...an iPhone or Apple Watch is a multi-purpose device that is locked with biometric authentication or wrist monitoring (with a very strong passcode)...

Which iPhone model uses biometrics to lock/unlock?

I only have the iPhones that are locked/unlocked with a simple passcode, with an additional convenience function that may allow FaceID or TouchID to be used some of the time, but never after a restart. The passcode remains the master at all times.

o_O
 
Will these work with an adapter? For instance, a USB-C to Lightning. If I got a Yubico key with USB-C and the iPad has a Lightning port, will I be able to use an adaptor?
I don’t *think* it will work with an adapter because of MFi (Made For iPod) certification. I got a YubiKey 5C NFC and a 5Ci, which has USB C and MFi compatible lightning for my iPad Air3. The 5Ci does not include NFC support. You may want to verify for yourself whether this is actually the case.
 


With the launch of iOS 16.3 and macOS 13.2 Ventura, Apple added Security Keys for the Apple ID, offering a more robust way to protect your Apple account and everything associated with it.

A Security Key is a physical device that works with two-factor authentication. Instead of using a code generated by a secondary Apple device for authentication, when you log into your Apple ID on another device after setting up Security Keys, you need to authenticate through a physical key that is actually plugged into (or, for NFC keys, held against) your device.

You can use any FIDO Certified security key to activate the feature, and Apple recommends the YubiKey 5C NFC and the YubiKey 5Ci, two devices sold by Yubico. Yubico sent me a pair of its security keys so that I could try them out with Apple's Security Key function.

The YubiKey 5Ci has a USB-C connector and a Lightning connector so that it can be plugged into iPhones, iPads, Macs, and other devices that use these connectors, while the YubiKey 5C NFC has a USB-C connector and the ability to interface with NFC-enabled devices.

With Apple eliminating the Lightning port in the iPhone this year and because I don't own any devices without NFC, I opted for the YubiKey 5C NFC for futureproofing, but if you plan to have an iPhone or an iPad with a Lightning port for an extended period of time, the 5Ci might be the better option if you're interested in using Security Keys.

Security Keys can be set up on the iPhone, iPad, or Mac. Note that whatever security key product you pick, you have to have two, not just one. Apple requires dual security keys for redundancy purposes, and Yubico recommends a pair as well. The reason is that if you lose your physical security key and don't have another in a safe place, you're going to lose access to your Apple ID. You're going to want to store the Security Keys in two separate locations.

On an iOS device or Mac, Security Keys can be enabled through the Password and Security section of the Settings app. Before you can add a Security Key, you need to sign out of all inactive devices, which includes devices that you have not used in the last 90 days. Older devices won't support Security Keys at all.

I had to go through this process, and I want to note that it didn't quite work properly (which is not the YubiKey's fault). Apple's process signed me out of the unsupported devices or devices I had not logged into, but then the Security Keys setup would not progress. I swapped over to the Mac to continue, and had better luck.

The setup process required me to connect the security key, which I did using USB-C, and then I had to press on the key to get the Mac to recognize it. Apple had me give it a name, and then repeat the process to add the second security key.

After that, I was instructed to review my list of active devices and choose whether to sign out of any of them. There was an option to stay signed in to everything, which is what I selected. Following the setup process, Apple instructed me to store the keys separately and in a safe place, and clarified that I can add additional keys in the future.

There's also a single line on the bottom of the setup screen that makes it clear Apple has no way to help access an account that is tied to a security key if both keys are lost, a warning that should probably be in bolder text. Apple sends an email about the Security Key setup process, and in both Mac and iOS settings, I can view my connected Security Keys and remove them.

When I attempt to sign in to my Apple ID on the Mac, I'm instructed to insert and activate one of my security keys. This process requires inserting the key into a USB-C port and pressing on it to activate it. I receive notifications across all of my devices when a login attempt is made.

On an iPhone, the login process is similar, but the YubiKey needs to be held near the iPhone's NFC reader (the top of the device) and activated for authentication. In general, it's a simple process on every Mac, iPhone, and iPad I've tested it with. All of my devices are running iOS 16.3 or later or macOS Ventura 13.2 or later, and they all support USB-C or NFC. On devices that are not updated or do not support USB-C/NFC, the process might not be as seamless and could require adapters.

My major worry activating Security Keys is that I'm going to lose one. YubiKeys and other security keys are small, unobtrusive, and easy to lose since they're designed to be kept secret and hidden. The YubiKey has a hole at the top for a keyring, so I'm going to add a keyring to one that will remain in a secure place in my office, and the second will go somewhere safer.

Two-factor authentication with a physical security key is more secure than authentication with a digital code, according to Apple, but it's a little riskier. I can't track my YubiKeys if they're lost, but I can track down all my secondary Apple devices if I should lose one and need it for a code. That said, the authentication process is super easy, and it's even quicker than getting a code from another Apple device.

YubiKeys don't need to charge and seem to be durable so far based on anecdotal reports from YubiKey users, which is good because I'm also worried about breaking one. Ultimately, I think I may add a third key to my account just for another layer of protection, since there's little chance I'll lose or break three at one time. There's an IP68 water resistance rating so it can hold up to liquid immersion, and it has a storage temperature of -4 °F to 185 °F.

You won't need an app to use a YubiKey for some services (like with an Apple ID or Twitter), but for others, the Yubico Authenticator will need to be installed. The Yubico Authenticator is like Google Authenticator or Authy, except that the one-time codes it generates come from credentials stored on the YubiKey rather than on the phone.

I was not able to set up the YubiKey with Instagram because Instagram's authentication process plus the Yubico app simply would not work. The app would not recognize the key, so be aware that there may be some troubleshooting involved. There are limitations with the YubiKey in terms of supported accounts. It can store up to 25 FIDO2 credentials for password-free logins, two OTP credentials, 32 OATH credentials for one-time passwords (when paired with the Yubico Authenticator), and an unlimited number of U2F credentials. If you have more than 32 accounts where you need one-time passwords, the YubiKey might not be the best solution because it only holds 32 of those credentials.

In addition to an Apple ID, the YubiKey works with other websites and services with two-factor authentication. Google, Microsoft, 1Password, LastPass, Facebook, Twitter, Instagram, bitcoin wallets, government accounts, and a bunch more are all supported.

Bottom Line

If you're aiming to better secure your Apple ID through physical authentication using the Security Keys feature, the YubiKey series is worth looking at. It offers better protection than you'll get through digital codes, but it is expensive and there are some limitations to be aware of if you want a multi-purpose physical authenticator.

How to Buy

The YubiKey 5C NFC that I used in this review is priced at $55, and it can be purchased from the Yubico website. The YubiKey 5Ci with Lightning connector and USB-C connector is priced at $75.

Article Link: Review: Yubico's 5C NFC YubiKey Works Well With Apple's Security Keys Feature
I have been using YubiKeys since v2 or v3 of their keys. Love them. They are essentially unbreakable. However, I would never get a YubiKey 5Ci. Those are fragile and easily break if you leave them on a keychain. I've had multiple 5Cis break. Never get a 5Ci.
 
Even setting aside the apparent preference for a George Costanza wallet, an iPhone or Apple Watch is a multi-purpose device that is locked with biometric authentication or wrist monitoring (with a very strong passcode) and can be remotely disabled or wiped if lost or stolen. A Yubikey is an additional item that does not have any built-in protection against use by unauthorized parties, visually announces that it is a key guarding something valuable, and is still dependent on software/services which could decide to introduce usage fees. In my view, having my existing devices act as 2FA for each other still wins out over adding a Yubikey to the mix, just as having my password manager app generate time-dependent passcodes is preferable to bringing back the old SecurID keychain fobs.
Apple clearly indicates that hardware keys are intended to prevent phishing attacks. They have no real purpose if someone has physical possession of the device and the passcode. So as long as one doesn't fall prey to a targeted attack, the hardware keys are definitely less convenient to use than a regular OTP authenticator app. But the trade-off has always been convenience over security.
 
I have a simple question.

Can YubiKey cut off your access if YubiKey does not like your political beliefs or if the government requests it?

Added: Oh and does NSA or other TLA have a back door into the security code?
 
They make a cheaper one for $29 that will work. There are other brands out there too.

Awesome! I just need to find out if they will work with a Lightning adaptor (Lightning to USB-C). We have 1 iPad with Lightning and no NFC. I don’t want to get a key for one thing that has Lightning, because that will probably get replaced in a year.

I hope I can use 1 key for 2 Apple ID accounts. I was thinking about getting 3 keys, one for each of us, and the 3rd for both accounts as a backup.

I believe it will work with an adapter as all it should be doing is reading a certificate from ROM so there’s nothing special hardware-wise.
 
I have a simple question.

Can YubiKey cut off your access if YubiKey does not like your political beliefs or if the government requests it?

Added: Oh and does NSA or other TLA have a back door into the security code?

I don’t think so. Basically what the hardware key is, is a private key in read-only memory. Just like any other private key it’s just used as the basis to validate your public key that is in the accounts you use it with. I don’t believe there is any sort of revocation. Once you have the private key the negotiation is between that key and the services you use it with.

As far as the NSA, if the NSA is after you, you are ****ed. But the NSA is not after you, because you wouldn’t be asking that question.

Whether the government has backdoors into systems is kind of outside the scope of this. The key is not the weak point. You and the services you use are the weak point. If the FBI wants it they will knock your door down at 4 AM and take it.
 
......
Whether the government has backdoors into systems is kind of outside the scope of this. The key is not the weak point. You and the services you use are the weak point. If the FBI wants it they will knock your door down at 4 AM and take it.
This I don't understand. So a criminal can do the same thing? That is 'take the key'. I don't see anything here that does anything extra from what a strong password will do. So what is the security problem it solves again.

Since the keys are hardware how do we know the secret is not kept on file at Yubico?

Oh, and they are from Sweden, so the US government does not even have to break US law to get your info.
 
This I don't understand. So a criminal can do the same thing? That is 'take the key'. I don't see anything here that does anything extra from what a strong password will do. So what is the security problem it solves again.

Since the keys are hardware how do we know the secret is not kept on file at Yubico?
The key cannot phone home.
 
The key cannot phone home.
Right, but it’s public/private key cryptography. The keys come preloaded with a private key and provide the public key when connected to a device. So theoretically yubi could be storing all the private keys when they create devices.
 
This I don't understand. So a criminal can do the same thing? That is 'take the key'. I don't see anything here that does anything extra from what a strong password will do. So what is the security problem it solves again.

Since the keys are hardware how do we know the secret is not kept on file at Yubico?

Oh, and they are from Sweden, so the US government does not even have to break US law to get your info.
They are solving the problem of “second factor” in “multi factor” authentication. If you lose your password and the attacker doesn’t have physical access to your device/key, you are safe. If you lose your physical key but not your password, you are safe.

Authentication factors are simple: something you have (hardware key), something you know (password), something you are (biometric, considered less secure but still good enough for many).
 
Right, but it’s public/private key cryptography. The keys come preloaded with a private key and provide the public key when connected to a device. So theoretically yubi could be storing all the private keys when they create devices.

Some keys are bound cryptographically to the hardware that they were generated on. Maybe that's the case here, and the keypair won't validate when on other hardware?

I know SSH keys are not bound that way, but maybe these are?
 
I got three YubiKeys, with one on my car keys, another on a lanyard and the third permanently on my iMac.

Great experience thus far and looks to cover all possible scenarios that I have come across
I’m not sure keeping the key constantly attached to a device which in turn can access all the accounts on the key is really the best way of operating your syssec regime. Having another million discreetly hidden across the planet wouldn’t make a bit of difference. I recommend not leaving attached permanently.
I have been arguing with USAA for years now to support FIDO (they have good phone-based customer support). Based on forum comments on this topic I am not alone. I use three different banks (2 banks, 1 S&L). None support FIDO although the S&L has their own hardware key. It appears this is common for banks and S&Ls. WTH. Does anyone know why banks (which I think for most consumers are the most important login) REFUSE to support FIDO?? USAA forces one to use 2FA via mobile phones... Yeah super secure USAA. Appreciate your insights.
Banks are laughably insecure with their passwords and other security methods. My bank requires a 4 digit pin to ok a purchase. What a joke.
like at $9.99 (which is average price of 1 TB usb drive
Is it? That seems cheap. It’s certainly not expensive here but not that low for a TB. In fact, 1 TB USB keys aren’t even that easy to find.
 
I know I might be in the minority here but…..

$55?!?!?!?? THAT’S OVERPRICED!!!!!!! (LET ALONE YOU NEED TWO SO ITS $110 TOTAL!!!!!!!!!)


If companies want security keys to become the norm for logins, they need to convince the companies that make the security keys to lower the price. I know there’s a lot of components needed to make the device secure but average consumers don’t care about that. They want it at an affordable price, like $9.99 (which is the average price of a 1 TB USB drive; at $110, I can buy 10 of those, which is not necessary).
If your account/data isn’t worth $110 don’t buy them. It’s as easy as that.
 
If your account/data isn’t worth $110 don’t buy them. It’s as easy as that.
Sure. But there are other ways to do a similar thing, 110 IS expensive comparatively. With strong passcodes and regular 2FA it’s as secure. If you do it properly. For the average person (for example the person above that keeps it plugged in to their mac) it’s either not done properly regardless of the method, or it’s worth it comparatively, or they choose another method and do that properly instead.
 
Apple is trying to get rid of your wallet and keyring. These keys seem like a step backwards.
Good. Not taking my physical wallet, physical keys, nor physical money. If you can’t hold it, you don’t own it.
 
I have a simple question.

Can YubiKey cut off your access if YubiKey does not like your political beliefs or if the government requests it?

Added: Oh and does NSA or other TLA have a back door into the security code?

The YubiKey is a static device. It has a public and private key. The only interaction you might have with Yubico after you enroll the key is through a Yubico app, and those are not required. Relax. It's not an active device.
 
I never understood why Apple never made a thumb drive or SD computer login, so I could effectively just carry my user folder around with me and log on to any Mac without leaving a user folder on every computer I use. This would be great for students.
 
I'm just curious, wouldn't this make stealing everything you own as simple as stealing something on your keyring?

If people are concerned about an iPhone being stolen, stealing this would make things MUCH harder to fix as Apple themselves won't be able to get you back in.

Not looking to argue, I am seriously asking why this would be better than a long passcode that you can remember?
You still need a password to get into an account. I have one for my email, but that just stays home anyways.
 
I'm just curious, wouldn't this make stealing everything you own as simple as stealing something on your keyring?

If people are concerned about an iPhone being stolen, stealing this would make things MUCH harder to fix as Apple themselves won't be able to get you back in.

Not looking to argue, I am seriously asking why this would be better than a long passcode that you can remember?
The hardware key Apple introduced is basically for authenticating new devices, as far as I am aware. It is not needed on a daily basis with the phone.
 
The hardware key Apple introduced is basically for authenticating new devices, as far as I am aware. It is not needed on a daily basis with the phone.
Correct. After a device is once authenticated you don't need the key. If you want to make changes to your account, or add new devices, then it becomes relevant. It is mainly a phishing protection. There are plenty of videos that show how to bypass 2FA (E-Mail, SMS, Regular 2FA App). Security was and is always somehow inconvenient.
 
Which iPhone model uses biometrics to lock/unlock?

I only have the iPhones that are locked/unlocked with a simple passcode, with an additional convenience function that may allow FaceID or TouchID to be used some of the time, but never after a restart. The passcode remains the master at all times.

o_O
Yeah, in this universe we call FaceID and TouchID biometric unlock, as in, your phone requires authentication either via one of those “biological metric” measurements or your master passcode. Which, by the way, has offered for a very long time the option to be way more complex than the 6-digit default. 😏
 
Apple clearly indicates that hardware keys are intended to prevent phishing attacks. They have no real purpose if someone has physical possession of the device and the passcode. So as long as one doesn't fall prey to a targeted attack, the hardware keys are definitely less convenient to use than a regular OTP authenticator app. But the trade-off has always been convenience over security.
I agree with most of that—and of course, we’re likely all screwed against really targeted attacks—but it just seems like the security gain from a hardware key is rather minimal in exchange for its inconvenience (true, good security doesn’t care about my whiny complaints there) and the additional, if rather inaccessible, attack surface that it does represent. A random pickpocket might not be able to reset my accounts without my password, but I can’t do anything either until I retrieve the Yubikey or a backup; worse, it’ll cooperate fully with whoever happens to physically possess it, so if I forget it plugged into or near a logged-in terminal, the key won’t simply lock itself after some inactive period and I can’t send a remote lock command until I get to one of my other keys. Even according to Yubico, the primary difference between a hardware key and a passkey is that passkeys are by default copyable—and that seems like something that could be set to 90+% certainty in software alone, 99+% with hardware integration a la Secure Enclave. (Please correct me if I’m wrong, I’d love to learn!) It’s a niche application, but I wouldn’t be surprised if Apple closes the gap with some sort of device-to-device authentication—and it would also help drive hardware sales, conveniently…
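Several posts above describe the key as "a private key on read-only memory" and its main benefit as phishing protection. The Python model below is an added illustration, not code from the article, Yubico or Apple; it follows the FIDO2/U2F design in which a single device secret never leaves the key, a separate key pair is derived per service at registration, only the public key is handed over, and each sign-in signs the service's own identifier plus a fresh challenge, so an assertion collected by a look-alike site verifies nowhere. The user name, domains and the toy Schnorr signature scheme are constructed for the demo.

```python
import hashlib
import hmac
import secrets
# Toy Schnorr signatures mod a Mersenne prime: demo-sized arithmetic only.
# Real FIDO2 keys sign with ECDSA P-256 or Ed25519; the protocol shape is the same.
P, G = 2 ** 127 - 1, 3
ORDER = P - 1
def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def sign(x, msg):
    k = secrets.randbelow(ORDER - 1) + 1
    e = _h(pow(G, k, P).to_bytes(16, "big"), msg) % ORDER
    return e, (k - x * e) % ORDER

def verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P       # equals G**k when the signature is genuine
    return _h(r.to_bytes(16, "big"), msg) % ORDER == e

class ToyAuthenticator:                          # one device secret that never leaves the key
    def __init__(self):
        self._device_secret = secrets.token_bytes(32)
    def _private_key(self, rp_id, cred_id):      # per-service key derived on demand, stored nowhere
        mac = hmac.new(self._device_secret, rp_id.encode() + cred_id, "sha256").digest()
        return int.from_bytes(mac, "big") % ORDER
    def make_credential(self, rp_id):
        cred_id = secrets.token_bytes(16)        # kept by the service, not by the key
        return cred_id, pow(G, self._private_key(rp_id, cred_id), P)
    def get_assertion(self, rp_id, cred_id, challenge, touched):
        if not touched:                          # the press on the key = user presence
            return None
        msg = hashlib.sha256(rp_id.encode()).digest() + challenge
        return sign(self._private_key(rp_id, cred_id), msg)

class RelyingParty:                              # the service; holds only public keys
    def __init__(self, rp_id):
        self.rp_id, self.users = rp_id, {}       # user -> (password, cred_id, public_key)
    def register(self, user, password, key):
        cred_id, pub = key.make_credential(self.rp_id)
        self.users[user] = (password, cred_id, pub)   # toy: real code stores a password hash
    def login(self, user, password, challenge, assertion):
        pw, _, pub = self.users[user]
        if pw != password or assertion is None:  # both factors are required
            return False
        msg = hashlib.sha256(self.rp_id.encode()).digest() + challenge
        return verify(pub, msg, assertion)

def run_scenarios():
    key, rp = ToyAuthenticator(), RelyingParty("appleid.apple.com")
    rp.register("alice", "correct horse", key)
    cred_id = rp.users["alice"][1]
    ch = secrets.token_bytes(32)                 # fresh server challenge per login
    genuine = key.get_assertion(rp.rp_id, cred_id, ch, touched=True)
    # Phishing: a look-alike site relays the real challenge, but the browser hands
    # the key the look-alike's rp_id, so a different derived key signs it.
    phished = key.get_assertion("appleid-apple.example", cred_id, ch, touched=True)
    return {
        "password_and_key": rp.login("alice", "correct horse", ch, genuine),
        "password_only": rp.login("alice", "correct horse", ch, None),
        "key_without_password": rp.login("alice", "wrong", ch, genuine),
        "phished_assertion": rp.login("alice", "correct horse", ch, phished),
        "no_touch": key.get_assertion(rp.rp_id, cred_id, ch, touched=False) is None,
    }
```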
 