Yubico is the market leader when it comes to hardware security keys utilising FIDO U2F and FIDO2 such as the Yubikey, but which one should you buy to suit YOUR needs?
There are actually a wide array of hardware security keys available from Yubico, and it can be quite confusing to try and pick out what you do and don’t need.
I hate purchasing a product and then finding out it is either missing a feature I wanted, or there was something better suited to my needs that I missed…
It turns out that Yubico have just released the new Yubikey 5 series which makes picking up the best key a lot easier. I have therefore updated the article below to reflect this.
Before we begin
If you are looking at this article and you have no idea who Yubico are, or what a hardware security key is, then I recommend you read our previous article which should bring you up to speed.
The Main Yubico Family
The picture above shows the main security keys that are currently available from Yubico. The blue device on the left is the Yubico Security Key, and the four devices on the right are the Yubikey 5 Series keys in different form factors. They all look fairly similar, but in some cases they have very different features, so I will do my best to point you in the right direction.
What’s the difference?
All the keys listed above can deal with both FIDO U2F and FIDO2 (if you don’t know what either of those are take a look at my previous article), which are the main protocols that everyday users will be interested in at the moment. One of the most important new releases is FIDO2 support, which represents the future of password-less login.
From that point on the differences start to come in. Some have NFC, some don’t. Some have more advanced protocols available, others don’t... and as you can see from the picture above they come in a variety of form factors.
So let’s get stuck in!
Yubikey 5 Series
The Yubikey 5 series is the most advanced key Yubico produce in terms of features. If you want all the possible features you can think of in one security key then these guys have you covered.
In terms of the security capabilities of the series 5 keys, all have exactly the same features. The only differences come with the interfaces used for connectivity. So from left to right:
- USB Type A and NFC
- USB Type C (no NFC)
- USB Type A low profile (no NFC) – designed to be very low profile in a laptop or server
- USB type C low profile (no NFC) – designed to be very low profile in a laptop or server
Here are the protocols the keys support:
- FIDO2
- FIDO U2F
- Smart Card (PIV)
- OpenPGP
- Yubico OTP
- Storage of long password strings (static password)
If you don’t know what any of the above are apart from FIDO U2F and FIDO2, then it is likely you will not need them. If that is the case you may be more interested in the Yubico Security Key, which we will get to later in the article.
I would encourage you to take a look at the uses for each item on the list in case one of them interests you. For example, OpenPGP can be used to send secure emails, and to encrypt and decrypt files.
Which of the four series 5 keys is the best to get?
This depends on your circumstances, but in general you should opt for the USB type A version.
There are various reasons for this. Firstly the build quality of this key is excellent. It is waterproof and crush-proof.
It is extremely thin, and about the same size as a standard house key, which makes it ideal for key-chains.
…and on top of all that it is the only key in the series that has NFC connectivity. This means that you can not only use this device to secure your logins on your desktop computer, but also on your Android smartphone or iPhone!
With all that aside, there are obviously reasons you might want to opt for one of the other keys.
For example if you want to have the keys permanently in a laptop or server, then the low profile USB-A and USB-C keys make sense. Also if you predominantly use devices with USB type C ports then the USB type C key makes a lot of sense.
However, as detailed above, I think for most people the USB Type A key is just the best all-rounder: rugged, and with the best connectivity options.
Yubico Security Key 2
If your main concern is securing your login to websites such as Facebook, Twitter or Google accounts, then the main protocols of interest are FIDO2 and FIDO U2F. The Yubico Security Key 2 covers those use cases without all the other more complicated protocols. As such it represents great value for most people at around half the price of the 5 series keys.
However, the Yubico Security Key does not include NFC.
If you can forgo NFC, and only want FIDO2 and FIDO U2F, then this is a no-brainer. At half the price of the 5 series keys you can’t go wrong. However, I think the sensible choice is to use this as a backup key for the USB-A 5 series key which features NFC. If you are not sure why you would need a second key as a backup, take a look at my previous article, which explains why.
Yubico FIPS (not pictured)
Yubico has another series of keys that look identical to the 5 series keys. They are called the FIPS series.
As I understand it, Yubico has been seeking certification for FIPS 140 for a while, and it just attained it.
FIPS 140 is basically a set of standards that a hardware security device must meet according to the requirements of US government agencies. The requirements are quite stringent, which proves that the keys on offer from Yubico are indeed top notch.
It was actually the previous series (4 series) keys that were entered for certification, which is why they look exactly the same. Please note that the 5 series and 4 series keys look literally identical, with the exception of the NFC symbol on the 5 series USB Type A key. What this likely means is that the FIPS keys are based on the old 4 series keys, and so you would miss out on NFC connectivity, for example.
The long and short is: you only need the FIPS series keys if you work for a government agency that requires FIPS certification, otherwise it really isn’t worth the hassle.
My Current Setup
Just to give you an idea of what I use my keys for...
I actually own three Yubikeys. I decided to buy a Security Key 2 and a Yubikey 4 USB type A originally (see picture below), and I have since purchased a Yubikey 5 Series USB Type A key to take advantage of the NFC capabilities of the new key. For me this is just about perfect.
I have my main 5 Series key that I carry around all the time, which can deal with FIDO U2F and FIDO2 for logins, whilst also holding my PGP keys for server login and file signing and encryption. I then have the Yubico Security Key 2 as a backup for all the FIDO U2F and FIDO2 logins, and the Series 4 Key contains a backup of my PGP keys.
If I was to do it all again I would likely just get two Yubikey 5 Series keys, but I didn’t have that option when I originally purchased them.
For most people I would recommend that you buy one Yubico Security Key 2 device and one Yubikey Series 5 USB Type A. The main reason for this is not so much to use all the extra security protocols of the 5 series, but to get the advantage of having NFC connectivity. You can then use the Security Key 2 as a backup.
This way you get the features you need for less cost.
However, the absolute best for most people would be two Yubico Security Key 2 with NFC... but this doesn’t exist yet, so maybe we will have to wait for the Yubico Security Key 3?
Overall, my experience so far has been excellent with regard to FIDO U2F. It really is a breeze to use, but I think the guidance and usage with regard to the more advanced features needs a little bit of work to make it easier to implement.
Either way, they are worth the effort to learn how to use, as the extra security they bring cannot be overstated.