Yubico, a company that makes physical security keys for two-factor authentication, today announced the launch of its Lightning-based YubiKey device that's designed to work with Apple's iPhones and iPads.
Yubico has long offered USB-A, USB-C, and NFC-based YubiKey options for PCs, Macs, and mobile devices, but this is the first time that a Lightning-based accessory has been made available.
/article-new/2019/08/yubico4-800x533.jpg?lossy)
For those unfamiliar with YubiKey, it is a hardware-based two-factor authentication device designed to work with hundreds of services to make your logins more secure. It's often more convenient than software-based two-factor authentication because there's no need to enter a security code - just connect it and tap to authenticate.
The new YubiKey 5Ci, which was first introduced in January at CES, features a Lightning port at one end and a USB-C port at the other end, so it works with Apple's latest iOS devices and Macs, with the exception of the iPad Pro, as it is not compatible with the USB-C side at the current time.
/article-new/2019/08/yubico1-800x533.jpg?lossy)
With the YubiKey 5Ci, users can lock down their 1Password, Bitwarden Idaptive, LastPass, and Okta apps with hardware authentication. At the current time, it also works with the Brave browser for iOS, authenticating logins from sites like Twitter, Login.gov, GitHub, Bitbucket, 1Password, and others.
/article-new/2019/08/yubico3-800x533.jpg?lossy)
With the 1Password app, for example, you can set up two-factor authentication using the YubiKey to add an additional layer of protection for your 1Password account. This will require both your master password and your physical YubiKey to unlock your vault, with the app instructing you to plug in the YubiKey and touch the side button to confirm.
At the current time, the YubiKey 5Ci for iOS devices does not work with other apps or browsers as app developers and browser creators need to build in support. Yubico says that it is working with other developers through its Yubico Developer Program.
The USB-C side of the YubiKey works with USB-C Windows and Mac machines, and it is compatible with dozens of websites and services, with a list available on the Yubico website.
/article-new/2019/08/yubico2-800x533.jpg?lossy)
Like other YubiKey options in the 5 series, the YubiKey 5Ci supports multiple authentication protocols, including IDO2/WebAuthn, FIDO U2F, OTP (one-time password), PIV (Smart Card), and OpenPGP.
Those interested in the YubiKey 5Ci can purchase it for $70 from the Yubico website starting today.
Note: MacRumors is an affiliate partner with Yubico. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running.
Top Rated Comments
I like the idea but wonder how many people need this level of protection. But my biggest complaint is that there seems to be no protection for the connectors. Damage one pin and you're locked out. Maybe a case would be appropriate.
The USB ones hold up pretty well. I was concerned too but I've had mine on my keychain for a year now and it works fantastically. Lightening pins? We'll see, I guess. USB-C side, not too much of a worry. They already make one of those and I haven't heard anybody complaining about it holding up to being on your keychain full time.[doublepost=1566322737][/doublepost]
What if you lose the key?
I think it's a bit unfortunate that YubiCo doesn't do a better job at explaining that most people should buy two devices. One as your primary and one as your backup. Most sites will let you register multiple keys so you can lose or destroy one key and use your backup.That said, sites like Twitter only allow you to use one key so it's pointless because if you lost your key or it was damaged, you would be locked out of your Twitter account.
Personally, I have 3 devices and will probably buy one of these. I have two of the YubiKey5 and one YubiKey4 that I got from Wired.
I keep one at home near my computer in case I need it, one in my wallet, and one on my keychain. I use the keychain 99% of the time. The wallet is mostly an emergency backup and the one at home is when I'm too lazy to go in the other room and get my keychain :-)
Overall, my biggest complaint about the whole Yubikey security strategy is that more sites don't use it.
It's frustrating that none of my banks or brokerage firms support it. Most still use SMS, which is famously flawed.
Maybe it comes with one. But I don't think I'd leave it on my keychain. It just looks too fragile.
It's not about the security on your phone, it's about the security of your accounts. This particular product integrates with Apple's lightening connector but the idea is that in order to log into any of your accounts, you have to have a physical device (i.e. the Yubi key).[doublepost=1566315344][/doublepost]
This seems designed for people who need the highest level of security on their phones. Like the CIA. I trust Apple's system well enough.
When I log into Gmail, I have to have they key. When I log into login.gov (where they have tons of sensitive info about users), you have to have the key.
You might even think about it as being a physical form of being sent a verification code. But instead of waiting for a text message or push notification, you insert your key, click the button, and you're verified.