Security Stuff


...or something like that.

I am a huge supporter of MFA or Multi-factor Authentication. Nearly all of my accounts have MFA enabled, either through text-message codes or the one-time password app on my phone. This system works great and adds one more layer of security, but when I heard about the hardware security devices available, I knew I needed to take my security to the next step.

Universal 2nd Factor

Universal 2nd Factor, or U2F, is an open authentication standard developed by Yubico and Google. Now hosted by the Fast IDentity Online (FIDO) Alliance, U2F is a technology similar to smart cards, but targeted at the modern web. Supported by Google Chrome and Opera, the U2F standard has been implemented in many commonly used online services as another way to secure your account alongside existing methods such as OTP codes.

I kept hearing about U2F one place or another over the last few years and always thought it was an interesting idea, but felt content with my OTP codes that I could retrieve from my phone. This all ended, however, when Wired Magazine started their Free YubiKey 4 promotion with a 1-year subscription for $10 (or $5 if you know where to look... and assuming the form is still active).

Wired cover image for their promo

The sweet deal here is that the YubiKey 4 being offered is $40 on Amazon and is the same fully featured YubiKey you can read up on here.

Long story short, I got the subscription. Although it definitely took all "4 weeks" their disclaimer stated, I did eventually get my YubiKey.

Front of the YubiKey
Back of the YubiKey

What can a YubiKey do?

"Oh boy, that sounds great! What can't a YubiKey do?" So far I've only set mine up for U2F authentication in the web browser (Google, Facebook, GitHub, etc.) as well as logging into my computer with Windows Hello (which is awesome, by the way), but you can do so much more. YubiKeys can be configured to work with challenge-response, static passwords, and OATH-HOTP through their YubiKey Manager Application.

GitHub Authentication Process... It's that easy!

"That's a lot of supported methods of authentication Carson! Will I have to get a bunch of YubiKeys to use them?" No! That's another great feature. Most YubiKeys have two "slots" that are activated by a short or long press. By default, only the short-press slot is enabled with Yubico's OTP configuration. Using the YubiKey Manager software allows for easily configuring these two slots for whatever combination you want.

The YubiKey Manager's interface
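For the OATH-HOTP slot mode mentioned above, here is what the service on the other end has to do. This is an added example, not code from this post or from Yubico: it implements HOTP per RFC 4226 plus a look-ahead check, because every button press advances the key's counter whether or not the code is ever submitted. The function names and the window size of 5 are assumptions, and the secret is the RFC's published test value.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the test secret from RFC 4226, Appendix D.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, stored_counter: int, submitted: str, window: int = 5):
    """Hypothetical server-side check with a look-ahead window.

    Tries counters stored_counter .. stored_counter + window. On a match it
    returns the next counter to store; otherwise it returns None. The stored
    counter only moves forward, so a code that was already accepted, or
    skipped over, is rejected if it is replayed.
    """
    for candidate in range(stored_counter, stored_counter + window + 1):
        expected = hotp(secret, candidate)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return candidate + 1
    return None


if __name__ == "__main__":
    server_counter = 0
    # The key was pressed twice without logging in, so the third press
    # produces the code for counter 2 while the server still expects 0.
    code = hotp(SECRET, 2)
    server_counter = verify(SECRET, server_counter, code)
    print("accepted, next counter:", server_counter)
    print("replay accepted?", verify(SECRET, server_counter, code) is not None)
```

A small window keeps the key usable after a few stray presses; a large one gives an attacker more valid codes to guess at, so pair it with attempt limiting.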

And that's it! Just wanted to do a quick brain dump about the YubiKey and my experience with it thus far. I plan on buying the new YubiKey 5 with NFC in the future to use as my primary key, reserving my YubiKey 4 as my backup key.

Carson Seese
