
Yubico, a company that sells physical security keys for two-factor authentication, today announced the launch of the new YubiKey 5C NFC, pairing USB-C and NFC support in a single device.


According to Yubico, the YubiKey 5C NFC is the first multi-protocol security key that supports smart cards. With the NFC integration, the YubiKey 5C NFC features tap-and-go authentication that works with all major browsers and operating systems, plus it continues to offer a physical USB-C connector.

Like other devices in the YubiKey lineup, the YubiKey 5C NFC is a hardware-based two-factor authentication dongle that is designed to work with hundreds of services to make logins more secure. It's more convenient than software-based two-factor authentication because you don't need a security code. Just connect it to a USB-C device or tap it on an NFC-compatible iPhone to authenticate.

"The way that people work and go online is vastly different today than it was a few years ago, and especially within the last several months," said Guido Appenzeller, Chief Product Officer, Yubico. "Users are no longer tied to just one device or service, nor do they want to be. That's why the YubiKey 5C NFC is one of our most sought-after security keys -- it's compatible with a majority of modern-day computers and mobile phones and works well across a range of legacy and modern applications. At the end of the day, our customers crave security that 'just works' no matter what."
YubiKey 5C NFC is compatible with common password management apps like 1Password and LastPass, and it also works on the web. It supports multiple authentication protocols such as FIDO2 and WebAuthn, FIDO U2F, PIV (smart card), OATH-HOTP and OATH-TOTP (hash-based and time-based one-time passwords), OpenPGP, YubiOTP, and challenge-response, so a single key can work with multiple services and applications.

The YubiKey 5C NFC can be purchased for $55 from the Yubico website.

Article Link: Yubico Launches 'YubiKey 5C NFC' With USB-C and NFC Support
 
We used YubiKeys in our org up through last year. They’re $50+ per piece. Our security team doesn’t allow us to deprovision/reprovision them for a 2nd use once they’ve been issued to the first departing employee because they could then contain malware and be compromised, even after following Yubi’s procedures to scrub them.

Needless to say, we don’t use them anymore because if you can’t safely repurpose an IT asset during its service life, it’s a showstopper.
 
> We used YubiKeys in our org up through last year. They’re $50+ per piece. Our security team doesn’t allow us to deprovision/reprovision them for a 2nd use once they’ve been issued to the first departing employee because they could then contain malware and be compromised, even after following Yubi’s procedures to scrub them.
>
> Needless to say, we don’t use them anymore because if you can’t safely repurpose an IT asset during its service life, it’s a showstopper.

If whatever you're trying to protect isn't worth 50 USD per employee, why bother with the YubiKeys in the first place? In most organisations I've worked in, getting a new employee hired, onboarded and trained up is costed in the thousands of dollars at a minimum; 50 USD is insignificant compared to that cost, and items under 75 USD aren't tracked on our asset register.

Did you find something that's better/cheaper?
 
I have 1Password set up to require a password every so often (can't recall the length of time I set it to... but eventually my face/fingerprint stops working). If I had one of these configured for both iPhone and Mac, would I still need to re-authenticate with a password every so often, or does the device take care of that/every instance of authentication? I couldn't work it out from their page on 1Password.
 
> I have 1Password set up to require a password every so often (can't recall the length of time I set it to... but eventually my face/fingerprint stops working). If I had one of these configured for both iPhone and Mac, would I still need to re-authenticate with a password every so often, or does the device take care of that/every instance of authentication? I couldn't work it out from their page on 1Password.
Setting up two factor auth with 1Password (with a physical key or code generating app) doesn't affect the locking and unlocking of 1Password during day to day use – you keep using your Face ID/Touch ID and sometimes your master password depending on settings. The key is only used when you set up 1Password on a new device or browser.
 
> Setting up two factor auth with 1Password (with a physical key or code generating app) doesn't affect the locking and unlocking of 1Password during day to day use – you keep using your Face ID/Touch ID and sometimes your master password depending on settings. The key is only used when you set up 1Password on a new device or browser.
Thanks for the explanation, I fear that it would be a bit useless for my purposes then, as I find the existing 2FA support in 1Password to more than meet my needs. I was just looking for a way to avoid entering my password occasionally! ;)
 
> Thanks for the explanation, I fear that it would be a bit useless for my purposes then, as I find the existing 2FA support in 1Password to more than meet my needs. I was just looking for a way to avoid entering my password occasionally! ;)

The reason why 1Password requires you to re-enter the password from time to time is to prevent you from forgetting your password, which is the secret that is used to encrypt all passwords. Unless you are using a family plan, there is no way to recover your password if you forget it.

This is why it has to be done this way.
 
> We used YubiKeys in our org up through last year. They’re $50+ per piece. Our security team doesn’t allow us to deprovision/reprovision them for a 2nd use once they’ve been issued to the first departing employee because they could then contain malware and be compromised, even after following Yubi’s procedures to scrub them.
>
> Needless to say, we don’t use them anymore because if you can’t safely repurpose an IT asset during its service life, it’s a showstopper.

Then I have to say as a fellow tinfoil-hat wearer that your security team is really not smart, or really doesn't understand the YubiKey.

It is not possible* for someone to alter the code on a YubiKey once it has been programmed and sealed at the factory.

To me this would be a whistleblower moment for higher-ups. They are throwing away both a massive capital investment, and quite literally (when used properly) the best tool they have against both phishing and lateral movement in their network, because they fail to adequately understand what they are working with and do a proper risk assessment.

Stories like this anger me so much. We need the best security we can possibly get, especially in an age where so many people's personal data is being collected and stored. But no, instead of asking the right questions, doing proper research, and doing a proper risk analysis, we're going to use something inferior.

(*as with anything else, yes, I'm sure it's possible somehow, but 1. not by persons of ordinary means and 2. not without physical destruction of the device or other evidence of tampering. Your security team is flushing value down the toilet over the smallest possible chance of compromise.)
 
> If whatever you're trying to protect isn't worth 50 USD per employee, why bother with the YubiKeys in the first place? In most organisations I've worked in, getting a new employee hired, onboarded and trained up is costed in the thousands of dollars at a minimum; 50 USD is insignificant compared to that cost, and items under 75 USD aren't tracked on our asset register.
>
> Did you find something that's better/cheaper?

Aside from, as previously discussed, it's a complete waste to throw them away like that... this is also an extremely valid answer. $50 is an absolute drop in the bucket as far as the cost of onboarding goes. Frankly, if they're cycling through people so quickly that they are concerned about this, that's a red flag of a different sort. Also, if they are buying them in any sort of volume, the cost will be less.
 
> I have 1Password set up to require a password every so often (can't recall the length of time I set it to... but eventually my face/fingerprint stops working). If I had one of these configured for both iPhone and Mac, would I still need to re-authenticate with a password every so often, or does the device take care of that/every instance of authentication? I couldn't work it out from their page on 1Password.

For others that might read this: this is only if you PAY for 1Password's service. If you use local syncing, you're SOL. 1Password refuses to add physical key support to local databases.

Just like they refuse to support anything other than Dropbox in iOS.
 
USB keys had, or still have, a potential threat: firmware embedded with spying software capable of recording your password or even injecting malware. Probably this is not the case with Yubico, but after a friend had his computer compromised after using a USB key, I’m very diffident of any USB key.
 
> Thanks for the explanation, I fear that it would be a bit useless for my purposes then, as I find the existing 2FA support in 1Password to more than meet my needs. I was just looking for a way to avoid entering my password occasionally! ;)

Doesn't using 1Password for 2FA wipe out the benefits of 2FA? You have gone from someone needing to steal two things, your password and your YubiKey, to needing just one: your 1Password password.
 
> USB keys had, or still have, a potential threat: firmware embedded with spying software capable of recording your password or even injecting malware. Probably this is not the case with Yubico, but after a friend had his computer compromised after using a USB key, I’m very diffident of any USB key.

As you have discovered, like anything else in computing, not all things are created equal, and being cheap does not always end well. Anybody can create a cheap USB stick that stores passwords. Tokens are much more than that.

Properly used and reputably manufactured hardware tokens are the best defense available against phishing and man-in-the-middle attacks. For the most secure protocols, MITM becomes useless because the authentication is a cryptographic signature of a challenge presented by the authenticating agent. Even if that is intercepted, it would only be useful if the authenticating agent generated that same challenge again, predictably. The private key is never exposed from the device with these protocols, ensuring the highest level of safety possible.

Rather than avoiding hardware tokens entirely, the proper lesson here would be to make sure they are purchased from reputable vendors and support the latest protocols (WebAuthn/FIDO2).
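The challenge-signing flow the post above describes, modelled as an added Go example (this is not code from the thread, from Yubico, or from any FIDO library). It is a deliberately simplified sketch of a FIDO2/WebAuthn assertion: the Authenticator, RelyingParty and Assertion types, the signedMessage construction, and the look-alike origin examp1e.com are all assumptions made for the demo, and the real protocol signs a richer structure (authenticator data plus a hash of the client data). What it shows is the three properties the post relies on: the private key never leaves the Authenticator value, each challenge is single-use so an intercepted assertion cannot be replayed, and the origin is bound into the signed message so an assertion relayed through a look-alike site fails verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for the security key (hypothetical model, not
// Yubico code). The private key is generated inside it and there is
// deliberately no accessor that returns it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material that ever leaves the device; the
// relying party stores it at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is the token's answer to a login request.
type Assertion struct {
	RPIDHash  [32]byte // hash of the origin the browser says it is talking to
	Challenge []byte   // the server's fresh random challenge, echoed back
	Signature []byte   // ASN.1 DER ECDSA signature over signedMessage(...)
}

// signedMessage binds the challenge to the origin so a signature produced for
// one site is useless on another (simplified stand-in for WebAuthn's
// authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(rpIDHash [32]byte, challenge []byte) [32]byte {
	return sha256.Sum256(append(rpIDHash[:], challenge...))
}

// Sign models the user touching the key. The browser, not the user, supplies
// the origin, so a look-alike domain is baked into the signed data.
func (a *Authenticator) Sign(origin string, challenge []byte) (Assertion, error) {
	h := sha256.Sum256([]byte(origin))
	msg := signedMessage(h, challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: h, Challenge: challenge, Signature: sig}, nil
}

// RelyingParty is the server side: its own ID, the registered public key and
// the challenges it has issued but not yet seen answered.
type RelyingParty struct {
	id      string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func NewRelyingParty(id string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{id: id, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues 32 fresh random bytes per login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c
}

// Verify accepts an assertion only if the challenge was issued here and is
// unused, the origin matches this site, and the signature checks out.
func (rp *RelyingParty) Verify(a Assertion) error {
	key := hex.EncodeToString(a.Challenge)
	if !rp.pending[key] {
		return errors.New("unknown or already-used challenge: replay rejected")
	}
	delete(rp.pending, key) // single use, whatever happens next
	if a.RPIDHash != sha256.Sum256([]byte(rp.id)) {
		return errors.New("signed for a different origin: relayed assertion rejected")
	}
	msg := signedMessage(a.RPIDHash, a.Challenge)
	if !ecdsa.VerifyASN1(rp.pub, msg[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("example.com", auth.PublicKey())
	c := rp.NewChallenge()
	a, _ := auth.Sign("example.com", c)
	fmt.Println("genuine login:", rp.Verify(a))
	fmt.Println("replayed assertion:", rp.Verify(a))
	c2 := rp.NewChallenge()
	bad, _ := auth.Sign("examp1e.com", c2) // look-alike origin, constructed for the demo
	fmt.Println("relayed from look-alike site:", rp.Verify(bad))
}
```

Running it prints a nil error for the genuine login and a rejection for both the replay and the look-alike relay. A real authenticator adds one more layer the sketch leaves to the server: credentials are scoped to a relying party ID on the key itself, so the token would refuse to sign for examp1e.com at all rather than producing an assertion the server then rejects.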
 
> What happens if my YubiKey gets damaged? To be safe, do I need a second YubiKey as a backup?

Yes, it is highly recommended that you keep either a second YubiKey or some alternative method of access like backup codes (of course, the latter potentially lessens your overall security posture -- find the balance that works for you). Unfortunately, not all providers (Twitter and AWS immediately come to mind) even let you add multiple keys to the same account, so you'd need the latter anyway.

That said, YubiKeys are very durable. I've been using them for almost 5 years now between work and personal use, and I've never had one break or fail despite constant plugging and unplugging, and living on my keychain with other keys. That isn't to say it doesn't happen, but the reports seem to be few and far between. I would be more worried about one getting lost than damaged.
 
> We used YubiKeys in our org up through last year. They’re $50+ per piece. Our security team doesn’t allow us to deprovision/reprovision them for a 2nd use once they’ve been issued to the first departing employee because they could then contain malware and be compromised, even after following Yubi’s procedures to scrub them.
>
> Needless to say, we don’t use them anymore because if you can’t safely repurpose an IT asset during its service life, it’s a showstopper.

I volunteered at a local school system quite a few years ago to try to teach their caffeinated spawns of Satan something about computers. The word went out to the local area, "Bring all your old computers here, and they will be used to educate the children of the future".

Yeah...

One corporation donated TONS of computers! Monitors, printers, even a few servers too. It looked like someone went points shopping and scored HUGE. One big problem. I wasn't expecting hard drives to be included, but every damn one of the computers was stripped of RAM too. You know what that is, it's the stuff that forgets everything once the power is disconnected. So the school says 'How's it going? Looks like you have plenty to teach computer stuff with.' Yeah, but now I need $20,000 for memory! 'WHAT? Why?' All those computers have NO RAM installed. They are unusable. We, you, need to buy new memory to get them working. Yeah, that didn't go over well. (Plus a lot of the systems were really old PS/2 CSOs (computer shaped objects). They had token ring cards in them! One had a twinax-looking adapter too.)

So, I took them apart, and we had 'this is hardware', and they were all tossed. Sad...

Corporations do crazy stupid stuff sometimes. I hope they didn't get a tax writeoff for that gracious gift...
 