Yubikeys are for everyone


Do you know exactly where your Multifactor Authentication (MFA) secrets, the seeds that generate your one-time codes, are stored? Are they tied to a device? Up in the cloud? Do you need a password to access them? What happens if you lose your device? These are all questions worth being able to answer, given that around 80% of people use MFA in some form for their personal accounts. Losing an MFA method is a frequent cause of being locked out of accounts, and getting them back can be a huge pain, if it is possible at all. Yubikeys are small physical devices that you can reasonably buy two of (unlike buying two phones) and are not nearly as complex as they seem. They are a great place to keep MFA secrets, and they just work.

What is a Yubikey?

A Yubikey is a small physical device that looks a lot like a USB stick. There is a small hole that can be used to attach the device to a key ring. They come in many varieties and retail for around $55 CAD at the time of writing.

[Figure: diagram showing a primary and backup Yubikey setup]

They are made to last a long time. They are IP68 rated, are crush resistant, and contain no batteries or moving parts. While $55 CAD each is not cheap, especially since you want two, I would say they pay off over the long run.

How to use Yubikeys to store TOTP credentials

TOTP stands for “Time-based one-time password” and is one of the most common ways that sites set up MFA. What actually gets stored is the account's secret (the seed shown in the QR code); the key keeps that secret and computes the six- or eight-digit code from it and the current time whenever an app asks. The Yubikey 5 series can hold 32 such credentials (64 on firmware 5.7 and newer), and integrates with an app that reads the codes off of them. The steps to set up are as follows (instructions can also be found on the Yubico website):

  1. Download the Yubico Authenticator app. It is available for every major platform, both mobile and desktop.
  2. To add an account on mobile, open the app and press “add account”. This opens the camera so you can scan the QR code shown by the site during MFA setup. If no code is shown, you can also enter the secret manually by pressing “add manually” at the bottom of the interface.
  3. Lastly, tap the key to the back of the phone (if both your phone and key support NFC) or insert the key into the port on the bottom of your phone.

That’s it! The one pain point is that you should set up MFA for each account on both keys, so that they hold the same secret and produce identical codes. This can be done either by having both keys present at the same time and scanning the QR code with both before finishing setup, or by saving the QR code for later. Keep in mind that a saved QR code is the secret itself in plaintext, so if you save it, delete it as soon as you are done setting up the second key, and do not let it sit in a cloud-synced photo roll. While this may sound intimidating, it is usually an afternoon of work up front, after which you rarely need to think about either key for a long time.
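To make concrete what the QR code carries and what the key does with it, here is an added example that is not code from the original post or from Yubico. It parses an otpauth:// URI (the text encoded in a site's MFA QR code), derives the code with RFC 6238 TOTP, and models a primary and a backup key provisioned from the same URI. The `SimulatedKey` class and the sample URI are constructed for illustration (the secret is the RFC 6238 test seed), not real hardware or a real account.

```python
"""Added example: what a TOTP QR code contains and how a key turns it into a code.

Constructed for illustration; SimulatedKey stands in for a key's OATH slots
and is not Yubico's implementation.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Extract the fields a QR code carries. The secret sits right there in
    plaintext, which is why a saved QR image must be deleted after use."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported")
    q = parse_qs(p.query)
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class SimulatedKey:
    """Hypothetical stand-in for one key's credential storage.

    The secret never leaves the key; callers only get a code for a given time,
    and an optional access password gates that operation.
    """

    def __init__(self, password: Optional[str] = None) -> None:
        self._password = password
        self._accounts: dict = {}

    def add_account(self, otpauth_uri: str) -> str:
        acct = parse_otpauth(otpauth_uri)
        self._accounts[acct["label"]] = acct
        return acct["label"]

    def code(self, label: str, at: int, password: Optional[str] = None) -> str:
        if self._password is not None and not hmac.compare_digest(
                password or "", self._password):
            raise PermissionError("key is password protected")
        a = self._accounts[label]
        return totp(a["secret"], at, a["digits"], a["period"], a["algorithm"])


# Constructed sample URI using the RFC 6238 test seed "12345678901234567890"
# (base32 below); a real site generates a random secret per account.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&digits=8&period=30")


def provision_pair(uri: str = SAMPLE_URI, password: str = "hunter2"):
    """Scan the same QR code into a primary and a backup key."""
    primary, backup = SimulatedKey(password), SimulatedKey(password)
    label = primary.add_account(uri)
    backup.add_account(uri)
    return primary, backup, label


def codes_match(at: int = 59) -> bool:
    """Both keys hold the same secret, so they return the same code."""
    primary, backup, label = provision_pair()
    return primary.code(label, at, "hunter2") == backup.code(label, at, "hunter2")


if __name__ == "__main__":
    primary, backup, label = provision_pair()
    print(label, primary.code(label, 59, "hunter2"))  # RFC 6238 vector: 94287082
    try:
        primary.code(label, 59)  # a stolen key without its password
    except PermissionError as e:
        print("without password:", e)
```

Two things to take from running it: the code depends only on the secret and the clock, so two keys loaded from the same QR code are interchangeable, and the secret is fully recoverable from the QR image, so that image deserves the same care as the key itself. On real hardware the provisioning step is what the Yubico Authenticator app (or the `ykman oath accounts add` command in Yubico's CLI) performs for you.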

What if someone steals one of my Yubikeys?

You can set a password on each Yubikey so that if an attacker does steal a key, they still won’t be able to read codes from it (the Yubico Authenticator app can remember the password for you; how strong it should be, and whether it makes sense to set one at all, depends on your threat model). Unlike someone stealing your phone, which likely holds your saved passwords as well, a thief now has only one of your two factors. Either way, that buys you time to quickly reset MFA on your accounts using your remaining key, which you should do promptly, since a stolen key without a password plus a leaked account password is a complete login. If you don’t get your house keys stolen, I would say it is about equally unlikely that you would get your Yubikey stolen.

Why would this be better than an app?

The reason I thought it made sense to write this article is to present Yubikeys as something that makes more intuitive sense than many apps. Since it is very unlikely that you have two phones, a lot of TOTP secrets reside on one device only. Additionally, phones are not as resilient as Yubikeys and are more prone to break. Using Yubikeys feels a lot like using keys for locks in the real world: you have two keys, each works identically. Lose one, use the backup, and replace the lost key when you can.

For the authenticator apps that do offer backup, it can be a real catch-22 where to store the password that encrypts that backup. If you store it in your password manager, what happens if you destroy your phone and need to sign into the password manager to get the password for the TOTP code for the password manager itself?

While expensive, and a little less convenient to set up, once you get them working, they really do work well.