Over the last few years, we’ve heard a lot of talk about the Yubikey, a physical authentication security key made by Yubico. It’s a little surprising, because it feels like the world is moving towards digital MFA options like SMS, authenticator apps, and push notifications. Despite this, the Yubikey is apparently popular (in 2016, they were even popular Christmas presents). We wanted to learn more, so to start, I took a look at it from a consumer perspective.
I’ve never used a physical authentication factor before, so I had a few questions:
- Is it easy to set up?
- Is it fast?
- Does it work across multiple devices and OSes without problem?
- What common apps and services work with it?
Initial user experience
We purchased a Yubikey NEO, which includes NFC for mobile devices and USB for desktops, for $50 from Amazon. It came with no documentation and directed me to the Yubico website to learn how to use the NEO and discover applications it currently works with. I tested it out on several different devices and computers, including my new TechTarget Windows 10 laptop, my personal Windows 10 laptop, a five-year-old Chromebook, and a 2015 MacBook Pro.
The Yubikey doesn’t require much setup and is ready to go from the moment you plug it in. My Windows and macOS laptops recognized it, though it registers as a keyboard. (The MacBook even opened up a keyboard installation window, which I later found out in the documentation [PDF] is expected.) The only annoyance I experienced is that my two-year-old personal Windows laptop kept making the “device attached/removed” noise, even when I left the Yubikey alone (luckily, it still worked anyway). The newer Windows laptop didn’t do that.
Yubikey and apps
With the Yubikey NEO ready to go, it was time to test it with different apps. Instructions for common apps and OSes are curated at the Yubikey setup page. Quite a few apps support Yubikey, and I started with the two most popular, Google and Facebook, and then took a look at Dropbox and LastPass. For each app, after setup, I tried it out on multiple browsers and devices without reading any further instructions, so I could see how easy it is to use. Nobody reads instructions front to back anyway…
Setup is simple, taking just a few minutes from the browser. Once set up from my work laptop, I tried it on macOS, and this is where I ran into my first issue. I use Firefox on my personal computers, and when Google asked me to plug in my security key, Firefox would only give me an error and tell me to try again. I tried Safari next and got a more specific error message explaining that the security key would only work in Chrome.
Here, I discovered that Firefox actually can accept security keys, and across multiple OSes. So, it appears that, for now, some companies limit which browsers can use security keys with their site/app. Dropbox was the only app (that I tried) to work in Firefox. It doesn’t work on iOS yet, and requires the Yubico Authenticator app on Android to work on a mobile device—which means additional setup on desktop.
Just like Google, it was quick and painless to add the Yubikey NEO to Facebook, but at the moment, it only works with Chrome. Firefox provides the prompt, but doesn’t recognize you’ve inserted the security key.
The password manager I use doesn’t work with security keys yet, so I tried out LastPass. LastPass is the only app (at all!) that works with Yubikey on iOS (more on that later). I abandoned it quickly because while you can get a free account, you need a paid one to use Yubikey.
Yubikey and smartphones
Not surprisingly, sites accessed through a desktop browser work smoothly, but how about mobile devices?
Here’s the biggest stumbling block for Yubikey—it has almost no adoption on iOS yet. It wasn’t until iOS 11 that iPhones could read NFC tags, and in late May 2018, Yubico released an SDK for iOS. So far, only LastPass has implemented support. Google documentation shows that their apps support security keys on iOS, provided you download their Smart Lock app. However, I couldn’t get it to work right as it only provided prompts for SMS 2FA.
I had a Samsung Galaxy S9 handy to see how Android works with security keys. When setting up the main Google account on the device, it asks for the security key, which you place against the back of the device. This worked quickly. However, further attempts to use Yubikey with Android apps were inconsistent. Accessing Google (either via any browser or through various Google apps) would only present a digital 2FA option. Dropbox works, but requires the separate Yubico Authenticator app.
Yubikey and desktop OSes
Given that many apps don’t currently accept security keys for 2FA, you can alternatively just lock down your desktop with a security key.
macOS High Sierra
First, I looked into setting up Yubikey with my MacBook Pro. What I learned convinced me it wasn’t worth the effort—the 19-page instructional PDF mentions multiple downloads and has screenshots of Terminal. I don’t see the average consumer playing with commands like this. Skip.
The process is much easier on Windows 10 (can be Home, Pro, or Enterprise). I was directed to download the Yubikey for Windows Hello app and follow some prompts—and you’re done. There are a couple additional steps if you have Windows 10 Pro or Enterprise, as you have to mess with local security policies.
Jack has an original 2013 Chromebook Pixel, so I also gave that a try. When I created my profile with my Google account, it asked for my Yubikey right away. However, getting the Chromebook to prompt me to use the security key on subsequent logins took some work (and a little bit of googling) because it’s not obvious. Even then, it still only prompted me to provide the key sometimes—not sure if that’s a bug or the Chromebook continuing to remember me.
Final thoughts after testing
I liked how the Yubikey was ready to go immediately, with no lengthy setup or installation process required to get it working; even adding the Yubikey to apps only took a few minutes each time. I also liked that sites that use Google or Facebook for their login allow you to use the Yubikey for 2FA, widening the support beyond the apps mentioned on the Yubico website. And more sites/apps will add support over time (Twitter sent out a tweet about accepting security keys while I was writing this).
Overall, though, the experience is fragmented and frustrating. Mobile support is limited (something I don’t feel is very obvious when deciding which Yubikey to buy), and it often requires an additional app and extra setup on desktop to maybe work.
Microsoft Edge and Safari don’t natively support security keys. Microsoft is planning to add FIDO U2F support soon, while Safari users need a plug-in, available from GitHub, that provides limited support for Safari 10+. So, we’re going to have to wait and see if support grows.
There’s also inconsistency regarding whether an app/device asks for 2FA, which some users could certainly find confusing. Sometimes the Chromebook would require the Yubikey, but not always, and the same issue crops up on mobile devices. And while security keys with NFC aren’t widely accepted yet between the two main mobile OSes, even digital 2FA efforts are uneven. Sometimes the device would only require my password, despite telling it not to remember me. Is this some user-friendly UX setting butting heads with my attempts at keeping every app locked down? Or just some simple bug? I couldn’t find an answer.
So there you have it. Yubico’s security key is pretty handy for both consumer and business apps, and will only continue to get better as more companies add support. However, expect to experience friction for now, especially if you prefer a browser other than Chrome or have an iPhone. And overall, I’d say that the Yubikey is still too complicated for the average consumer, as it’s not exactly pick-up-and-go. Hobbyists and developers won’t have any issues.