YubiKey

Overview

YubiKey is a hardware security key manufactured by Yubico, a Swedish-American company founded in 2007. It provides phishing-resistant two-factor authentication by using cryptographic protocols that are bound to the specific website you are authenticating with. Even if you are tricked into entering your password on a fake website, the YubiKey will not authenticate because the domain does not match the registered service.

The key is a small, durable device that connects via USB or NFC. It requires no batteries, no drivers, and no software installation on most platforms.

How It Works

When you register a YubiKey with a service, the key generates a unique cryptographic key pair for that site. During authentication, the service sends a challenge that only your physical YubiKey can respond to. The FIDO2/WebAuthn protocol ensures that the key will only respond to the legitimate website, making phishing attacks virtually impossible. You simply touch the key when prompted, and authentication completes in under a second.

Who Should Use It

Everyone who can afford one should use a YubiKey, but it is especially important for high-value accounts such as email, cloud storage, password managers, and financial services. Buy at least two keys and register both with every account so you have a backup. At 25-55 pounds for a key that lasts years with no subscription, it is one of the best security investments you can make.