One of the most important security precautions you can take with any online service is to turn on two-factor authentication, or 2FA. (Some services refer to 2FA as multi-factor authentication or two-step verification, but the underlying technology is the same.)
With this extra protection enabled, anyone who wants to sign on to a service on a new device must supply a second form of identification in addition to the password. That extra step, at least in theory, prevents an attacker from using stolen or phished credentials to sign in to a service.
The most common second factors are SMS text messages and codes generated by an authenticator app installed on a smartphone. (For more on authenticator apps, see “Protect yourself: How to choose the right two-factor authenticator app.”) But there’s an additional option: a hardware-based security key that plugs into a USB port or connects with a tap on an NFC-enabled mobile device.
Disclosure: ZDNet may earn an affiliate commission from some of the products featured on this page. ZDNet and the author were not compensated for this independent review.
Hardware-based 2FA security
For the past week, I’ve been testing out two security keys supplied by Yubico, a well-established player in the field. The YubiKey 5 NFC ($45) is a thin but sturdy device that fits in a standard USB Type-A port and also supports NFC connections; the YubiKey 5Ci ($70) is smaller but equally sturdy, with a USB Type-C connector on one end and an iOS-compatible Lightning connector on the other end.
Why pay for this sort of security when the software-based options are free? Primarily because hardware-based keys are significantly more secure than SMS- and software-based options. That’s especially true for journalists, activists, and people who work for high-value targets like banks and defense contractors. As the FBI warned just a few months ago, SIM-swapping and other attacks can make it possible to bypass 2FA protection.
Hardware-based security, on the other hand, is much more difficult to successfully attack remotely. To sign in, you have to insert the key and then tap it in response to a prompt to submit the proof of identity.
The Yubikey devices I tested support hundreds of services that use a handful of standards, including FIDO2 Web Authentication (WebAuthn). A full list of supported services is available on the Yubico website, where you can search and filter to find the ones that interest you. It’s worth noting that support for hardware-based authentication is considered a premium feature for many services; for example, if you use the password managers LastPass, Dashlane, or Bitwarden, you must upgrade to a Business, Premium, or Enterprise plan to enable a security key as a second factor.
I tested both YubiKey devices with a representative sample of the kind of services you’re likely to use regularly, including 1Password, Dropbox, Namecheap, GoDaddy, and Twitter. I also used the hardware key to secure Microsoft and Google accounts, as well as to sign in to a local account on a MacBook Pro.
In general, the setup process was quick and easy and the security keys worked well on either a Windows 10 PC or a Mac, using any modern desktop browser. I used the Chromium-based Microsoft Edge and Google Chrome on Windows 10, and used Edge, Chrome, and Safari on the Mac. Firefox and Brave are also compatible with these devices.
In every case, the setup process is similar. Open the website for the service, authenticate using whatever 2FA options are currently set up, navigate to the security settings page, and choose the option to configure a security key. That triggers a request like the one shown here; follow the instructions, including tapping the designated contact point on the hardware, to save the credentials on the key.,
For some sites, I was able to configure both keys, but others, such as Twitter (shown below) support only a single hardware key. To replace the key, you have to disable that method, then re-enable it and run through setup again.
Yubico also makes an authenticator app that works like any other TOTP code generator except that it requires a tap of the hardware key to activate.
Azure AD: Some assembly required
For most situations, configuring a hardware key as a trusted second factor is fairly quick and straightforward. However, I ran into two applications where I had to do some extra work before I was able to use the YubiKey.
The first was with a Microsoft Azure Active Directory account used with an Office 365 business subscription. Consumer Microsoft accounts support hardware keys directly, but for business accounts, multi-factor authentication using hardware keys is still officially a preview. To enable it, I had to go to the Azure AD administration center, then click through security settings to get to the Authentication Methods page shown here.
Once that task was complete, it took a few minutes for the setting to propagate to my test account. After signing out and signing back in, I was able to go to https://myprofile.microsoft.com, sign in with the Azure AD account, and create the new security settings.
MacOS: There’s an app for that
The other place where I needed to do an unexpected amount of work was to set up signing in to a MacBook Pro using the YubiKey 5Ci as a smart card. For that process, I had to download the YubiKey Manager app and run through a three-step process using the Privilege and Identification Card (PIV) application.
It’s a pretty straightforward process that involves replacing the default user PIN for the smart card emulation, then generating a pair of keys. But after that setup was complete, I was able to skip typing my long, complex password to sign in. Instead, I just tap the YubiKey and then enter a six-digit PIN.
If you use a PC running Windows 10, that might sound familiar, because it’s essentially a variation on Windows Hello. The difference is that Windows 10 treats the device and its TPM chip as a smart card, allowing you to sign in with a PIN or biometric authentication. But if you want to skip Windows Hello and use an external hardware device, you can do that in Windows 10 as well.
The mobile experience
The experience wasn’t nearly as smooth on mobile devices, unfortunately.
You would think that the dual-head design of the YubiKey 5Ci, with USB Type-C on one end and a Lightning connector on the other, would be ideal for modern mobile devices, which universally use one of those two ports. Alas, that wasn’t the case.
Yubico points out in its documentation that the Lightning connector has “emerging support.” I found that to be the case when, for example, I tried to sign in to the GoDaddy app but received an error message that the authentication method wasn’t supported by either the browser or the app. Likewise, trying to authenticate in the Namecheap app resulted in an error message.
I was successful at signing in on the iPhone to Namecheap, Twitter, and the GSuite admin panel in a browser using the YubiKey 5 NFC, once I learned how to tap the key against the NFC reader on the iPhone. On an OnePlus 7 Pro running Android, the security key failed to authenticate me in Microsoft Edge but worked flawlessly in Chrome. Making that NFC connection wasn’t nearly as easy as on the iPhone XS, however, because of the placement of the NFC reader on the OnePlus.
The lack of support for that Lightning connector on iPhones is a real point of frustration for anyone who also uses a MacBook Pro or a Windows PC that has only USB Type-C connectors. The YubiKey 5 NFC works with a USB A-to-C adapter or dongle, but that’s considerably less elegant than the compact YubiKey 5Ci.
Conclusions (and a note on the importance of backups)
One of the most important lessons you learn when working with multi-factor authentication is to always have a backup way of authenticating. Almost every site that supports 2FA offers the option to print out backup codes that you can use in the event your other authentication methods aren’t available. For example, if you’ve set up a service to use SMS text and an authenticator app on the same smartphone, you’re in a world of trouble if that phone is lost, stolen, or damaged.
I was able to confirm this lesson while testing Namecheap’s support for hardware keys. Although the domain registrar supports three different 2FA methods, you must choose one and only one. When I incorrectly set up a hardware key during testing, I was extremely glad that I had printed out recovery codes, one of which let me back in immediately.
These two YubiKey devices are designed to fit on a keychain, which means for most people they’re always close at hand. Because I mainly work at the same location (especially during the current lockdown) I prefer to keep the YubiKey in my laptop, so I don’t have to fumble for my keys when I need to approve an authentication request. For that application, the $50 YubiKey 5 Nano or the $60 5C Nano might be a better choice. But that option means giving up the NFC support with mobile devices.
As I said at the beginning, the main reason to use a hardware key is to avoid the risk of using a phone number that can be SIM-jacked. For services that allow you to turn off authentication via a phone number, the combination of a hardware key and a smartphone-based authenticator app, with a set of backup codes locked in a file drawer, is the ideal solution. For services that won’t allow you to disable SMS as a 2FA method, this isn’t possible, unfortunately.