Yubikey 5C NFC review: Can a USB key really lock down your online accounts?
We live in a world where it’s entirely feasible to do just about anything online. I can well remember the days of queuing in banks, waiting in government offices for registration papers and a million other physical real-world annoyances that always somehow had to be done within standard business hours – mostly now replaced by simple web interfaces that are available 24 hours a day, 7 days a week.
The convenience of those services has genuinely changed the way we work and live, but it has brought a looming spectre of security issues with it, because a growing number of online services means a growing need for passwords and locks to keep that valuable information secure. I love being able to check my bank balance at 3am (if I happen to be up) or pay a bill just after I’ve had breakfast. I’d like the idea of my bank balance being compromised while I’m chewing my toast a whole lot less.
I’ve written in the past about the basics of security around passwords – stuff that’s endlessly repeated but no less vital about not using dictionary words or the same passwords across multiple sites and services – as well as the use of password management software to keep it all to a sane level, but recently I’ve been testing out a different method of secondary authentication, via one of Yubikey’s authentication devices – specifically the Yubikey 5C NFC.
It’s a tiny key-shaped device that looks rather like a USB flash drive, but it’s about security rather than storage. While I’ve been using it as a secondary authentication device, it more formally fits into what’s usually called “multi-factor” authentication, because it adds a step to my logins that increases their security by a very large factor for a very small added quantity of complexity. Authentication factors are usually defined as something you know, something you have, or something you are. The “know” factor is the password that every system will insist upon anyway, while the “are” factor is usually a biometric measure, like Face ID on iPhones or the fingerprint sensor on some laptops and many Android phones. The Yubikey 5C NFC fits within the “have” category because it’s something you have on you. So even if someone guessed or otherwise located your password, they’d still need that secondary (or tertiary) factor to gain access to an account.
What makes the Yubikey 5C NFC interesting is both its level of encryption and, frankly, its ease of use across multiple devices, which isn’t always a reality for security devices. It supports a wide array of encryption protocols to keep its own security tight, although you may at first be bewildered by the jargon in play. Thankfully, Yubikey has some pretty decent guides to step you through what’s needed for each account type you want to lock down. A lot of systems are supported, from consumer-facing social networks such as Facebook through to cryptocurrency trading platforms, blogging platforms, online cloud storage – and even some password management software apps as well.
The model I’ve tested with was the Yubikey 5C NFC, and it comes with a USB-C connector, but USB-A models are also available. Either way, you can authenticate on a PC or Mac by plugging it in (once it’s set up for an account type) and then tapping the small touch sensor on it to indicate that a human is using it. It’s also NFC-enabled, which means that if you’ve got an NFC-enabled smartphone – which is basically any of them that can handle payment systems such as Google Pay or Apple Pay – you don’t have to plug anything into anything, because the same NFC that handles your contactless payments can also be used to authenticate you.
The Yubikey 5C NFC is a solid little product, but it might be overkill if you’re only using it to protect very simple accounts of small value, and it’s worth keeping in mind that it’s only as secure as you keep it.
If, for example, you used it but had an awful and obvious password, then all someone would need to gain access to your accounts would be to steal your Yubikey and guess that password (or locate it if there’s been a breach elsewhere and you’ve used the same password across multiple sites) and they’d have full access. It’s a smart step to take your online security into the real world – but you need to keep it secure there, too.