Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
65,005
33,198



Yubico, a company that makes physical security keys for two-factor authentication, today announced the launch of its Lightning-based YubiKey device that's designed to work with Apple's iPhones and iPads.

Yubico has long offered USB-A, USB-C, and NFC-based YubiKey options for PCs, Macs, and mobile devices, but this is the first time that a Lightning-based accessory has been made available.

yubico4-800x533.jpg

For those unfamiliar with YubiKey, it is a hardware-based two-factor authentication device designed to work with hundreds of services to make your logins more secure. It's often more convenient than software-based two-factor authentication because there's no need to enter a security code - just connect it and tap to authenticate.

The new YubiKey 5Ci, which was first introduced in January at CES, features a Lightning port at one end and a USB-C port at the other end, so it works with Apple's latest iOS devices and Macs, with the exception of the iPad Pro, as it is not compatible with the USB-C side at the current time.

yubico1-800x533.jpg

With the YubiKey 5Ci, users can lock down their 1Password, Bitwarden Idaptive, LastPass, and Okta apps with hardware authentication. At the current time, it also works with the Brave browser for iOS, authenticating logins from sites like Twitter, Login.gov, GitHub, Bitbucket, 1Password, and others.

yubico3-800x533.jpg

With the 1Password app, for example, you can set up two-factor authentication using the YubiKey to add an additional layer of protection for your 1Password account. This will require both your master password and your physical YubiKey to unlock your vault, with the app instructing you to plug in the YubiKey and touch the side button to confirm.


At the current time, the YubiKey 5Ci for iOS devices does not work with other apps or browsers as app developers and browser creators need to build in support. Yubico says that it is working with other developers through its Yubico Developer Program.

The USB-C side of the YubiKey works with USB-C Windows and Mac machines, and it is compatible with dozens of websites and services, with a list available on the Yubico website.

yubico2-800x533.jpg

Like other YubiKey options in the 5 series, the YubiKey 5Ci supports multiple authentication protocols, including IDO2/WebAuthn, FIDO U2F, OTP (one-time password), PIV (Smart Card), and OpenPGP.

Those interested in the YubiKey 5Ci can purchase it for $70 from the Yubico website starting today.

Note: MacRumors is an affiliate partner with Yubico. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running.

Article Link: Yubico Launches Lightning-Equipped YubiKey 5Ci for Secure Physical Authentication on iOS Devices
 

Crowbot

macrumors 68000
May 29, 2018
1,788
4,075
NYC
I like the idea but wonder how many people need this level of protection. But my biggest complaint is that there seems to be no protection for the connectors. Damage one pin and you're locked out. Maybe a case would be appropriate.
 
  • Like
Reactions: Koodauw and jent

hagjohn

macrumors 68000
Aug 27, 2006
1,796
3,562
Pennsylvania
I like the idea but wonder how many people need this level of protection. But my biggest complaint is that there seems to be no protection for the connectors. Damage one pin and you're locked out. Maybe a case would be appropriate.
I'm sure someone will make a case for it.
 

tmiw

macrumors 68030
Jun 26, 2007
2,527
605
San Diego, CA
I like the idea but wonder how many people need this level of protection. But my biggest complaint is that there seems to be no protection for the connectors. Damage one pin and you're locked out. Maybe a case would be appropriate.

For $10 (Wired subscription with free USB-A Yubikey), why not? Not sure about $70 though.
 

Crowbot

macrumors 68000
May 29, 2018
1,788
4,075
NYC
I'm sure someone will make a case for it.

Maybe it comes with one. But I don't think I'd leave it on my keychain. It just looks too fragile.
[doublepost=1566315344][/doublepost]
For $10 (Wired subscription with free USB-A Yubikey), why not? Not sure about $70 though.

This seems designed for people who need the highest level of security on their phones. Like the CIA. I trust Apple's system well enough.
 

thefarang

macrumors member
May 12, 2015
92
146
I like the idea but wonder how many people need this level of protection. But my biggest complaint is that there seems to be no protection for the connectors. Damage one pin and you're locked out. Maybe a case would be appropriate.

The USB ones hold up pretty well. I was concerned too but I've had mine on my keychain for a year now and it works fantastically. Lightening pins? We'll see, I guess. USB-C side, not too much of a worry. They already make one of those and I haven't heard anybody complaining about it holding up to being on your keychain full time.
[doublepost=1566322737][/doublepost]
What if you lose the key?

I think it's a bit unfortunate that YubiCo doesn't do a better job at explaining that most people should buy two devices. One as your primary and one as your backup. Most sites will let you register multiple keys so you can lose or destroy one key and use your backup.

That said, sites like Twitter only allow you to use one key so it's pointless because if you lost your key or it was damaged, you would be locked out of your Twitter account.

Personally, I have 3 devices and will probably buy one of these. I have two of the YubiKey5 and one YubiKey4 that I got from Wired.

I keep one at home near my computer in case I need it, one in my wallet, and one on my keychain. I use the keychain 99% of the time. The wallet is mostly an emergency backup and the one at home is when I'm too lazy to go in the other room and get my keychain :)

Overall, my biggest complaint about the whole Yubikey security strategy is that more sites don't use it.

It's frustrating that none of my banks or brokerage firms support it. Most still use SMS, which is famously flawed.

Maybe it comes with one. But I don't think I'd leave it on my keychain. It just looks too fragile.
[doublepost=1566315344][/doublepost]

This seems designed for people who need the highest level of security on their phones. Like the CIA. I trust Apple's system well enough.

It's not about the security on your phone, it's about the security of your accounts. This particular product integrates with Apple's lightening connector but the idea is that in order to log into any of your accounts, you have to have a physical device (i.e. the Yubi key).

When I log into Gmail, I have to have they key. When I log into login.gov (where they have tons of sensitive info about users), you have to have the key.

You might even think about it as being a physical form of being sent a verification code. But instead of waiting for a text message or push notification, you insert your key, click the button, and you're verified.
 
Last edited by a moderator:

justperry

macrumors G5
Aug 10, 2007
12,595
9,875
I'm a rolling stone.
The USB ones hold up pretty well. I was concerned too but I've had mine on my keychain for a year now and it works fantastically. Lightening pins? We'll see, I guess. USB-C side, not too much of a worry. They already make one of those and I haven't heard anybody complaining about it holding up to being on your keychain full time.
[doublepost=1566322737][/doublepost]

I think it's a bit unfortunate that YubiCo doesn't do a better job at explaining that most people should buy two devices. One as your primary and one as your backup. Most sites will let you register multiple keys so you can lose or destroy one key and use your backup.

That said, sites like Twitter only allow you to use one key so it's pointless because if you lost your key or it was damaged, you would be locked out of your Twitter account.

Personally, I have 3 devices and will probably buy one of these. I have two of the YubiKey5 and one YubiKey4 that I got from Wired.

I keep one at home near my computer in case I need it, one in my wallet, and one on my keychain. I use the keychain 99% of the time. The wallet is mostly an emergency backup and the one at home is when I'm too lazy to go in the other room and get my keychain :)

Overall, my biggest complaint about the whole Yubikey security strategy is that more sites don't use it.

It's frustrating that none of my banks or brokerage firms support it. Most still use SMS, which is famously flawed.

Thanks for taking your time to answer my question.

My one and only bank uses a random reader, much better than a normal User Login, Just a year ago I was "forced" to use another bank, just the usual Login procedure, I don't get why many banks don't use a safer way to login like the one above.

I find the price steep, it should be a LOT cheaper and ubiquitous.
 

thefarang

macrumors member
May 12, 2015
92
146
I find the price steep, it should be a LOT cheaper and ubiquitous.

Agree, I was surprised by the $70 price tag. Most of their other keys are $50-ish. But, then again, they are single-purpose keys. They have regular USB and USB-C but they are separate devices. This is USB-C + lightening so maybe they got Apple taxed.
 

Crowbot

macrumors 68000
May 29, 2018
1,788
4,075
NYC
It's not about the security on your phone, it's about the security of your accounts. This particular product integrates with Apple's lightening connector but the idea is that in order to log into any of your accounts, you have to have a physical device (i.e. the Yubi key).

When I log into Gmail, I have to have they key. When I log into login.gov (where they have tons of sensitive info about users), you have to have the key.

You might even think about it as being a physical form of being sent a verification code. But instead of waiting for a text message or push notification, you insert your key, click the button, and you're verified.

This is something like the token systems. I guess I would have to put a Tile to keep track it. ;)
 

konqerror

macrumors 68020
Dec 31, 2013
2,298
3,701
This particular product integrates with Apple's lightening connector but the idea is that in order to log into any of your accounts, you have to have a physical device (i.e. the Yubi key).

You might even think about it as being a physical form of being sent a verification code. But instead of waiting for a text message or push notification, you insert your key, click the button, and you're verified.

The additional advantage of U2F/FIDO2 over text message is it has anti-phishing and MITM protections. The protocol is a 2-way protocol that authenticates the server requesting the token. OTP and SMS doesn't offer this, and SMS has been banned in places due to SIM swap attacks.

Also, FIDO2 eliminates the username and password step, so it's one click and go. For FIDO2, there are advantages to the biometric or pin-verified tokens.

I find the price steep, it should be a LOT cheaper and ubiquitous.

That's what you get for buying an Apple-compatible version. The non-Apple Yubikey FIDO2 token is $24 for USB+NFC for Android, and $17 for USB-only. That's all you need unless you're dealing with the more esoteric PIV/PGP stuff.
 

Monstieur

macrumors member
Oct 16, 2018
49
47
I like the idea but wonder how many people need this level of protection. But my biggest complaint is that there seems to be no protection for the connectors. Damage one pin and you're locked out. Maybe a case would be appropriate.
You can add a Windows Hello or Android device as an additional / backup security key now that both platforms are FIDO2 certified. You can also buy the cheaper Security Key as a spare.
 

Crowbot

macrumors 68000
May 29, 2018
1,788
4,075
NYC
You can add a Windows Hello or Android device as an additional / backup security key now that both platforms are FIDO2 certified. You can also buy the cheaper Security Key as a spare.

I was only commenting on the perceived (by me) fragility of a device with such importance. I'd feel better if they just put the dongle in a slide out case like this. Tempting as it may be, I wouldn't put it on my keyring. (eggs and baskets)

61EUa0WpDlL._AC_UL640_QL65_.jpg
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.