Comments about Yubico - YubiKey 5 NFC - Two Factor Authentication USB and NFC Security Key, Fits USB-A Ports and Works with Supported NFC Mobile Devices - Protect Your Online Accounts with More Than a Password USB

Yubico - YubiKey 5 NFC - Two Factor Authentication USB and NFC Security Key, Fits USB-A Ports and Works with Supported NFC Mobile Devices - Protect Your Online Accounts with More Than a Password USB
SECURITY KEY: Protect your online accounts against unauthorized access by using 2 factor authentication with the Yubico YubiKey 5 NFC security key. It's the world's most protective USB and NFC security key that works with more online services/apps than any other.
FIDO: The YubiKey 5 NFC is FIDO certified and works with Google Chrome and any FIDO-compliant application on Windows, Mac OS or Linux. Secure your login and protect your Gmail, Facebook, Dropbox, Outlook, LastPass, Dashlane accounts and more.
FITS USB-A PORTS: Once registered, each service will request you to insert the YubiKey PC security key into a USB-A port and tap to gain access. NFC-ENABLED: Also get touch-based authentication for NFC supported Android and iOS devices and applications. Just tap & go!
DURABLE AND SECURE: Extremely secure and durable, YubiKeys are tamper resistant, water resistant, and crush resistant. The YubiKey 5 NFC USB is designed to protect your online accounts from phishing and account takeovers. Proudly made in the USA.
MULTI-PROTOCOL SUPPORT: The YubiKey USB authenticator includes NFC and has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication.

This key is awesome, VERY user friendly, unless you don't know how to insert a USB into your computer or turn on NFC on your phone (then you are in need of help beyond this key). Most if not all people can do these basic steps. I really can't believe the people giving this 1 star reviews, it's quite absurd.

If you are serious about 2 factor authentication, then this is a great product!

While this device is capable of more complex functionality, generally speaking, the average user will only have to plug the device in to their USB port and configure their respective accounts.

Most large companies such as Microsoft and Google will support this key natively within their account security settings. You can only count on support growing in the future. The odds are high that iOS 13 will introduce native support for FIDO2 authentication within Safari over NFC... and Yubico has a lightning version in the works currently.

That being said I’m puzzled at the one-star reviews. It shouldn’t take hours or even days to plug in a device to your USB port, and paying for LastPass Premium has absolutely nothing to do with this product.

Just about perfect. I used a previous Yubikey for a Chromebook and thought about this upgrade. It worked on the same Chromebook so I turned to Lastpass. Got it working on the same Chromebook, my Win 10 desktop, and my Android smartphone through NFC. No hassles.

NOTE: If you buy a YubiKey and don't know where to begin, search for the YubiKey Manager GUI from Yubico. There are numerous tools that work with YubiKeys, but some are outdated or overly complex. The manager has a simple, clean interface.

In short, I think it's a really neat device, which can help improve your digital security, if you're willing to invest the time/energy to research it. I bet your identity is worth more than $45.

* Very versatile, lots of features
* Cutting edge security, WebAuthn is now a web standard (March 2019)
* Backed by significant tech players
* NFC wireless connectivity
* Should work with most Android devices
* Durable build

* Documentation is limited and scattershot, you will need to teach yourself
* More expensive than some alternatives
* Limited FIDO2/WebAuthn support right now (April 2019)
* Limited iOS/iPhone support right now
* Many overlapping, confusing tools available
* Only some functionality exposed in GUI tools, there is much, much more on command line and via APIs
* No firmware upgrades
* Can't backup or copy a YubiKey
* Closed source, proprietary design -- no possibility of independent audits

The documentation is admittedly scattershot, so here is a summary of what I've learned. Think of the YubiKey 5 NFC as having three separate, built-in apps: 1) FIDO, 2) CCID, 3) OTP. Each of these apps has multiple functions.

--1) FIDO app--
* FIDO2: The newest standard, supported by most web browsers now, expect to see more websites transitioning to FIDO2/WebAuthn logins in the coming years. DropBox and Google are two notable websites that support it today.
* U2F: The old pre-FIDO2 approach, partially supported by some browsers and websites.

--2) CCID app--
* OATH: Install the Yubico Authenticator to configure this. Similar to Authy, Google Authenticator, etc. TOTP provides time-based one-time passwords, HOTP provides counter-based one-time passwords. More secure replacement for the SMS- and email-based 6-digit login codes you may be receiving now, if you have 2FA enabled on your accounts.
* PIV smartcard: Can be configured for logging into some computers.
* OpenPGP: Useful for email encryption, signature verification, SSH logins.

--3) OTP app--
* You get two configurable slots, they can be: Yubico OTP, challenge-response, static password, or OATH-HOTP.

To summarize, you get FIDO2, U2F, OATH, PIV, and OpenPGP apps out of the box, plus you can choose how to configure two *additional* slots to suit your needs. One of them is pre-configured with Yubico OTP, which requires internet access and registration with Yubico.

The most useful feature to the average user will be the FIDO app, although currently (April 2019) there is almost nowhere to use it. Buying this today is like being on the bleeding edge, although Yubico contributed to the FIDO2 standards. WebAuthn means websites don't store passwords anymore (not even encrypted), and phishing becomes far more difficult, as your authenticator device is only associated with a single website. The idea is to use devices like the YubiKey, an optional PIN, as well as biometric data (fingerprints, iris scans, etc) to identify the user, instead of relying on a shared password. The YubiKey can store "unlimited" FIDO credentials.

The second most useful feature is the OATH app. To use this, you must install the Yubico Authenticator app on your computer or mobile device. When you insert the YubiKey, you will see the list of one-time passwords. However, there is a limit of only 32 slots. NOTE: OATH-HOTP uses a counter and will eventually roll over, so it has limited uses, but TOTP is time-based and should work indefinitely.

Equally useful is the static password option, which you can enable in an OTP slot. This lets the YubiKey "type" in a password on your computer, in many situations where other authentication isn't possible. For example, you can type your own easy-to-remember password, and then add the YubiKey static password at the end. This should work universally on devices supporting USB input.

The other options are more specific and for the advanced or power user with some IT background. Configuring OpenPGP properly is not trivial, nor is it likely to be used by the average person. However, if you are in IT or need the added security, you can add your encryption, signing, and even authentication keys to the YubiKey (once stored, they cannot be retrieved). I've successfully logged into SSH servers and committed to GitHub using this technique -- it works perfectly. You will need GPG or similar installed to configure this.

If you don't know what PIV smart cards are, you likely won't have a use for them, however you can configure Linux and Mac boxes to take advantage of this for logging in, as well as on Windows domains. I imagine this is more useful in large organizations.

The downsides are not inconsiderable. You are essentially trusting a closed, proprietary device, but it has been proven time and again that "security through obscurity" doesn't work. If there's a critical bug in the design, you are stuck with it, as there is no way to upgrade the firmware. You cannot retrieve secret data from the YubiKey, but this means you can't make a backup or copy once it has been configured. You need to duplicate the key *during* configuration, or save a record of all the secret data. Keep that in mind.

A final note is that the YubiKey has both USB and NFC connectivity. If your smartphone supports NFC, you can simply hold the YubiKey against it to authenticate. If you can't use NFC or don't want it, you can disable it with the YubiKey Manager. You can selectively disable USB and NFC for each app. NOTE: you can buy a cheap USB OTG adapter and still use your YubiKey with your smartphone, to an extent.

Glad to see this model being offered on Amazon now. Worked great. Have it set up for my Google and Facebook account and a bunch of other sites through the Yubico authenticator app which works seamlessly with the NFC function of this Key. Will probably buy a 2nd as a backup key.

I recently purchased a Thetis 2FA key, but discovered it does not work with mobile devices like my Android phone. After doing some research I found this one which supported NFC, so I decided to give it a try.

In a nutshell, this is perfect, and I recommend it over other 2FA keys.

YES, I would recommend you buy this.


* Works right away with websites, applications, and services that support 2FA Yubikeys. For example, I am able to add it to all my Google accounts within minutes. Just plug it into your USB port and press the button when prompted on the service login page.

* Works with the Yubico-provided Android authenticator app and NFC phones for any sites that support 2FA authenticator applications. For example, if you have an account with GoDaddy, who supports an authenticator app but NOT Yubikeys, you can use this! All you have to do is go to your GoDaddy account settings, then add the "Authenticator app". Then open the Yubico authenticator app, press the + (add) button, scan the GoDaddy QR code, then tap your Yubikey to the back of your phone. The app will now create a rolling key to be used on GoDaddy. Next time you log in, GoDaddy will ask for a code. Open the Yubico authenticator app, open the GoDaddy entry, tap the key to the back of your phone, and enter the displayed code on GoDaddy.

* It's VERY small and thin. My Thetis key was pretty small, but still cluttered up my keyring. I'm a minimalistic kind of guy and hate having a ton of things on my keychain, so I really appreciate the slim profile.

* The website has support topics for just about anything you need. At first I did not understand how to use the Yubikey with NFC and a website, and found out you need to install the Yubico authenticator app, and then everything was a breeze.


* While not a "Con", per se, you should have a second backup key in case you lose or damage your first one. Then register both keys with each service you use. Store the second key somewhere safe.

Great item and safe but very technical if you like to change your settings. Yubico customer service is terrible. No phone to get help with. All by email it takes 24 to 48 hrs to be answered. Great idea but the company has a long way to go with customer service.

Getting the key out of the package was harder than actually using it. Zero issues.

However, on Debian/Ubuntu/Mint (perhaps on RPM-based Linux distros too), you may have to add a udev rule (this wasn't my first rodeo, so I didn't need to...). If the key is flat-out just not recognized, then Google [ ubuntu /etc/udev/ rules ] or similar. Note that this may (or may not) require some trial-and-error, some simple command-lines, minimal modifications to system configuration, perhaps "intermediate" level Linux; if "nano" (or "vim") and "sudo" are familiar words, then you're all set.

It was only after reading an article on Linux Journal & finding documentation on the Yubico website for configuring the Yubikey with Ubuntu (despite all the mentions on the Yubico site how it works with Windows & Mac) that I'd give it a shot on Ubuntu Linux. It was very easy to set up. The documentation walks you through enabling the Yubikey for both sudo & login access. And it only took another quick search to figure out how to enable the Yubikey with LastPass. (FWIW, when you configure the Yubikey through the LastPass website/browser extension, you configure it for your mobile device at the same time. I popped out the Yubikey from my laptop, enabled NFC on my Pixel 3XL, and after entering my password was prompted to hold my Yubikey near my phone. It chimed & that was it! It will now prompt me to hold the Yubikey near my phone every 30 days & I can login to LastPass & disable all logins at any time if someone ever got my phone.)

While everyone--and I mean EVERYONE including your mom--ought to have & use one of these, most people probably won't get why they should use a security key much less use one. I do think that anyone who travels & has to carry laptop(s), phone(s), & other electronic devices with sensitive company information ought to protect their devices with a Yubikey. (Using one would make it difficult if not impossible for customs agents to look at the data on your devices because if you give them your password but don't have the Yubikey, they aren't going to be able to access the contents.)

Not sure why there are reviews saying it's hard to use. I didn't need to look at any "documentation."

I just plugged it in and tapped it. Done.

If you are not familiar with how these keys work, here are some basics (I just learned about these keys this week).

1. Navigate to the online service you are wanting to protect. (Be aware, that not all online services offer you the option to use a security key. Here are some that do: Google, Facebook, Twitter, Dropbox, Github. And... password managers. I use Dashlane.)

2. Be aware that some services may require that you first set up 2FA (2-Factor Authentication) and select SMS (text messages) as the method, BEFORE you can connect your physical key to the account. Some services -- like Dashlane -- require that you *also* connect an authenticator app first (I used Authy) before you can connect your physical key. It's easy to do so -- the service will prompt you to fill in some blanks and you're done.

(Authy has a desktop app as well as mobile app.)

It's well worth it to take whatever steps the service asks you to. Plus, as a benefit, you'll have 1 or 2 backup methods for accessing your account in the event that you lose your key.

Note: I first bought the HyperFIDO but then set up Dashlane as my password manager. When I read that Dashlane is set up for compatibility with Yubikey, I thought I needed the Yubikey in order to use it with Dashlane. Turns out that's not true -- you can use any 2FA or U2F key with Dashlane. As it is I'm happy with my purchases because I now have 2 keys and can use one as a backup.

And I wanted a Yubikey because I know they're the industry standard. Another deciding factor was, after I received the other company's key, I checked out their corporate website -- it didn't list any leader or staff names. That was slightly off-putting. Yubikey's site, by contrast, had full transparency which increased my trust.

I haven't yet tried out the advanced options that come with this key but when I do I'll add to this review.
