Yubico is the market leader when it comes to hardware security keys utilising FIDO U2F and FIDO2 such as the Yubikey, but which one should you buy to suit YOUR needs?
There are actually a wide array of hardware security keys available from Yubico, and it can be quite confusing to try and pick out what you do and don’t need.
I hate purchasing a product and then finding out it is either missing a feature I wanted, or there was something better suited to my needs that I missed…
Update Jan 2019
It turns out that Yubico have recently released an NFC version of their Security Key.
This along with the release of the Yubikey 5 series late last year makes picking up the best key a lot easier. I have therefore updated the article below to reflect this.
Before we begin
If you are looking at this article and you have no idea who Yubico are, or what a hardware security key is, then I recommend you read our previous article which should bring you up to speed.
The Main Yubico Family
The picture above shows the main security keys that are currently available form Yubico. The blue device on the left is the Yubico Security Key (of which there are now two versions: with NFC and without NFC), and the four devices on the right are the Yubikey 5 Series keys in different form factors. They all look fairly similar, but in some cases they have very different features, so I will do my best to point you in the right direction.
What’s the difference?
All the keys listed above can deal with both FIDO U2F and FIDO2 (if you don’t know what either of those are take a look at my previous article), which are the main protocols that everyday users will be interested in at the moment. One of the most important new releases is FIDO2 support, which represents the future of password-less login.
From that point is where the differences start to come in. Some have NFC, some don’t. Some have more advanced protocols available, others don’t. . .and as you can see from the picture above they come in a variety of form factors.
So let’s get stuck in!
Yubikey 5 Series
The Yubikey 5 series is the most advanced key Yubico produce in terms of features. If you want all the possible features you can think of in one security key then these guys have you covered.
In terms of the security capabilities of the series 5 keys, all have exactly the same features. The only differences come with the interfaces used for connectivity. So from left to right:
- USB Type A and NFC
- USB Type C (no NFC)
- USB Type A low profile (no NFC) – designed to be very low profile in a laptop or server
- USB type C low profile (no NFC) – designed to be very low profile in a laptop or server
In terms of protocols that the keys can deal with, here it is:
- FIDO U2F
- Smart Card (PIV)
- Yubico OTP
- Storage of long password strings
If you don’t know what any of the above are apart from FIDO U2F and FIDO2, then it is likely you will not need them. If that is the case you may be more interested in the Yubico Security Key, which we will get to later in the article.
I would encourage you to take a look at the uses for each item on the list above in case the use case interests you. For example OpenPGP can be used to send secure emails, and encrypt and decrypt files.
Which of the four series 5 keys is the best to get?
This depends on your circumstances, but in general you should opt for the USB type A version.
There are various reasons for this. Firstly the build quality of this key is excellent. It is waterproof and crush-proof.
It is extremely thin, and about the same size as a standard house key, which makes it ideal for key-chains.
…and on top of all that it is the only key in the Yubico 5 Series that has NFC connectivity. This means that you can not only use this device to secure your logins on your desktop computer, but also your android smartphone or iPhone!
With all that aside, there are obviously reasons you might want to opt for one of the other keys.
For example if you want to have the keys permanently in a laptop or server, then the low profile USB-A and USB-C keys make sense. Also if you predominantly use devices with USB type C ports then the USB type C key makes a lot of sense.
However, as detailed above I think for most people the USB Type A key is just the best all rounder. Rugged, and with the best connectivity options.
Yubico Security Key 2
If your main concern is securing your login into websites such as Facebook, Twitter, Google accounts etc. Then the main protocols of interest are FIDO2 and FIDO U2F.
The Yubico Security key 2 covers those use cases without all the other more complicated protocols. As such it represents great value for most people, at around half the price of the 5 series keys.
Furthermore, as of January 2019 the Security Key can now be purchased with NFC connectivity, so you can use it with your phone or other NFC capable devices.
Yubico FIPS (not pictured)
Yubico has another series of keys that look identical to the 5 series keys. They are called the FIPS series.
As I understand it, Yubico has been seeking certification for FIPS 140 for a while, and it just attained it.
FIPS-140 is basically a set of standards that a hardware security device must meet according to the requirements of US government agencies. The requirements are quite stringent, which proves that the keys on offer by Yubico are indeed top notch.
It was actually the previous series (4 series) keys that were entered for certification, which is why they look exactly the same (please note the 5 series and 4 series keys look literally identical with the exception of the NFC sign on the 5 series USB type A key). What this likely means is that the FIPS keys are based on the old 4 series keys, and so you would miss out on NFC connectivity for example.
The long and short is: you only need the FIPS series keys if you work for a government agency that requires FIPS certification, otherwise it really isn’t worth the hassle.
My Current Setup
Just to give you an idea of what I use my keys for. . .
I actually own three Yubikeys. I decided to buy a Security Key 2 (without NFC as there was no option at the time) and a Yubikey 4 USB type A originally (see picture below). I have since purchased a Yubikey 5 Series USB Type A key to take advantage of the NFC capabilities of the new key. For me this is just about perfect.
I have my main 5 Series key that I carry around all the time, which can deal with FIDO U2F and FIDO2 for logins, whilst also holding my PGP keys for server login, and file signing / encryption. I then have the Yubico Security Key 2 as a backup for all the FIDO U2F and FIDO2 logins, and the Series 4 Key contains a backup of my PGP keys.
If I was to do it all again I would likely just get two Yubikey 5 Series keys, but I didn’t have that option when I originally purchased them.
Conclusion and Recommendations
For most people I would recommend that you buy at least two Yubico Security Key 2 NFC devices.
If you really need the extra features of the 5 Series Yubikeys, then I would recommend you buy at least two Yubikey 5 Series NFC Type A keys.
If you are not sure why you would need a pair of security keys I would suggest giving my previous article a read, which explains why. The short answer is: it acts as a backup should you lose one!
Overall, my experience so far has been excellent with regard to FIDO U2F. It really is a breeze to use, but I think the guidance and usage with regard to the more advanced features needs a little bit of work to make it easier to implement.
Either way they are worth the effort to learn how to use as the extra security they bring cannot be understated.