YubiKey review: The best hardware security keys for two-factor authentication (2FA)

The diverse YubiKey options enable you to use the best security key for each device. They are more convenient and secure than SMS, email, and authenticator apps, which provides peace of mind that essential accounts are safer from being hacked.

Yubico YubiKey 5C Nano
Yubico YubiKey 5C Nano two-factor security key plugged into an Apple MacBook Pro

Getting hacked is an awful experience, and it can have long-lasting ramifications. While the general public has become better at picking hard-to-guess passwords, too many people continue to use the same password for all of their accounts. That can be a huge problem if one of those sites is compromised. That’s because hackers usually test the stolen login credentials on thousands of other sites. Suppose the same email and password is being used for any of those sites; the consequences can be devastating.

Having strong, unique passwords for every account is considered a bare minimum for online security. Of course, keeping up with all of those passwords in your mind is impossible for most people. That’s why it’s recommended that people use a password manager like 1Password or LastPass. I use 1Password for Families, which provides access to the app for everyone in my family. It also gives me access to my kids’ logins if there’s ever a need to access their accounts for safety reasons.

Why physical security keys are the best method for two-factor authentication

Another way to prevent getting hacked is to use two-factor authentication (2FA). 2FA adds an additional hurdle to gain access to an account. The most common form of 2FA is to send a temporary passcode via SMS or email. However, there are issues with those methods. SMS messages can be intercepted, and if your email has been hacked without your knowledge, it can be used to receive 2FA codes to your other accounts.

A better method is to add one-time passwords (OTPs) to an authenticator app like Authy or Google Authenticator, or a password manager. However, authenticators and password managers also have issues when it comes to 2FA. Passwords protect them, and if someone gains access to the password manager, they will also get access to the 2FA codes. That’s why the most secure 2FA method is to use a physical security key.

What it’s like using Yubico’s security keys for every device

Yubico is the industry leader in physical security keys. The keys are sold under the brand YubiKey, and they have configurations that work with USB-A and USB-C ports and near-field communication (NFC). The keys also come in different sizes.

Yubico YubiKeys

I bought several different YubiKeys because I had different needs for them. I use the 5C Nano on my MacBook, iMac, and iPad because of its low profile.

YubiKey 5C Nano in an Apple iPad Pro

I use the 5Ci with my iPhone because it has a Lightning connector.

YubiKey 5Ci in an Apple iPhone 12 Pro Max

I also have a 5C NFC as a backup key. That key connects using USB-C and also NFC, which works perfectly with the iPhone.

YubiKey NFC

There’s broad support for YubiKey, and Yubico has a non-exhaustive directory of supported sites. I use the keys for every site and service that supports them, including Google, Cloudflare, Gandi, and my password manager, 1Password.

After you turn on 2FA and add the YubiKey to an account, it will request the key the next time you attempt to login. Touching the metal part of the key will complete the 2FA, and you will be logged in.

Cloudflare requesting security key

I keep my YubiKeys plugged into my iPad, MacBook, and iMac at all times. I don’t keep the 5Ci in my iPhone because it’s obtrusive, and I rarely need it on my phone. However, I do take it with me when I travel.

Since the keys are physical objects that can be lost or stolen, it’s essential to keep track of which services the keys have been added to. I use 1Password’s tagging feature. If I ever have a key go missing, I can click on the tag in 1Password and then login and remove the key. Additionally, this is why it’s good to have a backup YubiKey, so you can login and remove the old key.

Using the YubiKeys makes my accounts more secure than using SMS, email, or authenticators, giving me peace of mind. I use the YubiKeys almost every day on different devices, and I highly recommend that you consider using them too.

Lastly, the only thing I wish the keys supported was biometrics. Fortunately, they are already working on that. It will be called YubiKey Bio, and I can’t wait to use it once it’s available.

4.5
4.5 out of 5

What I liked most

  • Multiple options for different needs and devices
  • Easy-to-use and reliable
  • The Nano keys are small enough to leave plugged in

Could be better

  • Having biometrics would make them more secure