Simplify and Secure Your Online Logins With a YubiKey (2024)

As we become more dependent upon online platforms for social and professional purposes, it grows increasingly important that we embrace stronger online security measures. One of the most important steps you can take to secure your online services is setting up two-factor authentication. This protocol—commonly abbreviated as 2FA—requires you to type in a password and also provide one other piece of proof that you are who you say you are before you can log in to a service. One of the more common 2FA methods in use today employs six-digit passcodes that are sent to your phone via text message. When a unique scramble of numbers shows up on your phone, you type them into the browser along with your password at the login screen. Combined with a strong passphrase like those generated by password managers such as 1Password or LastPass, a 2FA login is quite effective at verifying your identity.

But no matter how strong a password is, or what level of code-based authentication a website is using, any system that sends codes in a text message can be compromised from afar by a skilled attacker. The best way to set up two-factor authentication is to use a secure app on your phone to generate those six-digit codes or to carry a piece of hardware that can verify your identity.

A device like the YubiKey is just that sort of hardware. These little key-shaped fobs plug into your computer and, along with your password, complete the second half of a 2FA web login. A hacker might find a way to snoop on your passwords or intercept a six-digit 2FA code while it’s being sent to your phone, but they’d be hard pressed to snatch an actual key off your keychain.

We should note that if you already have 2FA set up through an app like Google Authenticator or Duo Security, that's great. A YubiKey will simply provide another, more convenient method of authentication. If you lose your YubiKey or forget it at home, you can use the secure code generator on your phone to complete your 2FA logins.

What Is It?

The YubiKey—like other, similar devices—is a small metal and plastic key about the size of a USB stick. They plug into your computer, and some also connect to your phone. You can use them in either place, along with your password, to authenticate web logins. Think of it as a physical key that, instead of unlocking a door, unlocks your online life.

Several manufacturers make these types of keys, and they all basically work the same way. They adhere to an industry standard called Universal 2nd Factor, or U2F. The standard weds hardware-based authentication with public key cryptography—a set of tools that’s extremely difficult to compromise. These U2F keys simplify the process of securely accessing online services like Google, Facebook, Dropbox, Windows, and macOS. They also support password managers like LastPass, Dashlane and KeePass. U2F keys can even be used to unlock your Mac or Windows PC from the home screen.

Which One Should I Get?

There are several models of U2F key to choose from; all of them look like variations on a compact USB stick. We’re concentrating on the YubiKey here simply because it's the most popular option, but you can use the instructions below with any key that supports U2F and the similar FIDO2 standard. Also (full disclosure!) we started giving away YubiKeys to new WIRED subscribers as free gifts earlier this year. If you receive one from us, you may wonder how to use it.

Made by the company Yubico, which helped draft the open U2F and FIDO2 standards, the keys are durable, water-resistant, and battery-free. There are key-shaped models that attach to your keychain, and “nano” models, designed to be less awkward when plugged into a laptop. The full-size YubiKey 4 Series ranges from $40 to $60 and comes in versions for USB-A ports or USB-C ports. For Android users, there's the NFC-compatible YubiKey Neo for $50 that lets you access your online services on your phone. You can also plug it into USB-A ports on your PC or other devices. For something more economical, you can try the brand new Security Key for USB-A ports. It costs only $20, and it’s compatible with any services that support U2F and FIDO2. Finally, government-regulated institutions might be interested in the YubiKey FIPS, which meets common regulatory requirements. To dig deeper into which key is right for you, take Yubico’s quiz here.

Getting Started

Once your YubiKey arrives in the mail, you start by activating it. Go to Yubico’s website and select your YubiKey. Next, choose the services you’d like to use your YubiKey to log in to. Popular services that support U2F and FIDO2, like Facebook, Google, and Dropbox, are listed at the top. Also among the top choices are computer login options for Macs and Windows PCs. You can set up your YubiKey for use with password management solutions like Dashlane and LastPass, and developer platforms like GitHub and Bitbucket. Just about every service you can access with non-SMS-based two-factor authentication lets you add a YubiKey to your login protocol.

To give you a clear example, let's set up a YubiKey to work with Facebook. Note that for Facebook, the YubiKey can only log you in if you're using the latest version of Chrome or Opera. The hardware keys will work with Mozilla Firefox and Microsoft Edge on some services, but other services are more fickle—check the browser requirements for each of your most commonly used web services. For the ones that don't support your hardware key, you can use a 2FA code-generator app instead.

On the YubiKey setup page, click on Facebook. Yubico will send you to a Facebook page called "What is a security key and how does it work?". To set up your YubiKey, Facebook directs you to Security and Login Settings. Since a YubiKey is one of the factors in a two-factor authentication process, if you don’t have 2FA set up yet, Facebook will guide you through setting that up first. This usually involves providing Facebook with a phone number to text you a one-time passcode. Once that’s set up, go back to the Security and Login Settings page and look underneath where it says "Setting up extra security." Next to the menu item "Use two-factor authentication," click Edit. Under "Security Keys," you’ll find the option called "Add Key."

FAQs

How do I secure my Google account with YubiKey?

Simple setup

Easily register your YubiKey with Advanced Protection. Go to Account settings, select Sign in & Security, select 2-Step Verification, and Add Security Key.

Can I use YubiKey for all my passwords?

The YubiKey works with Password Safe to protect your passwords using two-factor authentication (2FA). Both a master password and a YubiKey are needed to enable access to your Password Safe file, which contains the usernames, websites, passwords and other information for all of your online accounts.

Why is my Google Account asking for a security key?

Security keys also help prevent phishing and verify the sign-in URL before you log in. A security key can be used in addition to other 2-Step Verification methods like backup codes, Google prompts or your phone number. Learn more about 2-Step Verification.
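
The public key exchange behind a U2F login, together with the sign-in URL check this answer mentions, sketched as an added example (not from the original article or from Yubico). It is a simplified model rather than the real U2F wire format, and the `SecurityKey` class, `verifyLogin` function and origin names are hypothetical.

```javascript
// Added illustration: simplified U2F-style flow, not the real U2F/CTAP wire format.
const crypto = require('node:crypto');

// Stand-in for the hardware key: one P-256 key pair per site origin.
class SecurityKey {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);  // private half never leaves the key
    return publicKey;                   // the site stores only the public half
  }
  // `origin` is reported by the browser, so a look-alike page cannot choose it.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;       // no credential for this origin
    const clientData = JSON.stringify({ origin, challenge });
    const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Server-side check: right origin, fresh single-use challenge, valid signature.
function verifyLogin(site, assertion) {
  if (!assertion) return 'no-assertion';
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== site.origin) return 'wrong-origin';
  if (data.challenge !== site.pendingChallenge) return 'stale-challenge';
  site.pendingChallenge = null;
  const bytes = Buffer.from(assertion.clientData);
  return crypto.verify('sha256', bytes, site.publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const key = new SecurityKey();
  const site = { origin: 'https://login.example', pendingChallenge: null };
  site.publicKey = key.register(site.origin);
  const challenge = () => (site.pendingChallenge = crypto.randomBytes(32).toString('hex'));
  const lookalike = 'https://login.example.phish.test';  // constructed sample origin

  const genuine = verifyLogin(site, key.sign(site.origin, challenge()));
  const noCredential = verifyLogin(site, key.sign(lookalike, challenge()));
  key.register(lookalike);  // even with a credential for the look-alike origin...
  const relayed = verifyLogin(site, key.sign(lookalike, challenge()));
  const captured = key.sign(site.origin, challenge());
  const first = verifyLogin(site, captured);
  const replayed = verifyLogin(site, captured);  // challenge already consumed
  return { genuine, noCredential, relayed, first, replayed };
}
console.log(demo());
```

Unlike a six-digit code, the signed response names the origin it was produced for, so a response obtained on a look-alike page is useless to the real site.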

What if someone steals my YubiKey?

So, what happens if you lose your YubiKey? In that case, you can still use your Authenticator app (phew!). While you can't create a backup YubiKey, you can always contact Yubico to get a replacement key.

Should I leave my YubiKey plugged in all the time?

No, you only need to insert your YubiKey when you are prompted to do so during login. Leaving it plugged in could result in the YubiKey being lost or damaged.

Which password manager works best with YubiKey?

KeePass Works With YubiKey | Yubico.

Which YubiKey is most secure?

The YubiKey 5 FIPS certified security keys meet the highest level of assurance (AAL3) of the new NIST SP800-63B guidelines.

What is the best practice for YubiKey?

Best practice is to have multiple YubiKeys set up for your accounts. One on your keychain, or one in your wallet, or one in a safe place at home will help to make sure you've always got a backup YubiKey nearby.

Does YubiKey require an app?

The versatile YubiKey requires no software installation or battery so just plug it into a USB port and touch the button, or tap-n-go using NFC for secure authentication.

Do I still need a password with YubiKey?

YubiKeys make passwordless possible

Passwordless can be achieved using legacy Smart Card protocols, or modern FIDO2 / Passkey authentication secured by PIN or biometric identification. The multi-protocol YubiKey offers total flexibility, and can store up to 100 passkey credentials.

How long will a YubiKey last?

A YubiKey will essentially last forever, and if you stay clear of the insanity that is Passkeys, its WebAuthn element can support an infinite number of websites. Portability: I have a smartphone, a work laptop, a home laptop, and a home desktop. My YubiKey has USB and NFC, so it can trivially be used with all of them.

Is YubiKey a good idea?

The Yubico Security Key C NFC is the best choice: It's affordable and will work with just about every site that supports security keys. If you're already familiar with security keys and need or want more-advanced features, the Yubico YubiKey 5C NFC is a pricier but worthwhile choice.

Does Google accept YubiKey?

The YubiKey is a hardware security key that provides strong one-touch authentication, and works seamlessly with Google Accounts.

Can I use YubiKey instead of Google Authenticator?

Both Google Authenticator and YubiKey Authenticator present reliable options for safeguarding your online accounts. Ultimately, the choice between the two depends on your specific security needs and budgetary considerations.

Does Google Chrome support YubiKey?

Chrome offers a simple, secure, and fast experience to browse the web – with Google's smarts built-in. Chrome automatically protects users from security threats like phishing and dangerous sites, and incorporates native support for YubiKeys with U2F and WebAuthn APIs.

Article information

Author: Dong Thiel
