Physical Keys for Your Digital Life: A Review of the Yubico and Google Security Keys
By: Karl Belanger, Access Technology Specialist
We’ve all encountered this before when logging into a service: “Please check your phone and enter the code we just sent you.” This is an example of two-factor authentication, a process which aims to make your online accounts more secure than with just a password. However, the email- or text message-based methods of two-factor authentication are not that secure, and we’ve all dealt with the frustration of our phone not receiving the message because it’s dead, or the email not arriving or getting sent to the spam folder.
Fortunately, there are other options available, one of which is the hardware security key. These keys connect to your phone or computer, and provide unique codes that take the place of the traditional verification process. They are fast and easy to use, but come with their own drawbacks. They aren’t free, with some costing up to $80. They’re yet another thing to keep track of, and losing one can be very inconvenient. Not all services support hardware keys, so at least for now you won’t be able to completely do away with the text message verification process. For blind users, there is the additional concern of how accessible they are and whether they will work with access technology. We picked two keys, the Yubico YubiKey 5 NFC and the Google Titan Security Key, and put them through their paces. Let’s dive in, see what they can do, how accessible they are, and whether or not they are worth using.
A Brief Intro to Two-Factor Authentication and Some Needed Terminology
As you dive into the world of hardware security keys, you will encounter a variety of terms and acronyms that will likely be confusing at first. Fortunately, unless you’re going for an IT security job, you likely will only need to know a few terms and a little about how all this works. Here are the basics that should get you started.
Two-factor authentication, often abbreviated as 2FA, and the broader multifactor authentication (MFA), refer to the process of using two or more pieces of data to authenticate a user. These generally take three forms: Something you know, something you have, and something you are. Something you know may be your username and password to your email or your PIN for your ATM card. Something you have can be a variety of things, such as your ATM card, your phone where you receive the text message, or a hardware key. Lastly, when you unlock your phone with a fingerprint or facial recognition, that’s something you are. Any two out of three are generally considered sufficient for authentication.
FIDO and TOTP
While there are a variety of security-related acronyms, the two most relevant to the average user are FIDO (Fast IDentity Online) and TOTP (time-based one-time passcodes). Services that support FIDO use your security key directly, and generally don’t require any extra steps beyond registering it. Services that use TOTP will generally require the use of an authenticator app, which we will discuss later. Not all keys support all services, so make sure the key you want is compatible with the services you want to use.
Getting Started with a Security Key
Once you’ve decided to get a security key, there are a few steps to consider before diving in.
How Will It Connect?
You can get keys with USB Type-A, the standard USB port on most computers, or USB Type-C, the smaller port used on newer laptops and Android phones. Some keys also have NFC, allowing you to connect to a phone wirelessly. Unfortunately, the number of keys with a Lightning port appears extremely limited, so NFC is probably a safer bet. Look at what technology you have and make your choice accordingly.
What Services Do You Use?
Look at the settings of the services you commonly use. The relevant setting will usually be in a section called Login, Security, Verification, or something similar. If you find an option to register a security key, then the service likely supports the FIDO protocol. If you only find instructions to set up an authenticator app, then the service only supports TOTP. Keys will indicate which protocols they support, and will often have a compatibility list, but it’s good to double check yourself.
Strongly Consider a Spare
These keys are small, and if not connected to a keychain or otherwise secured, could be lost easily. Just as with a physical key to your house, losing a security key is very inconvenient. Some services allow the use of text message verification as a fallback; others may let you use a different authenticator app. It is possible to be locked out of your account if the key is lost, and unfortunately there is no such thing as a digital locksmith. For this reason, it is highly recommended to have two security keys. Keep one with you, and store the other in a safe place in case the first gets lost. This is also the most secure arrangement, since relying on keys alone, with no weaker fallback method enabled, eliminates most opportunities for someone to compromise your account.
The Google Titan Security Key
Google offers two versions of the Titan Security Key, one with USB A and the other with USB C. The USB A version was out of stock during our testing, so we obtained the USB C version. Both keys also work with NFC, so they should work with an iPhone. The keys cost $30 for the USB A version, or $35 for the one with USB C. The packaging is a nice box with a magnetic closure along the side, two print books, and a cutout for the key. One book is safety and regulatory information, the other contains getting started instructions in multiple languages. The Google key has a hole for a keychain or lanyard on one end. In the middle is a large, slightly recessed oval area where the touch sensor is located. The other end has the USB C port. The top and bottom of the key are slightly rounded, with flat edges. The end with the keychain hole is also rounded.
Google’s key only supports FIDO protocols, so it won’t work with all services. Most notably, it doesn’t work with services which require one-time passcodes through authenticator apps. Unfortunately, other than a basic list of the protocols the key supports, Google does not have any sort of compatibility list or instructions for setting up services other than Google. Google also advertises its Advanced Security program, which is designed for journalists, politicians, public figures, and anyone else who may be at increased risk of targeted attacks. While this service isn’t recommended for general users, it may be something to consider if information in your Google account is particularly sensitive and valuable.
The YubiKey 5 NFC
We obtained the YubiKey 5 NFC, a model from Yubico which has a standard USB port and NFC capability. You can also get a version with USB C, a nano version with either USB A or C but no NFC, or a version with both USB C and Lightning, but also no NFC. Yubico also offers a cheaper security key line, but these don’t support one-time passwords, limiting the services they can be used on. YubiKey prices start at $25, with the key used in this review costing $45. The packaging is very simple, consisting of a card with the key in a blister pack in the middle. There is a tear point on the back of the card which exposes the key. There is nothing else included with the key. The YubiKey 5 NFC looks like a very thin flash drive. At one end is a hole where it can be attached to a key ring or lanyard. In the middle of the top side is a small round indentation containing a touch sensor, and the other end is a USB port. The YubiKey is thinner than the Google key, with squared corners. The touch sensor is also slightly smaller.
Registering with a Service
The process of registering a service is accessible, provided the service’s settings are accessible. For services using the FIDO standard, the process is identical whether you’re using the YubiKey or the Titan Security Key. Log into the service you want to set up and find the two-factor authentication settings as discussed earlier. For this example we’ll assume there is an option for registering a security key. After selecting this option, you will receive a prompt to plug in your key if it isn’t already. Next, your browser will ask you whether you want the website to be able to access the information on your key. The third step is a prompt to touch your key. If all worked, you will receive a prompt to name your key, after which the process is complete. If you’re using NFC, you will receive a prompt to scan your key, in which case using the touch sensor is not required. If you have a spare key, unplug your main key and go through the same process again to register it. If you don’t, be sure to set up text message verification, or save its backup codes so you don’t get locked out.
Once you add a service, when you log in from a new device, you will receive a prompt to use your key. Simply plug in your key, or scan it with NFC, and touch the sensor. You will then be logged in.
The Yubico Authenticator App
For services that don’t directly support hardware keys, there is the Yubico Authenticator app. The app is available for all major operating systems. This app is designed for and only supports YubiKey devices, not the Google Titan key. It also doesn’t support the cheaper YubiKey Security Key series. The app is mostly accessible, depending on which operating system you’re using it on. When you launch the app, you will see a prompt to plug in or scan your key. After doing this, you can start adding services. Once you’ve added some services, plugging in the key will show all the services linked to that key, and optionally, the codes for them. If the option to require a touch was left unchecked when the service was added, its code appears as soon as your key is plugged in or scanned. If a touch is required, the code is hidden and appears as a line of asterisks. To reveal the code, navigate to it and press Enter if using the desktop, or select it and hit the Calculate button if you’re using mobile. Then touch the sensor or scan your key as directed and the code will appear.
Adding a Service to the Authenticator
Once again, go to the security settings of the service you want to add. This time, choose the option labeled something similar to “Use an authenticator app.” This will bring up a QR code and a button to set up manually. If you’re using the app on your phone, select the button to scan the QR code and you can attempt to use the camera. Otherwise, select to set up manually. The service will give you a string of letters and numbers. Copy this and paste it into the secret key box on the Add Account screen of the Authenticator app. On this screen there are some advanced options, which are beyond the scope of this blog, as well as the option to require touching your key or not. Once the service is added, enter the generated code on the site and the process is complete. Be sure to use the secret key to add the service to all your keys before finishing.
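The “string of letters and numbers” the service shows at manual setup is a base32-encoded TOTP seed; the authenticator keeps that seed on the key and combines it with the current time to produce each six-digit code. This added example, not code from the original article or from Yubico, reproduces that computation (RFC 6238 TOTP over HMAC-SHA1) and the skew-tolerant check a service performs on the code you type in. It serves both the FIDO/TOTP overview above and this section, and uses the RFC 6238 reference seed, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret):
    # Services display the seed in base32, often lower case or with spaces,
    # and usually without the "=" padding that the decoder expects.
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    # RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then
    # "dynamic truncation" picks 4 bytes at an offset taken from the last byte.
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, at=None, step=30, digits=6):
    # RFC 6238: the HOTP counter is the number of 30-second steps since the epoch.
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret), at // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, window=1):
    # What a service does with the code you enter: accept the current step and
    # its neighbours (clock skew), comparing in constant time to avoid leaking
    # how many digits matched.
    key = decode_secret(secret)
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return True
    return False


# RFC 6238 reference seed (ASCII "12345678901234567890"), base32-encoded.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SEED, 59))                 # 287082, per the RFC test vector
    print(verify_totp(RFC_SEED, "287082", 89))  # True: one step of skew allowed
```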
Accessibility Issues in the Authenticator App
On Windows, there are a few issues when using the authenticator app. The button that brings up the main menu is labeled, but the menu is not accessible from the keyboard. The button to add an account is also unlabeled. When adding an account, the fields are unlabeled. Also, once you tab to the Secret Key field, it is not possible to Shift + Tab to the previous fields, nor is it possible to Tab back around to the top. Finally, when pressing Enter on a hidden code, the prompt to touch your key does not speak, and there is no indication that the code has been revealed unless you arrow away and back to the code.
On mobile, the app is mostly accessible. On iOS, it is somewhat difficult to initiate the NFC scan as you must double tap and hold, then drag down in the right place to start NFC. When adding an account manually, the labels for each field appear as separate, dimmed items, though the fields themselves are accessible. On Android, the only, though major, issue is that when attempting to add an account manually, the secret key field is not accessible at all with Talkback. For now, Android users will want to either scan the QR code or create the account on a computer. These issues have been reported to Yubico, and I am hopeful we will see some improvements.
Both the YubiKey 5 and the Google Titan key are viable options for securing your online accounts. The accessibility of setup will depend on how accessible the service is, but if the underlying service is accessible, then the setup will be as well. The Yubico Authenticator greatly expands the range of services the YubiKeys will work with, but it has a few issues that could range from somewhat annoying to showstopping depending on your use case. Any security key will help keep your accounts secure, and provide another layer between you and anyone after your private data. You can find out more information and purchase the keys on either the Yubico or Google sites.