YubiKey NEO is a dongle that supports both contact (USB) and contactless (NFC, MIFARE) communications to secure your Windows, Mac OS or Linux computers and/or Android/iOS smartphones using two-factor authentication. It supports one-time passwords (OTP), smart card functionality (OpenPGP, PIV…), as well as the FIDO Alliance’s Universal 2nd Factor (U2F) protocol.
The key can be used in a variety of applications, such as logging into your computer, accessing Gmail, GitHub, Dropbox, and other accounts, and disk encryption. It also works with password managers such as LastPass or Dashlane. To log in, you’ll need to both enter your password and connect the YubiKey to your computer, and for NFC-enabled smartphones, you’d need to tap the key on the device.
In case you lose your key, online services usually have recovery mechanisms in place, and some support registration of multiple YubiKeys. The latter can probably also be used for local disk encryption and passwords, just as you may have a spare key for your car or house.
YubiKeys have been around for a few years, but I’ve just discovered them via a recent blog post by Norbert Preining explaining how he secured his Debian computer, which now requires the key to log in, sends PGP-signed emails using GnuPG (keys are stored on the key, not the computer), and uses Timed OTP to access services like WordPress, Google, or Dropbox. He also installed the OpenKeychain and K-9 Mail Android apps to send secure emails from his phone using NFC authentication.
YubiKey NEO can be purchased for $50 on Amazon, but if you don’t need NFC, the company recommends the YubiKey 4 ($40) or the smaller YubiKey 4 Nano, both of which have faster and stronger crypto.
You may want to visit Yubico’s website for further information.
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
$18 U2F-only version:
Unsure how useful
If you have an old one (with bad gpg) you can get a new one free (so 2 for the price of 1 sort of).
There are also some new ones coming out, e.g. OnlyKey has a keypad, self-destruct, plausible deniability: https://www.kickstarter.com/projects/1048259057/openkey-the-two-factor-authentication-and-password/description
“I must, sadly, withdraw my endorsement of yubikey 4 devices (and perhaps all newer yubikeys), as apparently Yubico has replaced all open-source components that made yubikey NEOs so awesome with proprietary closed-source code in Yubikey 4s:”
The Yubikey NEO is their older model, their latest line is the Yubikey 4, but the NEO is the only one that supports NFC so it’s still being sold. The Yubikey 4 adds support for 4096-bit PGP keys, and is based around nothing except a hardened security chip out of a smart card, whereas the NEO divides duties between a plain-old microcontroller and a security chip out of a smart card, making it possibly less secure. Personally, though, I don’t see the value in Yubikey any more. It did provide an “available in single quantities” hardware-based OTP system back in…
@Sander, Yubico just responded to that at https://www.yubico.com/2016/05/secure-hardware-vs-open-source/ I view their response as saying that open-source code was never anything more than a pipe between your data and a bunch of black boxes that did all the work anyway. Now that Yubico have rewritten everything from scratch on the Yubikey 4 there are no more black boxes and they can implement their OpenPGP support directly, and so they don’t need to make a little pipe anymore, and so there is no new source code because it doesn’t exist any more. And they aren’t going to open up anything down below,…
“But now with U2F there’s a simpler, more widely-supported second factor authentication system”
May not be aware, but the U2F open authentication protocol/standard you like was actually co-created by Google and Yubico, with contribution from NXP. https://www.yubico.com/about/background/fido/
Why would you even want a hardware device for this when you can get a U2F certified app from Entersekt https://gettransakt.com/transakt/ ? Unless you have very special needs a hardware device is not the way to go.
@MartiniGM – That’s an interesting implementation. There’s no information about it on their site, really, but from youtube I gather it operates via a chrome extension on a PC which must intercept calls to Chrome’s built-in U2F MessagePort and then communicates with an app on the phone over the network for the actual signing. If that’s true, I’d suppose there’s no way to actually use it with the phone’s own browser (no extension support on Android), only with a browser on a PC. Also I’d imagine the PC either finds the phone via a subnet broadcast, in which case the…
@D Rus Yeah, I know, and they publish some good (but outdated) docs on U2F also. But now that it does exist it makes their own products less worthwhile. U2F is quite cleverly designed to allow for minimal storage requirements on the token, allowing for much simpler devices which can undercut the price of anything they manufacture, and it also replaces the appeal of their proprietary OTP system while it’s at it. So I do appreciate their involvement in making it happen, but that doesn’t mean that I see the markup they charge as quite worth it. I can understand…