Yubico FIDO U2F Security Key (this is the older version of the Security Key)
- This is the older version of the Security Key by Yubico
- If you are looking for a Security Key for Google's Advanced Protection Program, please search for "Security Key by Yubico" on Amazon.
The newer version has the same functionality as the original but with added capabilities including support for FIDO2 and FIDO U2F security protocols. The Security Key by Yubico is a USB device you use in combination with your username/password to prove your identity. If you are looking for a Security Key for Google's Advanced Protection Program, please search for "Security Key by Yubico" on Amazon.
Top customer reviews
Know my password (it's a pain for me to remember, imagine for them to guess?)
Have my U2F key (which is on my car keys DEEP in my pocket)
Or if not, figure out how to make a computer think a U2F key is plugged in (not easy or likely)
And even if they DO fool Google and the computer into thinking the key is inserted, you have to physically touch the key to activate it.
Layers upon layers of security, and since the key can be associated with more than one service at the same time, it's an all-in-one authentication device that I hope more companies start using.
Attached is a picture of the Key, with a quarter for size reference.
U2F is an open standard but the main sites implementing this are Google (all their employees receive two of these when they join and all their services can use these), Dropbox, and Github. Hopefully more will follow. Your web browser needs to have U2F support to facilitate the transaction - Google Chrome has support, other browsers do not as I write this.
Using security keys is insanely simple. To register the key with the site you enable it in the account security settings then insert the key and press the blue light when prompted. After the key is registered, you can log into the site by entering your user name, password, and inserting the key and pressing the blue light when prompted. Google in particular will remember that you authenticated with the key and will not prompt you for it again for several months or until you clear cookies.
One key can be used with multiple accounts at multiple sites. Multiple keys can be used at the same site. There are no serial numbers so your access at various sites can not be tracked by the key.
If you lose or damage the key, or log into a site without Google Chrome, you can still log in with other 2nd factors such as Google Authenticator or printed codes.
The key arrives with absolutely minimal packaging and no instructions - there is plenty of help on Google's site though. I was disappointed that I scratched mine while putting it on my keyring, but it is solidly constructed and survives life in my pants pocket with my house keys well. If it ever gets dirty you can clean the contacts by gently rubbing an unused pencil eraser against them.
Note: The key doesn't tell you if you're being phished or somebody's trying to execute a man-in-the-middle attack against you; it simply won't work in those cases. So, if you try using it and your authentication fails, think long and hard before switching to a backup second factor on the same machine. I don't think any U2F key will tell you if you're being attacked at this point.
Note 2: Nothing, including a U2F key, can stop you from logging into a site from a compromised computer/device. In that case, the attacker won't get anything from the U2F key, but can still piggy-back on the session you authenticated to carry out their bad intentions through your device.
Yubico was also brilliant in their implementation. Remember that I mentioned that a single key can be used with an unlimited number of websites? The protocol allows a key to generate a private key, encrypt it, then have the website's server store it. When you log in, the server then sends the private key back to the key, which decrypts it and signs the required bits, which it then sends back to the server for authentication. Yubico's implementation DOES NOT do this. Instead, it re-generates the private key every time based on information about the website.
So far I'm seeing few technical downsides to this device. This key doesn't support NFC, so you can't connect it to your phone; you need the YubiKey Neo for that, which supports NFC. However, I almost never need to use a second factor on my phone since most apps only ask for authentication when they're first set up. Just keep some backup codes or Google Authenticator lying around for those situations. It also doesn't support USB-C, which can be troublesome if you have computers that don't support USB-A. And finally, only the Chrome and Opera browsers have native support for U2F. Firefox supports it with a plugin. Native Firefox and Edge support are on the way, but I haven't seen an ETA.
In terms of other downsides, not enough websites support U2F yet, including, surprisingly, LastPass, which supports 10 second factors. Not even Microsoft and PayPal, which are members of the FIDO alliance, which designed the U2F protocol, support it yet. A quick Google search turned up no bank that supports U2F, but that's not surprising since, for years, most people have been able to make their email accounts more secure than their bank accounts. Vanguard does support U2F, but requires users to use SMS as a backup, which is a horrible second factor (look up how hackers redirected SMS as part of a scheme to drain funds from accounts in Europe), but is easy to implement. So, I'm hoping U2F becomes much more popular over the next few years.
Another downside, though not the fault of U2F, is that using a U2F key doesn't stop attackers from using a backup factor you've enabled to get into your account or using social engineering to get customer service to grant them access. However, I don't see a good way for us consumers to only use U2F as a second factor. You could have several U2F keys associated with an account, and still find yourself in a situation where you need account access. Whereas, even if you've lost your phone, you can go to your carrier's nearest store and quickly get a replacement, and SMS will get you back in as long as it's enabled as a backup.
In conclusion, I strongly suggest that everybody who can starts using U2F wherever possible, whether it be with this key, another YubiKey that supports U2F (look for the logo), or some other U2F key. Despite its downsides, it can, if you use it right, protect you from phishing and man-in-the-middle attacks (see my first note above). It's currently the best second factor you can use for authentication, even if you have others enabled.
Note: Some websites may require a specific U2F implementation, such as Vanguard's, which only supports Yubico's. You can be pretty confident that most/all current and future websites that support U2F will support Yubico's implementation since they, in collaboration with Google, developed the original protocol.
I'll report back if I run into trouble, but so far, I'm loving this thing!
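The stateless design described in the review above, and the reason a look-alike site gets nothing usable from the key, sketched as an added example (not part of the review and not Yubico's firmware). Assumptions: HMAC-SHA256 stands in for the token's derivation function, the class and method names are hypothetical, and the derived bytes are returned only so the result can be inspected; a real token keeps them on the device and uses them as a P-256 signing key.

```python
import hashlib
import hmac
import os

NONCE_LEN = MAC_LEN = 32


class StatelessKey:
    """Toy token: stores one device secret and no per-site keys."""

    def __init__(self, device_secret=None):
        # Constructed secret; a real token generates it internally and never exports it.
        self._secret = device_secret or os.urandom(32)

    def _prf(self, label, app_hash, nonce):
        return hmac.new(self._secret, label + app_hash + nonce, hashlib.sha256).digest()

    def register(self, app_id):
        """Return (key_handle, key material). The server stores only the handle."""
        app_hash = hashlib.sha256(app_id.encode()).digest()
        nonce = os.urandom(NONCE_LEN)
        # The MAC ties the handle to this device and to this app ID.
        key_handle = nonce + self._prf(b"mac", app_hash, nonce)
        return key_handle, self._prf(b"key", app_hash, nonce)

    def rederive(self, app_id, key_handle):
        """Rebuild the per-site key, or return None if the handle does not
        belong to this device or was registered for a different app ID."""
        if len(key_handle) != NONCE_LEN + MAC_LEN:
            return None
        app_hash = hashlib.sha256(app_id.encode()).digest()
        nonce, tag = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        if not hmac.compare_digest(tag, self._prf(b"mac", app_hash, nonce)):
            return None  # the token simply refuses; nothing is signed
        return self._prf(b"key", app_hash, nonce)


def demo():
    token = StatelessKey()
    site = "https://accounts.example.com"  # constructed app ID
    handle, key_at_registration = token.register(site)
    same_site = token.rederive(site, handle)
    lookalike = token.rederive("https://accounts.example.com.phish.test", handle)
    other_token = StatelessKey().rederive(site, handle)
    return same_site == key_at_registration, lookalike, other_token
```

In the browser flow the app ID comes from the origin the browser is actually talking to, not from anything the page claims, which is why the look-alike case fails without any warning to the user.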