CHOICE verdict
Two-factor authentication (2FA) is essential for keeping your online accounts safe from phishing, hacking and theft. Basically, it requires using two forms of proof to confirm that it’s actually you trying to get into your account. For most people, this has meant getting a code sent to your phone via SMS, but this isn’t considered secure anymore. For the ultimate protection from phishing, hacking and account hijacking, you can’t beat a hardware key. Even if someone has your password and details, without physical access to your hardware key, they stay locked out. The latest YubiKey 5C NFC model lets you use a wireless connection to your NFC-enabled smartphone for top-class security. YubiKey models also have different connectors, so they can be used with all your equipment – a highly convenient device in a little package.
Price: From $99
Contact: yubico.com
About shopping links on CHOICE.
The key to security
We tried out the latest YubiKey 5C NFC hardware security key, courtesy of Yubico, and found that it can provide the peace of mind that only comes with strong security, once you've got your head around the concepts and set it up with your accounts.
Each YubiKey comes with a hole designed to keep it handy on your keyring.
The key itself is tiny but feels very solid and well made – it should last everyday rough and tumble usage for a long time. Being so small, it's advisable to use the provided hole to keep it on your keyring for ease of use and so you don't misplace it.
The idea behind 2FA (two-factor authentication) is that it provides a second method of proof to prevent a criminal trying to access your information.
Apart from an SMS, it's commonly an OTP (one-time password) code generated automatically in an authenticator app such as those by Google, LastPass, Microsoft or many others, but it might also be a fingerprint or even facial recognition.
While any form of 2FA is a step in the right direction, software methods aren't foolproof. But adding a hardware key for secondary approval closes that loophole.
YubiKey 5C NFC bridges the security gap by using a USB-C connector for your computer and wireless NFC for your smartphone.
And that's where the YubiKey shines. Using a YubiKey replaces the need for SMS messages and authenticator apps, and is far more secure because the hardware key has to be connected to your computer to enable access to your protected accounts.
Once set up, it's easy to use. There's no battery or network required. Just insert the key into your computer and tap it when prompted to authenticate to get access to the accounts that you've set up to use it.
Note, when setting up some services, you might need to set up 2FA first using SMS, but go back and deactivate this once your key is set up.
There's no battery or network required, just insert the key into your computer and tap it when prompted to authenticate
Hardware authentication is the sort of thing that large enterprises, international companies and other security-conscious organisations commonly use to keep their user accounts safe. But a YubiKey can be used by the everyday person for better online security.
YubiKey is designed to work with all major web browsers and platforms including Windows, macOS, Android, iOS, iPadOS, Linux and Chrome OS, as well as services by Dropbox, Facebook, Google, Twitter, Salesforce, and many more (though we didn't test it with all of these).
The YubiKey family now includes six keys with connectors for all types of devices, including wireless NFC on some models.
Which key should I use?
There are several types of YubiKey, which vary with the type of ports you need to plug it into, such as USB-A, USB-C or Lightning port.
The latest 5C NFC model has the most wideranging compatibility of the lot, because as well as connecting via the very common USB-C, it also wirelessly connects via NFC (near-field communication), which is built into many smartphones.
The YubiKey 5C NFC works with NFC-enabled smartphones for quick touch-and-go access
Simply tap the NFC area on your smartphone to the key, which gets around needing a port on the smartphone. The other YubiKeys are the 5 NFC, 5Ci, 5C, 5 Nano and 5C Nano. The nano versions are tiny and designed to sit unobtrusively in a computer port without sticking out like the larger models.
The NFC versions work with NFC-enabled smartphones for quick touch-and-go access. There's also a YubiKey Bio version on its way which uses fingerprint identification rather than just touch for extra security.
All YubiKeys support an alphabet soup of internationally recognised security standards, including FIDO2/WebAuthn, U2F, smart card, OTP, PIV and OpenPGP.
The YubiKey 5C NFC pack comes with several coloured stickers, which you can apply to your YubiKeys to help you tell them apart.
The dangers of SMS authentication
One of the greatest benefits of hardware keys is preventing the growing problem of fraud via smartphone SIM swapping (SIM porting).
This is used by cyber criminals to steal mobile phone numbers, move them to a different SIM card, and then use the stolen number to gain access to the victim's other personal information, including their bank and MyGov accounts.
Basically, with just your account number and date of birth (which is fairly easy to obtain), a criminal can ring your mobile carrier and pretend to be you asking to swap your number to another SIM (as you might do when buying a new phone).
Once the SIM swap is done, they can hack your accounts as many services send an SMS for authentication. The criminal will receive the SMS as they have control of your SIM.
But fortunately, more services are allowing security authentication other than SMS, including mobile authentication apps, biometrics and hardware (physical) systems such as Security Keys.
The bottom line is that using SMS as a form of authentication should be avoided in favour of an authentication app, or even a hardware key for the most secure solution.
Even if you lose your key, it's of no use to anyone as none of your information is stored on the key itself
You may find that you actually need more than one YubiKey to cover different devices – for example, if you have devices with USB-A and USB-C but not on the same device.
If you're not sure which YubiKey to buy, check out Yubico's online quiz. Whichever you go for, keeping a spare key (or two) is recommended in case you lose one. But even if you lose your key, it's of no use to anyone as none of your information is stored on the key itself.
The YubiKey 5C NFC pack comes with several coloured stickers which you can apply to your keys to better tell them apart.
Shopping links on the CHOICE website
CHOICE is an independent, non-profit organisation dedicated to helping consumers. Clicking a link will take you to a retailer's website to shop. While we make money if you buy through some retailer links, this doesn't influence any of our rankings. 100% of the money we make goes straight back into our non profit mission. We're currently testing this service and will consider providing more shopping links in the future. Tell us what you think.
Stock images: Getty, unless otherwise stated.
