This was posted 1 year 10 months 20 days ago, and might be an out-dated deal.

Related
  • expired

Yubico 5 Series Keys, USB-C Nano $51.29, Yubikey 5CI USB-C/Lightning $52.32 + Delivery @ F Digital (Direct Import) via Catch

380
Yubico 5 Series Keys, USB-C Nano $51.29, Yubikey 5CI USB-C/Lightning $52.32 + Delivery @ F Digital (Direct Import) via Catch
Go to Deal
Cashback
Mike-A on 02/01/2023 - 12:39 catch.com.au (1460 clicks)
Last edited 02/01/2023 - 13:31 by 1 other user

Two separate deals. One for a USB-C nano & second 5 CI with lightning + USB-C connectors. Great for 2fa, better protection for a variety of accounts such as google and apps such as 1password and if the website or app supports it, password-less login. Can be used with many mobile devices / tablets & PC/Macs, fairly wide support, see the yubico page for specific device or operating system support.

The YubiKey 5 Series is a hardware based authentication solution that provides superior defence against phishing, eliminates account takeovers, and enables compliance requirements for strong authentication.

It offers multi-protocol support including FIDO2, Yubico OTP, OATH HOTP, U2F, PIV, and Open PGP. Users have the broadest options for strong authentication including not only two-factor authentication, but also support for single factor passwordless login and multi-factor authentication in conjunction with user touch and PIN .
See more details here:
https://www.yubico.com/products/yubikey-5-overview/

Here's an example of how these keys acted to protect Cloudflare from being compromised more than they were. https://www.wired.com/story/hardware-security-key-passwords-…

Deal 1: Yubico Nano slimline authenticator https://www.catch.com.au/product/yubico-yubikey-5c-nano-2fa-…
Deal 2: Yubikey 5CI for IOS & other USB-C devices https://www.catch.com.au/product/yubico-yubikey-5ci-2fa-v5ci…

Computing 2FA Lightning Connector Security Key Yubico

Related Stores

Catch.com.au
Catch.com.au
Marketplace
F Digital (Shipped From Overseas)
F Digital (Shipped From Overseas)

closed Comments

  • Shoocat on 02/01/2023 - 12:46
    +2

    Maybe amend the title to say F Digital via Catch? Useful to know this is a marketplace product.

    • Mike-A on 02/01/2023 - 12:48

      Thanks done.

  • soymeat on 02/01/2023 - 13:02
    +23

    For anyone interested, the Cloudflare/Yubikey deal is still on where you can get 4 x Yubikeys for $10/11 USD each. It will take 1-3 days to receive the code though. Shipping is also only $5 USD.

    Instructions on what you need to do in Cloudflare to be eligible for the code are in the top comment:
    https://www.reddit.com/r/yubikey/comments/xrcly7/comment/is0…

    • Mike-A on 02/01/2023 - 13:05
      +2

      Have to be a client of cloudflare first is my understanding.

      • soymeat on 02/01/2023 - 13:06
        +8

        Yes, but you don't have to pay anything. Instructions I linked to will make you eligible after about 5 mins of setup and only requires free Cloudflare services.

        • Mike-A on 02/01/2023 - 13:07

          Ohh that wasn't clear to me. Great find!

    • soymeat on 02/01/2023 - 13:20
      +5

      Also just wanted to add - Cloudflare deal only applies to Yubikey 5 NFC and 5c NFC. So the OP deal is still great if you specifically want a USB-C Nano or USB-C/Lightning model.

    • Link2020 on 02/01/2023 - 13:38

      Cheers, very easy to follow instructions in link.

    • opfi on 02/01/2023 - 15:35
      +5

      I never received any response from cloudflare though i signed up - any one in same boat??

      • efheichr on 02/01/2023 - 16:13

        Yep me neither. The OzBargain post is marked expired so not sure.

      • Telios on 02/01/2023 - 23:20
        +1

        Yup I had Zero trust setup as well.

        Figured it was a closed case.

    • CookieJacker31 on 02/01/2023 - 16:55

      I followed the instructions, set it up but couldn't find anything. Re-ran the offer but no luck..

      Stuck at "add a site".

      IIRC recall they change the offer to require one.

      I did find this and it maybe worked maybe not. Now we see

      https://dash.cloudflare.com/?to=/:account/yubico-promotion

      • CookieJacker31 on 06/01/2023 - 09:28
        +3

        "We’re reaching out as your account did not qualify for the offer during the offer period. The offer period has ended"

        Looks like it is over.

    • THX on 02/01/2023 - 17:41

      anyone experiencing issues adding payment options?

      • Shoocat on 03/01/2023 - 14:58

        You just add a payment method separately before you add the plan type. There's a 'payment method' menu in account settings.

        But as others have said, even following these instructions to the letter doesn't seem to work any more. CloudFlare have possibly closed this loophole.

    • MadMud on 02/01/2023 - 20:04

      Cheers for that, signed up for the free subscription and waiting for an email from yubikey.
      There was some "technical" stuff creating an account but I seemed to have fluked my way through it.
      I've been wanting one of these for awhile but couldn't justify the cost. Until now.

    • Failbike on 02/01/2023 - 21:31

      Thank you for posting this, I had no idea.

    • zujik on 05/01/2023 - 06:22

      Just be prepared for a LONG wait for delivery. I purchased four keys via this deal on October 19, 2022, with dispatch advised as 5-7 days. I received two emails pushing it to end of November.

      When I emailed December 5th for an update I was advised the ETA is mid January. Currently the order is still processing, with an additional 20-30 days shipping (the $5 option) on top of that.

      Order placed Wed, 19 Oct 2022 00:12:55 GMT

      • soymeat on 05/01/2023 - 13:14

        Thanks - might be worth buying from elsewhere (like OP deal) if you're keen to get them soon.

  • maybe a bot on 02/01/2023 - 13:04
    +2

    With security products like this, I would rather get them from the distributor through the CloudFlare deal than buy from a third party seller, as the products could have been tampered with.

    • killingtime on 02/01/2023 - 13:26
      +6

      just fyi (I also bought from cloudflare deal), it's just a discount code with Cloudflare, they don't distribute anything. Its direct from Yubico

  • askvictor on 02/01/2023 - 13:48
    +1

    Why are these so expensive? Is it just because of the effective monopoly yubi has on the market?

    • askbargain on 02/01/2023 - 13:52
      +3

      FIDO2 is an open standard…

    • Mike-A on 02/01/2023 - 14:37
      +3

      No you can get FIDO2 "keys" from other providers e.g. Kensington (biometric keys) Most of the cost comes down to a small processor/chip that does more than just storage, part of it is certification costs, but not many businesses demanding all their users move to this yet, so possibly also just scale to get these out. I suspect the cloudflare deal the math just makes it easier on 1-2 models and Yubico just plan to pump a lot of these out.

      They should be able to get them out around $20 on the regular IMHO, but slightly more expensive with the 5CI model due to MFI (apple) certification.

      • MuddyClear on 03/01/2023 - 00:26

        Kensington Verimark IT offers Windows Hello Biometric but can not be used as a security key.

        Kensington Verimark Guard can be used as a security key but not Windows Hello but does not support Windows 11 yet afaik.

        Price wise these Verimark products are more expensive than Yubikeys

        • Mike-A on 03/01/2023 - 08:37

          Due to the sensor and related functions I suspect they'll never be cheaper than the Yubi;s either. I have seen the kensingtons cheaper than the usual (less than $100) but never in the $50 or less price range. And agree, I don't see why they can't do both things on the same device, must be some weird implementation detail I can't be bothered to look into.
          Regardless I was just bringing it up to identify an easily found alternative to the question OP, there are others competitors out there, but not a whole lot. I suspect this market just isn't that hot yet, so less competition.

  • hamwhisperer on 02/01/2023 - 14:16
    +1

    Why is this a good product for those who already have complex passwords and authy / 2fa?

    Curious what good use it is.

    • Phlume on 02/01/2023 - 14:17
      +4

      Complex passwords can always be compromised from data breaches. This adds another layer of physical security.

      • shaybisc on 02/01/2023 - 16:13
        +1

        So to protect your password manager. That's all I can think of when I look at the works with Yubikey catalog. Since no Australian bank uses them and I'm not running a business I can't see anything else that Yubikey can protect me from that really hurts.

    • spaceflight on 02/01/2023 - 14:23
      +3

      This is a physical security device so it's much harder to have you account compromised when someone needs a physical item to do so.

      • ca6leguy on 02/01/2023 - 16:44

        What if you loose the device?

        • shaybisc on 02/01/2023 - 16:50
          +3

          You're advised to buy two.

        • McFly on 02/01/2023 - 17:15
          +1

          Then you'll need to find another way to tighten your security.

    • Mike-A on 02/01/2023 - 14:51
      +5

      Only adding to the existing comments. You can use this to auth into MacOS (in beta now) as well as into your password manager also. In addition they can be used as a 2fa source themselves that will satisfy google on top.

      Any "software 2FA" in theory can be copied and mis-used. Google auth and others have protections for this, but there is still a theoretical vulnerability.
      SMS auth in Australia isn't as secure as most perceive in my opinion, as has happened already, all you need is some basic identity information, call optus, say you've lost your SIM and ask to send you a new one, then you have someone elses second factor.
      Hardware keys you need to physically have, so unless someone pick-pockets you, much harder to break through. Aside from adding to yubikey (or others) sales, there's a good reason to have 2 hardware keys, one as backup to the primary if lost/stolen. Still we're really getting into edge cases here, likely not needed for the masses, but they're great paranoia insurance :)

      • MagnamoniousRex on 02/01/2023 - 19:25

        People thought their data was safe with Medicare and Optus too.

        If you have a family it's irresponsible in this era to trust your digital security to only a password.

    • ampublic on 02/01/2023 - 15:20
      +1

      To access any account, one needs to authenticate self. This can be done in many ways.

      BY SHARING WHAT YOU KNOW - Most common way - Provide the password.
      BY PROVING WHO YOU ARE - Biometrics - Voice, Facial, Thumb print recognition.
      BY PROVIDING WHAT YOU HAVE - Provide a token/device, that is mapped to the account id/password, such as Yubico keys (of course, there are other providers that offer keys).

      2FA is short for Two Factor Authentication, where one authenticates using at least two ways.

      Google Authenticator, Authy, Microsoft Authenticator, etc. works on similar principle, as they provide a token from a phone that YOU HAVE. Some authenticators are bound to the hardware such as a phone, while others are bound to a phone number or an account (Authy). Phones may get compromised (say through ID hijack and subsequent SIM swap approach).

      Having a phyical key REDUCES the chances of remote authentication. So, some may opine that it is better than authenticators such as Authy.

      Note: Not all accounts support 2FA through such keys.

      • ssfps on 02/01/2023 - 19:25

        This categorization is fairly abstract and arbitrary, and I don't particularly like it despite it being commonly spruked.

        Ultimately the auth is all in software, and as you point out someone can hijack a phone number and they have "that hardware" as far as the SMS goes.
        I'd much rather be allowed to preshare an SSH key, use an offline password managers, and do away with all this 2FA bullshit entirely, so my phone or some glorified USB key isn't a security liability.

        This isn't an argument against anything you said, just opining about the recent frustrating proliferation of 2FA tokens.

        • Mike-A on 02/01/2023 - 20:40
          +1

          Ultimately you're still storing that SSH key someplace, and then, likely, copying & pasting it someplace also. In principal you're correct, software is doing the validation and other elements, so to an extent you can't avoid software in the path. However, when it comes to the storage of SSH keys or even certificates (PKI) these too can be stored on the secure enclave on hardware devices such as the Yubikey (in no way am i shilling for them, i just wanted the newer version of these for myself and saw this cheaper deal).

          Short version, the keys don't need to leave the device, it can do the validation for you, meaning nothing in the clipboard, I believe the yubikey (and others do the same) use a keyboard driver to enter the password (could be wrong on this one) meaning attack methods such as those used against target all those years ago in the US wouldn't work either.
          I don't believe they're a full HSM because they have those as well, but it is generally considered a significant uplift over those stored on disks. They just operate as a PIV smart card is my understanding. The whole point of that is to get around malware searching for SSH keys.
          https://www.yubico.com/authentication-standards/smart-card/
          https://www.ssh.com/academy/ssh/cac-piv-card-smartcard-authe…

          Don't ask about their implementation details I haven't dived in all that hard :)

          • ssfps on 03/01/2023 - 00:28

            @Mike-A: Thanks for the info. They are perhaps more sophisticated than i'd realized, eg loading a purpose-specific keyboard driver, validation on-device rather than on the PC.

            It seems like they do protect against various classes of attack, but are still vulnerable to others. It seems that to be "completely" (reasonably) secure they would essentially need to be a closed system tightly integrated with the computer itself, which brings to mind security co-processors and "trusted computing". I worry about such systems becoming the norm - the more "secure" we get the less we seem to own our hardware.

            • Mike-A on 03/01/2023 - 08:06
              +1

              @ssfps: Agreed, no such thing as a perfectly secure option, however you're now at extremes to break the keys, e.g. loading your own keyboard intercepts when the thing is only plugged in part time via likely a custom driver/dll that didn't fire off all the other windows warnings and in-built protections. So yes, theoretical vulnerabilities remain, just really super damn hard. Frankly if you're using it for SSH, as the private key never leaves the thing, that one I'm struggling to find a pathway to how you'd break that one. However crypto with all the math breaks my brain so i just say yep, must be secure lol.

              If you're curious look into the U2f stuff as well, that these (and others) support, it's really ratcheting up making auth a stronger part of the equation rather than currently one of the weakest.
              .Edit: now with link https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fid…

          • Jiv on 03/01/2023 - 00:44
            +1

            @Mike-A: If I remember correctly their implementation details (aka firmware) is FIPS 140-2 validated, so there is a certain level of assurance.
            The microcontroller is certified to EAL6. That's some serious stuff.

            If anyone can point me to their Common Criteria evaluation document, would really appreciate it. Currently struggling to find it.

            • Mike-A on 03/01/2023 - 08:29

              @Jiv: Unfortunately if you value FIPS & software validation testing, there's a separate series for that, labelled as their FIPS series. I'm personally not interested in those, takes months to patch those things due to that same testing. Great that they have them, I just ponder the value it provides and still have no real conclusion.
              If you want to see the report, I suspect you have to reach out to their sales team, they likely don't publicly publish it, at least my searching didn't come up with anything either.

              If you're curios over the various risks several risk factor descriptions found here, see P27 for strengths of the various auth methods https://www.ssi.gouv.fr/uploads/2021/09/anssi-cible-cspn-202…

              As usual we're working on probabilities, but at least auth generally allows for constrained number of attempts.

        • joelmuzz on 03/01/2023 - 13:11

          SMS 2FA shouldn't even be considered when app 2FA is available.
          It only exists because it is easy and a big improvement on password alone.

          The flaw with general public Authy use is many will go and use Password1 as their master password or same password as the login. Despite SMS weaknesses (SIM swaps, lockscreen message popups) it is better than that situation.

    • camh on 02/01/2023 - 19:02
      +1

      U2F security keys are phish-proof. The TOPT codes (6 digit codes generated by authy) are vulnerable to MITM attacks where you think you are talking to the correct web site, but are talking to an interceptor in the middle. They can relay the 6-digit code and your password to get access to your account. This cannot be done with U2F tokens as the code is tied to the hostname in the URL, so it will not work if you are on a fake site.

      • ssfps on 02/01/2023 - 19:28

        BGP/DNS hijack?

        • camh on 03/01/2023 - 09:41
          +1

          TLS protects against that.

    • joelmuzz on 03/01/2023 - 12:47

      Passwords are always weak regardless of complexity since you can get keylogged in various ways.
      2FA apps are a big improvement, but only as secure as the device they are on and for online synched the master password and possible platform flaws.

      Keys are excellent in professional use where you want the higher security and a physical key which can't be cloned.
      Essential for IT professionals and should be used for corporate networks (though rollout is going slow).

      But for general public I don't think they offer enough to bother. Not enough support in civilian life (banks, phone carriers, MyGov etc).
      Their anti-cloning no backup feature also makes them a hassle for individual use (in corporate the IT dept manages resets and override access).

  • Euthyphro on 02/01/2023 - 14:23

    Will saving the key on a USB drive have the same effect?

    • Mike-A on 02/01/2023 - 14:31
      +2

      Not really, theoretically, someone could copy things off of a standard USB key. These only activate the authentication when the button is pressed. So they are only active when you want them to (keeping the explanation simple, they do more than this, but this is one of the advantages), plus encryption and support for various security protocols for authentication. Theoretically with FIDO2 support it's a possible to end the use of passwords. Some websites already support this.

  • efheichr on 02/01/2023 - 14:42

    Is this the same product? If so, its slightly cheaper in eBay.
    https://www.ebay.com.au/itm/185660600218?mkcid=16&mkevt=1&mk…

    • Mike-A on 02/01/2023 - 14:43

      Yup, same as the Nano one…

  • shaybisc on 02/01/2023 - 17:23
    -1

    Yubikeys are predicated on genius level hackers out to get you - NSO NSA - but as far as I can tell all these hacks/breaches are down to moron level mistakes by users.

    • Mike-A on 02/01/2023 - 18:11
      +2

      Some yes, for sure, totally bad practice & lack of laws in AU means public is poorly protected. But the other way to put it, defenders have to be perfect, bad guys just need to have a new weakness that they're constantly scanning for to find.
      We just need to have these companies not need to store all these details on us.

    • soymeat on 02/01/2023 - 19:04
      +5

      Well, LastPass being somewhat compromised is what prompted me to start looking at Yubikeys. If you're keen on security, a hardware key like this seems to make sense to add further risk mitigation.

    • Jabba the Hutt on 02/01/2023 - 23:45
      +1

      People with moron-level security habits happen to be an ideal use case for YubiKeys, making it somewhat unfortunate that it's chiefly the most security savvy that use them at the moment. But even the latter have their bad moments, and everyone wins if they became the norm. Making that happen is the hard part, but every new YubiKey (or equivalent) owner helps.

  • [Deactivated] on 02/01/2023 - 20:09
    +1

    Found cheaper

    https://www.ebay.com.au/itm/185703868360?epid=23039993744&ha…

  • MuddyClear on 02/01/2023 - 21:35

    The main way people get hacked is via fishing where hackers use social engineering to trick you to click on something you shouldn’t, which will then allow them to access your device. If your device is a phone then they can intercept your 2FA one time code. If your phone has an authenticator then they can wait for you to authenticate which will then give them access to your online account. If you have an iPhone then they can access your keychain passwords and credit card details in your wallet.

    Point is having a strong password and 2FA with authenticator does not make you immune to fishing. This is why we all need yubikeys. Millions of dollars are lost to hackers every day. This will continue unless we all get serious about stopping account take overs.

  • xmagic on 03/01/2023 - 05:57
    +3

    Been a YubiKey user for quite some time. Currently using 5Ci and the blue key gen 2 as daily driver, with other models as a backup.

    My experience - don't buy 5Ci model (the one with lightning port) unless you specifically need it. i.e. You're using an Apple device that has lightning port only with no NFC - that's right, you shouldn't buy 5Ci even for iPhones as you can just tap with YubiKeys with NFC instead. The 5Ci model has two connectors make it very clunky on the keychain, if not prone to snapping.

    Only two reasons I can think of using 5Ci on Apple devices: old iPads/iPod touch(no NFC), have to use Yubico OTP or other keyed-in codes via YubiKeys.

    • MuddyClear on 03/01/2023 - 09:35

      Yubico OTP or other keyed-in codes via YubiKeys.

      Is this used to unlock the iPhone keychain or unlock some authenticator holding passwords etc?

      • xmagic on 03/01/2023 - 09:42

        Nope. It has nothing to do with your phone. I believe the majority, if not all, password managers on iOS platform use either Face ID or just pin.

        Yubico OTP was a solution before everyone start to push FIDO and WebAuthn, as FIDO requires hardware and driver support which makes it even supports passwordless login, while Yubico OTP only requires a text input field and is quite good in regard to compatibility. It is designed to be the replacement to the old fashioned TOTP or HOTP codes.

      • xmagic on 03/01/2023 - 09:55

        BTW even though it’s already kind of considered deprecated, Yubikeys’ two keyboard slots allow you to configure multiple different kind of codes. Apart from Yubico OTP, you can program in HMAC OTP, Challenge-response and even static password (i.e. allow you to type in anything you want on a simulated keyboard).

        Actually I’d say the blue security key is more useful generally - it supports U2F and FIDO2, which is the thing everyone is talking about, in the form of both USB and NFC. The proper Yubikeys have additional features (keyboard code slots mentioned above and PIV and OpenPGP smart card) but for most people they’re kind of useless. Currently I haven’t use Yubico OTP for ages, but is using PIV smart card quite often, as many of my local services uses client certificate to authenticate instead of passwords. Very convenient. But again, FIDO support is what matters for online services we use on a daily basis.

  • shaybisc on 03/01/2023 - 07:24

    I'm a bit dirty on Yubikeys because I had 2 and the only useful thing I could get out of them was log in to Windows. I also tried them on GMail but half of the time they weren't being recognised.

    One day they stopped working and I discovered that the recovery code I had recorded was not the recovery code.

    • MuddyClear on 03/01/2023 - 09:37

      I also tried them on GMail but half of the time they weren't being recognised.

      How strange

      One day they stopped working and I discovered that the recovery code I had recorded was not the recovery code.

      That sounds like a user error

      • shaybisc on 03/01/2023 - 10:02

        How can it be user error when it worked 999 times in a row then stop working on 1000? I didn't do anything different.

        • MuddyClear on 03/01/2023 - 10:04

          You didn’t record the new recovery code.

          Also not sure how both yubikeys stopped working at the same time…strange

Login or Join to leave a comment
Login Join