Unfortunately for everyone, we're stuck with passwords for the foreseeable future—despite their being bad and humans being very bad at them.
The Security Key NFC by Yubico aims to go beyond password-only security by adding hardware authentication in the form of a slim USB device, and at a fraction of the price.
It can even talk to your phone—a rare feature for a device this affordable.
Unfortunately, limited support on the iPhone and from other services reduces the utility of this product.
That might change in the future, and for now it does just about everything it's supposed to.
How Two-Factor Authentication Works
The Security Key NFC is a device for two-factor authentication (2FA).
In practice, this means a second step you perform to authenticate yourself after you enter a password.
But technically the two in 2FA comes from using any two methods of authentication from a list of a possible three:
Something you know,
Something you have, and
Something you are.
A password, which should be secured in a password manager and not in your fallible head, is something you know.
A security key or an authenticator app is something you have.
Using biometrics such as fingerprints is something you are.
When you combine two of these authenticators, it becomes much harder for an attacker to gain access to your account, since an attacker is unlikely to have both of them.
Hands On With the Security Key NFC by Yubico
The Security Key NFC is a slim USB key, clad in textured blue plastic.
In shape and color, it's identical to the Yubico Security Key, except for a few cosmetic changes.
The Security Key NFC doesn't have the engraved numeral 2, seen on the original Yubico Security Key, and it adds semi-circle glyphs around an image of a key in the center of the gold, touch-sensitive disk.
This hints at the NFC communication within.
At $27, the Security Key NFC is also slightly more expensive than the original Security Key.
It's still very affordable compared to the rest of the Yubikey line, however.
The Security Key NFC is a svelte 18mm by 45mm by 3.3mm, and weighs only 3.6 grams.
It's small and thin enough to hang unobtrusively with my keys on a ring.
It uses a flat, exposed USB-A connector at one end and metal-reinforced hole at the other for a key ring.
I had no trouble enrolling Security Key NFC with Google and Twitter accounts.
The process is simple: find the portion of account settings for security keys, plug in the key, and then tap the illuminated gold circle when prompted.
That's it! Once I enrolled it, using the Security Key NFC to authenticate myself to these accounts was just as easy.
I entered my password, and inserted and tapped my Security Key NFC when the site instructed me.
The NFC capability of the Security Key NFC is its major selling point, so I tested the device with both a Pixel XL phone running Android 9 and an iPhone XR running the latest version of iOS 12.
Unfortunately, my results with these mobile devices were a mixed bag.
I had my best experience logging into my Google account via the Android settings menu.
After entering my username and password, I was prompted to hold my key against the back of my phone and wait for it to vibrate.
I had some trouble finding the sweet spot, but eventually the phone buzzed and I was authenticated.
Simple!
Unfortunately, other sites and devices don't support NFC authentication just yet.
Trying to log in to the Twitter app generated an error saying the browser wasn't compatible with my key.
I had the same issue trying to log into Google and Twitter through the Android Chrome browser.
On the iPhone, I saw the same error message in every context I tried to use the Security Key NFC—nowhere on the iPhone was I able to use it to log in.
This sounds bad, but it's not really a fault of the Security Key NFC.
It works exactly the way it's supposed to.
The problem is hardware manufacturers like Apple and a surprising amount of software doesn't support FIDO2 authentication via NFC.
Yubico confirmed that my experience on iPhone with the Security Key NFC was to be expected.
My company contact at Yubico explained that the iPhone's NFC functionality does not yet support FIDO2/U2F, which is part of why the company is developing a Lightning port security key.
Granted that doesn't explain why Twitter or Chrome refused to play nice with the Security Key NFC.
It's frustrating, because both allowed me to log in when connected the Security Key NFC via USB.
During this testing I relied heavily on the credentials stored in LastPass, which I secure with a YubiKey Series 5 key.
Notably, I was able to log in to the LastPass app using the Series 5 NFC capabilities.
However, LastPass uses one-time passwords (OTP) generated by the YubiKey, and not the FIDO2/U2F standard used with the Security Key NFC.
How Does This Key Compare?
The Security Key NFC is Yubico's second stab at creating a low-cost device that works with the FIDO2/U2F standard.
The first, the aptly named Security Key, costs slightly less at $20.
The Nitrokey FIDO U2F is an open-source competitor that isn't quite as sleek, doesn't support FIDO2, and costs $25.
The open-source pedigree is the real challenge the Nitrokey brings.
The rest of the YubiKey family is more capable, and more expensive.
The YubiKey 5 series comes in four flavors: The YubiKey 5 NFC for $45, the YubiKey 5 Nano for $50, the YubiKey 5C also for $50, and the YubiKey 5C Nano for $60.
The main difference between these devices is size, connector, and wireless connectivity.
Beyond that, they're mostly identical.
All four support FIDO2/U2F, like the two blue Security Keys, but the 5 series also supports OTP, OATH (HOTP and TOTP), Smart Card, and OpenPGP.
A forthcoming Yubikey device will feature an Apple Lighting connector on one side and a USB-C connector on the other, making it fully compatible with most mobile devices without requiring support for NFC authentication.
Google has its own offering with the Titan Security Key bundle.
This $50 set includes two security keys, one a flat USB-A device similar to a the Security Key NFC, and a battery-powered key fob that uses bluetooth and micro USB.
While capable, the Titan keys only support FIDO U2F, and are comparably quite expensive, despite doubling the number of keys.
Yubikey tells me the company intentionally avoided Bluetooth.
The company felt that the battery requirements made it less durabe and the wireless communication made it less secure.
Plenty of Potential
I was really excited when the Security Key NFC was announced.
I loved the simplicity of the original Security Key, and felt that the inclusion of NFC was well worth adding seven dollars to the price tag.
Unfortunately, the Security Key NFC is hamstrung by the support of the hardware and software that's supposed to work with it.
On iPhone it's completely unusable until Apple expands support for FIDO2/U2F, and I only found it to be partly usable on Android.
This is particularly frustrating because there's nothing wrong with the Security Key NFC.
It works just fine! But the stuff it's supposed to work with doesn't accept wireless communication.
As a USB security key, it works flawlessly.
That's disappointing, but hopefully it won't be the end of the story.
If support improves on mobile for the Security Key NFC, it could easily become a must-have item.
For now, we continue to recommend the original Security Key, which provides the unmatched security of a physical authenticator with support for a popular authentication protocol, at an impulse-purchase price.
It's a Daxdi Editors' Choice.
If you want to go further, the YubiKey 5 NFC is a veritable Swiss Army knife of authentication, but probably overkill for the average consumer.
And if you're a major supporter of open-source technology, the Nitrokey FIDO U2F is your best bet.
Security Key NFC by Yubico
Pros
Affordable.
Supports FIDO2 and FIDO U2F, used by Google, Twitter, Facebook, and others.
Durable.
Supports NFC.
View More
Cons
Limited by lack of support on mobile devices, especially iPhone.
Doesn't support other 2FA or encryption features.
Won't work with LastPass.
The Bottom Line
The Security Key NFC doesn't have all the tricks of its YubiKey cousins, but it supports the most popular method of two-factor authentication and can communicate with mobile devices via NFC.
Unfortunately for everyone, we're stuck with passwords for the foreseeable future—despite their being bad and humans being very bad at them.
The Security Key NFC by Yubico aims to go beyond password-only security by adding hardware authentication in the form of a slim USB device, and at a fraction of the price.
It can even talk to your phone—a rare feature for a device this affordable.
Unfortunately, limited support on the iPhone and from other services reduces the utility of this product.
That might change in the future, and for now it does just about everything it's supposed to.
How Two-Factor Authentication Works
The Security Key NFC is a device for two-factor authentication (2FA).
In practice, this means a second step you perform to authenticate yourself after you enter a password.
But technically the two in 2FA comes from using any two methods of authentication from a list of a possible three:
Something you know,
Something you have, and
Something you are.
A password, which should be secured in a password manager and not in your fallible head, is something you know.
A security key or an authenticator app is something you have.
Using biometrics such as fingerprints is something you are.
When you combine two of these authenticators, it becomes much harder for an attacker to gain access to your account, since an attacker is unlikely to have both of them.
Hands On With the Security Key NFC by Yubico
The Security Key NFC is a slim USB key, clad in textured blue plastic.
In shape and color, it's identical to the Yubico Security Key, except for a few cosmetic changes.
The Security Key NFC doesn't have the engraved numeral 2, seen on the original Yubico Security Key, and it adds semi-circle glyphs around an image of a key in the center of the gold, touch-sensitive disk.
This hints at the NFC communication within.
At $27, the Security Key NFC is also slightly more expensive than the original Security Key.
It's still very affordable compared to the rest of the Yubikey line, however.
The Security Key NFC is a svelte 18mm by 45mm by 3.3mm, and weighs only 3.6 grams.
It's small and thin enough to hang unobtrusively with my keys on a ring.
It uses a flat, exposed USB-A connector at one end and metal-reinforced hole at the other for a key ring.
I had no trouble enrolling Security Key NFC with Google and Twitter accounts.
The process is simple: find the portion of account settings for security keys, plug in the key, and then tap the illuminated gold circle when prompted.
That's it! Once I enrolled it, using the Security Key NFC to authenticate myself to these accounts was just as easy.
I entered my password, and inserted and tapped my Security Key NFC when the site instructed me.
The NFC capability of the Security Key NFC is its major selling point, so I tested the device with both a Pixel XL phone running Android 9 and an iPhone XR running the latest version of iOS 12.
Unfortunately, my results with these mobile devices were a mixed bag.
I had my best experience logging into my Google account via the Android settings menu.
After entering my username and password, I was prompted to hold my key against the back of my phone and wait for it to vibrate.
I had some trouble finding the sweet spot, but eventually the phone buzzed and I was authenticated.
Simple!
Unfortunately, other sites and devices don't support NFC authentication just yet.
Trying to log in to the Twitter app generated an error saying the browser wasn't compatible with my key.
I had the same issue trying to log into Google and Twitter through the Android Chrome browser.
On the iPhone, I saw the same error message in every context I tried to use the Security Key NFC—nowhere on the iPhone was I able to use it to log in.
This sounds bad, but it's not really a fault of the Security Key NFC.
It works exactly the way it's supposed to.
The problem is hardware manufacturers like Apple and a surprising amount of software doesn't support FIDO2 authentication via NFC.
Yubico confirmed that my experience on iPhone with the Security Key NFC was to be expected.
My company contact at Yubico explained that the iPhone's NFC functionality does not yet support FIDO2/U2F, which is part of why the company is developing a Lightning port security key.
Granted that doesn't explain why Twitter or Chrome refused to play nice with the Security Key NFC.
It's frustrating, because both allowed me to log in when connected the Security Key NFC via USB.
During this testing I relied heavily on the credentials stored in LastPass, which I secure with a YubiKey Series 5 key.
Notably, I was able to log in to the LastPass app using the Series 5 NFC capabilities.
However, LastPass uses one-time passwords (OTP) generated by the YubiKey, and not the FIDO2/U2F standard used with the Security Key NFC.
How Does This Key Compare?
The Security Key NFC is Yubico's second stab at creating a low-cost device that works with the FIDO2/U2F standard.
The first, the aptly named Security Key, costs slightly less at $20.
The Nitrokey FIDO U2F is an open-source competitor that isn't quite as sleek, doesn't support FIDO2, and costs $25.
The open-source pedigree is the real challenge the Nitrokey brings.
The rest of the YubiKey family is more capable, and more expensive.
The YubiKey 5 series comes in four flavors: The YubiKey 5 NFC for $45, the YubiKey 5 Nano for $50, the YubiKey 5C also for $50, and the YubiKey 5C Nano for $60.
The main difference between these devices is size, connector, and wireless connectivity.
Beyond that, they're mostly identical.
All four support FIDO2/U2F, like the two blue Security Keys, but the 5 series also supports OTP, OATH (HOTP and TOTP), Smart Card, and OpenPGP.
A forthcoming Yubikey device will feature an Apple Lighting connector on one side and a USB-C connector on the other, making it fully compatible with most mobile devices without requiring support for NFC authentication.
Google has its own offering with the Titan Security Key bundle.
This $50 set includes two security keys, one a flat USB-A device similar to a the Security Key NFC, and a battery-powered key fob that uses bluetooth and micro USB.
While capable, the Titan keys only support FIDO U2F, and are comparably quite expensive, despite doubling the number of keys.
Yubikey tells me the company intentionally avoided Bluetooth.
The company felt that the battery requirements made it less durabe and the wireless communication made it less secure.
Plenty of Potential
I was really excited when the Security Key NFC was announced.
I loved the simplicity of the original Security Key, and felt that the inclusion of NFC was well worth adding seven dollars to the price tag.
Unfortunately, the Security Key NFC is hamstrung by the support of the hardware and software that's supposed to work with it.
On iPhone it's completely unusable until Apple expands support for FIDO2/U2F, and I only found it to be partly usable on Android.
This is particularly frustrating because there's nothing wrong with the Security Key NFC.
It works just fine! But the stuff it's supposed to work with doesn't accept wireless communication.
As a USB security key, it works flawlessly.
That's disappointing, but hopefully it won't be the end of the story.
If support improves on mobile for the Security Key NFC, it could easily become a must-have item.
For now, we continue to recommend the original Security Key, which provides the unmatched security of a physical authenticator with support for a popular authentication protocol, at an impulse-purchase price.
It's a Daxdi Editors' Choice.
If you want to go further, the YubiKey 5 NFC is a veritable Swiss Army knife of authentication, but probably overkill for the average consumer.
And if you're a major supporter of open-source technology, the Nitrokey FIDO U2F is your best bet.
Security Key NFC by Yubico
Pros
Affordable.
Supports FIDO2 and FIDO U2F, used by Google, Twitter, Facebook, and others.
Durable.
Supports NFC.
View More
Cons
Limited by lack of support on mobile devices, especially iPhone.
Doesn't support other 2FA or encryption features.
Won't work with LastPass.
The Bottom Line
The Security Key NFC doesn't have all the tricks of its YubiKey cousins, but it supports the most popular method of two-factor authentication and can communicate with mobile devices via NFC.