Yubico FIDO U2F Security Key is a USB device that uses the FIDO U2F protocol. It will work with websites that support the FIDO U2F protocol like Facebook, Google, Google Apps, GitHub, BitBucket, and Dropbox.
FIDO Alliance, or just FIDO, in short, is an open authentication industry consortium.
U2F stands for Universal 2nd Factor. It is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices based on similar security technology found in smart cards (Source: Wikipedia).
Yubico sells their FIDO U2F Security Key on Amazon for US$17.99 (S$29). It does ship to Singapore directly for an additional US$5.05 (S$8) in shipping fee.
On Yubico website, the FIDO U2F Security Key is retailing for US$18 and shipping is an additional US$5. It is US$0.04 cheaper than Amazon.
The security key weighs 3g, is crush-resistant and waterproof. There is also a hole for you to attach it to your keychain.
It identifies itself as a USB Human Interface Device (HID) device which is a standard on all computers (Windows, Mac OS, and Linux). You do not need to install any software or drivers on the computer.
Google Internet Safety
As part of Google Internet Safety initiative, Google sometimes give away the Yubico FIDO U2F Security Key.
Thanks to Lucian from Google’s Trust and Safety team for passing me the Yubico FIDO U2F Security Key.
The previous pictures of the Yubico FIDO U2F Security Key are taken when I bought it from Amazon for my brother. The packaging contents differ slightly.
Using it with Google
I am already using 2FA for my Google account since 2012. You can head over to myaccount.google.com/signinoptions/two-step-verification to get yours setup if you haven’t done so.
Google supports Google Prompt, security key, authenticator app and voice/text messages as your Two-Factor Authentication (2FA).
Google Prompt is Google’s new 2FA option which was launched last year (2016). Google Prompt as the name sounds, sends a prompt to your phone. The prompt will ask if you’re trying to sign in and you just have to tap “Yes” or “No”. For iOS users, you need install the Google iOS App. For Android users, it should be automatically available to you if you are using Google Play store.
Authenticator apps are a type of app you can install on your mobile phone that generates a token based on Time-based One-time Password Algorithm (TOTP) or HMAC-based One-time Password Algorithm (HOTP). The token is then used for your 2FA login.
Personally, I am using Authy (iOS | Android) as my authenticator app. You can also use Google Authenticator (iOS | Android) or Microsoft Authenticator (iOS | Android). If you are using 1Password, it also supports one-time password.
Google has been supporting physical USB security key as a 2FA option since 2014. To setup a security key like a Yubico FIDO U2F Security Key on your Google account, go to:
2-step Verification > Set up alternative second step > Security Key
Note that both security key and Google Prompt cannot be activated for the same Google Account. I am not too sure why is there such a limitation. So you have to choose a different type of 2FA such as an authenticator app or voice/text messages in order to use the security key as your alternative 2FA.
In layman terms, Yubico FIDO U2F Security Key is a hardware 2FA USB device that you have to physically plug into a computer when logging in to websites that support the FIDO U2F protocol.
After entering your username and password on the login page, you will be prompted to insert the security key into a USB port and press the button on it. That’s it. You do not need to key in any 2FA token or SMS verification code anymore.
If you are logging in to those sites using your mobile phone, you still have to use an authenticator app or voice/text message as your 2FA.