Two factor authentication is an important part of any security regimen, because without it, anyone who has your password has access to whatever is secured by that password. There’s many ways to do two factor authentication – and we’ve talked about it extensively on Ausdroid in the past – including the use of mobile phones to receive SMS, use of hardware tokens, fingerprints, facial recognition and more.
Some 2FA (we’ll use that acronym going forward) solutions aren’t all that secure – SMS is generally considered very easy to use, but not all that secure. If you lose your phone, or have your phone number hijacked, or if someone else can see messages you receive, then your 2FA isn’t worth much.
More secure options, like using a rolling code (e.g. Google Authenticator or Authy) are better, but can be inconvenient if you have your authentication code setup on something that you don’t have access to.
For these situations, being able to use something you always have with you – your face ID or your fingerprint/s – is more convenient, and much harder for someone else to use without your knowledge.
These days, many laptops come with fingerprint and/or Windows Hello face authentication, but there’s many systems that do not, and for those, it’s good to have a way to bring that authentication with you. Enter the YubiKey Bio.
The best bit is that YubiKey Bio integrates with the browsers and operating systems you already use; it works fine with Windows, Mac and Linux, as well as Chrome, Edge, Firefox and others.
It supports the FIDO2 / WebAuthn and U2F standards, and is available in USB-A and USB-C options.
So how is it to use?
Remarkably simple. In fact, you probably already know how to use it if you’ve used Windows Hello because – on Windows at least – it works in almost exactly the same way.
First, you enroll your fingerprint. You do this using Windows Sign-in options, or through your web browser on other systems. This doesn’t take long, and anyone who’s familiar with setting up Windows Hello will know this process well enough.
From there, whenever you access a compatible service you can opt to add your YubiKey Bio to your account – places like BitWarden, LastPass and many, many more support it – and it’s as simple as plugging in your YubiKey and authenticating your fingerprint.
Typically, you will authenticate into such a service with a username or email, and a password, and then be prompted to scan your fingerprint to complete your sign in.
That’s it.
So, the real question is whether you should buy a YubiKey Bio?
At $80 to $85 USD – around $110 to $120 in AUD – it’s not exactly cheap, but if you are frequently using systems that don’t already have some other 2FA built into them (e.g. laptops with fingerprint or face scanners) then it might be a wise idea.
However, this brings me to a very obvious point.
If you do have a laptop that has fingerprint and/or facial recognition, you mightn’t need (nor want) a YubiKey Bio as your authentication method. Granted, you can use it on multiple PCs, but if like most people you really only use one then there’s a very good chance your compatible laptop can do this without any extra purchase.
There’s also the issue of using the key on devices that aren’t PCs. You can’t use this with your phone, for example, and most tablets won’t support them either. This makes 2FA when you’re on the go a little bit frustrating and – as we all know – the harder something is to use in all the situations you need to use it, the less likely it is to be adopted.
Ultimately, this is where I think hardware tokens like YubiKeys fall down – it requires you to remember to carry something with you, and for it to be compatible with wherever you’re signing in from. Great on a laptop, but less so on a mobile, or on a PC which may not have USB ports accessible (think of many public PCs or those in corporate environments where USB may be disabled).
For these reasons, personally, I’ve not adopted use of the YubiKey Bio beyond testing it out; for me, using an authentication code generated by an app on my mobile or watch is far more convenient, works on mobiles, tablets, laptops and any PC that has internet access, and is seamless and quick.
There are plenty of people for whom a YubiKey of some description will be right, but for me it just doesn’t add anything.
YubiKeys are available online from Yubico.com and the Bio starts from around $110 AUD.
Regular Yubikey is fine here for me. Touch ID on my Mac as well as fingerprint scanner on mobile. Smart Lock also on Chromebook is great with Pixel.
The cross platform lack of compatability is why I’ve never looked at YubiKey. They need to urgently fix that lack, to make their product be something that people will want to use, anywhere, and everywhere, on any device people access.