I was really glad to have the opportunity to do this video, Yubikey by Yubico has been on my radar for a long time. A lot of people I speak to are security professionals and it’s really become the norm for them to all be using Yubikeys, but the question is why?
Why do I need this?
Passwords as a concept are now redundant alone, the mix of human nature and computers that can brute force to test thousands of passwords a second have made it increasingly difficult to keep systems secure.
Ideally, we should all be using password managers with randomly generated passwords and a second factor (2FA) of security. The most common types of 2FA are SMS, one-time passwords (OTP), and hardware keys like the Yubikey.
Although any 2FA is an additional line of defense SMS 2FA is flawed, I can assure you that the S’s in SMS don’t stand for secure! But still better than nothing.
Next in line are the OTP’s these are normally generated in apps like Authy or google authenticator, much more secure than SMS, and generally are as secure as the device that holds the app. They work the same as the SMS in that you get a shortcode that you need to input in a short amount of time. A great idea but a bit of a pain in practice, it’s always a rush to get the code in quick or wait for a new code to be generated which is fine every now and again but when you are regularly logging in to multiple systems regularly it can become a bind.
Hardware keys like the Yubikey’s have no need for imputing long codes or use of SMS they just need any available port or NFC and a simple touch of the device sends the full key securely and that’s it. It’s fast easy to use and extremely secure, the only thing you need to do is remember to keep it with you for when you need it. There’s a lot more on why this is a lot more secure than other methods you can find out here.
Does it work?
So in this day and age, I hope everyone knows the risk of Phishing, sending a malicious email, often in the hope that a user will click a link that imitates a website and then attempting to login into the imitation site this happens all the time, it works, unfortunately. With 2FA enabled the password is useless alone without the second factor, even if they collected your code from the above methods they would only have a limited window of time to use the code, and in the case of the Yubikey “replaying” the code wouldn’t work at all.
I’ve said a lot in the review in the video but in short, I really like the Yubikeys, how they work and how easy they are for improving security. If you’ve ever had an issue with your accounts being phished or hacked, this is pretty cut-and-dry the solution to your problems. Easy to set up and easy to use, if I had my way this would be the new normal. If you’ve enjoyed this video and post you might like another infosec one.