Why I added Yubikey support to most of the websites I work with

Yubikeys are small USB devices that add a strong second factor to your website or computer. The concept is simple but might seem a little foreign at first:

  1. The user navigates to your site
  2. They click on login
  3. They enter their username and password (and maybe click on "I am not a robot" too)
  4. Once they submit and the credentials check out, they are presented with another screen asking them to "tap" their Yubikey
  5. The user plugs the Yubikey into their computer and taps the button on the key, which logs them in on the website

The Yubikey acts as a physical key and without it you can't actually log in. The interesting thing is that the Yubikey presents itself to the computer as a USB keyboard. The moment you tap the button, it types a long string of characters. This is what I just got when I tapped my Yubikey:

cccXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I replaced most of the characters with an X to hide the code, but hopefully you can see that pressing the Yubikey button produces a long string of characters. That string is a one-time password (OTP), 44 characters long: the first 12 characters are the key's public ID (which is why it starts with "cc"), and the remaining 32 are an AES-encrypted block containing the key's secret ID and a counter, written in Yubico's "ModHex" alphabet so it types correctly on any keyboard layout. Your server (or Yubico's validation service) decrypts the block, checks that the counter has moved forward since the last code it accepted, and that is the second factor that authenticates you.

This is very hard to bypass, because each code is single-use: the counter inside it makes a captured code worthless once the legitimate one has been accepted, and without the key's AES secret nobody can forge a new one. It is not strictly impossible, though: a phishing page that relays the code to the real site before you use it still gets in, which is the gap the FIDO2/WebAuthn mode of newer Yubikeys closes by binding the response to the site's origin. That is why it was added to most of the sites I work with and is required for all admin users. Some admins even go one step further and add normal two-factor authentication with Google Authenticator on top of the Yubikey, which means after they pass the Yubikey step they also have to type in their Authenticator code. This is a bit overkill, but I guess one can never be too safe!

Things to keep in mind:

  • If you need to buy a Yubikey, you can check out this company.
  • It is recommended to have two Yubikeys per user in case one is broken or lost. Enroll the backup key's public ID on every site at the same time as the primary, then keep the backup in your safe.
