
Yubikey NEO is a $50 USB & NFC Key Used to Secure your Computer and Smartphone

YubiKey NEO is a dongle that supports both contact (USB) and contactless (NFC, MIFARE) communications to secure your Windows, Mac OS or Linux computers and/or Android/iOS smartphones using two-factor authentication. It supports one-time passwords (OTP), smart card functionality (OpenPGP, PIV…), as well as the FIDO Alliance’s Universal 2nd Factor (U2F) protocol.

The key can be used in a variety of applications, such as logging into your computer, accessing Gmail, GitHub, Dropbox and other accounts, and disk encryption. It also works with password managers such as LastPass or Dashlane. You’ll need to both enter your password and connect the YubiKey to your computer to be able to log in, and on NFC-enabled smartphones you’d need to tap the key on the device.

In case you lose your key, online services usually have recovery mechanisms in place, and some support registration of multiple YubiKeys. The latter can probably be used for local disk encryption and passwords, just like you may have a spare key for your car or house.

Yubikeys have been around for a few years, but I’ve just discovered them via a recent blog post by Norbert Preining explaining how he secured his Debian computer, which now requires the key to log in, send PGP-signed emails using GnuPG (keys are stored on the key, not the computer), and uses Timed OTP to access services like WordPress, Google, or Dropbox. He also installed the OpenKeychain and K-9 Mail Android apps to send secure emails from his phone using NFC authentication.

Yubikey NEO can be purchased for $50 on Amazon, but if you don’t need NFC, the company recommends the Yubikey 4 ($40) or the smaller Yubikey 4 Nano, both of which have faster and stronger crypto.

You may want to visit the Yubico website for further information.

  1. onebir
    May 17th, 2016 at 19:56 | #1
  2. iamfrankenstein
    May 17th, 2016 at 23:21 | #2

    If you have an old one (with bad gpg) you can get a new one free (so 2 for the price of 1 sort of).

    https://www.yubico.com/2015/04/yubikey-neo-openpgp-security-bug/

  3. davidlt
    May 18th, 2016 at 04:03 | #3

    There are also some new ones coming out, e.g. OnlyKey has a keypad, self-destruct, plausible deniability: https://www.kickstarter.com/projects/1048259057/openkey-the-two-factor-authentication-and-password/description

  4. Sander
    May 18th, 2016 at 05:15 | #4

    https://plus.google.com/+KonstantinRyabitsev/posts/4a7RNxtt7vy says

    “I must, sadly, withdraw my endorsement of yubikey 4 devices (and perhaps all newer yubikeys), as apparently Yubico has replaced all open-source components that made yubikey NEOs so awesome with proprietary closed-source code in Yubikey 4s:”

  5. John S.
    May 18th, 2016 at 05:41 | #5

    The Yubikey NEO is their older model, their latest line is the Yubikey 4, but the NEO is the only one that supports NFC so it’s still being sold. The Yubikey 4 adds support for 4096-bit PGP keys, and is based around nothing except a hardened security chip out of a smart card, whereas the NEO divides duties between a plain-old microcontroller and a security chip out of a smart card, making it possibly less secure.

    Personally, though, I don’t see the value in Yubikey any more. It did provide an “available in single quantities” hardware-based OTP system back in the day when such things were rare. But now with U2F there’s a simpler, more widely-supported second factor authentication system (which is what most were using the yubikey OTP for) and U2F tokens from other companies only cost $6 (on amazon with prime, and that model has a pretty crappy UI but $10 is a common price for most tokens).

    I’ve been playing with U2F devices this past week, and I really like the protocol/standard. Support is built into Chrome, Firefox support is coming, and devices exist for USB and NFC, all without drivers or setup required on the part of the user. Bluetooth/BluetoothLE is also spec’d but less concrete; I don’t think Chrome supports it yet and there aren’t manufactured tokens available, only prototypes. Apple and iOS provide no support for U2F though, and I suppose with Apple’s current track record with Safari development, that might remain the case for a long time. But on the other hand they don’t support Yubikeys either. Yubico have responded to U2F by putting out a feature-disabled U2F-only version of their USB device but it still costs $20, double what everyone else charges for the same thing.

    And for everything else not 2FA-related, Yubico used to offer the ability to reprogram the device with custom software and had UI to make it easy, but they’ve turned that off now. So it’s just a fixed function U2F token and PGP keystore. So why wouldn’t someone just go with a smartcard pre-loaded with the same set of apps from a company like Sigilance ($15, $25 for the NFC version)? Or if you want the ability to reprogram the device, and aren’t afraid of using software like https://github.com/martinpaljak/GlobalPlatformPro to do it, you can just buy the blank JavaCard for $2-$10 (including NFC) instead, and actually own the keys to your card. Or if you want to have an easy-to-use UI to load apps and don’t mind a company being a gatekeeper (and owning the write keys to your card), you can get Fidesmo’s NFC card for $12 and download their app from the Android store to manage the software on it.

    All of these cheaper, more open options run the same apps as the Yubikey NEO. Literally the same apps, they’re all JavaCard devices, just like the smartcard chip on the NEO that runs its JavaCard apps. Fidesmo ship the Yubikey PGP app on their card nearly unaltered, and have even bought a batch of NEOs which are just reprogrammed with Fidesmo’s own write key and then allow you to load Fidesmo’s other JavaCard apps onto it through their Android client. In other words, it’s all the same hardware, it’s just a question of whether it’s shipped with someone else’s keys to lock you out from installing your own choice of apps onto it.

    Yubico have responded by rewriting the whole stack from scratch on the Yubikey 4, running their own code top to bottom, and saying it’s better because you don’t have to trust the “black boxes” of the JavaCard OS provided by the smart card manufacturer. But all that means to anyone outside of Yubico is that the whole thing is a black box now, apps and all, plus you lose the ability to write and run your own apps on the device.

    As long as it’s all just faceless companies unwilling to provide meaningful data on their website and unwilling to share it if you aren’t going to buy more than a million devices a year, there’s really no difference between the different choices. So I’d rather just go with the cheapest option, and gain the ability to set the master keys myself and run my own apps, even if it is on top of black boxes from company B instead of company A.

  6. John S.
    May 18th, 2016 at 05:55 | #6

    @Sander, Yubico just responded to that at https://www.yubico.com/2016/05/secure-hardware-vs-open-source/

    I view their response as saying that open-source code was never anything more than a pipe between your data and a bunch of black boxes that did all the work anyway. Now that Yubico have rewritten everything from scratch on the Yubikey 4 there are no more black boxes and they can implement their OpenPGP support directly, and so they don’t need to make a little pipe anymore, and so there is no new source code because it doesn’t exist any more. And they aren’t going to open up anything down below, because that was never open before either.

    They say that’s better for you because they weren’t sure if they trusted those giant black boxes before, and now you can just trust them instead (and their enormous black box). But don’t worry, they’ll let you look inside their black box if you agree to buy 1 million yubikeys from them in a single order. That’s totally more friendly than those other guys (NXP), who wanted you to buy millions and millions of chips before they’d open up /their/ black boxes.

    Which basically leaves anyone not buying 1 million yubikeys screwed either way and better off going with the other guys because why would you trust one company more than the other, and at least the other guys are cheaper.

  7. D Rus
    May 18th, 2016 at 10:22 | #7

    “But now with U2F there’s a simpler, more widely-supported second factor authentication system”

    May not be aware, but the U2F open authentication protocol/standard you like was actually co-created by Google and Yubico, with contribution from NXP. https://www.yubico.com/about/background/fido/

  8. MartiniGM
    May 19th, 2016 at 07:29 | #8

    Why would you even want a hardware device for this when you can get a U2F certified app from Entersekt https://gettransakt.com/transakt/ ? Unless you have very special needs a hardware device is not the way to go.

  9. John S.
    May 19th, 2016 at 12:05 | #9

    @MartiniGM – That’s an interesting implementation. There’s no information about it on their site, really, but from YouTube I gather it operates via a Chrome extension on a PC which must intercept calls to Chrome’s built-in U2F MessagePort and then communicates with an app on the phone over the network for the actual signing.

    If that’s true, I’d suppose there’s no way to actually use it with the phone’s own browser (no extension support on Android), only with a browser on a PC. Also I’d imagine the PC either finds the phone via a subnet broadcast, in which case the PC and the phone must both be on the same local network, which could be something of a pain when traveling, or it requires registering the phone to a specific browser install via some sort of online discovery service, which would limit the flexibility as far as jumping around from PC to PC. It would also be limited to Chrome, rather than also supporting native apps as envisioned by U2F (there is a U2F Linux PAM login module on github, for example).

    If I’m correct, mobile browser support, non-Chrome apps, and the usage of multiple devices (including and especially public terminals) would all be examples of where you might find a hardware device a better option (or even just different software supporting OATH HOTP/TOTP, e.g. Google Authenticator). And, of course, a hardware security token should be expected to be more tamper-resistant. But it’s hard to argue with the price of software, which is usually free 🙂

  10. John S.
    May 19th, 2016 at 12:39 | #10

    @D Rus Yeah, I know, and they publish some good (but outdated) docs on U2F also. But now that it does exist it makes their own products less worthwhile. U2F is quite cleverly designed to allow for minimal storage requirements on the token, allowing for much simpler devices which can undercut the price of anything they manufacture, and it also replaces the appeal of their proprietary OTP system while it’s at it.

    So I do appreciate their involvement in making it happen, but that doesn’t mean that I see the markup they charge as quite worth it. I can understand why they are now more interested in chasing big customer/large quantity orders rather than competing in the world they pioneered of small/single quantity orders and freely-available authentication APIs.
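The "minimal storage on the token" property mentioned in the comment above comes from key wrapping: the token keeps one device secret and derives each site's private key on demand from the site's application parameter plus a nonce, handing the site a key handle that lets the token recover that key later. The following is an added illustration, not code from the post or from Yubico; it is modelled on the publicly documented key-wrapping approach but simplified (the ECDSA P-256 signing step is omitted and the derived 32-byte value stands in for the per-site private scalar), and all names in it are the example's own.

```python
# Added illustration (not Yubico's code): a U2F-style token that registers
# unlimited credentials while storing only one device secret. Simplified
# from the documented key-wrapping approach: no ECDSA signing step, the
# derived 32-byte value stands in for the private scalar. Stdlib only.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 32
MAC_LEN = hashlib.sha256().digest_size


def app_param(app_id: str) -> bytes:
    """U2F application parameter: SHA-256 of the application id (origin)."""
    return hashlib.sha256(app_id.encode()).digest()


class Token:
    """Fixed storage: one device secret, no per-site state at all."""

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret  # the only persistent secret on the token

    def _derive_private_key(self, ap: bytes, nonce: bytes) -> bytes:
        # Per-credential key, recomputable from (app param, nonce) alone.
        return hmac.new(self._secret, ap + nonce, hashlib.sha256).digest()

    def _handle_mac(self, ap: bytes, priv: bytes) -> bytes:
        # Binds the handle to this token and to this application parameter.
        return hmac.new(self._secret, ap + priv, hashlib.sha256).digest()

    def register(self, ap: bytes) -> Tuple[bytes, bytes]:
        """Return (key_handle, private_key); the handle goes to the relying
        party (with the public key, in real U2F) and nothing is kept locally."""
        nonce = secrets.token_bytes(NONCE_LEN)
        priv = self._derive_private_key(ap, nonce)
        return nonce + self._handle_mac(ap, priv), priv

    def unwrap(self, ap: bytes, key_handle: bytes) -> Optional[bytes]:
        """Recover the private key for (ap, key_handle), or None if the handle
        was not made by this token for this application parameter. This check
        is what stops a look-alike origin from using a handle it was given."""
        if len(key_handle) != NONCE_LEN + MAC_LEN:
            return None
        nonce, mac = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        priv = self._derive_private_key(ap, nonce)
        if not hmac.compare_digest(mac, self._handle_mac(ap, priv)):
            return None
        return priv
```

Registering a second credential for the same site yields a different nonce, handle and key, and a handle presented under a different application parameter (or to a different token) unwraps to nothing.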
