In two previous blog posts, I mentioned how Yubikeys can be part of your personal cyber security regimen, and described the different types of Yubikeys available. In this post, I will list the four best Yubikeys for personal security. These are the keys I recommend you get.
I explain what each one is good for below. I include the Yubikey 5Ci because it allows physical connection to the Lightning port of current models of iPhones, but with the ruling in Europe that all new phones should use USB-C ports, this may not be a good option if you want to keep using it several years down the road. You need to balance convenience today with future compatibility on this one.
One last thing before we go to the next section: after choosing the Yubikey that best suits your needs (I recommend getting two, one for everyday use and the other as a backup), the next step is knowing where to buy the actual keys. In the section below I provide a link to the products on Amazon; this is the most convenient option for me, since Amazon ships virtually everywhere and usually offers great prices. Full disclosure though: I use affiliate links, so if you make any purchase using them, I get rewarded financially on qualifying purchases. If you prefer to get them from other online retailers or resellers, Yubico has a good resource for that here.
Four best Yubikeys for personal security
YubiKey 5 NFC: This model supports multiple authentication protocols, including OTP (One-Time Password), U2F (Universal 2nd Factor), FIDO2, and NFC (Near Field Communication) for mobile devices. It is best for use with devices that have either a USB-A port or an NFC connection. Most normal-sized, as opposed to compact, computers have a USB-A port, and NFC can be used with mobile devices. So this model is good for use with “full form” personal computers, tablets and phones.
YubiKey 5C NFC: This YubiKey features a USB Type-C connector, making it compatible with modern devices that use USB-C ports. It supports similar authentication protocols as the YubiKey 5 NFC. This is the best key for modern computers, or an iPad Pro, that have a USB-C port instead of a USB-A port. Its support for NFC also means it can be used with mobile devices like phones and tablets. Compact modern computers also tend to favor USB-C over USB-A.
YubiKey 5 Nano: The Nano variant is designed to be inserted and left in a USB-A port without protruding. It provides similar functionality to the YubiKey 5 NFC, but in a more compact form factor. This is the best key if you want a key connected all the time to your computer — instead of having to plug in one every time you want to log into a service. It doesn’t stick out due to its small size, so you won’t hit it while walking about. It is also more aesthetically pleasing when connected to a computer than its larger siblings.
YubiKey 5Ci: This model offers both a USB-C connector and a Lightning connector, enabling compatibility with both USB-C and Apple iOS devices. It supports similar authentication protocols as other YubiKeys. It is the best device if you want to use it with an iPhone and prefer to connect it physically rather than use NFC. Lightning connectors appear set to be phased out in the near future, so this is not the most future-proof key.
Are there other Yubikeys?
Yes, there are three main series of keys produced by Yubikey. All of the above keys belong to the Yubikey 5 series; they just come in different form factors. The other two are the Yubikey Security Key family and the Yubikey Bio (short for biometric) series. The Security Key family, of which this is an example, has the same features as the Yubikey 5 but lacks two things: it does not support the OTP protocol (can be serious) and does not have support for Lightning port connectivity (not much of an issue, this port will be obsolete in a couple of years anyway).
The lack of OTP support is important: some accounts do not support two-factor authentication keys, and so need OTP support if you want to use hardware keys with them. This sort of mimics the one-time password some authenticator apps (Google Authenticator, Authy) produce. Of course, you can check if your accounts need OTP using this very good tool provided by Yubikey, but I personally prefer to have all my bases covered and use the Yubikey 5 series; it is compatible with the widest range of accounts at the moment.
The Yubikey Security Key is quite a bit cheaper than the Yubikey 5 series, but, in my humble opinion, choosing it is an example of being penny wise and pound foolish — the broader compatibility of the Yubikey 5 series makes it more likely that you will not need to buy a different key if one of the accounts you want to use in the future only supports OTP.
Finally, the last series of keys from Yubikey is the Bio (short for biometric) series of keys. This series features biometric authentication using fingerprints. Here is an example of a product in this series. While this biometric authentication makes it a very secure option, it does not support OTP, NFC or Lightning connections, making it more difficult to use with mobile devices. It is also the most expensive series of keys produced by Yubikey, and I am not sure if the extra security provided by biometrics is worth this much of a price increase.
For the reasons outlined in this section, all four keys that I recommend are from the “5” series produced by Yubikey.
What do all the acronyms above mean?
I threw out a lot of acronyms for security protocols in the section above, so I will try to explain what they mean here to avoid confusion. This section doesn’t change any of the recommendations above; I just like to make sure that everything I mention is properly explained.
OTP (One-Time Password): OTP is a widely used authentication protocol that generates a unique password for each login attempt. YubiKeys can generate OTPs either in static mode, where the password remains the same, or in time-based mode, where the password changes periodically. Example uses: online banking, some email providers, and social media platforms.
U2F (Universal 2nd Factor): U2F is an open authentication standard developed by the FIDO Alliance. It provides strong two-factor authentication by requiring the user to possess a physical key (such as a YubiKey) and enter a password. U2F eliminates the need for OTPs and provides a secure and convenient way to authenticate users. Example uses: Google accounts and GitHub.
FIDO2: FIDO2 is another standard developed by the FIDO Alliance. It combines the Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) specifications. FIDO2 enables passwordless authentication using public-key cryptography. YubiKeys that support FIDO2 can be used to authenticate to online services without the need for a password. Example uses: Microsoft accounts and Dropbox accounts.
The “5” generation of Yubikeys, covered in this post, supports all these protocols. This means they will work with most popular websites and services. They have the broadest support for protocols among the Yubikeys and, indeed, among all hardware security keys. This is why I recommend them, in their various form factors, in this blog.
That’s it, ladies and gents, go forth and secure your accounts!!