• out of stock

Yubico Yubikey 5 NFC OTP USB-A Security Key $49 + Shipping @ Shopping Express

Looks like Shopping Express has a great weekend deal on the Yubico YubiKey 5 NFC OTP Two-Factor Authentication USB-A Security Key @ $49 plus shipping.
These are normally US$45/AU$64 + shipping direct from Yubico.
Normally when Yubico offers deals they are multi-buys so finding a special on single units is a change.
Shopping Express isn’t listed as an official distributor or reseller on the Yubico website, but I don’t think that list has been updated for years.
No deals on the USB-C versions.
Also, the website says the discounted price for 2 or more is still normal, but I ordered two for $98.
Edit: For more info on what security features the key supports, head to https://www.yubico.com/ to find out more.
For services/sites that don't utilise the built-in protocols, there are two 'slots' on the key and you could store a password to a password manager in the second slot (activated by a long press on the button).

closed Comments

  • +3

    Can you use this with Aus banks? From mobile app?

    • +19

      AUS banks seem to think mfa is multiple things you know.
      Password, security number, captcha, mfa ftw.
      Kind of concerning.

      • Well a yubikey (or equiv) is technically something you have not just something you know.

      • +13

        Yep agreed……AUS banks have no concept of cyber security. For e.g. ANZ does not allow customers to use special characters in their password. Had an argument with a branch manager about it and their argument was that many customers will forget their password and it will be hard to manage. Well then don’t enforce it, at least give it as an option.

        • +4

          Yep, pretty crazy.
          My VoIP provider, a small QLD company, supports TOTP MFA but my bank only recently allowed passwords more than 8 characters long and has no MFA support.

          • +5

            @gunslinger: Yep totally!!
            In addition, ANZ does not support more than 10-12 characters from memory.
            ANZ says customers can enable 2FA (https://www.anz.com.au/security/protect-your-virtual-valuabl…) but SMS PIN to a mobile number is not 2FA; That's 2-step verification (2SV).
            No technical understanding of security!!

            • @tomvghs: They have their own ANZ Shield app for two factor authorisation of transactions. No two factor authentication though.

        • My partner was with Westpac. Their password requirements were insane! Password had to be exactly 6 characters long and include a number.

          • +3

            @teslacoil33: 1Password has a freak out with storing Westpac banking passwords. It won’t even allow you to randomly generate a password that small.

            Banks have most likely done the sums and worked out the cost of people forgetting passwords (Of course you don’t have to enforce it) as well as changing legacy systems that don’t necessarily support passwords that complex. It is probably cheaper for them to cover any potential fraud than to change their platforms.

        • They spend millions in cyber security each year. It doesn't start and stop with a password field to online banking.
          There's 101 other controls in place around the detection of unusual behaviour, suspicious transactions etc.

          • @whichwhatwho: Seems to me like you constantly get locked out due to over the top suspicious systems, might be actually useful from a security point of view, except to allow people to actually get any banking done they allow it to be bypassed by phoning up and giving them your mother's maiden name.

        • I think because of the way they set up the database, having special characters would allow people to do SQL injections. Kind of like how you can't have symbols or custom words like null is a custom car plate.
          But upgrading to a DB that would accept symbols would mean they would have to rewrite some code and do extensive testing. So this is more of a scalability issue.

      • +1

        Laughs in Westpac.
        6 character alphanumeric.

        • To be fair the most recent hacks target email and phones and just reset passwords.

          Most people don't have 2FA on email and even if they do it's set up incorrectly with the recovery process still with text verification.

    • Want to know this. So how to use it on any mobile phone apps?

      • The mobile app needs to support it; otherwise you can also use them to generate TOTP 2FA codes.

        • Use the physical key or use yubi app to replace my LastPass authenticator app?

          • @CyberMurning: If the app, site or service supports FIDO2/U2F then yes

            Otherwise you can use the key to 'secure' a software HOTP/TOTP generator

          • @CyberMurning: The Yubikey app needs to be used along with the key. All your TOTP secrets are stored on the key while the app just decodes it. When you open the Yubikey app it has nothing in it by default so no one with your phone can easily get a TOTP code from it. When you tap your Yubikey on the back of the phone it will ask for a password you've set and only then it will show the codes stored on the Yubikey itself.

    • +9

      As far as I can tell no major Aus bank supports a standard 2fa method; if they even do 2fa, it'll be through sms, their proprietary app or hardware fob (which actually is not bad, but a bit inconvenient).

      From a quick look, I found no reports of any banks here that support

      • HOTP/TOTP (2FA via a "number generator", i.e. Google Authenticator app, Authy)
      • FIDO2/U2F (which most hardware 2fa keys use)

      Main support of these I've seen is from the usual big tech companies (Microsoft, Google, Facebook), here's Yubico's list of known compatible sites

      https://www.yubico.com/works-with-yubikey/catalog/

      • Thank you mate

      • +1

        That was a very useful link. It helped me finally arrive at a decision about Yubico products.

        Not for me. I'll stick with 2FA via SMS. Just need to take due caution about SIM swaps.

        • +10

          Do you have a separate phone number for sms 2fa that you don't tell a single living soul? That's the only way to take due caution if using sms 2fa.

        • 2FA by text should honestly be avoided.
          If you plan to use it on the same device that's even worse.

          Another problem is what happens if you lose your phone, malware or sim swap.

          With the authenticator key they can reset your password on most services. Your device may not even require a login password for email.

          • @shadowangel: While I agree that SMS is not the most secure method of 2FA. It's still 100 times better than no 2FA.

      • Rabo bank always had a separate totp generator device. Haven't seen any other bank offer anything like it for retail accounts

        • hsbc does, long time ago. a little device that generates code.
          i hated it.

    • LOL

  • Anyone got it working for Up freedom account? Recently signed up.

    • +2

      What's an Up freedom account? I'm with Up bank, but have never heard of this.

      • My bad, obviously new if I can't even remember the correct name, Up everyday.

    • +6

      Yubiright mate

    • +2

      Here, save your fingers …..
      https://en.m.wikipedia.org/wiki/YubiKey

    • +6

      Sure they don't cost much to make (even though they're made in the west). But you know what does cost a lot? The engineers who designed the cryptography, the marketers who advertise it to businesses and the designers who create the finished model plus all the IP and rights they need to license.

    • +1

      You are paying for the respected brand. There are DIY solutions but you wouldn't want some AliExpress POS providing security because it could actually go backwards.

  • I'm really interested but reading the wiki I see something about yubi version 4 and then 5.
    So my question, when in the future there is yubi 8 for example, means all the previous gen will be useless?

    • +3

      Not at all. The previous generations just won't have support for some of the newer technologies which you're unlikely to come across for a while. Newer versions also just bring in other features like NFC or USB-C connectors.

  • +2

    I could not get it to work fully with my android NFC. Last year I had this and was told it only supports very early android firmware.
    To me, it cost me more time to use this than just using long password that I remember with rhythm etc.. and my phone as 2nd authentication. Not worth it.

    • +7

      Working fine on my Galaxy S20 Ultra. Also this doesn't replace your passwords, it's for 2FA only.

      • +2

        YubiKeys support FIDO2 passwordless logins too but there's very few practical applications of this at this time.

  • And I found on Amazon
    YubiKey U2F FIDO2 Security Key (USB-A/Two-Factor Authentication)
    Only aud32.
    Yes it doesn't have NFC but I'm struggling to understand the other differences between yubi 5 and that cheaper key

    • +4

      The black YubiKeys support U2F, Smart card, OpenPGP and OTP, whereas the blue keys only support U2F. If your only use case is 2FA on the web, then U2F on the blue keys should be sufficient (however, as you mentioned, no NFC).

      • Or if you intend to use it (the YubiKey with NFC) with your phone without having to plug it in…

      • That's where I'm lost. OpenPGP, OTP, I have no idea. Will Google more later

  • -4

    what's this

  • thanks op; lost my last one ages ago and i've been looking to replace it so this deal's somewhat worthwhile

  • Got two for $5 through the wired subscription last year. Bought a USBC key, and would highly recommend. They are more solid, smaller, and work straight on phone without adaptor.

    • I have the USB-A version linked on this deal and the NFC works great on my iPhone - for me it seem that NFC would be more convenient than plugging it into my phone.

      • Yes except for size. I can plug the USBC into every laptop, PC, Mac and Android. I don't even have NFC or USBa on my laptop haha

        • Gee that $5 deal is so good I wish I could buy at that price. You should've bought 10.

          • @CyberMurning: Was limited by physical addresses. I have to carry around adaptors for my phone which is kinda annoying

        • So no issues at all for you using yubikey neo with androids and mac?

          • @fuzzy wuzzy: Haven't used it on my USBC only MacBook yet, works great on my pixel, galaxy, windows PC, work Linux PC.

    • Neither?

    • not everything is a conspiracy

      do u even know what cryptography is?

    • +1

      Let me guess: you seem to have no idea what's going in the world because you watch news and nothing else.

      So that means you voted for constant metadata surveillance by the Labor and Liberal Parties.

      That's a typical Australian: a person talking about fictional foreign surveillance while voting for a police state in which their Government surveils them while they watch news and know nothing about it.

  • Yubico's only issue is the proprietary part, I prefer Gotrust although it supports lesser key size.

  • +1

    Hmm can anyone vouch for the legitimacy of these considering they are cheaper than wholesale or the actual brand manufacturer. I’ve heard of cheap knock offs with Yubikeys or similar named ones. It’s the kinda thing I wouldn’t want to cheap out on as they might be buying from the Alibaba listing where they are $4, cheaper than the company that actually makes them….
    If you care about security i’d recommend googling “Where can I buy a Yubikey” to get a proper seller.

  • Does one key work with all accounts? Or is it a one key and one account thing? Like - one key working with Facebook, Google, Office365, LastPass!!

    • +2

      One key for multiple accounts of course. If it was one key and one account that would be a horrible deal.

      • +3

        Note you should either:

        1) buy 2 x YubiKeys though and enrol/register each "account" twice for U2F: once per YubiKey; just keep the 2nd YubiKey in a super secure place since it won't be with you
        2) setup backup 2FA with TOTP or backup codes; both of these have their disadvantages vs U2F but is still common with most services

        Otherwise, all hell will break loose if your one and only YubiKey is lost, stolen, or fails.

        Note: Some services don't support registering multiple YubiKeys at all so you're stuck with option 2.

        • Also no way to use the key on iPad so you have to have TOTP backup if you need to work on iPad. I’m not even sure the NFC key is supported on iPhone either.

    • One key to rule them all? And in the darkness find them?

  • I wish soon we can have passwordless experience.
    Just go to any sign in page, insert this key and fingerprint or retina scan or both, and boom we are in. No need to type username. Any website.

    • Guess you haven't heard of Google Authenticator.

  • What's the use case for these?
    Who authenticates the generated TOTP/HOTP?

    • +2

      Maybe be bothered reading through this thread like I just did? The answer to your question is in here.

  • Can you use one Yubikey on multiple devices?

    • Yes of course, that is the main purpose, you keep one key with you all the time to access your websites on many devices

  • What is wrong with just fingerprint authentication? Is it not so secure?

  • This thing is great to stop me impulse buying on amazon

  • I've had a couple of Yubikeys for years but don't find them particularly useful. It locks my home pc, great, but that's about it. I had it on Gmail as second factor but it played up a lot and was a pain.

    What do you use it for?

    Oh, I also had it on Last pass but it intermittently played up there too so I switched back to authenticator- less hassle.

    • +1

      That's strange, can you describe how it was playing up?

      I use it for everything that supports it and haven't had any problems whatsoever. I've found it way easier to just tap on the Yubikey or use the NFC reader to log in than going to an Authenticator app, scrolling until I found the code and having to paste it in. I know most people praise the security of the keys but I've found the convenience to be the bigger benefit of using them.

      • Google, often, and LP, less often, were not recognising the Yubikey.

  • Configure Token based authentication (google Authenticator) along with YubiKey - possible?
    Like, if I don’t have hardware key with me, I can use Authenticator app or sms based?

    Not sure if it’s possible to have 2 MFA when having hardware key. At least SMS + Authenticator app works well for some cases.

    • +2

      Yeah it's doable with most accounts. I can't say for all of them but the ones I use all support using a Yubikey as well as TOTP like Google Authenticator.

  • Reading googling more and got more confused.

    The Yubikey nano, does it have a fingerprint reader too? Is it 100% the same as the standard Yubikey except size and NFC?

    • +1

      It does not have a fingerprint reader. It's 100% same as the standard Yubikey except size and lack of NFC. I use one at my desktop PC, it's good for having a Yubikey that you will rarely remove from the system (it's quite difficult to remove it).

      The Yubikey Bio (which isn't out yet iirc) will have a fingerprint reader.

      • Uh I thought touching the current yubikey is reading fingerprint but actually just a way of presenting human elements. So anyone can touch it to login.

  • I don't get the "reality check" utility of these things when it comes to securing personal account access. U2F would probably be the main security benefit (also available on cheaper, one trick pony devices) but I imagine most services in 2020 would still either (a) support a less secure fallback or (b) not support U2F at all (such as banks). So at the moment you're really only saving time.

    And if you're protecting something serious like nuclear launch codes, you're also putting a lot of faith into a manufacturing and delivery process you didn't audit. Well probably as much research you did into those closed source services you use with end-to-end encryption…

    Keep in mind I haven't actually looked into all the features of this device and my net assets probably match the value of the product in question. Oh, and my subversive activities are very mild in nature.

    • Google supports it with 0 other 2FA like SMS, so the security benefit is that you need to have your Yubikey to log into GMail with no other way of getting in. This is pretty good since email is one of the most vulnerable parts that will be targeted

    • +1

      Many large tech companies have some form of mandatory U2F supplied by Yubico, and one would think that they would have to survive a pretty rigorous security audit before they're allowed to supply keys to their employees.

      A year after Google mandated security keys for all its employees, phishing rates have basically gone down to zero. I would consider that a pretty resounding endorsement of Yubico and U2F in general. If they can keep most of their internal company secrets secure with Yubikeys, then most people should consider it good enough to protect their accounts with.

  • There is a perfect article to explain what it is and how to use it - https://paulstamatiou.com/getting-started-with-security-keys

  • +2

    Does anyone know if these YubiKey 5 NFC have the latest firmware (5.2.3+)? I need to use ECC (Curve25519)

    https://support.yubico.com/support/solutions/articles/150000…

    YubiKey firmware is NOT upgradable… that's why the ask.

  • Any 2 factor authentication is good. Yubikeys are just another way of doing the 2 factor authentication (over a phone app, or a phone notification or SMS). While it can be more secure than other methods, it is an inconvenience and not worth the $$ IMO. Adoption is very limited today for consumer apps.

  • +5

    Some random tidbits of info I gathered from YubiKey and YubiKey 5 in general:

    Why use YubiKey over Google Authenticator?
    https://www.reddit.com/r/security/comments/b2ikab/why_would_…
    https://www.reddit.com/r/security/comments/9oru2e/what_i_lea…

    • Even if a hacker gets remote control of your PC, they can't generate 2FA codes from Yubi Authenticator because they need to "touch" the key physically before it generates 2FA codes (apparently only YubiKey 5 has this option?), see: https://www.youtube.com/watch?v=UjyaGdab_Bg
    • 2FA codes to websites are stored on the YubiKey, unlike apps (ie: Google Authenticator) where data is stored on the device/cloud. If something happened to your phone and you had no backup key saved, well you just lost all your 2FA login codes!
    • Yubikey startup password is stored on YubiKey. Startup password is required to load Yubi Authenticator app on Windows/Mac/Android/iOS.
    • Use multiple Yubikeys for 2FA, that way if you lose primary key, you still have backup key(s), see https://www.reddit.com/r/yubikey/comments/hcaazo/register_bo… or https://www.reddit.com/r/yubikey/comments/atdi7r/planning_to…
    • Yubikeys only have capacity to store 32 TOTP/2FA keys
    • Check if YubiKey is genuine here: https://www.yubico.com/genuine/
    • Yubikey has no firmware updates. This is to prevent hacking on the device. It's a security feature. If there's new version, you have to buy new keys.
    • It's virtually impossible to get phished if you use Yubikey to authenticate (via U2F).
    • Can a YubiKey user be tracked from site to site? No. A unique key is generated for each site using a random number and the site URL (among other things) along with the hardware key. There's no mathematically feasible way to determine the hardware key from this.

    Info gathered above may be outdated or incorrect. DYOR!

    In general if you value your data (email, cloud data, crypto assets) you DEFINITELY need a YubiKey.
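
The per-site key and phishing points in the comment above, as an added example that is not part of the original comment and is not Yubico's firmware: a simplified model of a U2F-style token that derives a separate key for every site from one device secret and refuses a key handle presented under a different origin. HMAC stands in for the ECDSA P-256 key pair a real U2F token uses (so the site holds a symmetric key here), and `ToyToken`, `site_verifies`, `demo` and the `.example` origins are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

REAL = "https://login.bank.example"          # constructed origin
FAKE = "https://login.bank-secure.example"   # constructed look-alike origin
OTHER = "https://mail.provider.example"      # constructed second site


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every part so field boundaries cannot be shifted.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class ToyToken:
    """Simplified U2F-style token (assumption: HMAC replaces ECDSA)."""

    def __init__(self) -> None:
        self._device_secret = os.urandom(32)  # never leaves the token

    def register(self, origin: str) -> tuple[bytes, bytes]:
        # A fresh nonce per registration makes every site key unrelated.
        nonce = os.urandom(32)
        site_key = _mac(self._device_secret, b"key", origin.encode(), nonce)
        # The tag binds the key handle to the origin it was created for.
        tag = _mac(self._device_secret, b"handle", origin.encode(), nonce)[:16]
        return nonce + tag, site_key  # the site stores both

    def sign(self, origin: str, key_handle: bytes, challenge: bytes) -> bytes | None:
        nonce, tag = key_handle[:32], key_handle[32:]
        expected = _mac(self._device_secret, b"handle", origin.encode(), nonce)[:16]
        if not hmac.compare_digest(tag, expected):
            return None  # handle was not issued for this origin: refuse
        site_key = _mac(self._device_secret, b"key", origin.encode(), nonce)
        return _mac(site_key, origin.encode(), challenge)


def site_verifies(site_key: bytes, origin: str, challenge: bytes,
                  signature: bytes | None) -> bool:
    if signature is None:
        return False
    return hmac.compare_digest(signature, _mac(site_key, origin.encode(), challenge))


def demo() -> dict:
    token = ToyToken()
    handle, site_key = token.register(REAL)
    challenge = os.urandom(32)
    # Normal login: the browser reports the real origin to the token.
    good = token.sign(REAL, handle, challenge)
    # Look-alike page relays the real handle and challenge, but the
    # browser reports the page's own origin, so the token refuses.
    relayed = token.sign(FAKE, handle, challenge)
    other_handle, other_key = token.register(OTHER)
    return {
        "legit_login_ok": site_verifies(site_key, REAL, challenge, good),
        "phish_signature": relayed,
        "linkable": site_key == other_key or handle == other_handle,
    }


if __name__ == "__main__":
    print(demo())
```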

  • Out of stock. Here seems to be the next best places to get their range. https://www.rstassured.com/where-can-i-buy-a-yubikey/

  • Too much trouble. SMS MFA is enough for me.

    • +3

      Not considered very secure due to number porting risk. Not sure that is as much a concern in Australia as in the USA though.

      • Now for every porting request they will send an SMS to the existing number and ask for approval, is this right? So it's almost impossible for a hacker to port our SIM out, I think

    • +1

      Here's why SMS MFA is not 100% secure:
      * Someone could social engineer their way to getting another copy of your sim card to read the SMS
      * Silent JS attacks via Websites, Portal Settings, BIO and even Email
      * Valuable apps which allow for SMS to be read
      * A tool, which I won't name obviously, which allows you to read the SMS of the targeted device silently by getting the user to do something innocent.
      * Having a Rooted Android device or Jail Broken Device
      * People for some reason also have ADB debugging enabled and Bluetooth and Wifi ADB Debugging

  • got mine today in the mail; verified on yubico website and it's genuine

  • I use the Kensington Verimark Fingerprint USB key, which can be attached to a keychain. How is Yubikey different?

    • +1

      Yubikey has NFC, GPG, TOTP… but for simple U2F it looks equivalent. The Kensington is quite a bit more expensive though.

      • I saw $20 USB dongle fingerprint reader on AliExpress. May buy it one day to try. It says compatible with windows hello. My laptop doesn't have fingerprint reader.

  • I have one of these, can confirm it works well with the services it's supported on (Dashlane, Google, FB, Twitter, Microsoft etc)

    Recommend getting the NFC one though to auth on phone easily.
