35 votes

For those who have tried YubiKey for personal use, is it worth it?

I saw people talking about YubiKey here a few weeks ago so I got curious. Unfortunately, I’m not seeing a lot of helpful reviews for it.

I’m personally getting tired of having to take my phone anytime I need 2FA for Okta but I don’t have a lot of super important accounts to secure so I’m going back and forth in deciding whether the 100+ euro investment (to get two so that there’s a duplicate) would be worth it.

How do you use your YubiKey in your personal life and do you think it's worth your use case?

35 comments

  1. [8]
    ingannilo
    Well... The 2FA required by my job is pretty irritating. I have to authenticate to sign in on a number of different products, and due to the nature of my work I end up doing this on three or four machines per day in different locations. Some of those locations have garbage cell service, so for me it was an easy choice and much needed improvement.

    I've gotten used to using it at work and at home. It's more convenient than any other 2FA mechanism I'm aware of. So... Yeah, I'm a fan.

    14 votes
    1. [7]
      Ketchup901
      Why do you need cell service to use 2FA?

      1 vote
      1. [5]
        creesch
        Some 2FA solutions actively prompt you asking if you were trying to sign in. Others like microsoft authenticator do stuff like showing a number on the screen where you try to log in which you then have to type into the pop-up on your phone.

        Those solutions obviously don't work without internet, so if you are on the go and your phone can't access a wifi network you really do want cell service.

        3 votes
        1. [3]
          Chobbes
          Usually when you have to enter a number from an app on your phone that's TOTP, which does not require an internet connection, just that the device has a reasonably well synchronized clock. It roughly works by hashing the current time (aligned to 30 seconds or so) concatenated with a shared secret value (that the site / server you're logging into usually gives you in the form of a QR code), when you log in the website compares your hashed value with the one it computes (it saves a copy of the shared secret as well when you enable 2FA).

          2 votes
          1. [2]
            creesch
            I am familiar with TOTP, that's not what I am talking about in this instance:

            1. On the device I am trying to log in after entering my credentials a number is shown.
            2. On my phone a popup comes up asking me if I am trying to log in.
            3. I then on my phone need to put in the number shown on the device where I am trying to log in.

            Screenshot.

            See also: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match

            1 vote
            1. Chobbes
              Ahhhhh, okay, yes. I have seen this on Apple devices too :). I debated mentioning this in my comment, but ultimately made the wrong choice I guess! Did want to make sure that people were aware that TOTP would work even if their phone wasn't connected to the internet for some reason, though.

        2. Ketchup901
          Yeah but if you require that you're probably not supporting U2F/Yubikey either.

      2. Chobbes
        The obvious answer would be that it used SMS for 2FA. I'd be a little surprised for something to support SMS and FIDO U2F and not TOTP (which would work on a phone without cell service) but it's not completely unheard of.

  2. FriendlyGnome
    "Worth it" is subjective. I'm absolutely a casual user. For me, I think it's worth it for the peace of mind of having stronger security on my important accounts, and so that I can reduce how often I need to get out my phone for 2FA.

    I have four keys today: two PCs I use regularly each have a resident key, one on my keychain, and one backup. Each one is a different form factor - USB C, mini C, NFC C, A. The always-installed keys make it very simple to log in. (note, I'm not so concerned about physical access to the keys so it doesn't bother me that they are always connected. I'm concerned more about people remotely getting access without my knowledge)

    It took about an hour or two to get five services set up with each - Google, LastPass, id.me, Vanguard, namecheap. They all work seamlessly across machines. If/when I add more services, it will be kind of a pain to collect all the keys again for setup.

    7 votes
  3. [7]
    Shahriar
    I find it the most convenient and securest way of using FIDO2 and OATH's TOTP. For TOTP, instead of using an app like Aegis or Raivo, I use Yubico which loads my TOTP keys from my physical Yubikey. In essence, I strictly use hardware and even if I lose my keys, you still need my pin to access the keys. If I were to repeat my choice of method from scratch given what I have learned over time, I would still do this as it is my preferred method.

    I think in a decade, phones will take over for FIDO2 or whatever standard it will be at the time, and we will make way with passwords or any form of TOTP.

    5 votes
    1. [2]
      lhamil64
      I got a couple Yubikeys and started setting them up with my TOTP codes but then realized there's a limit of 32 codes. I currently have 36 in my TOTP app. I could probably switch some of those over to FIDO2 to get under the limit but that doesn't leave a ton of room for expansion if/when I sign up for new services (which might not support FIDO2)

      2 votes
      1. Shahriar
        Yup, the limit of 32 also had me navigating where I could use FIDO2 instead, luckily I'm under that threshold now.

        1 vote
    2. [4]
      fxgn
      I think in a decade, phones will take over for FIDO2 or whatever standard it will be at the time, and we will make way with passwords or any form of TOTP.

      I think in a decade Passkeys will replace passwords in many places. They're already supported on all major operating systems (I think only Linux doesn't support them yet, but it's just a matter of time), and they're more convenient and secure than passwords.

      1. [3]
        Shahriar
        That's what I was referring to.

        1. [2]
          fxgn
          Oh, my bad, I didn't know what the phrase "make way with" meant, sorry

          2 votes
          1. Shahriar
            It's all good, no worries :)

            1 vote
  4. [2]
    DataWraith
    While Yubikeys are the most popular security keys, they are kind of expensive.
    I wasn't sure whether I wanted to invest that much either, so I started with a cheap FIDO2-compatible key for around 10€, and later got a different model as a backup around the same price point.
    The keys work fine with the providers I have them set up for (GitHub, E-Mail and a few others) -- whenever the site wants you to authenticate, you enter your username and password, and then select the security key option. The key starts to blink until you press the physical "I'm here" button on it, and then you're logged in. It is much more convenient than getting out my phone, starting the TOTP app and typing in the six digit code. I'd say it's worth the 20€ I paid, but I'm not sure if the additional features of a Yubikey warrant the increased price.

    3 votes
    1. Chobbes
      If you just want U2F there are cheap options... If you want a fully featured key that supports PGP as well I'm not sure the Yubikeys are notably more expensive than the alternatives. Happy to be proven wrong, though, I'd love some cheaper keys :).

  5. Rudism
    I've been using cheaper Thetis Fido2 security keys, because Yubikeys seem silly expensive to me. I use them for a few different things:

    • there's a PAM module that lets me use the key instead of needing a password to unlock my computer or sudo at the shell
    • I use an ecdsa SSH key for SSHing to various machines and pushing git commits, so I can use the key instead of having to type a password or set up ssh-agent (still need a password for gpg signing git commits though, haven't figured out how to replace that step yet)
    • run a webauthn proxy in front of a few self-hosted websites and services that I don't want publicly accessible, so I can access those using the key without a password
    • set it up as the 2FA device on any services I use that support webauthn (Fastmail, Bitwarden, Gitlab, etc)

    I find it to be a minor convenience--probably not worth the price of Yubikeys, but definitely worth it at around the ~$25 or less price point per key.

    3 votes
  6. [5]
    blitz
    I think in the next 6 months to a year we're going to see passkeys take off in a big way. Passkeys will pretty much completely obsolete yubikeys and all other 2FA methods as they are much more secure. I use yubikeys myself, but I don't think at this moment it would be worthwhile to buy any yubikeys.

    Passkeys will basically have 2FA built in. All the major passkey providers store your private key encrypted, and will use biometrics (or at the very least a system password) to decrypt them. Your possession of the private key data and your unlock method provide the separate factors without needing any external hardware.

    2 votes
    1. [2]
      arrza
      Biometrics make me super uncomfortable. They're impossible to change if compromised. Law enforcement can compel you to provide them (or just smack you in the head with a mag light and unlock it while you're unconscious). I will resist any use of biometrics to my last breath.

      14 votes
      1. skybrian
        Yes, someone worried about that would want to use a real password.

        However, there are other threat models where local-only biometrics are useful. It prevents shoulder-surfing and your account from getting broken into if someone steals your device. Maybe it would stop working if there were black-market databases of biometrics for sale (like there are for passwords and credit card numbers) but that hasn’t happened yet.

        I’m not prepared to go up against law enforcement if they singled me out, and maybe this is naive of me, but I’m fairly comfortable with that. Other people will care about different things.

        Also, iOS requires you to type a passcode fairly often. It’s not relying entirely on biometrics.

        1 vote
    2. [2]
      Comment deleted by author
      1. blitz
        Yes, there is a certain cohort of people for whom passkeys won't be sufficient, whose use of yubikeys extends beyond webauthn. My comment was not directed at you.

        In my opinion, the reason the big players are getting to passkeys first is that a passkey manager requires much more system integration than a password manager, and the big players have more resources at their disposal to implement them. Also, the APIs for integrating with the OS and various browsers are still being worked out. MS, Apple, all the third party password managers are spending a lot of resources trying stuff out and working with each other to figure out how to make interoperable systems to allow users to use whatever password manager they want on whatever operating system they want, but it's all still changing very quickly.

        For volunteer-run FOSS projects, it's not yet worth the time to start working on these APIs, but once they settle I'm sure we'll see the FOSS clients also take up passkeys. They're just so much safer than passwords, and a much better user experience.

        Edit: 1Password with the browser extension has passkey support for Firefox on Linux. I just tried it.
        Edit2: For websites that don't do user agent sniffing. Github works, paypal detects that you're using Firefox and won't allow you to use passkeys, even when it has support.

    3. skybrian
      If you have multiple devices (for example, a phone and a tablet) then passkeys should work well. I'm more skeptical that people with only a phone will be able to rely on cloud backup and recovery. A Yubikey makes sense in that case as another way to avoid being locked out of an account.

      2 votes
  7. devilized
    I have a Yubikey for work, and it's worth it there. But for personal use, I just use Duo wherever it's available (such as Bitwarden). I have too many devices for Yubikey to be a good solution for me for personal use, but 99% of my work is done on my work laptop where my Yubikey permanently takes one of the USB-C slots.

    2 votes
  8. skybrian
    I just have one Yubikey. There are alternative ways of adding redundancy for account login, like printed backup codes in your safe, authenticator apps, and (recently) passkeys.

    I tend not to use it much because it’s USB2 and I need to use an adapter nowadays. But I use it as a way of logging into Google on a new device when I buy one.

    1 vote
  9. the_eon
    Compared to typical passwords, passkeys such as yubikey are significantly better. More secure, no need to enforce rotation, typically faster. But in the case of something like yubikey it is a physical device, so now you need to carry around this physical thing on you.

    Now 2 reasons I still use a yubikey despite this need to carry it around with me:

    1. If you don't have it on you, you can typically use 2fa to still log in, eg password plus text code.
    2. The cases where you don't have the physical key with you are no more annoying or time consuming than if you didn't have a yubikey at all.

    However, if you use a single yubikey for everything, it's kind of like using the same password for everything. If someone gets your key, they get access to everything. So losing the key can be devastating and require a lot of time to fix.

    But more and more, digital passkeys are becoming a thing. Like Windows can act as a passkey device. Some password managers, eg Dashlane, can also provide digital passkeys. Harder to steal/lose, typically, but with the trade off that if you aren't on your device, you can't easily (if at all) access them.

    Personally, I love the nfc+usb-c yubikey, and I love that it's physical because I work from home so I don't typically need to bring it to other places. I also have a separate one just for work so I don't risk losing both personal and work access to things if I take a single key somewhere.

    1 vote
  10. [3]
    EnigmaNL
    I never quite understood how you're supposed to use them. Does it have a password store like Keepass on it? Do you plug them into your PC? How do I get an OTP from the Yubikey?

    How do you use them on non-private computers (like work PC)?

    1. [2]
      xvnz
      Yes, yes, yes, and it depends on what your employer has set up for that.

      In more detail:

      • with respect to the password safe, the recent ones have that. https://www.yubico.com/works-with-yubikey/catalog/password-safe/ The older ones may have it as well, but I personally don't use that feature.
      • with respect to plugging it in, you stick it into a USB port. It draws power from there and (typically) registers as a keyboard.
      • you get an OTP by tapping it in a particular spot, and the code is autofilled in whatever window/text field/input area you currently have selected*
      • you use it the same way on a work computer as on a personal one, but in the latter case you're likely authenticating against a single-sign-on installation rather than directly against, say, a website

      *which sometimes leads to amusing results when you forget there's a chat window in the foreground.

      1 vote
      1. EnigmaNL
        Thank you, that clears it up a little.

        It looks like a very good thing for security but I think for me, it would just be another thing I can lose or forget. I'd have to carry one with me at all times which is kind of annoying. I always carry my keys, wallet and phones when I go outside but at home I don't have those near me (except for my phone).

  11. Pavouk106
    I use GoTrust IdemKey with kinda similar service to OpenID - it can be used on various sites to identify the user and used for login and to fill in data (like contact info in an eshop) and to access... say citizen portal of government sites (I'm no native English speaker, I hope it is clear enough).

    Just before writing this I searched for SSH and found a manual how to set this IdemKey to work with SSH. I have to try it.

    I don't use it for Google authentication or any other service. I might look this up too. I also have to buy second one for backup purposes.

    And believe it or not, I got my IdemKey for free from CZ.NIC. I also got Turris router from them (the first version, blue metal chassis), also for free - well, in exchange for data collection, you may look it up, it was and is great project and great organization.

  12. [2]
    zoroa
    If I can ask a related question to people who use a security key for personal use: Which ones are you buying?

    Security Keys seem like the kind of thing you want to own multiples of, but that's a tough ask at $50 for a single Yubikey. Especially if you were trying to deploy for multiple people.

    1. blitz
      If you're just looking to use it as a 2nd factor for logging in to stuff that supports FIDO authentication (all websites, most apps) you don't need to buy the $50 key. You can get the $30 fido-only key. The $50 key has a bunch more features that I don't personally use like being able to store your SSH secret key on it, PIV smartcard, etc.

  13. [2]
    bret
    I don't have a yubikey, but I just want to say I hate 2FA so much. Every single bank, subscription, service, I use has to send me a text or have me put in a code from their app or whatever and I hate it. Yubikey is nice but lots of services (such as my bank) don't support it, I don't really see passkeys taking off (someone steals your fingerprint and now has your "master key" forever?).. I wish there was some kind of actual standard these services all agreed on so I don't have to scramble for my phone every time I sign in somewhere. Or just let me use my password which will never happen.

    1. spit-evil-olive-tips
      I don't really see passkeys taking off (someone steals your fingerprint and now has your "master key" forever?)

      that's not how it works.

      I wish there was some kind of actual standard these services all agreed on

      that's what passkeys are.

      there's a fuckton of FUD about them going around, but the important part is that they're standards-based.

      every "we support passkeys" announcement should really be read as a "we support FIDO2 WebAuthn".

      (if you want to know the nitty-gritty details, this video is a 45 minute long conference presentation that goes over the acronym soup of FIDO, FIDO2, U2F, WebAuthn, CTAP, etc)

      a passkey is just FIDO2 WebAuthn as a single-factor, without a separate password.

      the user-facing rollout of passkeys has been pretty terrible, but the upshot is that support for WebAuthn is becoming ubiquitous, and that's a very good thing.

      there are other standardized forms of 2FA (TOTP being the most common). but (the video I linked above does a great job of explaining this) TOTP is vulnerable to phishing attacks.

      WebAuthn gives us an open 2FA standard that is resistant to phishing.

      3 votes
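Why "WebAuthn is resistant to phishing" and "someone steals your fingerprint" is not how it works, as an added worked example (my code, not from the thread or from any FIDO library): the server never receives a fingerprint or PIN, only a signed assertion, and the relying party checks below are what make a relayed login from a look-alike domain fail. The browser writes the page's real `origin` into `clientDataJSON`, the authenticator hashes the RP ID it was registered under into `authenticatorData`, and its signature covers both, so a phishing page cannot rewrite either. `RP_ID`, `ALLOWED_ORIGINS`, the challenge bytes and the sample assertions are all assumed/constructed; the final ECDSA or EdDSA signature check over `signed_message()` needs a crypto library and is named but not implemented here.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying party configuration (hypothetical, not from the thread).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

FLAG_UP = 0x01  # user present: someone touched the key
FLAG_UV = 0x04  # user verified: PIN or biometric checked on the authenticator itself


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes):
    """Fixed prefix of authenticatorData: rpIdHash (32) | flags (1) | signCount (4, BE)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return rp_id_hash, flags, sign_count


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    require_uv: bool = False, last_sign_count: int = 0) -> list:
    """The relying-party checks that precede signature verification in the WebAuthn
    'Verifying an Authentication Assertion' procedure. Returns the names of the
    checks that failed; an empty list means the data is consistent with a
    legitimate login from one of ALLOWED_ORIGINS."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    # The challenge is server-chosen per login; a wrong or reused one means replay.
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        problems.append("challenge")
    # The browser, not the page's JavaScript, writes origin into clientDataJSON, and
    # the authenticator's signature covers its hash, so a phishing site cannot alter it.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        problems.append("origin")
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    # The key scopes each credential to the RP ID it was registered under.
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        problems.append("rpIdHash")
    if not flags & FLAG_UP:
        problems.append("user-presence")
    if require_uv and not flags & FLAG_UV:
        problems.append("user-verification")
    # A non-increasing counter suggests a cloned authenticator or a replayed assertion.
    if sign_count != 0 and sign_count <= last_sign_count:
        problems.append("signCount")
    return problems


def signed_message(auth_data: bytes, client_data_json: bytes) -> bytes:
    """What the authenticator actually signs: authenticatorData || SHA-256(clientDataJSON).
    Verifying the signature over this with the public key stored at registration is
    the final step and needs an ECDSA/EdDSA implementation (not shown)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


# --- constructed sample data, standing in for what a browser and key would produce ---
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server uses random bytes
    ok = check_assertion(make_client_data("https://example.com", challenge),
                         make_auth_data("example.com", FLAG_UP | FLAG_UV, 7), challenge, True, 6)
    phish = check_assertion(make_client_data("https://examp1e.com", challenge),
                            make_auth_data("examp1e.com", FLAG_UP | FLAG_UV, 7), challenge, True, 6)
    print("legitimate login:", ok or "passes")
    print("relayed from look-alike domain:", phish)
```

In practice the look-alike case never even reaches the server: the browser on `examp1e.com` only lets the key use the RP ID `examp1e.com`, for which no credential exists, so the key produces nothing. The checks above are what stop a forged or tampered assertion if an attacker tries to hand-craft one anyway.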