This Tiny Device Makes It So You Never Have to Remember Another Password

YubiKey 5 Series
YubiKey 5 Series / Yubico
facebooktwitterreddit

In our increasingly online world, password management has become an overwhelming chore. You probably use dozens of passwords on any given day—for your email (work and personal), your social networking accounts, your Spotify, your Seamless, your online bank account, your Venmo, every single store you’ve ever made an online purchase from, and any other site you set up a profile for. Personally, my password manager holds almost 200 different passwords that I’ve created over the past two years. There has to be a better way. And there is. According to Wired, the new YubiKey 5 Series could make passwords entirely a thing of the past.

Made by Yubico, a security company founded in Sweden in 2007, YubiKey is a type of physical token called a security key that you plug into your computer as a way to verify your identity in place of the usual two-factor authentication methods like texting a number to your phone. You can use it in conjunction with your existing password as an extra layer of protection for services like Gmail, password managers like LastPass, and some Windows and Mac devices, kind of like how you need both a physical debit card and a pin to use an ATM.

With the launch of its latest version, the 5 Series, Yubico is now moving toward hardware options that don’t require passwords at all. It uses near-field communication (the same technology behind some keycards and tap-to-pay systems) and a new open authentication standard called FIDO2 that’s designed to protect login information from getting into the wrong hands. Instead of using information that can be stolen to verify your identity—that probably not-that-secure password you always forget—this method allows sites to authenticate your identity with a physical object like a YubiKey that you carry with you. While a hacker can steal your password off the internet from anywhere in the world, it’s much harder to fraudulently log in to someone’s account if you need to steal their YubiKey from off their key ring to do so.

The passwordless future hasn’t entirely arrived, though. Companies like Mozilla, Google, and Microsoft are still working on implementing the FIDO2 standard, so while you will one day be able to use passwordless logins for things like Chrome and Firefox, that’s not the case yet—you still can only use it for two-factor authentication, using the key in conjunction with a password. And passwordless doesn't mean you won't have to remember any information to log in. Even when you can use the key alone in place of a password, you will likely still want to use a PIN with it, just as you use one with your debit card.

YubiKey isn’t the only security key available. Google makes its own key, called Titan, though it doesn't yet support the new FIDO2 standard. There’s also an open-source version in the works called Solo. As a security measure, these keys have been shown to be very effective. Google, for one, began requiring all of its employees to use security keys in 2017, and it hasn’t fallen prey to any phishing attacks since then.

If you have a tendency to lose things, you might worry about tying all of your existing online accounts to a piece of hardware that you might lose at any moment. There are a few ways to get around that very plausible occurrence, though. Most rely on the particular service you’re using the key to access, so if you lose the device, you’ll have to go through and disable your YubiKey authentication for any application you have linked it to. You may have to go through the steps you would normally take to reset your password, essentially, using another form of two-factor authentication like SMS. LastPass, for instance, offers a way to disable your YubiKey authentication if you lose your key. Some services allow you to register multiple authentication keys, too, so you could also buy and register a back-up key to use if your primary one goes missing. Being a little forgetful about your belongings is no excuse for poor security, in other words.

[h/t Wired]