...or something like that.
I am a huge supporter of MFA or Multi-factor Authentication. Nearly all of my accounts have MFA enabled, either through text-message codes or the one-time password app on my phone. This system works great and adds one more layer of security, but when I heard about the hardware security devices available, I knew I needed to take my security to the next step.
Universal 2nd Factor
Universal 2nd Factor, or U2F, is an open authentication standard developed by Yubico and Google. Now hosted by the Fast IDentity Online (FIDO) Alliance, U2F is a similar technology to that of smart cards, but is targeted at the modern web. Supported by Google Chrome and Opera, the U2F standard has been implemented in many commonly used online services as another standard for securing your account in addition to existing methods such as OTP security.
I kept hearing about U2F one place or another over the last few years and always thought it was an interesting idea, but felt content with my OTP codes that I could retrieve from my phone. This all ended, however, when Wired Magazine started their Free YubiKey 4 promotion with a 1-year subscription for $10 (or $5 if you know where to look... and assuming the form is still active).
The sweet deal here is that the YubiKey 4 being offered is $40 on Amazon and is the same fully featured YubiKey you can read up on here.
Long story short, I got the subscription. Although it definitely took all "4 weeks" their disclaimer stated, I did eventually get my YubiKey.
What can a YubiKey do?
"Oh boy, that sounds great! What can't a YubiKey do?" So far I've only set mine up for U2F authentication in the web browser (Google, Facebook, GitHub, etc) as well as logging into my computer with Windows Hello (Whis is awesome, by the way), but you can do so much more. Yubikeys can be configured to work with challenge-response, static passwords, and OATH-HOTP through their YubiKey Manager Application.
"That's a lot of supported methods of authentication Carson! Will I have to get a bunch of YubiKeys to use them?" No! That's another great feature. Most YubiKeys have two "slots" that are activated by a short or long press. By default, only the short-press slot is enabled with Yubico's OTP configuration. Using the YubiKey Manager software allows for easily configuring these two slots for whatever combination you want.
And that's it! Just wanted to do a quick brain dump about the YubiKey and my experience with it thus far. I plan on buying the new YubiKey 5 with NFC in the future to use as my primary key, reserving my YubiKey 4 as my backup key.
