In 2021 alone, many businesses endured over 1,001 data breaches. These attacks exposed millions of victims’ personal information.
You need to defend yourself from breaches. Whether you’re traveling, working from home, or living in another country.
That’s where Yubico and their YubiKeys come in.
Yubico has protected users’ information with their hardware security keys for years. One of their most popular keys is the YubiKey 5 NFC.
Explore this Yubico YubiKey 5 NFC review.
Learn why you should buy this two-factor authentication (2FA) key. Moreover, learn about the pros and cons and whether you should invest.
My Experience With a YubiKey 5 NFC: Is It Worth It?
I purchased my Yubico NFC security key about a year ago.
So far, the only regret that I have is—
That I don’t have two. I’ll tell you why having more than one is important in a bit.
I use this hardware security device as a daily driver to secure accounts I always use.
Was it worth the money?
Purchasing this key has significantly reduced my stress regarding account security.
Yubico YubiKey 5 NFC Specifications
|Supported password managers||Bitwarden Premium|
|Made in||Sweden and USA|
Fast ID Online (FIDO2)
Client to Authenticator Protocol (CTAP1)
FIDO2 CTAP2, Smart card (PIV-compatible)
OATH – HOTP (Event)
OATH – TOTP (Time)
Secure Static Password
Certifications: FIDO U2F Certified and FIDO 2 Certified
|Cryptographic specifications||Elliptic-curve cryptography (ECC) p256|
Rivest-Shamir-Adleman encryption (RSA) 2048
RSA 4096 (PGP)
|Device type||Human Interface Device (HID)|
Chip Card Interface Device (CCID) Smart Card
What Is a YubiKey?
Yubico made these hardware authentication devices as a two-step authentication method.
You can use these keys to log into operating systems, websites, and various applications. They act as a replacement for one-time password apps.
Yubico has keys with different connection options to make them useful for various devices
For instance, if you have a device that only supports USB-C, you’d go with the Yubico YubiKey 5Ci. If you need near-field communication (NFC) connectivity, go for Yubico’s 5 NFC.
YubiKeys also adhere to the industry standard dubbed Universal 2nd Factor (U2F).
U2F combines public key cryptography and hardware-based security authentication. Because of this union, it’s difficult for hackers to get a hold of your data.
Two-Factor Authentication 101
2FA acts as a medium that requires two ways to prove your identity to log in to a website or application.
For example, you’ll almost always enter a password first with website account security.
If you enable 2FA, the website will prompt you to enter a security code that you can get from your email, a text message, or an application.
You can further divide two-factor authentication into the following areas:
- U2F: login methods include biometrics, inserting a hardware security key, or using an NFC function to log into a device (most secure)
- Time-based One-Time Password (TOTP): generates a one-time password (second-best)
- SMS: the website will text you a code (least secure)
- Email: the website will email you a code—better than nothing
If you haven’t enabled 2FA yet, I recommend doing so.
While using 2FA won’t stop all hackers or thieves from going after your data, it will deter them.
If you don’t want to use a hardware key, download a free one-time password application. I’ll give you a good TOTP application in a second.
YubiKey 5 NFC Features: Do They Justify a Purchase?
Besides the specs mentioned above, the YubiKey 5 NFC has one task—to perform two-factor authentication. There aren’t additional features that you’ll need.
Yubico also offers a one-year warranty on their security keys. A useful perk if something goes wrong with your key.
Related: Guide on how to choose the best VPN
Who Is The YubiKey 5 NFC Best For?
In general, you’ll want a YubiKey if you want enhanced security for any accounts that Yubico supports.
When referring to the YubiKey 5 NFC, since you can connect it using USB-A and NFC, you can only support it on devices with USB ports or NFC options.
What Sites Support Security Keys? #
There’s a massive list of websites that YubiKey 5 NFC works on. Some of these sites include:
|Shopify||Gemini||Basecamp||Many password managers|
When reading Yubico’s website, you should find ‘Compatible YubiKeys.’
You’ll see this section further down the page. It ensures the YubiKey that you have worked with the website or app you want to use it with.
Some websites on this page don’t support YubiKeys. To determine whether they do, locate the checkmark beside the site’s name. The checkmark will let you know that Yubico ensured YubiKeys would work on the website.
Yubico’s Free Software To Help Manage Your Key/s
If you want additional functionality and ways to manage your key/s, Yubico offers free software.
Whether you want a more secure TOTP application or a way to manage your YubiKey.
Yubico Authenticator Application #
If you need a one-time password application that you can secure with your YubiKey, you’ll find it with the Yubico authenticator application.
You can use it on Mac, Linux, Windows, iOS, and Android operating systems.
I downloaded the Yubico Authenticator App on my Mac and Android phone for testing purposes.
First, I’ll cover the Mac.
Upon logging into the application, it asked me to plug in my YubiKey and enable the app to access privacy features. So I did that and was taken to a screen to add an account.
After that, it’s just like any other desktop TOTP application, either enter the security key manually or use Yubico’s screen capture feature to take a picture of the website’s 2FA QR code.
Keep in mind that if you remove the YubiKey at any point while using this application, the software will take you back to the login screen.
After doing that, the additional options sparked more interest.
First, you can choose whether to tap your key to generate the random code. Afterward, it will give you advanced options like:
- Type: TOTP or HMAC-based one-time password (HOTP)
- Secure Hash Algorithm 1 (SHA1): a hash function to determine whether a file has been altered
- SHA256: created by the National Security Agency and is a more secure successor to SHA1. The details of how this hashing function works are classified.
- SHA512: most secure hash function available
- Period: set the one-time password duration
- Digits: password length between 6–8 numbers
With the desktop application, you can also manage your key by tinkering with the PIN and sign-in data. You can also view the device type, firmware version, and device serial number.
If you want, you can connect an external card reader to interact with your YubiKey.
The Yubico Authenticator application for both my Mac and Android worked perfectly.
If your phone doesn’t support NFC or dongles, you can’t use the mobile application.
YubiKey Manager Application #
To further customize your YubiKey’s functions, you can download the YubiKey Manager application for Mac, Linux, and Windows operating systems. One way to configure your key is to require a 3-second touch when using U2F logins.
Also, you can use this software to view your key’s information.
How Durable Is a YubiKey? #
The YubiKey 5 NFC is IP68 rated.
This means that it can survive a maximum depth of 1.5 meters (4.9 feet) underwater for 30 minutes. However, tests didn’t specify whether the water had salt or chlorine. So test at your own risk.
It’s dust-, dirt-, crush- and sand-resistant. Also, Yubico makes its products with fiberglass reinforced bodies and hardened military-grade gold.
These keys should withstand most of what life will throw at the device.
I haven’t tried to destroy my YubiKey, so I don’t have first-hand experience as to how much of a beating these devices can take.
However, a Twitter user accidentally ground his YubiKey in a weed eater.
Have you ever wondered how durable a multifactor token is? @N8ACR, one of our @MiamiRegionals IT staff found out with his @Yubico YubiKey. He lost this one years ago, and found it this week when his weed eater threw it back up on to the porch. It still works! pic.twitter.com/PuMM283OGg— David Seidl (@davidseidl) May 5, 2020
As you can see, the YubiKey still works.
I’m sure these things aren’t fireproof, though. I recommend investing in a fireproof case for this device if your home catches on fire.
How Do I Use My YubiKey 5 NFC? #
Yubico has a guide on setting up whatever YubiKey model you purchased with any website they support.
Once you configure your key to the website, you will see a message that looks like this image every time you log in.
Afterward, your key will glow like in the video below.
Press your finger against the key for however many seconds that you set.
In some instances, you will have to enter your YubiKey’s pin.
You will have to set this pin when setting up your hardware security key.
Finally, you will either see a message saying that you are successfully logged in or that you must try again.
2FA Security Key Buying Guide: Don’t Buy the Wrong Key
Fortunately, you won’t need complex criteria when purchasing security keys for multi-factor authentication. However, you’ll want to keep the following factors in mind:
- Standards support: future-proof your device’s support by ensuring it supports the newest set of security standards. FIDO2 support is a good example.
- Compatibility: each key has different connections it supports. Some support USB-C connections, while others have USB-A and NFC connections.
- Durability: ensure your device won’t break while you’re carrying it.
- Documentation: opt for a company that offers the most information possible on their products. Also, check whether there’s a decent-sized community based around the key you want.
YubiKey 5 NFC Alternatives: There Aren’t Many #
If you’ve gotten to this point and realized that you don’t have any use for USB-A or NFC, keep reading.
YubiKey 5Ci: Best for Apple Product Owners
The YubiKey 5Ci is exactly like the YubiKey 5 NFC with a couple of differences—the connectivity.
With this device, you can connect it via USB-C or Lightning, making it better for you who primarily use Apple products.
If you want the most versatile YubiKey device, I recommend saving money and getting a USB-A to USB-C adapter.
That way, you can still use NFC technology and access type C and Lightning connectors.
I use the USB-A female to a C adapter that came with my phone. However, I’m sure you can find an affordable dongle on Amazon.
The YubiKey 5Ci shares the same pros and cons as the 5 NFC.
Google’s Titan Security Key: Read the Description
Before, I recommended this key. However, after finding a study stating that a hacker can copy the chips inside these keys, I can no longer recommend Google’s Titan Security Key.
Instead, I will leave the previously published information for your reference.
I have a link to the research paper in the FAQ section of this article.
Google offers an alternative hardware key with USB-A, USB-C, and NFC connectivity. Moreover, they work with services that support FIDO standards. The Titan Security Key acts as more affordable than the YubiKey 5 NFC and NFC. However, Google doesn’t offer as much information and features as Yubico. Therefore, if you decide to buy this security key, you’ll want it as a backup key.
Thetis FIDO2 Security Key: A Slightly More Affordable Alternative
The main difference between Thetis’ key and their competitors is fingerprint verification. It also offers more affordable USB-A security keys.
Otherwise, they don’t seem to have much to offer.
These 2FA hardware keys can withstand drops and are FIDO U2F certified. Otherwise, Thetis doesn’t go into many details.
|✔️ 1-year warranty||❌ Bulky|
|✔️ Bluetooth connection|
Yubico YubiKey 5 NFC Review: My Overall Opinion
I don’t buy many items.
Because most of the time, I regret my purchases or find that I don’t use what I buy enough.
However, the YubiKey 5 NFC is an exception. I use it every day and only wish that I had bought two.
YubiKey did a fantastic job designing these devices.
They’re durable, small, and have a massive community surrounding them.
I wish more websites would accept these devices as a means of 2FA. However, that may come in the future.
|✔️ Crush-resistant||❌ Unusable on a lot of websites|
|✔️ No required software installations||❌ Can’t retrieve access to accounts if you lose your YubiKey|
|✔️ OTP support|
|✔️ FIDO U2F compliant|
FAQ: Yubico YubiKey 5 NFC Review
Do you have more questions about YubiKeys? Here are several essential questions to answer before you buy a YubiKey.
How Can I Tell If My YubiKey Is Real?
You can tell if your YubiKey is authentic by using Yubico’s official web application.
First, insert your YubiKey and allow the web app to scan your card’s hardware key. After a couple of seconds, you’ll land on a page that says whether your device is verified.
However, I couldn’t find a way to figure out if a YubiKey product listing is fake. In this case, ensure you get your YubiKey from Yubico or their approved vendors. Otherwise, if you end up with a counterfeit, you’re potentially putting your information in the hands of a hacker.
What Do I Do If I Lose My YubiKey?
If you lose your YubiKey, you’re out of luck. Unless the website offers a way to recover your account.
But technically, account recovery defeats the security of the YubiKey.
Because a hacker could also use a similar recovery method to enter your account.
The best way to prevent losing your accounts is to get another hardware key. Make sure you store this second hardware key in a different location from your original one.
Can YubiKey Be Bypassed?
Hackers can’t bypass YubiKeys.
However, certain websites using security keys may have security flaws. These backdoors could enable an attacker to access your accounts without a key.
Can You Copy a YubiKey?
While there has been no documentation on YubiKey’s being copied, a report (PDF link) states attackers can clone Google’s Titan key.
Additionally, another source stated that other security keys that use A700X chips might also be vulnerable.
The YubiKey product that I know uses an A700X chip is the YubiKey NEO. However, the NEO is now a legacy device and is not supported by many websites.
Where Is YubiKey Made?
YubiKey manufactures all its products either in their United States- or Sweden-based factories. Also, Yubico sources all of its materials from the U.S. and Sweden.
Should I Get a YubiKey 5 NFC?
YubiKey has proven its worth and given me a better sense of account security.
While YubiKey falls behind in website adoption, plenty of websites still accept them as a 2FA method.
With enough education around U2F authentication, more companies may implement these keys into their sites’ login security.
If you get a YubiKey 5 NFC or its counterparts, you may save a lot of money. Funds that you could have lost if someone got into one of your accounts. Also, you wouldn’t have to stress over account and asset recovery.