Yubico YubiKey 4
Strengths: Size, ruggedness, open source compatibility and ridiculously easy to use.
Verdict: When it comes to universal, low cost, small second-factor authentication, there really is nothing to complain about. Every organisation considering two-factor authentication should have a very close look at YubiKey. For its low cost of ownership, easy customisation and rugged good looks we make Yubico YubiKey 4 our Best Buy.
We love these folks. Some years ago, when the crew of Yubico were introducing their first product, we met them at RSA and they were handing out some of their first YubiKeys. We still have some of those museum pieces and, in fact, they still work for some things. The YubiKey 4 is slick and, while it has not changed materially over the years, it has added some new features and has become more reliable, if that was possible.
The YubiKey is an odd, little touch-sensitive second-authentication factor. It can be used as the entire authentication but, because it is not biometric, we don't advise that. It is best used with a PIN or password.
There are several modes for the YubiKey. In one mode, for example, you can generate a pass-code that the tool will store statically. When you place the YubiKey into the USB port and touch it, the key generates the static code as if you were filling in the password from your keyboard. In fact, you can generate the password and see it in Word or Notepad or similar. We use two of the old ones in this way along with a prepended PIN for something we know and something we possess.
Another way you can use YubiKey is to generate a one-time passcode. Setting that up can be very simple, depending on the application with which you want to use it. For example, we keep about 100 or more passwords in a neat little app called Password Safe. It's free, works on Androids and Windows, and you can copy/paste passwords from it to whatever you want to log into. It even will generate passwords to fit the password policy you set up. So, the idea is that you can have a nearly unlimited number of good passwords for those applications that can't take strong authentication.
But the problem is not the passwords stored in the Password Safe. It is the password for the safe itself. Enter YubiKey. Password Safe is set up for YubiKey, so when we got our samples this year, the first thing we did was register a YubiKey to the Safe. Now when we go to log into the Safe, there is a little YubiKey button. We enter our Safe's password, click the button, touch the YubiKey and we're in. Without the YubiKey, it's no go. Also, each passcode the YubiKey generates is different, and the codes are quite long and not predictable.
YubiKey U2F (Universal 2 Factor) provides authentication so you can do some pretty neat stuff with it. There is no limit to the number of U2F applications that you can access from a single YubiKey. So Dropbox, Google, etc., all are serviced from your single key. Because it's open source-compliant, building authentication apps to take advantage of it is a walk in the park.
There are several form factors, but we looked at the Nano and the standard YubiKey4 device. The standard device is about the size of a very small USB stick. There is a touch-sensitive area in the middle of it and the keys are very rugged. We actually took the standard one and drove over it with a car...no damage. The down side to the Nano, if there is one, is that it could be pretty easy to lose. We keep ours on the cord that comes attached to it and link that on a bunch of USB keys. If we lose those, we lose much more than the YubiKey. But just to make sure, we have a spare ready to go so the Password Safe doesn't get locked forever.
Yubico's website is first-rate. The full documentation set is available for download as is some open source software for developers. Pricing is very attractive, even for one-off users, but it gets even nicer as the quantities go up. Support is email or online trouble ticket, but there is so much support material on the website that contacting the help desk should be rare.