Science Focus - the home of BBC Science Focus Magazine
YubiKey 5 Series

YubiKey 5 Series: tap this way for 2FA

Published: 26th November, 2018 at 08:00
Subscribe to BBC Science Focus Magazine and get 6 issues for just £9.99

Two-factor authentication (2FA) is the latest tech keeping snoopers locked out of your online identity - we test out one way to keep your data secure.

What is that? This, my soon-to-be online-security-savvy friend, is a YubiKey, a two-factor authentication key.


So not a USB key? No, while it shares the same look and feel as USB storage, this has zero capacity for holiday snaps. What it can do though, is help keep those pictures safely under wraps, away from the prying eyes of anybody who wants to hack their way into your online accounts and see those embarrassing pictures of you sunburnt on the beach in Tenerife.

Yes, perhaps it would be best those never saw the light of day. So how does it work, and what is two-factor authentication anyway? Good question, let’s cover the second part first. You might have noticed at some point in your perusals of the internet that you do, occasionally, have to enter the odd password or two.

Can’t say that has escaped me, no. Exactly. There are many, many places that you have to enter a password, but how many of them do you have a unique password for? In fact, how many of those passwords are 123456?

Erm, not many… You’re not alone. A cyber-attack on the software company Adobe in 2013 revealed that nearly 2 million users had the password 123456, with the next two most popular passwords in the hack being 123456789 and password – makes you wonder how we managed to survive this long as a species.

As you can probably guess, it doesn’t take the smartest of hackers or computer algorithms to crack passwords like this. And don’t go thinking that passwords like iL0v3Y0u are any better, replacing 0 for O or a for @ are easy substitutions that anyone looking to gain control of your account can spot easily – in fact, the security guru who suggested doing this has since regretted giving this advice.

So when deciding on the best password, the advice set out by the National Cyber Security Centre is to pick three random words, making it easier to remember for you and harder for hackers to crack.

The YubiKey is no sweat to carry around, as demonstrated in the hands of BBC Focus picture editor James Cutmore's hand
The YubiKey is no sweat to carry around, as demonstrated in the hands of BBC Focus picture editor James Cutmore's hand

Still, about that key? Yes, this is the second part to protecting your online accounts. Two-factor Authentication (shortened to 2FA, but can also be known as multi-factor authentication) is like a second wall of protection behind your password, which makes sure that you are physically there when you are typing it in.

For example, a website might require you to enter a password, and then it’ll send a code to your mobile phone which you have to enter as well, or an app on your phone will ask to scan your fingerprint. This second step ensures you’re the one physically typing and not some mysterious bot on a server in the jungle - and that’s where YubiKey comes in.

To put it simply, when you are inputting your password, YubiKey requires you to push a button on the back of it, which verifies that it is actually you trying to gain access.

Sounds almost too simple. It does, but in fact there is a fierce amount of encryption and security smarts going on in there. The current version of the tiny USB device is the YubiKey 5 Series, which the clever bods who make it inform me “supports FIDO2, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response, in on device, over both USB-A and NFC (keychain design), as well as in USB-C form factors.”

And in plain English? Basically, anywhere that you need secure access to information on a computer, it’ll add an extra layer of protection. Sites like Facebook or Google can both be protected, you can use it to login to your computer, or add an extra layer of security to your password managers. And yes, it’ll lock snoopers out of your Dropbox and keep those holiday snaps safe.

Phew! So what is it like to use? Well that depends on how you plan on using it. Being small and key-like, they fit quite handily on your keyring, and it’s a rugged little thing that is unlikely to break or freak out at a splash of water.

I hooked mine up to my LastPass account (a password manager that stores all your unique passwords in one place), which means that whenever I switched on my computer and opened a browser for the first time, a tab opened asking me to push the button on the YubiKey. Once that was done, it essentially said to LastPass “Hey, this guy is good, bring forth the passwords”.

The YubiKey also has NFC, so you can authenticate passwords on your smartphone by tapping the two together, although given I have a fingerprint scanner on the back of my Google Pixel XL, my finger was, well, handier than pulling out my keyring.

Hurrah, it’s an end to annoying passwords! Not really, it’s still advisable to have a properly secure password, but at least you’ll be safe in the knowledge that whatever it is, you’ll have another layer of protection between the outside world and your embarrassing holiday photos.

Hang on, how do you even know about them?!? Oh is that the time? Must dash…

Technical specs
  • The older YubiKey 4 is available on Amazon UK, £36.50, but the newly launched YubiKey 5 is available from and costs around £44.00.
  • Multi-protocol support; FIDO2, U2F, Smart card, OTP
  • Waterproof and crush resistant


Follow Science Focus on TwitterFacebook, Instagram and Flipboard


Alexander McNamaraOnline Editor, BBC Science Focus

Alexander is the former Online Editor at BBC Science Focus.


Sponsored content