My Review of YubiKey 5 NFC
Introduction
Well, I finally got a YubiKey. I had long wanted to get one, as I had been considering security options for a while. You see, there's a type of social engineering that I have dubbed the "Brick to the Head" method. In a situation where an attacker can merely knock you out, most two-factor authentication (2FA) is going to prove worthless because they have your face, your fingerprint, your phone, and your security key (FIDO/FIDO2, YubiKey, CAC card, PIV card, etc.).
So I decided for my birthday that I would get a pair of Yubico YubiKey 5 NFCs. This will document my experience configuring my accounts, in the hopes that maybe someone will benefit.
Initial Setup
There was no registration process with YubiKey, per se. This makes sense because Yubico doesn't need to hold on to the information on our keys.
Google Account
One of the first things I did was to register the keys with my Google Account. However, on my Google Pixel 5, I had no shortage of difficulties. They would not link up during the NFC portion of adding them as 2FA on my account. The keys worked over NFC and on Windows and Linux, just not there. Per the /r/yubikey subreddit, this is common, and adding them via USB in Chrome on a laptop or other computer should work fine, which I did for both of my keys. This was infuriating because the YubiKey Authenticator could see them and I could use them. I went through no shortage of troubleshooting steps on my Pixel 5, from NFC settings to clearing the cache on the NFC system apps to resetting network settings on the entire phone to even doing a factory reset on the phone. Not a single thing worked. So I added the YubiKey Authenticator app to my Google account, or so I thought. I can use that if all else fails. Then I added the keys via USB in Chrome on my laptop.
Note that the Google Pixel 5 and later Pixel phones have a built-in Titan security key. However, like I said before, I wanted to secure my devices from the "brick to the head" hack method. I use my fingerprint to get into my Google Pixel phone, so I don't want people to be able to change settings on any of my apps.
However, when I tried to authenticate with the YubiKey Authenticator later for something, Google did NOT accept the YubiKey Authenticator. Indeed, it claimed I had none. When I tried to add the YubiKey Authenticator, it said I can only add the Google Authenticator. This is infuriating because I should be allowed to use an Authenticator of my choice.
Trying to then use my YubiKey on my phone means I can only use the Google Chrome app to get into my account. This works, but again, slightly annoying because I'd like there to be a step between my Authenticator and my account. I'm OK with the current state, which requires my password and the Google Authenticator on my phone (since there's no version for Windows), since Pixel phones include a Titan Security Key. However, I'm still not happy that I can't use one app for all of this.
Windows
On Windows, the installation was not as straightforward at first as I would've liked; I would've liked more thorough documentation. For instance, I gave the backup key to my wife. I wanted her key to be her primary login to my machine and my backup, and vice versa, on all accounts. I had to sort of guess by adding one account at a time. It happened to work, so I guess I did it right. My use case was sort of an edge case.
The YubiKey Authenticator synchronizes back and forth between my phone and Windows, so that was a pleasant surprise. I was hoping not to have to reaccomplish all the steps on my laptop.
Amazon Account
With Amazon, I was a little less happy. You see, there was no way to tell it that I wanted to make my authenticator app and/or security key my primary method. And it would not let me change the order of importance either. So I had to basically disable 2FA on Amazon altogether, which gave me the ability to clear the 2FA settings. Then I re-enabled 2FA and started all over again. So this time it worked. But I am slightly disappointed that Amazon won't authenticate with key and password: I have to use the authenticator.
However, when I somehow got my password wrong too many times, Amazon's features worked properly. It had me change passwords, but I still could not get in without my Authenticator.
PayPal
Of all the accounts I wanted to secure, PayPal was the best in my opinion. I didn't have to delete my settings, I could just move them around, set them as primary, change them, delete them, etc. You see, in configuring all my accounts, I set a phone as the backup method, but I set my wife's phone as the backup phone number, because I have the key and the authenticator as well as my password. In the event that I absolutely need to get in and I don't have the authenticator or the keys, I would get the code from her via text as a last resort.
Dropbox
Dropbox works in Windows and Android but not Linux. See my Linux page for information. Basically, because of this, I had to make the YubiKey Authenticator the primary method of using the YubiKey in all my accounts because Chrome doesn't seem to pull the chip info in PIV/CCID mode in Linux, and because websites are annoying. Indeed, Dropbox will only let me add one YubiKey to the account.
Patreon
Patreon does not yet support using the YubiKey as 2FA. Indeed, when you click "authenticator", instead it gives you backup codes. This means Patreon is inherently weaker in security. They offer 2FA via text messages, but that's what I'm actually trying to avoid because of the risk of SIM-jacking.
Backup Phone
On nearly every account, I also made my wife's phone, not mine, the backup text in case I lose the keys. That is, every account that would let me. Website support of YubiKeys is a bit random right now. Some, like PayPal, will let me designate which phone will be the backup on-the-fly. Some will not. Some will not let me specify an alternate phone and so I have to "lie" and say my wife's phone is mine. Some will let me add her phone as the backup without deleting my own phone number off my account.
Summary
The YubiKey 5 NFC itself works very well!