Currently the best option for account security if a website offers support. There is an Android app to support normal Time based 2FA(TOTP) which can be unlocked via NFC.
I recommend you purchase 2, set them both up and safely/securely store the spare.
You can order up to 3 'individual' keys, just add them seperately to your cart. (not as a pack)
This deal may apply to the other Yubikey variants, let us know if it does.
The NFC version seems ideal for use with mobile devices.
I'm sure I hit preview and not submit…
Postage seems to be $5 USD(included in title AUD price)
The Security Key NFC should be enough for U2F and FIDO2.
Yeah, the security key is a nice entry point depending on what you need/want.
I suggest anyone looking at buying one to check out the comparison chart.
https://www.yubico.com/products/yubikey-hardware/compare-yub…
The comparison chart shows the only difference between them is the usb plug type and the NFC.
Yeah, the comparison only shows the related 'version', there's some hyperlinked text above the chart for security keys and their other devices.
The deal I've been waiting for! Thanks OP!
Have also been waiting for this - they don't often have sales. I was also waiting for Google Titan to show up on the Aus Google Store, but nothing yet. Yubikey it is! Thanks OP!
Feitian bundle $61.51 + $8.14 postage
https://www.amazon.com.au/Feitian-Multipass-ePass-FIDO-Bundl…
Feitian is the OEM for Google Titan…
https://www.cnbc.com/2018/08/30/google-titan-made-by-chinese…
Oh nice! Thanks Baron-K! :-)
What is this for?
It's a form of 2FA (two factor authentication) that is much more secure than SMS.
So for websites and devices that support it you enter you login and then a code that the device generates instead of an SMS code. The infrastructure and protocols that supports SMS was exploited long ago and is increasingly being used by criminals in financial crimes such as accessing bank accounts and stealing the money.
Ok I have problems with my yahoo emails. Would this make only me (owner the yubikey) is the only one can access my yahoo? (Even if someone else know the user and pass)
It looks like Yahoo only offers 2FA via SMS, I suggest you move away from Yahoo.
EDIT: Set up sms 2fa,it isn't the best but it's better than nothing.
@Failbike: Yeah found articles saying yubikey is not for yahoo PayPal banks. I have way too many emails on Yahoo (at many different folders). Is there an easy way to transfer them all to my Google emails?
@CyberMurning: Apparently you can set up TOTP with Paypal, with some screwing around.
https://medium.com/@dubistkomisch/set-up-2fa-two-factor-auth…
Yahoo and Banks, no such luck.
People still use Yahoo?
@Snoovey: Nope. Never run into an issue. Have to Gmail's, one for spam, just keep changing the words after the + to suit the site etc or number of accounts. Never had an issue signing up.
Yahoo security has always been severely broken.
If you still need the account then setup a forwarder and lock it down as tight as it allows with proper random password. You should never need to go back there.
@joelmuzz: agree. but I have way too many emails on Yahoo (at many different folders). Is there an easy way to transfer them all to my Google emails?
It also has a U2F mode which is more secure than TOTP, but for that you'll need Chrome (Firefox may have beta support), and the website you're using will need to support it too (Google, Github do).
Also will this works at office computer? For example I want to access Gmail from office environment (obviously secured). Currently I can. Just password. And USB ports are working too.
Yes this will work. When you are prompted to input the key, you just plug it in and out inserts the password into the app/browser.
You can use it with Chrome. With Gmail (Google login), you'll use the U2F (Universal 2nd Factor) mode, not TOTP (Time-based One Time Password). In this mode, the browser talks to the security key directly to negotiate the login.
If you don't have Chrome, you could use the TOTP mode. In this mode, the security key acts as a keyboard and sends the 6-digit TOTP code as though you typed it in.
This is from memory for an older version. I can't imagine this has changed though.
Even if your workplace doesn't allow USB devices it actually installs itself as a keyboard
I know of some places(usually public) that have any unused or accessible usb ports disabled.
RDP is also apparently an issue.
Otherwise yeah, it's pretty plug and play from what I've found.
A large part of my job is MFA I've tested it quite thoroughly and swear by my yubikeys.
Good to know!
Love my YubiKey, going to upgrade to the USB-C NFC one soon.
How does this compare to authy/google auth that is free?
If your phone runs out of power, gets stolen, or you didn't write down your google auth key you're screwed.
With yubi you can buy 2 keys, leave one in a safe somewhere and have one on your keychain / on your desk to authenticate into gmail, facebook, lastpass, dropbox etc. Basically it's impossible for hackers to login even if they have stolen your account password since they need to "physically" have the yubi to authenticate. Furthermore, you can duplicate the keys as many times as you want and give one to your parents or relatives for safe keeping. Once you "tap" and authenticate, services like Gmail, FB, etc you will no longer require you to authenticate since that PC is now regarded as "safe", of course this is only if you choose to select that option (usually presented on the screen when you authenticate with yubi".
To me, it feels like using the phone as a key is safer as they are normally password protected to get into the google auth app.
Whereas if you lose your yubikey, hackers have direct access already. On top of that, you need to buy 2 ($100) in case you lose one. With authy, you can also backup your keys so that's not a problem so I don't really see the advantage of carrying an extra thing around with you all the time when your phone can do the same job.
Probably the safest thing would be to use authy for everything but protect that authy account with a yubikey that never leaves home (safe deposit box), so you have the convenience of still just only needing your phone to carry around but maximum protection.
That would work as well. It really depends on your use case scenario. Yubi keys are good for those who frequently need to authenticate at the touch of a button to multiple services, whreas authy requires turning on phone, unlocking it, opening authy, entering pin, waiting for timer, get passcode, paste it into X service. Now imagine if you had to do the same for Gmail, Lastpass, Facebook, Dropbox multiple times a day? Same thing on yubi key = touch & authenticate.
Whereas if you lose your yubikey, hackers have direct access already.
They would need to know your login + account password first, so having on keychain won't pose an issue, unless hacker stalks you back to office+home and steals those credentials. With phone, a hacker will bruteforce and if they successfully enter, everything they want is there.
@noshopping: I guess it's more useful for work/public purposes if you do need it frequently.
But it does seem less safe when all you need to do is insert the yubikey? With a phone you need to unlock the device first to access the app but no such thing with yubikeys. With authy you can even put additional pin codes on top of the initial phone unlock as well.
@[Deactivated]: I think you'll find that the majority of hacks come from remote phishing/password theft. So this is really designed to be mass deployed to staff easily (can you imagine setting up hundreds of Authy accounts for staff?)
btw, if you lose a yubikey, the person who picks it up will have absolutely no clue what account its attached to. You can't sniff a yubikey, for example you can't look to see what Facebook, Gmail account it's attached to. The person picking up the Yubi key will need to know what account its attached to, e.g. [email protected], plus also know the account password, only then can they authenticate with the Yubi key.
Now imagine if you had to do the same for Gmail, Lastpass, Facebook, Dropbox multiple times a day?
Why would you need to do it multiple times a day?
All of those services keep you signed in unless you are using a new device.
The idea is that your phone is still online and is hackable(so is authy). These devices you need to physically hold, so it would need to be stolen along with your passwords etc.(good luck to them if the hackers live overseas)
Google auth is unfortunately necessary until websites catch up.
The yubikey TOTP app might be considered more secure as it requires authentication with a key to access the time codes.
I tend to agree with @masster, to use the google authenticator app; as it is less hassle than connecting a physical device to the computer.
I got YubiKey from Wired, I then setup my personal account with it; but due to the recent laptop refresh (upgrade to USB-C); my YubiKey (that has a USB-A connection) requires an extra step to validate (plug-in USB-C to USB-A converter cable, and the YubiKey itself).
With the phone, I just need to unlock (with fingerprint authentication obviously) and run the app and type the key.
Don't get me wrong, I like the idea to secure the account to the max, but looks like the method is too convoluted, if I introduce this to my partner, who does not have an IT background (and lovely in managing another aspect of life), she would definitely have divorced me if I force her to use it :)
Also, one thing I don't get is, once you plug in the yubikey and press the physical button, it seems it keys in the same password (random keys) again and again; I suspect this is a common behaviour consider it is passing the public key?
"In 2017, the tech giant began giving out physical security keys to all 85,000 employees, according to KrebsOnSecurity."
https://www.dailymail.co.uk/sciencetech/article-6115783/Goog…
Basically after forcing employees to use these rebadged Yubikeys, Google have completely eliminated staff accts from being hacked/phished, etc.
I had a bad experience with Yubikey which was provided by Mt.Gox years ago. Since then I've never used any Yubikey, may try to use it again soon.
What happened?
lost money
What does yubikey got to do with an exchange being hacked though?
@[Deactivated]: They provided the customers with the Yubikey to secure the account, but my account got hacked somehow and I lost the money. I complained and no one at Mt.Gox care, I guess they stole my money.
how would you use 2 simultaneously? is the 2nd one a backup? wouldn't you just have one key to carry around as your main form of authentication?
yes people on internet said, buy 2, one is backup/spare
You don't. You just use one to authenticate. Think of these as USB keys.
When using services like Gmail, you have the option from within Gmail to assign multiple Yubi keys to your account so if you lose one, you can just use another one, login and delete the one you lost.
Couldn’t recommend 2FA less. It’s not the tech that is an issue, because it is excellent (when implemented properly) but it’s just not practical. Most users will enjoy the illusion of greater privacy for a while, and then later down the track, lock themselves out of their account because they lost a key or cant access one “right now” for one reason or another.
It is WAY more likely to lock out genuine users.
Passwords are enough IF you’re making them unique and strong. If so, you have VERY little to worry about. Most services are protected against bruteforce. Those that aren’t and get cracked, leak only one password anyway and won’t compromise the whole chain. Hint: with almost no exceptions those services that are susceptible, usually won’t offer 2FA anyway.
A lot of services, further, aren’t encrypting your account a second time, it’s just a sort of… superficial shell access layer. Meaning, there’s usually a backdoor. Your data would still be safer, but not as dramatically as you might think. That is basically to say, most services have a “if you forgot your 2FA” sort of workaround. If you can use it, so can a hacker. And that’s probably the same method they got the password initially, so, there’s that.
All of that to know, that if I slipped and dropped my key in a drain some day, I’d not have access to my system? At least not until I find a spare key, if I don’t have one then NEVER? Not for me.
The devices are neato and the “theory” is great. I just worry about laymen using them in practice out in the real world.
Interesting comment, im curious for the reasoning of those who are negging?
I didn't neg the comment but it has a lot of misinformation.
Whilst you should use strong unique password, it doesn't protect you if your password gets compromised. In this day and age there are many ways for this to happen. 2FA/MFA is not perfect but it's definitely more secure than just having a password. The fundamental idea being it is a lot harder to find a way to exploit the multiple factors than just finding a way to obtain your password.
There is obviously a level of inconvenience if you forget your yubikey, phone or whatever, but it's doing the job it was designed for, which is keeping anyone out who doesn't have that extra factor even if its you. And btw the whole point of 2FA/MFA is extra security NOT privacy
You should use what level of security you deem appropriate for what you are doing and access the risk(s) you are willing to take. As a example you might just use a unique strong password for ozbargain, but perhaps use password + software based 2FA from your phone (which most people generally bring around with them these days) for your email but password yubikey if need something stronger for some other service you are using or potentially more…
There is no misinformation. I will grant I accidentally used the term "privacy" where I meant security once, but data security and privacy are loosely linked - but I didn't say that you are protected if your password is compromised. I simply stated that the risk is very small, which it is. And that risk can be reduced by strong, unique passwords, which it is!
By all means you should assess your level of required security accordingly for each account and for many users that will vary. But frankly speaking, most people can barely manage their FIRST layer. If they want to juggle two: go ahead! But I could never reccommend it to a tech novice. Accessibility is usually just as critical as security.
Indeed, the more sensitive your account is, most likely the more important it is for you to have unimpeded access.
Password Manager > Software 2FA (TOTP) > Hardware 2FA (U2F or FIDO2)
I think you mean the other way, unless that's a scale about convenience
This is why people recommend getting two. Just like the keys for your car, one you use, one for spare.
Couldn't agree more. I got locked out of my own laptop, because the damn finger print was not recognized :@
Using Authy for 2FA avoids the flat/broken/lost device problems since you can still access the website from any other browser capable device.
So for day to day users that is still a great improvement without too much inconvenience.
Yubikey does have the loss problems and compatibility problems with cheap phones so for general use yeah it's a pain.
Especially when most of the important banking sites still support nothing better than SMS and are easily tricked into password reset by a phonecall.
Using tough, unique passwords are pointless if the sites database gets dumped and hackers use those logins to access your account.
Check if your email has been compromised here: https://haveibeenpwned.com/
https://securityledger.com/2019/01/four-more-collections-700…
https://www.thenational.ae/business/technology/over-20-milli…
Every day more and more companies get hacked. 2FA, GoogleAuth/Authy/Yubi keys ensure that even if hackers "know" your login + pass, they still won't get access unless they physically have the device or authenticate with codes.
A sites database getting dumped is one of the primary reasons to use a unique password. If you are using the same password everywhere and a database gets dumped, then your password to every service is compromised (and possibly discovered with the prevalence of "combo lists"). If you use a unique password, only that account is compromised*. I know which I'd prefer.
(* And if a site has all their users passwords dumped, then the prudent thing to do for that website would be to invalidate everyone's passwords and make them set a new one. That said, that kind of security prudence probably isn't a quality of someone running a site that stores plain-text passwords, so it's likely a moot point.)
I use LastPass, and its awesome!
Requires premium sub to use UFA / Yubikey.
might be worth while getting a list of services/providers that support TOTP/NFC.
if the banks aren't using it, and that's where most people put money in, then do we really need it? I'm guessing no.
because they are always late to the party..
Even Microsoft, just announced support for Yubi 5 around 4 months ago.. As of Nov 2018 you can now use Yubi 5 to auth with Skype, Outlook, Xbox, etc. Its just a matter of time all banks will onboard. It is far more efficient than those RSA H/W tokens because you don't need to enter numbers and you can use 1 Yubi key with all services (e.g. imagine using Yubi to access Commbank, Westpac, Skype, Gmail, Dropbox, etc). Saves having to use multiple RSA H/W tokens.
https://www.yubico.com/2018/11/passwordless-login-with-the-y…
Well you can use it with Lastpass or Keypass, and store a really complicated password and then get disappointed when you realise the bank doesn't support the password.
Thanks OP purchased 2. Been eyeing a YubiKey off for a while now.
When will Xiaomi come to the party? Anyway I cannot wait for this and bought 2 as recommended for $106 with bank West card. Thank you op.
If you are primarily an Apple user, iPhone MacBook (2016 onwards) etc it could be worth waiting for the lightning enabled key to launch
https://www.wired.com/story/yubikey-lightning-ios-authentica…
Yes, and it will costs more as Apple won't implement this feature unless they are also being paid.
No doubt, but they're not cheap at their current price anyway.
all the online services that work with Yubi catalog:
https://www.yubico.com/works-with-yubikey/catalog/
If those rumours of iPhone adopting USB type C is there a point to releasing a lightning version considering you currently can support it using the dongle?
I use LastPass, and its Best
I could not get the yubikey 5 nfc to work with my android to enter a fixed password. It did not work for OATH-HOTP either. Just an empty URL for demo.yubico.com/yk/. The support website is poorly written with scanty information. It gave me an impression it was written for someone working in their support department rather than for consumer. Very disappointed.
so, include postage or not ?