The Yubico YubiKey 4 provides simple, effective two factor authentication, but does it cover all the bases?
For this YubiKey 4 review I tested one of the simplest forms of two factor authentication around. I discovered that it is easy to use, but slightly more complex to setup, than it first appears.
I can recommend the YubiKey 4 Series, but with a few small caveats. Read on to find out why.
Disclosure: this review is based on a free sample of the product.
I’m no stranger to password managers or to two factor authentication:
Lastpass has been my preferred app to hold all my passwords for the past few years. I have used several forms of two factor authentication alongside it, with the exception of the YubiKey. That is, until now.
But what is two factor authentication?
Passwords are still the mainstay of online security, but as we all know, passwords are inherently insecure:
Either we forget them, write them down on paper, or we choose weak passwords that are easily guessed. In other words, we’re human!
A password manager, like Lastpass, will store and remember all your passwords for you. It will also generate strong, random passwords for all your favourite websites, and login automatically when you want to use them.
I’ve blogged before about why I think everyone should use a password manager (hint: because they create strong passwords you don’t have to remember).
But what happens if your strong password gets compromised?
Two factor authentication introduces a second item to login with. This could be an app on your phone that generates random numbers (e.g. Google Authenticator), or pretty much anything else.
To login, you’ll use your password PLUS one of these items that only you have access to …but crucially, a hacker won’t.
For two factor authentication with Lastpass, I started off with their free “grid”.
This gives you a printed table of random numbers and letters. When you go to login to Lastpass, you’re prompted for a grid reference, which you lookup in your, er, grid. You then enter the relevant number or letter combination and you’re in.
The downside is, that you then have to carry the grid around with you, in order to login to websites when you’re out and about.
In an effort to make things more flexible, I moved on to Sesame. This is a small app placed on a USB stick. The idea is simple: plug it into your PC, then login as usual to Lastpass.
This was a good option, as I didn’t need to think much about it. In fact, this is not too much different to the YubiKey, which we’ll talk about in more detail shortly.
Finally I moved on to using an iPhone app called Authy.
Authy is similar to Google Authenticator, but IMO is a better (and prettier) app. When you login, you pick the relevant website or app in Authy, and it displays a one-time string of random numbers for you to enter, alongside your password.
The final nuance to two factor options, is the idea of Trusted devices:
When you first login to Lastpass (or a website) from a given device/browser/two factor combination, you tick the little box that says “make this a trusted device” or “don’t ask me again on this computer”.
Et voila: you no longer need the second factor to login with, in that specific location/browser/whatever. You only need the second factor when you are logging in from a untrusted or public place.
The issue for me, was that these two factor options were mostly only for use with Lastpass itself:
I had to rely on Lastpass to generate strong enough passwords to keep my other online accounts secure.
Occasionally, I’d use the nifty function to change the password of specific services automatically. This was a life saver when I came across those nasty, large-scale security breaches we’ve seen in the press (see LinkedIn and Evernote).
If all that sounds complicated, it really isn’t, at least in terms of day to day use.
In my experience, it’s the initial setup that can sometimes feel a little complicated – read “scary”. This is what puts the general public off investing their time and money.
The YubiKey 4 Series from Yubico aims to simplify the whole thing, from setup to daily use.
So, with that background and context in mind, let’s have a closer look and see if they succeed!
It’s priced between £39-50 ($40-60), depending on the specific model.
On receiving mine in the post, first impressions were good:
The YubiKey arrived in a plain white envelope with Yubico printed in clear green text on the front.
The back of the envelope had a simple message to, “Get started with your YubiKey at yubico.com/start”.
The only thing inside the pack is a blank piece of card, with a plastic insert containing the YubiKey.
In this case, I received both a YubiKey 4 Series and a YubiKey nano for review, although I focused my attentions on the former.
Yubico got their marketing right on this part. The friendly green text says to me “you can achieve something with this”, while the overall simplicity of the packaging speaks calm to the soul – definitely non-scary!
When I plugged in the YubiKey I noticed it feels a little flimsy, and it stands out from the PC a similar distance to a USB memory stick. It looks a bit vulnerable:
Depending on where the USB port is located, you may need to be careful or you could catch it as you walk by.
No doubt this is one of the scenarios the YubiKey nano is designed for. This has hardly any footprint. In fact, you may even forget that it’s plugged in at all – which is a good thing, for a security product.
Before visiting the Start page, I thought I would check out the main Yubico website.
I wanted to see what the YubiKey and two factor authentication was all about, from the perspective of a prospective punter. As far as possible, I tried to pretend that I knew nothing about the subject.
I think the website is nice and clear. Yubico gave good, logical reasoning as to what two factor authentication is, and why it’s useful.
I was also pleasantly surprised by a great little survey to help you pick your YubiKey model, which changes according to whether you say you are tech-savvy or not.
I chose each route and found it very helpful. This is despite the fact there was one question related to security protocols, where I wasn’t sure what some of the answers meant.
It’s likely that if you don’t understand these options, then you don’t need them anyway. But it could have done with an explanation of each one, even for tech-savvy people like me!
On to the Yubikey 4 Start page…
I should begin by saying that Yubico have done a very good job with their SEO (Search Engine Optimisation):
The YubiKey Start page appears first in the Google search results, even above the main company URL, so it’s extremely easy to find.
On the Start page itself, I see photos of the available YubiKey models.
I find a match and the picture confirms I have been sent a YubiKey 4 Series Security Key (affiliate link).
The page tells me that the YubiKey 4 Series is their “Most popular” key and that multiple protocols are supported.
It also comes in various form factors that locate into different USB port types, as well as a small, neat “nano” option, for the space conscious.
On clicking on the relevant image, the Start page displays multiple links that redirect to various 3rd party pages.
In turn, each of those pages explains how to setup the YubiKey as your second factor, for use with that particular service or platform.
Supported services/platforms include:
A click on the “view a more complete list” link shows still more services.
The number of services on show is at once impressive and disappointing:
Impressive that a decent selection works with YubiKey 4.
But disappointing that many or even most of them, are either enterprise software applications (e.g. Salesforce), other security options (Duo, SecureAuth), or well known developer websites and tools (such as Github).
I would certainly have liked to have seen many more services involved for individuals, families, or solopreneurs. I’m thinking particularly of popular social media sites like LinkedIn, Instagram, or Twitter. The latter is a surprising omission, given that Facebook is present.
As another example, I was genuinely taken aback that not one of the multitude of task managers and productivity apps out there, appears in the list.
I would have thought that Yubico’s target market would include exactly the kind of people that are heavily into personal productivity.
After the consumer-friendly beginning, it felt like I was bounced straight back into the corporate world.
I looked through the list of YubiKey 4 services to try to decide which ones would be most appropriate for me.
Being time limited, I decided to pick out the best three.
I’m a heavy Gmail user, along with AdSense and website analytics, so Google seemed an obvious choice.
And of course, I couldn’t forget Lastpass.
It should be noted that the Lastpass + YubiKey combination is only available for Lastpass Premium (or Enterprise) subscribers, so if you’re using the free version, you’ll have to look elsewhere.
That said, at the time of writing, Lastpass Premium is still only $12 per year: a very small price to pay for security peace of mind.
Tip: Lastpass offers a bundle purchase where you can buy a subscription, plus a YubiKey, together.
What about the third service?
I noticed Mac OS in the list, so I thought it would be great to test out an “offline” option.
However, on clicking the link, I discovered that the Mac OS login requires a separate package to be installed on the computer in order to use the YubiKey effectively (and it looks like it’s the same for Windows).
I’m ashamed to say, I chickened out!
But this leads me to an important question:
Who is the YubiKey 4 pitched at? Tech-savvy workers and managers, or non-tech-savvy consumers?
The marketing is speaking to the latter, but the implementation is beginning to tell a different story.
Further to this, I found that you can use the YubiKey with an Android phone via NFC (excellent idea!) – but not with my iPhone (doh!).
All of a sudden, it feels a lot more scary. And remember, I’m firmly in the tech-savvy camp.
I decided to skip the third choice. Since I already had one form of two factor authentication setup for Lastpass, I got to work with my Google account.
The linked Google page was pretty generic.
The instructions themselves seemed clear enough, but they were geared towards any type of second factor, not just YubiKey 4.
Again, this could put casual or non-tech-savvy YubiKey purchasers off.
It could have done with the YubiKey 4 to have its own page, with more specific instructions.
Anyway, here is how it worked out:
Before I could sort out the YubiKey, I had to setup and switch on the general two factor authentication option for Google.
This required me to receive a text message on my mobile phone.
Then I had to plug in the YubiKey and click “Add security key” from a list of options. It had a helpful icon which looked similar to the YubiKey, but when I clicked it, I hit a snag:
I discovered that security keys only work in the Chrome browser and Safari is not supported!
I had to login to Google again from Chrome, and get another number via text, before I could continue.
To find my way back to the Google two factor page, I ended up going back to the YubiKey Start page, then clicked through once more.
Tip: from Gmail, the way back to the two factor options is by going to My Account and then the Sign-in and Security section.
From there you can switch two factor authentication off, if you wish, and change the other options.
You can also revoke a device’s trusted status.
Finally, it went through ok and allowed me to login with my password (pasted from Lastpass), followed by a quick tap on the YubiKey button.
Now it was setup, it was really easy. Here are my observations:
Sadly, I discovered that Google authentication with YubiKey won’t even work in apps on the iMac:
When I opened Spark, my email app of choice, I got a rude message saying “you can only use your security key in Chrome”.
I had to use a text message once again, even though it correctly detected the presence of the YubiKey.
The authentication dialog is an embedded version of the same web page as you would see in the browser.
This is therefore Google’s problem, not Spark’s and they really need to fix it.
Technically, it’s not Yubico’s problem either, but it would be good for them to have more information on their website about it.
If they want more people to adopt their technology, it would behove them to seek better integration from Google. After all, it’s in both companies interests to ensure that all service users have their accounts secured well.
At this point, I thought I should check out Google on my iPhone.
For the iPhone’s generic email app, I needed to use settings > mail, to access and login to my account.
I found I had to login with my second factor separately, for each Google-related app.
Google Inbox and Spark worked fine. Spark was the only one that gave me the “do not ask me for this computer again” option, on the first time through.
Unfortunately, each app required yet another text message, because NFC for the YubiKey is not currently supported on iPhone: it would be great to test this properly with an Android phone.
To be fair, I do use 3 different mail apps, so you may not have such an issue!*
*I have since realised that NFC is supported on iPhone models from iPhone 7 (+ iOS 11) onwards. So this wasn’t really a test of the YubiKey, but of my iPhone (5s).
However, there are limitations to iPhone NFC listed here.
You may want to bear this in mind, if you’re in Apple’s ecosystem, and check compatibility first.
Here’s my initial conclusions for YubiKey + Google:
Finally a heads up:
I got a flurry of email security warnings from Google, as it saw each and every new login as a new device!
Most of this is more the fault of Google than Yubico, but it could easily be made more user friendly.
Come on Google, get your act together.
Feeling a little battered and bruised, I forged ahead and tried to setup YubiKey 4 with Lastpass.
This seemed simpler to setup and this time, had it’s own dedicated page on the Lastpass website (see instructions at bottom of page).
The essence is:
I opened up my Lastpass account options and found the YubiKey option.
I clicked “Enable” with some trepidation, but was relieved to find that the YubiKey correctly entered a password into the Lastpass dialog.
But then I hit another problem: a bug in Lastpass prevented me from entering my Master Password, in order to switch it on.
I had to exit the dialog, thus losing the change. The same happened in Chrome.
Back to square one.
Thankfully, I logged a call with Lastpass support and got a good response: they had been undergoing issues with enabling two factor authentication (of any type), but had now fixed it.
On trying again, YubiKey enabled correctly, first time through. It then worked seamlessly with both my browsers on my Mac, and allowed me to set them as trusted devices.
Now that’s better!
Following my mixed experience with Google and Lastpass (although the latter was just unfortunate timing), I decided to look up the Facebook integration.
It also only works in Chrome or Opera.
At least the Facebook security page lets you know up front, rather than throwing a Google-style error at you, when you attempt to set it up.
Facebook can also use text messages, so if you’re on Safari you can still have a second factor, just not with YubiKey.
However, I have to confess that I gave up at this point.
I’ll stick to the strong passwords available with Lastpass, although I still regard the addition of the YubiKey as an excellent choice for the second factor.
There is one benefit of Lastpass + YubiKey over other two factor options:
Once you have a trusted device, you can ignore the second factor for login until you decide to revoke that status.
This is better than using text authentication on your phone every time, or using the Google/Authy authenticator app. Lastpass + Authy will only allow trust for 2 weeks at a time.
Despite the issues I experienced with setup, I like the YubiKey concept.
YubiKey 4 looks suitably high tech, although it feels a little flimsy when plugged in.
The nano form factor may be better, if permanently sited on one machine.
YubiKey gives you good, strong, two factor authentication, for a one-off payment.
It’s reasonably inexpensive and it works with password managers. And once you’ve set it up, it gets out of your way, while keeping you more secure.
However, not enough third party services are signed up to work with YubiKey.
Without specific two factor options for those services, consumers are forced to fall back on strong passwords alone, to keep them secure.
That YubiKey works well with password managers, like Lastpass, makes things a little better, but it’s still a disappointing situation.
Security is a crowded marketplace, full of companies that want to make our online lives easier. And this is a specialist product, which has a lot of potential.
Yubico needs to work harder with third party companies (Google I’m looking at you!) in order to make it truly useful.
YubiKey also feels like it’s aimed at techies, even though it’s actually less complicated than the equivalent smartphone apps.
I Didn’t Like:
Who it’s for:
I'm Tim Bader, founder of ErgonomicToolbox.com and the Ergonomic Toolbox training course. I am a writer, author, blogger and church leader, and I help people to overcome RSI and live comfortably with technology. When I'm not writing, helping or training people, I live at home with my wife, two teenage kids and Playstation.
Please log in again. The login page will open in a new window. After logging in you can close it and return to this page.