Yubikey is a hardware device that you plug into the USB port of a computer to improve the security of authentication processes.
Password theft is a common problem on the Internet these days. Attackers use numerous ways to steal login credentials from users, including phishing attacks via email, brute-force attacks that try to guess the password, trojans and computer viruses, and keyloggers that record every keystroke of the user.
The best forms of protection against these kinds of attacks are strong passwords, an up-to-date computer system with security software installed, and an open, educated mind that uses caution and common sense whenever passwords or other personal information are entered on the Internet.
Some security software can help users protect their data. Password managers such as LastPass or KeePass, which generate secure passwords and remember them for the user, are examples of this.
But those applications do not change the system itself. All that is needed to log in to a service is the username and password of a user. Yubico changes this.
Yubikey is a USB-compatible device that provides strong authentication by adding an extra layer of authentication to the login process of several popular applications and Internet services.
Supported software includes, among others, password managers like LastPass or KeePass, content management systems like WordPress or Drupal, the popular encryption software TrueCrypt, and other services like Google Apps or OpenID.
In most cases, Yubico adds another layer of security to the login process. A login to the LastPass master server, for instance, requires the user's LastPass email address and password just like before, but Yubico adds a second step to the process: you need to insert the Yubikey into a USB port of the device to complete the authentication process and sign in to the account.
The Yubikey has a button that authorizes the request on the screen whenever it is pressed; this is how the authorization step is completed. In other words: no sign-in to the service without access to the Yubikey. An attacker who manages to steal a user's username and password can't use the information to sign in to the account.
The Yubikey password consists of a static part and a dynamic part, which makes this solution excellent for battling keyloggers and other eavesdropping techniques, as each password is valid only once and void afterwards. The password can also be changed to a very long static password for offline usage (required, for example, to make it work with TrueCrypt during system boot).
This means that an attacker would need the user's email address and password as well as access to the Yubikey device to gain access to the service, similar to how other two-factor authentication systems work.
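The static and dynamic parts described above become visible when a Yubico OTP string is split on the server side. The following is an added example, not code from this article or from Yubico; it assumes the default 44-character OTP layout (a 12-character public ID followed by a 32-character one-time part, both in modhex), and ReplayGuard, its verdict strings and the sample OTPs are constructed for illustration. Cryptographic validation of the dynamic part is left to the validation service.

```python
# Added example: pre-filter for Yubico OTP strings (not Yubico's own code).
MODHEX = "cbdefghijklnrtuv"   # modhex digit at index i stands for hex digit i
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
PUBLIC_ID_LEN = 12            # static part (assumed default layout)
DYNAMIC_LEN = 32              # one-time part: 16 encrypted bytes as modhex


class OtpError(ValueError):
    """Raised when a string does not have the expected OTP shape."""


def modhex_decode(text):
    """Decode modhex, the keyboard-layout-safe hex variant the key types."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise OtpError("not valid modhex")
    return bytes.fromhex(text.translate(_TO_HEX))


def split_otp(otp):
    """Return (static public ID, decoded dynamic part) of one OTP."""
    otp = otp.strip().lower()
    if len(otp) != PUBLIC_ID_LEN + DYNAMIC_LEN:
        raise OtpError("unexpected length")
    modhex_decode(otp[:PUBLIC_ID_LEN])          # validates the static part
    return otp[:PUBLIC_ID_LEN], modhex_decode(otp[PUBLIC_ID_LEN:])


class ReplayGuard:
    """Rejects malformed, unregistered and already-seen OTPs before validation."""

    def __init__(self, registered_ids):
        self.registered_ids = set(registered_ids)
        self.seen = set()

    def check(self, otp):
        try:
            public_id, dynamic = split_otp(otp)
        except OtpError:
            return "malformed"
        if public_id not in self.registered_ids:
            return "unknown-key"
        if (public_id, dynamic) in self.seen:
            return "replayed"                   # a captured OTP is void on reuse
        self.seen.add((public_id, dynamic))
        return "forward-to-validation"


# Constructed sample OTPs (not from a real key): same static ID, new dynamic part.
OTP_1 = "ccccccbdefgh" + "ijklnrtuvcbdefghijklnrtuvcbdefgh"
OTP_2 = "ccccccbdefgh" + "hgfedbcvutrnlkjihgfedbcvutrnlkji"
```

A keylogger that records OTP_1 gains nothing from it once the server has seen it, while the next press of the button produces a different dynamic part under the same public ID.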
Yubikey adds another security layer to the authentication process. It is Open Source, does not require installation, is compatible with most popular operating systems, works with lots of popular services, and can be easily carried around in a wallet or on a key chain.
This is the perfect device for web users who work with WordPress, Google Apps, Dropbox, GitHub, password managers, OpenID or other services and applications listed on the Yubikey Wiki website. Interestingly enough, Yubikeys also work as a second layer for logging in to Windows, Linux or Mac OS X devices.
Update: Yubico, the company behind the Yubikey devices, has released new versions of the Yubikey since our first review. The following devices are available:
The two device families support the same set of features, and the only difference between them is that one connects to a USB-A port and the other to a USB-C port.
If you want the broadest range of support, select a Yubikey 4 or 4c device. Nano versions are smaller in size and ideal for traveling or keeping in the device at all times.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.