Regardless of how strong a password is, or what level of code-based authentication a website is using, any system that sends codes in a text message can be hacked by a skilled hacker. The most secure way to set up two-factor authentication is to use a reliable app on a smartphone to generate those six-digit codes or to carry a piece of hardware that can verify user’s true identity.
A device like the YubiKey is just that sort of security enhancing hardware. These little key-shaped fobs plug into user’s computer and along with the password, complete the second half of a 2FA web login. A hacker might find a way to lay his hands on one’s passwords or intercept a six-digit 2FA code while it’s being sent to the phone, but they’ll have a hard time to snatch an actual key off user’s keychain. A YubiKey will directly provide another and more convenient method of authentication.
The YubiKey is like other, similar devices having a small metal and plastic key about the size of a USB stick. They plug into a computer, and some also can connect to the phone. It can be used in either place, along with the password to authenticate web logins. It can be thought of as a physical key that, instead of unlocking a door, unlocks user’s online life.
There are several manufacturers that make these types of keys, and they all basically work the same way. They fulfill an industry standard called Universal 2nd Factor, or U2F. The standard combines hardware-based authentication with public key cryptography. This method of cryptography is extremely difficult to compromise. These U2F keys simplify the process of securely accessing online services like Google, Facebook, Dropbox, Windows, and Mac OS.
The YubiKey is made by the company Yubico and meets the U2F and FIDO2 standards. The keys are durable, water-resistant, and battery-free. The full-size YubiKey 4 Series ranges from $40 to $60 and comes in versions for USB-A ports or USB-C ports. For Android users, there’s the NFC-compatible YubiKey Neo for $50.