My YubiKeys are here: What now?

A friend of mine bought two YubiKeys and asked me questions about it. Here are answers and suggestions on how you can use them.

Dario Salice

7/5/2023 · 3 min read

One morning, I received two emails from a friend who I had recently spoken to about using FIDO Security Keys to protect their work accounts against phishing attacks. The first email contained the photo above with the subject line "They're here!" The second email simply said "What now?".

In this post, I will share my thoughts on common questions about FIDO Security Keys. I will also explain how you can use these keys to protect your own important accounts.

What is a YubiKey? What is a FIDO Security Key?

YubiKeys are a product line from Swedish-American company Yubico. They are the most successful and well-known producer and vendor of FIDO Security Keys. Yubico was also one of the initial companies that defined and opened up the standard for these security keys.
For many people, the YubiKey is synonymous with FIDO Security Keys. This is similar to how Post-it Notes, rollerblades, and Play-Doh are synonymous with their respective categories.

What is a FIDO Security Key?

FIDO (Fast Identity Online) is a set of technical standards that ensure that products that are FIDO certified work together and deliver an expected level of protection and performance. The FIDO Alliance, an industry association, defines and publishes the FIDO standard. Member companies like Google, Microsoft, Wells Fargo, Yubico, and Meta work together to improve these standards and make adoption of strong authentication methods more available to the market.

FIDO Security Keys are mostly used as a method to perform two-factor authentication (2FA), an additional layer of security for your online accounts. They can replace codes sent via SMS or generated by authenticator apps as an authentication method in addition to your password.

Why do I need a Security Key?

If you're concerned about attackers trying to get access to your online accounts, using two-factor authentication (2FA) is a great start. 2FA adds an extra layer of security to your accounts by requiring you to enter a code in addition to your password. According to research, any type of 2FA defends against up to 99% of online attacks.

If you're concerned about more sophisticated attacks, using a FIDO Security Key instead of SMS is a good idea. FIDO Security Keys are physical devices that generate one-time codes that can be used to authenticate your logins. They are more secure than SMS 2FA because they cannot be intercepted by attackers. Additionally, FIDO Security Keys are phishing resistant, meaning that attackers cannot trick you into entering your code on a fake website.

What do I do with these Keys?

If you're in the situation my friend is in, with these two YubiKeys on your desk, asking yourself "What now?", you're in the right place. First, let's discuss what's in the picture. There are two FIDO Keys, or YubiKeys to be more precise, in the picture above:

  • Left: The nano-key has a USB-C connector and can be used with all devices that have USB-C (the small, newer, fancy USB version).
    I keep this key constantly connected to my computer. Whenever I have to log in to an account where this key is used for authentication, it's there and I don't have to look for it.

  • Right: The USB & NFC key can be used on devices with USB-C and NFC. NFC (Near Field Communication) is a way for these keys to communicate wirelessly over very short distances (a few centimeters or inches).
    The second key is a good key to always carry with you - on a keychain, or keep in a safe place in case you lose the other. If you have an iPhone, this key is also great as iPhone supports NFC. Since current iPhones don't have USB-C ports, you could use this key thanks to the NFC-functionality.

Now that you know more about these keys, here are things you can do with them.

  • Most services allow you to register multiple FIDO Security Keys, to reduce the risk of getting locked out if you lose one.

  • You can register the same FIDO Security Key on many accounts.

  • No personal information about you is stored on these keys.

1) Protect your Google account (Gmail and Workspace): If you use any Google services, you have a Google account. FIDO Security Keys are supported as a more secure 2nd factor for Google accounts. More information here.

2) Protect your Microsoft account: If you use Microsoft tools like Microsoft 365 or others, you can register your keys with your Microsoft account. Instructions are here.

3) Protect your Facebook account: Facebook supports Security Keys as a 2nd factor, like the previously mentioned platforms. Information about it here.

4) Find more services where Security Keys are supported on the Yubico website.

I hope that this is a good overview to help you understand why FIDO Security Keys can be good for your security needs and how they can be used. Don't hesitate to get in touch with us if you have questions.