Yubico's YubiKey line has been a go-to choice for simple, hardware two-factor authentication for years.
The final frontier for Yubico has been the iPhone, which it finally addresses with the YubiKey 5Ci.
This tiny double-ended device sports a USB-C connector on one end and an Apple-compliant Lightning connector on the other.
This hydra of a hardware key works exactly as it should and comes packed with features the competition can't match, but is hampered by limited support on iOS and a comparatively high price.
What's Two-Factor Authentication?
In practice, two-factor authentication (2FA) is using two things to log in to a site or service, but that's not where the name comes from.
Instead, it refers to a theory of authentication where you prove that you should have access with:
Something you know.
Something you are.
Or something you have.
Something you know is like a password, which humans are terrible at and we should really let password managers take care of.
Something you are is like biometric data, such as using your fingerprint to unlock a phone.
Something you have could be a hardware authenticator, such as a YubiKey.
2FA is where you use two authenticators from the list instead of just one, since an attacker is unlikely to have two of the three.
It's an enormously effective way to secure logins.
So much so that after Google required the use of 2FA hardware keys internally, successful phishing attacks dropped to zero.
There are lots of ways to do 2FA.
Receiving a one-time password via SMS is probably the one people are most familiar with, although this is on its way out due to security concerns.
Yubico has spearheaded the creation of the FIDO2 protocol and the WebAuthn standard, which uses public key cryptography for secure authentication.
The W3C-certified WebAuthn standard has brought this style of authentication to more and more browsers and services in recent years, and could be the future of how we do authentication.
Microsoft, for instance, has been experimenting with using WebAuthn devices like YubiKeys for completely passwordless authentication.
Made For Mobile
The YubiKey family has grown significantly, featuring seven different keys in sundry sizes and a preponderance of plugs and protocols.
The USB-A Yubico Security Key supports only FIDO2/WebAuthn and costs $20, while the USB-A Security Key NFC adds wireless support for $27.
Image via Yubico.
The YubiKey 5 series, pictured above, covers several devices.
Starting from the left, the USB-A YubiKey 5 NFC costs $45, and is perhaps the most capable of all the devices.
The USB-C YubiKey 5C costs $50, and most closely resembles the 5Ci in its thin, stubby design.
The 5 Nano and 5C Nano cost $50 and $60 respectively, and are designed to live inside your ports semi-permanently.
At $70, the YubiKey 5Ci is the most expensive key in the family.
Compared to the USB-A YubiKey design, the 5Ci is tiny.
It's 12mm x 40.3mm and a mere 5mm thick.
That's a little over one-half the width of a USB-A key, and slightly shorter.
It's cast in durable, black plastic with a metal-reinforced center hole to attach it to your key ring.
The 5Ci is, however, thicker than the YubiKey 5 NFC.
That extra girth, coupled with its central hole, makes it a bit of an odd fit for a keyring, but it works.
It is feather-light at only 3 grams, but still feels well built.
Near the middle of the device are two raised metal nodes.
When you plug the 5Ci in, you tap these nodes when prompted to complete verification.
Like all YubiKey devices, the 5Ci has no internal battery, and draws all its power from the device to which it is connected.
Notably, the YubiKey 5Ci does not support NFC, while the Yubico Security Key NFC and YubiKey 5 NFC do.
The YubiKey 5Ci has a unique double-ended design.
One side has a USB-C connector, and the other sports an Apple Lightning connector you've seen on iPhone and iPad chargers for years.
Ironically, my biggest complaint about the 5Ci is its connectors.
For one thing, I had a hard time finding a computer with a USB-C port to test the various capabilities of the 5Ci.
It's also much easier to enroll the key from a computer than it is from a mobile device.
If you're using recent hardware, finding a USB-C port probably won't be a problem, but if you're like me and use computers until they quite literally fall apart, you might be in need of an adapter.
For another, the USB-C end of the device wasn't a good fit in either the Nokia 6.1 or the Asus UX360c ZenBook Flip I used in testing.
I had to really push to get the 5Ci in, and every time I thought I was going to break something.
There were also a few instances where it seemed that the device was not seated properly, as it did not connect.
This wasn't a deal breaker in any sense, and after a few pushes and pulls the connector started to feel like a better fit.
Perhaps it just needs breaking in.
The Lightning connector, on the other hand, worked remarkably well.
It entered smoothly and clipped in sturdily.
It was thoroughly Apple-like, and I have no complaints.
Yubico did point out that the USB-C connector on the 5Ci won't work in iPad models that have USB-C ports.
Image via Yubico.
Hands On With the YubiKey 5Ci
Before you can use the 5Ci, or any other hardware authenticator, you have to enroll it with each service.
The problem is that not every browser or application supports hardware authenticator keys.
I ran into this problem the first time when I tested Yubico's Security Key NFC.
Back then (as now), Apple's support for NFC didn't extend to security keys in most contexts.
I found that there were more contexts where the 5Ci worked on iOS than when I tested NFC keys on iPhones, but the relatively small support is a bit frustrating.
To test the FIDO2/WebAuthn support, I opened up Twitter in the Brave browser, which Yubico suggested I use because it supports browser-based authentication.
I logged in as usual, navigated to the Settings pane, and enrolled the YubiKey 5Ci.
The next time I logged in, Twitter prompted me to enter my key, and tap it.
I complied, and swiftly brought up the web app.
Unfortunately, I wasn't able to log in to Twitter with either Safari or the Twitter iOS app.
I also wasn't able to enroll the YubiKey 5Ci with my Google account in Brave, Safari, or even Chrome.
The YubiKey 5Ci also supports one-time passwords (OTP).
In this configuration, you plug in the key and tap the metal nodes, and a lengthy, unique code is spit out.
Here's one: ccccccciichjarvekkfjidvvutlhidkgdffrcrrdkfwwheb.
A few services, like LastPass, use this feature instead of FIDO2/WebAuthn.
The advantage is that the key is read as a keyboard, so it's very simple and requires no additional support from the browser.
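To make the one-time code above concrete, here is an added example (not from Yubico or LastPass) of the format check a service can run on a submitted code before passing it on for verification. It assumes the default Yubico OTP layout of a 12-character public ID followed by 32 characters of encrypted token, all in the 16-letter "modhex" alphabet; the function names and the constructed sample are illustrative. The string printed in this review fails both checks, so it would be rejected as typed.

```python
"""Format pre-check for a Yubico OTP string (added example)."""

MODHEX = "cbdefghijklnrtuv"            # modhex digit i encodes hex digit i
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
PUBLIC_ID_LEN = 12                     # assumed default: 12-char public ID ...
TOKEN_LEN = 32                         # ... then 32 chars (16 encrypted bytes)

# Sample string quoted in the article above.
PAGE_SAMPLE = "ccccccciichjarvekkfjidvvutlhidkgdffrcrrdkfwwheb"
# Constructed sample (not from a real key) that follows the assumed layout.
CONSTRUCTED = "ccccccbdefgh" + "ijklnrtuvcbdefghijklnrtuvcbdefgh"


def otp_problems(otp: str) -> list:
    """Return a list of format problems; an empty list means well-formed."""
    problems = []
    stray = sorted(set(otp) - set(MODHEX))
    if stray:
        problems.append("non-modhex characters: " + ", ".join(stray))
    expected = PUBLIC_ID_LEN + TOKEN_LEN
    if len(otp) != expected:
        problems.append(f"length {len(otp)}, expected {expected}")
    return problems


def modhex_decode(text: str) -> bytes:
    """Decode an even-length modhex string to raw bytes."""
    if set(text) - set(MODHEX) or len(text) % 2:
        raise ValueError("not an even-length modhex string")
    return bytes.fromhex(text.translate(_TO_HEX))


def parse_otp(otp: str):
    """Split a well-formed OTP into (public_id, encrypted_token_bytes)."""
    otp = otp.strip().lower()          # the key "types" the code plus Enter
    problems = otp_problems(otp)
    if problems:
        raise ValueError("; ".join(problems))
    return otp[:PUBLIC_ID_LEN], modhex_decode(otp[PUBLIC_ID_LEN:])


def prefilter(otp: str, enrolled_ids: set) -> str:
    """Decide whether a submitted OTP should be sent on for verification.

    This only checks shape and enrollment. Whether the encrypted token is
    genuine and unused is decided by the validation service, not here.
    """
    try:
        public_id, _token = parse_otp(otp)
    except ValueError as exc:
        return f"reject: malformed ({exc})"
    if public_id not in enrolled_ids:
        return "reject: key not enrolled for this account"
    return "forward"


if __name__ == "__main__":
    enrolled = {"ccccccbdefgh"}        # constructed enrollment record
    for candidate in (CONSTRUCTED, PAGE_SAMPLE):
        print(candidate[:12] + "...", "->", prefilter(candidate, enrolled))
```
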
To test OTPs, I first had to enroll the key with a LastPass account.
I wasn't able to do this on an iPad or iPhone.
In the case of browsers, I wasn't given the option to use alternate methods and the browsers couldn't use NFC to read my YubiKey 5 NFC.
The LastPass app did read my NFC key, but the app doesn't include options to edit your enrolled hardware keys.
In the end, I had to find a laptop with USB-C ports to enroll the 5Ci.
Once I did, logging in to LastPass through the LastPass app or the Brave browser was a snap.
I entered my username and password as usual, and was then prompted to insert my key, and then tap the metal nodes on the key.
A second later, I was logged in.
These were just a few of the services that the YubiKey can work with, and Yubico maintains a fairly comprehensive list of sites and services that accept either FIDO2/WebAuthn or YubiKey OTPs.
A company representative mentioned 1Password, Bitwarden, Idaptive, and Okta as specific iOS apps that already support the use of YubiKeys.
The YubiKey 5Ci has all manner of other tricks, but they all require a computer at some point.
For instance, you can customize various aspects of your key, such as having it spit out a pre-set password when you long-press the metal nodes.
It can also be configured to double as a smart card, and can spit out time-limited passcodes (TOTPs) just like Google Authenticator with the help of a desktop authenticator application.
A Yubico representative confirmed to me that, except for NFC communication, the YubiKey 5Ci can do anything the YubiKey 5 NFC can do.
The YubiKey 5Ci vs. the Competition
There are a host of hardware authenticator competitors out there, not the least of which is Google.
For $50, the company will send you a USB-A Google Titan Security Key that uses FIDO2/WebAuthn and a rechargeable Bluetooth dongle.
It's a good set, but I have always been skeptical of using Bluetooth for security devices.
If you own a mobile device running Android 7.0 or later, you can use it as a hardware authenticator for Google accounts, too.
This has the advantage of being completely free and using existing hardware you already own, but it is currently limited in scope.
It also relies on batteries and radios to work, unlike all the YubiKey devices.
If the Google branding isn't your thing, you can go direct to Feitian, the company that Google whitelabeled for the Titan keys.
These devices come in numerous sizes, configurations, and prices.
The only downside is the unlikely potential for supply chain attacks, as Feitian is located in China.
Yubico is always quick to point out that it manufactures its keys in the US and Sweden.
Some might prefer an open-source alternative, such as the NitroKey FIDO U2F.
This German device runs €22.00, and uses open-source hardware and software.
The benefit of open-source hardware is that its security can be independently verified by any third party.
I found the NitroKey to be capable, but clunky.
While other security keys are thin like, well, keys, the NitroKey is chunky and uses a full-size USB-A connector.
I asked a representative of Yubico about using open-source components, and they replied that the best secure element chips available simply aren't open-sourced.
One thing to keep in mind is that 2FA does not require a hardware key.
Google Authenticator, Duo Mobile, and other services offer 2FA for free via apps.
Google and Apple secure accounts on their services with the option to authenticate from another trusted device.
The advantage of hardware keys is that they work without power or cell service, but if you think using a physical key is too much of a hassle, I recommend simply using whatever 2FA method makes the most sense for you.
Too Much, Too Soon
My only real complaints with the YubiKey 5Ci itself are its price and its sticky USB-C plug (which might improve over time).
The real trouble is support on iOS devices which, while improving, is still limited.
That's not really Yubico's fault, but it is frustrating because the USB-C YubiKey costs $20 less.
I'd love it if Apple and other developers started to work seriously on expanding support for all kinds of hardware keys.
Once that happens, the YubiKey 5Ci will really shine.
Until then, our Editors' Choice badge remains the Security Key by Yubico, which costs a mere $20 and will work just about anywhere you stick a USB-A plug.