exactly what I should be protecting the most. If my email gets hacked, then all of my other accounts are in jeopardy because the hackers can use "Forgot your password?" functionality everywhere else to reset the passwords for those accounts.

I do not love the inconvenience of finding my YubiKeys and putting them in my computer every time I want to check email or access an account, even though it is not all that much hassle.

One thing that will definitely be a hassle is fixing all my accounts if I lose a YubiKey.

Despite all these caveats, I think there are definitely a few accounts I should be locking down with MFA.

Backup Keys

I think getting multiple YubiKeys is definitely best practice. I think having one key in a safety deposit box is a good idea, provided you keep that emergency key registered with all your accounts. At the very least you should have two keys. I suppose having a cellphone as one factor and a YubiKey as a backup works as well.

Website Support

I was quite grumpy with the Canada Revenue Agency because they require multi-factor authentication on their website, but they did not support YubiKey as a second factor. I called them and got them to revert my account to password-only, but then they came up with a different mechanism for MFA which I might blog about later.

Support for Yubikeys as a second factor is not terrible, but my understanding is that there are still many websites (including banks!?) which do not support them. I do not like this.

Security

I feel that YubiKeys are probably one of the best second factors you can get overall. They are relatively private (because they are not tied to your biometrics). They are relatively easy to use, and my understanding is that they are pretty secure and hard to spoof.

My understanding is that the most common form of multi-factor authentication (sending codes via SMS to cellphones) is fairly insecure.

I especially appreciate that hardware tokens are limited in scope. They are supposed to do one thing and only that one thing. In fact, I prefer the blue Security Keys because they are simpler than the black ones. Simpler keys mean that there are fewer ways they can be attacked.

Should You Get a Pair of YubiKeys?

Sigh.

If you are in the subset of my readership who is technically sophisticated but for some reason does not practice good password security already (or maybe does not have MFA already) then I think that YubiKeys are a good solution, and I would recommend them. If you have some other better MFA solution then maybe you do not need a YubiKey solution in addition.

If you are in the subset of my readership who did not understand the title but somehow read through this entire article, then my advice is mixed. I feel that YubiKeys might be a good solution, but it is complicated:

These days I do most of my computing on computers I own, not public access computers at the library. You have to make sure those public computers have the right kind of USB ports that your YubiKeys can work with.
You have to know whether the web services you care about will work with YubiKeys. This is not always straightforward.
You need to get at least two YubiKeys and set them all up, and then keep one in a safe place. Losing access to your accounts is the big danger here.

My original advice was that improving your password practices (generating better passwords, and using a password manager if you can) would be more beneficial short-term solutions than enabling MFA with a YubiKey, but I am not sure that is true. If you can technically handle the complexity of dealing with a YubiKey and the websites you depend upon support YubiKey authentication, then overall it would be better for you to use MFA to log into your accounts, and then it is less important that your passwords are secure. I still feel that improving your password practices has benefits.

I worry about the additional complexity YubiKeys introduce, and (selfishly) how much additional support I would have to do to help you use them properly.

If you have a smartphone then using an authentication app (such as Google Authenticator or Authy) might be the way you should go. That is how most other people do multi-factor authentication, and so it is well-supported.

I feel that YubiKeys are a good solution for me. I would be willing to discuss whether they are a good solution for you, but there may be other good solutions for you.