Passwords have been the weak point of security since they were first introduced.
Thankfully, the Yubico YubiKey 5 NFC is here to protect our most important accounts and much more besides.
The fifth generation of the YubiKey supports FIDO U2F for a secure second-factor authentication and uses NFC to work with your phone.
But that's just the start of what this remarkably powerful, and remarkably tiny, device can do.
If you're just looking for a simple hardware U2F option, the YubiKey 5 NFC is probably overkill—consider the more affordable Security Key by Yubico or the Google Titan Security Keys instead.
But if you're already steeped in security wonkiness, you'll love what the 5 NFC has to offer.
How Two-Factor Authentication Works
While there's a lot you can do with a hardware security key such as the YubiKey, its primary role is as a second factor of authentication.
In practice, two-factor authentication (2FA) means having to do a second thing after entering your password to prove it's you.
But the theory behind 2FA is combining two different systems of authentication from a list of three:
Something you know,
Something you have, or
Something you are.
For example: a password, is something you know, and it should exist only in your head (or inside a password manager).
Biometrics—thingk fingerprint scans, retina scans, heart signatures, and so on—count as something you are.
Yubico YubiKeys and their ilk are something you have.
Using two factors from this list of three provides greater assurance that you are who you say you are, and that you have authority to access the thing you're trying to access.
It's also harder for bad guys to break.
An attacker might buy your password from the Dark Web, but she's probably not going to be able to get your security key, too.
The authentication provided by 2FA is also ephemeral: it only works once, and usually for only a limited time, for added security.
This review looks primarily at hardware 2FA, but there are many ways to add a second factor.
Many sites will send you codes via SMS to verify your identity.
Apps such as Duo (Free at Duo) and Authy rely on push notifications which are (in theory) harder to intercept than SMS messages.
Whether you go with a hardware or software solution or a mix of both, do add 2FA wherever you can.
When Google deployed 2FA keys internally, it saw successful account takeovers drop to zero.
Yubico has always offered several sizes and variations of its security keys to fit just about every need.
This is great, because consumers and IT professionals can get exactly what they need at a variety of prices.
The downside is that browsing the Yubico store is a frequently overwhelming experience.
I'll do my best to boil down the basics.
There are four flavors of YubiKey 5 Series devices, including the $45 YubiKey 5 NFC reviewed here, as well as three other form factors: the $50 YubiKey 5 Nano, the $50 YubiKey 5C, and the $60 YubiKey 5C Nano.
The 5 NFC is the only YubiKey to offer wireless communication, but besides that the only difference among these devices is size, price, and USB connector.
The two Nano devices are the most diminutive devices in the group and nestle within your USB-A or USB-C slots, easily within reach if you need them often.
The YubiKey 5C uses a USB-C connector, is slightly smaller than the 5 NFC, and can hang on your keychain alongside the 5 NFC; it lacks wireless communication.
You can, however, connect either the YubiKey 5C or 5C Nano directly to your Android device.
What sets the YubiKey 5 Series apart from the competition isn't just the variety of form factors.
These devices are real digital security Swiss Army knives.
Each one can function as a Smart Card (PIV), can generate one-time passwords, support both OATH-TOTP and OATH-HOTP, and can be used for challenge-response authentication.
All four devices support three cryptographic algorithms: RSA 4096, ECC p256, and ECC p384.
These devices can fit so many different roles, often at the same time—provided you know what you're doing.
While the YubiKey 5 NFC is the focus of this review, I have tested the YubiKey 4 Series devices in the past, and these are physically identical to the USB-C and Nano variations of the YubiKey 5 Series.
All of them are well-made, clad in black plastic that hides wear, and equipped with hidden green LEDs to let you know they're connected and functioning.
The USB-A devices have either a gold strip or disk that you tap, depending on the size of the device.
The USB-C devices, meanwhile, have two tiny metal tabs that you tap to authenticate.
The USB-A Nano device is harder to remove from a slot than the USB-C Nano device, but the USB-A Nano YubiKey has a tiny hole, so it can be hung from a string or cord, while the USB-C Nano does not.
Which YubiKey device you purchase will largely depend on what context you plan on using it.
The Nano devices are useful if you plan on using them with a trusted computer, and you know you'll need to access the YubiKey often.
The full-size keys are better for hanging on a keyring and keeping close at hand.
Hands On With the YubiKey 5 NFC
To help you get started, Yubico has created a handy guide for new users.
Just pick the YubiKey device you have, and the site displays a list of all the places and contexts you can use your YubiKey.
Some of these link directly to a site or service's onboarding page, while others provide instructions you have to follow yourself.
Setting up the YubiKey as a U2F second factor is very simple.
Follow the site or service's instructions and then insert the YubiKey into the appropriate slot when prompted.
Just tap the gold disk (or metal tabs, depending on the model), and the service enrolls your key.
The next time you go to log in, you enter your password and you get a prompt to insert your key and tap.
That's it!
Dashlane, Google, and Twitter are a few of the many sites that support U2F and accept YubiKey 5 Series devices.
In my testing, I enrolled it as a second factor for a Google Account.
When logging in on a desktop computer, I entered my login credentials, and then Google asked me to insert and tap my security key.
That's no problem, although I did have to use the Chrome browser to log in.
On my Android device, the process is just as simple.
When logging in testing, I entered my credentials, and then my phone prompted me to use my security key.
I selected NFC from a menu along the bottom, and then slapped the 5 NFC against the back of my phone.
It took quite a few tries, but eventually the phone buzzed an affirmative and I was logged in.
The YubiKey 5 Series can authenticate you in a number of ways, not just via U2F.
With LastPass, for instance, you enroll the YubiKey to generate one-time passwords (specifically HMAC-based One-time Passwords, but I'll use OTP for brevity) with a tap.
This is different from U2F but it in practice it feels very similar.
Log in to LastPass, navigate to the appropriate part of the Settings menu, click on the text field, and tap the YubiKey.
A string of letters spews out, and that's it! Now when you want to log in to LastPass, you'll be prompted to plug in your YubiKey to have it spit out more OTPs.
Most of you are probably familiar with Google Authenticator, an app that generates six-digit passcodes every 30 seconds.
This technology, more generally, is called Time-based One-time Passwords (TOTPs) and it's one of the most common forms for 2FA used today.
Along with a companion desktop or mobile app, Yubico puts an interesting spin on the TOTP system.
Plug in your YubiKey, fire up the Yubico Authenticator app, and then navigate to a site that supports Google Authenticator or a similar service.
To secure a Google Account, for example, I clicked the option to enroll a new phone with the authenticator app.
A QR code usually appears at this point, and the site prompts you to scan it with the appropriate authenticator app.
Instead, I selected a menu option in the Yubico Authenticator desktop app and it capture the QR code from my screen.
After a few more clicks, the app started providing unique six-digit codes every 30 seconds.
The trick is that the Yubico app cannot generate TOTPs without the YubiKey.
Instead of storing the credentials needed to create those codes on your computer, the Yubico Authenticator stores that data directly on your YubiKey.
Pull it out, and the Authenticator app can't make new TOTPs.
That's handy if you're concerned about someone stealing the device you use to generate your TOTPs.
You can also lock your YubiKey with a password, so even if it were stolen from you it couldn't be used for generating TOTPs.
Yubico also offers a TOTP-generating Android app that works with the YubiKey 5 NFC, to take your TOTPs on the road.
When you open the app, it's empty, but slap your 5 NFC against the back and it begins to generate codes.
Quit the app, and the codes disappear; you'll have to tap the 5 NFC again.
That's less convenient than storing the information in the app itself, but far more secure.
These were the scenarios I looked at, but the YubiKey 5 Series can do much more.
You can use it as a smartcard to log in to my desktop computer.
You can use it log in to SSH servers.
You can even generate a PGP key and then use the YubiKey to sign or authenticate.
Frankly, however, just getting my head wrapped around the TOTP keys was difficult enough.
Although Yubico has lots of documentation and three separate desktop apps (and three more mobile apps), it's very difficult to use every facet of the YubiKey without a good dollop of existing knowledge.
Yubico has deployed a website to help inform customers about what they can use their key for, and to guide them toward the necessary information.
That guidance is great, but it's just guidance, not the hand-holding usually provided by tech products.
Using your YubiKey for U2F is also very simple but getting the most out of your YubiKey isn't easy for a novice—or even a security journalist.
YubiKeys vs.
the Google Titan Security Key
Yubico has a solution for just about every situation with the YubiKey 5 Series, but cost is an issue.
Each individual device is priced between $40 and $60 for just one YubiKey.
Google's Titan Security Key Bundle, on the other hand, provides two devices for $50: One USB-A key and a Bluetooth/Micro USB key fob.
That gives you a spare right off the bat.
On the other hand YubiKey just has more security bang for your buck (assuming you puzzle out how to use it all).
Both Titan devices can use NFC but, as of this writing, support has not been enabled on Android devices.
Google also supplies a USB-C adapter, so you can use your Titan key with just about any device.
The Titan keys, however, only support FIDO U2F.
That will work for just about every website or service, but they can't be used for TOTPs, OTPs, Smart Card access, and the other protocols supported by YubiKey 5 Series.
Price-conscious readers primarily looking for just a U2F device will likely prefer the $20 Security Key by Yubico.
This USB-A key has the same silhouette as the YubiKey 5 NFC, but can be identified by its handsome blue plastic enclosure, a key glyph on the center button, and the number two etched on its top.
As the name suggests, this device supports FIDO U2F and FIDO2, but that's it.
The Security Key doesn't support all the protocols of the YubiKey 5 Series, so you can't use it with LastPass or as a smart card, nor can it communicate wirelessly.
It also costs less than half the Titan key bundle or the 5 NFC.
The YubiKey to Success?
The YubiKey 5 Series is a remarkable family of devices that fill a dazzling number of niches.
Its most basic use is as a FIDO U2F authenticator or an OTP generator, but it can do so much more.
The trouble we've always had with YubiKeys, and Yubico overall, is simply the challenge of figuring out which YubiKey to choose, among the half dozen the company currently offers.
Figuring out what you can do with it beyond U2F is doubly challenging.
The Yubico devices are excellent, and their documentation improving, but they are definitely designed with security wonks and IT professionals in mind.
If you glance over the laundry list of capabilities the YubiKey boasts and understand them, or are at least curious about them, then this is the device for you.
You won't be disappointed in this rugged little device.
If you know you want to better secure your online accounts, but aren't sure how to go about doing it, you're probably better off with the Google Titan Security Keys or the far more affordable Security Key by Yubico.
YubiKeys are an established and mature technology, but we're still exploring this space.
As such, we're giving the YubiKey 5 NFC four stars, but are withholding an Editors' Choice award until we've examined more options.
Pros
Durable, reliable construction.
No batteries or moving parts.
NFC capable.
Different form factors.
Supports FIDO U2F, FIDO2.
Can generate six-digit one-time use passcodes with companion app.
Supports multiple protocols for different security roles.
View More
The Bottom Line
The Yubico YubiKey 5 NFC is a tiny, USB device that keeps the bad guys out of your accounts by adding a secure second factor to your login process.
The YubiKey does so much more, too—provided you can take the time to figure it all out.
Passwords have been the weak point of security since they were first introduced.
Thankfully, the Yubico YubiKey 5 NFC is here to protect our most important accounts and much more besides.
The fifth generation of the YubiKey supports FIDO U2F for a secure second-factor authentication and uses NFC to work with your phone.
But that's just the start of what this remarkably powerful, and remarkably tiny, device can do.
If you're just looking for a simple hardware U2F option, the YubiKey 5 NFC is probably overkill—consider the more affordable Security Key by Yubico or the Google Titan Security Keys instead.
But if you're already steeped in security wonkiness, you'll love what the 5 NFC has to offer.
How Two-Factor Authentication Works
While there's a lot you can do with a hardware security key such as the YubiKey, its primary role is as a second factor of authentication.
In practice, two-factor authentication (2FA) means having to do a second thing after entering your password to prove it's you.
But the theory behind 2FA is combining two different systems of authentication from a list of three:
Something you know,
Something you have, or
Something you are.
For example: a password, is something you know, and it should exist only in your head (or inside a password manager).
Biometrics—thingk fingerprint scans, retina scans, heart signatures, and so on—count as something you are.
Yubico YubiKeys and their ilk are something you have.
Using two factors from this list of three provides greater assurance that you are who you say you are, and that you have authority to access the thing you're trying to access.
It's also harder for bad guys to break.
An attacker might buy your password from the Dark Web, but she's probably not going to be able to get your security key, too.
The authentication provided by 2FA is also ephemeral: it only works once, and usually for only a limited time, for added security.
This review looks primarily at hardware 2FA, but there are many ways to add a second factor.
Many sites will send you codes via SMS to verify your identity.
Apps such as Duo (Free at Duo) and Authy rely on push notifications which are (in theory) harder to intercept than SMS messages.
Whether you go with a hardware or software solution or a mix of both, do add 2FA wherever you can.
When Google deployed 2FA keys internally, it saw successful account takeovers drop to zero.
Yubico has always offered several sizes and variations of its security keys to fit just about every need.
This is great, because consumers and IT professionals can get exactly what they need at a variety of prices.
The downside is that browsing the Yubico store is a frequently overwhelming experience.
I'll do my best to boil down the basics.
There are four flavors of YubiKey 5 Series devices, including the $45 YubiKey 5 NFC reviewed here, as well as three other form factors: the $50 YubiKey 5 Nano, the $50 YubiKey 5C, and the $60 YubiKey 5C Nano.
The 5 NFC is the only YubiKey to offer wireless communication, but besides that the only difference among these devices is size, price, and USB connector.
The two Nano devices are the most diminutive devices in the group and nestle within your USB-A or USB-C slots, easily within reach if you need them often.
The YubiKey 5C uses a USB-C connector, is slightly smaller than the 5 NFC, and can hang on your keychain alongside the 5 NFC; it lacks wireless communication.
You can, however, connect either the YubiKey 5C or 5C Nano directly to your Android device.
What sets the YubiKey 5 Series apart from the competition isn't just the variety of form factors.
These devices are real digital security Swiss Army knives.
Each one can function as a Smart Card (PIV), can generate one-time passwords, support both OATH-TOTP and OATH-HOTP, and can be used for challenge-response authentication.
All four devices support three cryptographic algorithms: RSA 4096, ECC p256, and ECC p384.
These devices can fit so many different roles, often at the same time—provided you know what you're doing.
While the YubiKey 5 NFC is the focus of this review, I have tested the YubiKey 4 Series devices in the past, and these are physically identical to the USB-C and Nano variations of the YubiKey 5 Series.
All of them are well-made, clad in black plastic that hides wear, and equipped with hidden green LEDs to let you know they're connected and functioning.
The USB-A devices have either a gold strip or disk that you tap, depending on the size of the device.
The USB-C devices, meanwhile, have two tiny metal tabs that you tap to authenticate.
The USB-A Nano device is harder to remove from a slot than the USB-C Nano device, but the USB-A Nano YubiKey has a tiny hole, so it can be hung from a string or cord, while the USB-C Nano does not.
Which YubiKey device you purchase will largely depend on what context you plan on using it.
The Nano devices are useful if you plan on using them with a trusted computer, and you know you'll need to access the YubiKey often.
The full-size keys are better for hanging on a keyring and keeping close at hand.
Hands On With the YubiKey 5 NFC
To help you get started, Yubico has created a handy guide for new users.
Just pick the YubiKey device you have, and the site displays a list of all the places and contexts you can use your YubiKey.
Some of these link directly to a site or service's onboarding page, while others provide instructions you have to follow yourself.
Setting up the YubiKey as a U2F second factor is very simple.
Follow the site or service's instructions and then insert the YubiKey into the appropriate slot when prompted.
Just tap the gold disk (or metal tabs, depending on the model), and the service enrolls your key.
The next time you go to log in, you enter your password and you get a prompt to insert your key and tap.
That's it!
Dashlane, Google, and Twitter are a few of the many sites that support U2F and accept YubiKey 5 Series devices.
In my testing, I enrolled it as a second factor for a Google Account.
When logging in on a desktop computer, I entered my login credentials, and then Google asked me to insert and tap my security key.
That's no problem, although I did have to use the Chrome browser to log in.
On my Android device, the process is just as simple.
When logging in testing, I entered my credentials, and then my phone prompted me to use my security key.
I selected NFC from a menu along the bottom, and then slapped the 5 NFC against the back of my phone.
It took quite a few tries, but eventually the phone buzzed an affirmative and I was logged in.
The YubiKey 5 Series can authenticate you in a number of ways, not just via U2F.
With LastPass, for instance, you enroll the YubiKey to generate one-time passwords (specifically HMAC-based One-time Passwords, but I'll use OTP for brevity) with a tap.
This is different from U2F but it in practice it feels very similar.
Log in to LastPass, navigate to the appropriate part of the Settings menu, click on the text field, and tap the YubiKey.
A string of letters spews out, and that's it! Now when you want to log in to LastPass, you'll be prompted to plug in your YubiKey to have it spit out more OTPs.
Most of you are probably familiar with Google Authenticator, an app that generates six-digit passcodes every 30 seconds.
This technology, more generally, is called Time-based One-time Passwords (TOTPs) and it's one of the most common forms for 2FA used today.
Along with a companion desktop or mobile app, Yubico puts an interesting spin on the TOTP system.
Plug in your YubiKey, fire up the Yubico Authenticator app, and then navigate to a site that supports Google Authenticator or a similar service.
To secure a Google Account, for example, I clicked the option to enroll a new phone with the authenticator app.
A QR code usually appears at this point, and the site prompts you to scan it with the appropriate authenticator app.
Instead, I selected a menu option in the Yubico Authenticator desktop app and it capture the QR code from my screen.
After a few more clicks, the app started providing unique six-digit codes every 30 seconds.
The trick is that the Yubico app cannot generate TOTPs without the YubiKey.
Instead of storing the credentials needed to create those codes on your computer, the Yubico Authenticator stores that data directly on your YubiKey.
Pull it out, and the Authenticator app can't make new TOTPs.
That's handy if you're concerned about someone stealing the device you use to generate your TOTPs.
You can also lock your YubiKey with a password, so even if it were stolen from you it couldn't be used for generating TOTPs.
Yubico also offers a TOTP-generating Android app that works with the YubiKey 5 NFC, to take your TOTPs on the road.
When you open the app, it's empty, but slap your 5 NFC against the back and it begins to generate codes.
Quit the app, and the codes disappear; you'll have to tap the 5 NFC again.
That's less convenient than storing the information in the app itself, but far more secure.
These were the scenarios I looked at, but the YubiKey 5 Series can do much more.
You can use it as a smartcard to log in to my desktop computer.
You can use it log in to SSH servers.
You can even generate a PGP key and then use the YubiKey to sign or authenticate.
Frankly, however, just getting my head wrapped around the TOTP keys was difficult enough.
Although Yubico has lots of documentation and three separate desktop apps (and three more mobile apps), it's very difficult to use every facet of the YubiKey without a good dollop of existing knowledge.
Yubico has deployed a website to help inform customers about what they can use their key for, and to guide them toward the necessary information.
That guidance is great, but it's just guidance, not the hand-holding usually provided by tech products.
Using your YubiKey for U2F is also very simple but getting the most out of your YubiKey isn't easy for a novice—or even a security journalist.
YubiKeys vs.
the Google Titan Security Key
Yubico has a solution for just about every situation with the YubiKey 5 Series, but cost is an issue.
Each individual device is priced between $40 and $60 for just one YubiKey.
Google's Titan Security Key Bundle, on the other hand, provides two devices for $50: One USB-A key and a Bluetooth/Micro USB key fob.
That gives you a spare right off the bat.
On the other hand YubiKey just has more security bang for your buck (assuming you puzzle out how to use it all).
Both Titan devices can use NFC but, as of this writing, support has not been enabled on Android devices.
Google also supplies a USB-C adapter, so you can use your Titan key with just about any device.
The Titan keys, however, only support FIDO U2F.
That will work for just about every website or service, but they can't be used for TOTPs, OTPs, Smart Card access, and the other protocols supported by YubiKey 5 Series.
Price-conscious readers primarily looking for just a U2F device will likely prefer the $20 Security Key by Yubico.
This USB-A key has the same silhouette as the YubiKey 5 NFC, but can be identified by its handsome blue plastic enclosure, a key glyph on the center button, and the number two etched on its top.
As the name suggests, this device supports FIDO U2F and FIDO2, but that's it.
The Security Key doesn't support all the protocols of the YubiKey 5 Series, so you can't use it with LastPass or as a smart card, nor can it communicate wirelessly.
It also costs less than half the Titan key bundle or the 5 NFC.
The YubiKey to Success?
The YubiKey 5 Series is a remarkable family of devices that fill a dazzling number of niches.
Its most basic use is as a FIDO U2F authenticator or an OTP generator, but it can do so much more.
The trouble we've always had with YubiKeys, and Yubico overall, is simply the challenge of figuring out which YubiKey to choose, among the half dozen the company currently offers.
Figuring out what you can do with it beyond U2F is doubly challenging.
The Yubico devices are excellent, and their documentation improving, but they are definitely designed with security wonks and IT professionals in mind.
If you glance over the laundry list of capabilities the YubiKey boasts and understand them, or are at least curious about them, then this is the device for you.
You won't be disappointed in this rugged little device.
If you know you want to better secure your online accounts, but aren't sure how to go about doing it, you're probably better off with the Google Titan Security Keys or the far more affordable Security Key by Yubico.
YubiKeys are an established and mature technology, but we're still exploring this space.
As such, we're giving the YubiKey 5 NFC four stars, but are withholding an Editors' Choice award until we've examined more options.
Pros
Durable, reliable construction.
No batteries or moving parts.
NFC capable.
Different form factors.
Supports FIDO U2F, FIDO2.
Can generate six-digit one-time use passcodes with companion app.
Supports multiple protocols for different security roles.
View More
The Bottom Line
The Yubico YubiKey 5 NFC is a tiny, USB device that keeps the bad guys out of your accounts by adding a secure second factor to your login process.
The YubiKey does so much more, too—provided you can take the time to figure it all out.