FIDO U2F Security Key - the original and trusted security key from Yubico, co-creator of the FIDO U2F standard
Get free shipping
Free 5-8 business-day shipping within the U.S. when you order $25 of eligible items sold or fulfilled by Amazon.
Or get 4-5 business-day shipping on this item for $5.99. (Prices may vary for AK and HI.)Learn more about free shipping
Fulfillment by Amazon (FBA) is a service we offer sellers that lets them store their products in Amazon's fulfillment centers, and we directly pack, ship, and provide customer service for these products. Something we hope you'll especially enjoy: FBA items qualify for FREE Shipping and Amazon Prime.
If you're a seller, Fulfillment by Amazon can help you increase your sales. We invite you to learn more about Fulfillment by Amazon .
- Enter your model number to make sure this fits.
- Protect your online accounts with strong two-factor authentication
- Works with Google, Facebook, Dropbox, Dashlane, GitHub
- USB Type A compatible; 3mm thin key, fits nicely on a keychain and inside a wallet
- Extremely durable; crush and waterproof, no moving parts; Works with a simple touch
- Made in the USA and Sweden
Frequently bought together
Customers who bought this item also bought
Customers who viewed this item also viewed
Have a question?
Find answers in product info, Q&As, reviews
Please make sure that you are posting in the form of a question.
Two-factor authentication made easy!
Yubico's FIDO U2F Security Key is a USB device you use in combination with your username/password to prove your identity. With a simple touch, the FIDO U2F Security Key protects access to your Google, DropBox, and Dashlane accounts. Keep one on your keychain with your house keys, and a second backup key in a safe place at home in case you ever lose/misplace your house keys.
Easy-to-use FIDO U2F Security Key performs the FIDO Universal 2nd Factor security protocol.
Easier and safer than authenticator apps: No more reaching for your smartphone to re-type passcodes you receive via SMS or from an authenticator app. Just plug in your FIDO U2F Security Key and tap to securely log in quicker than with SMS or authenticator apps.
Works out of the box to with popular consumer applications: Protect your Facebook, GMail, DropBox, and Dashlane accounts.
Using your FIDO U2F Security Key: Go to yubico.com/start for instructions on how to register your FIDO U2F Security Key with applicable services. Steps to enroll your FIDO U2F Security Key may differ from service to service. Yubico has provided steps based on their own testing, and links to those services for full instructions.
USB Type A compatible: Plugs into USB Type A ports. Purchase adapters for devices that feature USB-C ports.
Extremely durable (IP67 class rating by IEC 60529): High quality, crush-resistant, and water-resistant.
Attaches to house and car keychains.
Manufactured in the USA with high security and quality.
Looking for more functionality? Check out multiply YubiKey 4, YubiKey 4 Nano, and YubiKey NEO
Top customer reviews
There was a problem filtering reviews right now. Please try again later.
Know my password (it's a pain for me to remember, imagine for them to guess?)
Have my U2F key (which is on my car keys DEEP in my pocket)
Or if not, figure out how to make a computer think a U2F key is plugged in (not easy or likely)
And even if they DO fool Google and the computer into thinking the key is inserted, you have to physically touch the key to activate it.
Layers upon layers of security, and since the key can be associated with more than one service at the same time, it's an all-in-one authentication device that I hope more companies start using.
Attached is a picture of the Key, with a quarter for size reference.
U2F is an open standard but the main sites implementing this are Google (all their employees receive two of these when they join and all their services can use these), Dropbox, and Github. Hopefully more will follow. Your web browser needs to have U2F support to facilitate the transaction - Google Chrome has support, other browsers do not as I write this.
Using security keys is insanely simple. To register the key with the site you enable it in the account security settings then insert the key and press the blue light when prompted. After the key is registered, you can log into the site by entering your user name, password, and inserting the key and pressing the blue light when prompted. Google in particular will remember that you authenticated with the key and will not prompt you for it again for several months or until your clear cookies.
One key can be used with multiple accounts at multiple sites. Multiple keys can be used at the same site. There are no serial numbers so your access at various sites can not be tracked by the key.
If you lose or damage the key, or log into a site without Google Chrome, you can still log in with other 2nd factors such as Google Authenticator or printed codes.
The key arrives with absolutely minimal packaging and no instructions - there is plenty of help on Google's site though. I was disappointed that I scratched min while putting it on my keyring, but it is solidly constructed and survives life in my pants pocket with my house keys well. If it ever gets dirty you can clean the contacts by gently rubbing an unused pencil eraser against them.
Note: The key doesn't tell you if you're being phished or somebody's trying to execute a man-in-the-middle attack against you; it simply won't work in those cases. So, if you try using it and your authentication fails, think long and hard before switching to a backup second factor on the same machine. I don't think any U2F key will tell you if you're being attacked at this point.
Note 2: Nothing, including a U2F key, can stop you from logging into a site from a compromised computer/device. In that case, the attacker won't get anything from the U2F key, but can still piggy-back on the session you authenticated to carry out their bad intentions through your device.
Yubico was also brilliant in their implementation. Remember that I mentioned that a single key can be used with an unlimited number of websites? The protocol allows a key to generate a private key, encrypt it, then have the website's server store it. When you login, the server then sends the private key back to the key, which decrypts it and signs the required bits, which it then sends back to the server for authentication. Yubico's implementation DOES NOT do this. Instead, it re-generates the private key every time based on information about the website.
So far I'm seeing few technical downsides to this device. This key doesn't support NFC, so you can't connect it to your phone; you need the YubiKey Neo for that, which supports NFC. However, I almost never need to use a second factor on my phone since most apps only ask for authentication when they're first set up. Just keep some backup codes or Google Authenticator lying around for those situations. It also doesn't support USB-C, which can be troublesome if you have computers that don't support USB-A. And finally, only the Chrome and Opera browsers have native support for U2F. Firefox supports it with a plugin. Native Firefox and Edge support are on the way, but I haven't seen an ETA.
In terms of other downsides, not enough websites support U2F yet, including, surprisingly, LastPass, which supports 10 second factors. Not even Microsoft and PayPal, which are members of the FIDO alliance, which designed the U2F protocol, support it yet. A quick Google search turned up no bank that supports U2F, but that's not surprising since, for years, most people have been able to make their email accounts more secure than their bank accounts. Vanguard does support U2F, but requires users to use SMS as a backup, which is a horrible second factor (look up how hackers redirected SMS as part of a scheme to drain funds from accounts in Europe), but is easy to implement. So, I'm hoping U2F becomes much more popular over the next few years.
Another downside, though not the fault of U2F, is that using a U2F key doesn't stop attackers from using a backup factor you've enabled to get into your account or using social engineering to get customer service to grant them access. However, I don't see a good way for us consumers to only use U2F as a second factor. You could have several U2F keys associated with an account, and still find yourself in a situation where you need account access. Whereas, even if you've lost your phone, you can go to your carrier's nearest store and quickly get a replacement, and SMS will get you back in as long as it's enabled as a backup.
In conclusion, I strongly suggest that everybody who can starts using U2F wherever possible, whether it be with this key, another YubiKey that supports U2F (look for the logo), or some other U2F key. Despite its downsides, it can, if you use it right, protect you from phishing and man-in-the-middle attacks (see my first note above). It's currently the best second factor you can use for authentication, even if you have others enabled.
Note: Some websites may require a specific U2F implementation, such as Vanguard's, which only supports Yubico's. You can be pretty confident that most/all current and future websites that support U2F will support Yubico's implementation since they, in collaboration with Google, developed the original protocol.
I'll report back if I run into trouble, but so far, I'm loving this thing!