The Wonderful World of Yubikey: U2F and FIDO2

At a certain point in your security journey you'll hear about hardware tokens as a second factor of authentication. You'll probably hear that they are god-tier 2FA and if you aren't using one you'll forever be a resident on Noob Island.

That was me. Noob Island wasn't a place I wanted to live forever. So I got a Yubikey and then........

You can use  your Yubikey in a number of different ways and chances are you can use it for most sites/platforms in one way shape or form. We'll be exploring all the different ways you can use a Yubikey. This list is ranked from Simplest/Most Practical -> Does anyone actually do that?

U2F and FIDO2. Just press the button

The simplest and most common thing you will do is enroll your Yubikey itself as the second factor of authentication on a site or platform. This is a great second factor because this physical thing you have is negotiating the second factor of authentication behind the scenes. The "secret" that's making that transmission possible only lives on that particular Yubikey. There is no way to copy it or clone it. Yubikey has combined the security of a unique physical thing that only you possess with the simplicity of "just plug it in and press this button".

Even if you mess up and accidentally press the button in a chat, that code is useless. Every time you press the button you'll get a different code.

However, the simplicity and security of Yubikey's U2F is only useful if the site or service you're using supports U2F and/or FIDO2. A lot of the "big ones" do. Google, Coinbase, Twitter and Github all do. But a lot of others don't. Your bank probably doesn't, Discord doesn't, Reddit doesn't, Linode doesn't and Digital Ocean doesn't... Certainly not as ubiquitous as we'd like.

One way to address this adoption gap would be to take a service that offers single sign on (SSO) like Google and use that to access services that don't offer hardware backed 2FA. So you would "Sign in Using Google" and use your Yubikey with Google and Google to sign in to this other service. Not an ideal solution but something to consider.

What about Mobile?

My experience using Yubikey on mobile has been mixed. Having tried both iOS and Android devices I can say that it's not as reliable on mobile as it is on desktop. (This might not be Yubikeys fault but instead a lack of support for the underlying protocols that Yubikey is using.) To the point where I would not rely on it for apps/services I need to access on mobile. This may improve in the future, but for now I'm relying on TOTP (authenticator app) for my mobile services. Good news: If a site/service supports U2F they almost always support TOTP as well.

Backup strategy

What about backups? You've now staked your second factor of authentication on this very unique physical thing you own. You should never rely on just one method of 2FA. If you're going all in on hardware backed 2FA then you'll need to have more than one piece of hardware. Yep. Buy more Yubikeys and store at least one in a safe place. If a site supports Yubikey you can generally enroll multiple keys as a second factor (or any other U2F device. Trezor hardware wallets for example). Keep in mind though, the more keys you enroll the more "loose ends" you will have hanging out there. What if one of your many backups goes missing? You can unenroll a key but this is dependent on you noticing that it was gone.

So, buy lots of Yubikeys is one backup strategy. However, a more robust 2FA strategy would include a mix of hardware backed 2FA as well as software backed. Which brings us to the next use of your Yubikey...

Stay tuned for the next drop in this Yubikey series. In part 2, I'll be exploring Yubikey as TOTP  authenticator app manager.

Further Reading

U2F as explained by Yubico

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.