Tech review: YubiKey 5 key a glimpse into a world without passwords

With the YubiKey 5 series and a compatible Windows 10 device, users can sign into their Microsoft accounts from the Edge browser without a password. PHOTO: YUBICO
With the YubiKey 5 series and a compatible Windows 10 device, users can sign into their Microsoft accounts from the Edge browser without a password. PHOTO: YUBICO

I am a big fan of Google services like Gmail, Maps, Photos, Drive, Chrome, YouTube, Google Pay. Even the non-Google services I use know me by my Gmail address.

Losing my Google account would be a serious inconvenience. Thus, I have enabled two-factor authentication for my Google account to require a verification code via SMS or a sign-in prompt on my smartphone.

But SMS messages can be intercepted. A more secure way is to use a physical security key, which is a small USB device (no battery required) that inserts into a computer's USB port to sign into an account. It works when you do not have a cellular network or your smartphone. Companies, like Google, have also adopted these security keys to secure their employees' work accounts.

The good news is that Yubico, the creator of the popular YubiKey security key, recently made its products available in Singapore via its official distributor DT Asia. Previously, you had to buy them from overseas retailers.

The firm launched its new YubiKey 5 series in September, which comes with new features like Near-Field Communication (NFC) support and the FIDO2 web authentication protocol.

FIDO2, which is supported by major browsers like Chrome, Firefox and Safari, lets users log into FIDO2-compliant websites using a security key like the YubiKey instead of having to enter a possibly-weak and insecure password.

Notably, users can now log into their Microsoft accounts with a FIDO2 security key like the YubiKey 5 series on a Windows device running the latest Windows 10 (version 1809) and the Edge browser - without typing their passwords.

  • SPECS

    Price: From $62 at dtasiagroup.com

    Connectivity: Varies, depending on type of YubiKey. Options include USB Type-A, USB Type-C, NFC

    RATING

    Features: 5/5

    Design: 5/5

    Performance: 4/5

    Value for money: 3/5

    Overall: 4/5

Other popular online services that support YubiKeys include Google, Facebook, Dropbox and Twitter.

In addition, popular password managers, such as Dashlane and Lastpass, can be used with a YubiKey (for the paid version of the password manager) for greater convenience and security.

The YubiKey 5 series come in four flavours that differ in form factor and connectors. The Nano variants are designed to be small and intended to stay in a USB Type-A or USB Type-C port on a computer for long periods.

The version I tested is the YubiKey 5 NFC, which supports NFC so you can simply tap it against most smartphones. It also comes with a USB Type-A connector to work with computers.

It is well-built with a sturdy and waterproof plastic body that feels rigid and seemingly unbreakable. The exposed USB connectors are said to be made from military-grade hardened gold. It has a small keyring hole.

It was easy to set up the YubiKey to secure my Google account - similar to how you would configure two-factor authentication, except you choose the option to use a security key instead of the usual SMS method. Yubico's website contains plenty of useful guides and helpfully directs me to the relevant documentation for supported websites.

Besides the major websites mentioned above, hundreds of other websites work with the YubiKey, though many are geared for a tech-savvy, developer-centric audience, such as GitHub and Docker.

In fact, I have probably only scratched the surface of the YubiKey's potential uses. For instance, it can also be used to generate a time-based one-time password (six-digit codes) with the Yubico Authenticator app (for Linux, Mac and Windows computers, Android mobile devices). But there is no iOS support at the moment.

So you can use the YubiKey with websites that support two-factor authentication via an authenticator app. And because the credentials used to generate the passcode is stored in the YubiKey instead of the smartphone app, it cannot be compromised if the phone is hacked.

Verdict: Its main functionality is suitable for anyone who is concerned about the security of their online accounts, though its more advanced features will likely appeal only to the tech-savvy user.