Yubico, a company that sells physical security keys for two-factor authentication, today announced the launch of the new YubiKey 5C NFC, pairing USB-C and NFC support in a single device.
According to Yubico, the YubiKey 5C NFC is the first multi-protocol security key that supports smart cards. With the NFC integration, the YubiKey 5C NFC features tap-and-go authentication that works with all major browsers and operating systems, plus it continues to offer a physical USB-C connector.
Like other devices in the YubiKey lineup, the YubiKey 5C NFC is a hardware-based two-factor authentication dongle that is designed to work with hundreds of services to make logins more secure. It's more convenient than software-based two-factor authentication because you don't need a security code. Just connect it to a USB-C device or tap it on an NFC-compatible iPhone to authenticate.
"The way that people work and go online is vastly different today than it was a few years ago, and especially within the last several months," said Guido Appenzeller, Chief Product Officer, Yubico. "Users are no longer tied to just one device or service, nor do they want to be. That's why the YubiKey 5C NFC is one of our most sought-after security keys -- it's compatible with a majority of modern-day computers and mobile phones and works well across a range of legacy and modern applications. At the end of the day, our customers crave security that 'just works' no matter what."
YubiKey 5C NFC is compatible with common password management apps like 1Password and LastPass, and it also works on the web. It supports multiple authentication protocols such as FIDO2 and WebAuthn, FIDO U2F, PIV (smart card), OATH-HOTP and OATH-TOTP (hash-based and time-based one-time passwords), OpenPGP, YubiOTP, and challenge-response, so a single key can work with multiple services and applications.
We used Yubikeys in our org up through last year. They’re $50+ per piece. Our security team doesn’t allow us to deprovision/reprovision them for a 2nd use once they’ve been issued to the first departing employee because they could then contain malware and be compromised- even after following Yubi’s procedures to scrub them.
Needless to say, we don’t use them anymore because if you can’t safely repurpose an IT asset during its service life, it’s a showstopper.
If whatever you're trying to protect isn't worth 50 USD per employee why bother with the yubikeys in the first place? In most organisations I've worked getting a new employee hired, onboarded and trained up is costed in thousands of dollars at a minimum, 50 USD is insignificant compared to that cost, and items under 75 USD aren't tracked on our asset register.
We used Yubikeys in our org up through last year. They’re $50+ per piece. Our security team doesn’t allow us to deprovision/reprovision them for a 2nd use once they’ve been issued to the first departing employee because they could then contain malware and be compromised- even after following Yubi’s procedures to scrub them.
Needless to say, we don’t use them anymore because if you can’t safely repurpose an IT asset during its service life, it’s a showstopper.
Then I have to say as a fellow tinfoil-hat wearer that your security team is really not smart, or really doesn't understand the YubiKey.
It is not possible* for someone to alter the code on a YubiKey once it has been programmed and sealed at the factory.
To me this would be a whistleblower moment for higher-ups. They are throwing away both a massive capital investment, and quite literally (when used properly) the best tool they have against both phishing and lateral movement in their network, because they fail to adequately understand what they are working with and do a proper risk assessment.
Stories like this anger me so much. We need the best security we can possibly get, especially in an age where so many peoples' personal data is being collected and stored. But no, instead of asking the right questions, doing proper research, and doing a proper risk analysis, we're going to use something inferior.
(*as with anything else, yes, I'm sure it's possible somehow, but 1. not by persons of ordinary means and 2. not without physical destruction of the device or other evidence of tampering. Your security team is flushing value down the toilet over the smallest possible chance of compromise.)
I tell people that I use the last 6 digits of pi. With the people I used to hang around with, that usually got a few chuckles, and a puzzled look for whomever I was telling it to. So anyway...
Wednesday April 21, 2021 12:43 am PDT by Tim Hardwick
Apple's AirTag tracking devices can be identified by Android phones when they're in Lost Mode, according to a new support document published by Apple.
Announced on Tuesday, Apple's new AirTag item trackers let you easily track things like your keys, wallet, purse, backpack, luggage, and more. They work using an ultra-wideband U1 chip to keep in touch with the Find My network. However,...
Nomad today announced the launch of the Base Station Mini, a new single-device charging option that's designed to power an iPhone, AirPods, or other Qi-enabled device.
Designed to take up little space, Nomad says that the Base Station Mini is ideal for a night stand or desk. It's square shaped and not too much bigger than the AirPods, so it's useful for those who want a simple, space-saving...
Satechi, known for its lineup of accessories designed for Apple's Macs, today announced the launch of the USB-C On-the-Go Multiport Adapter that's compatible with the Mac lineup and the iPad Air and iPad Pro.
With the USB-C On-the-Go Multiport Adapter, Satechi aimed to fit in as many ports as possible into a package that's still portable. It includes a built-in USB-C PD charging port that...
AgileBits has released a version of 1Password for web browsers that brings Touch ID integration to the popular password management service.
The addition of support for biometric authentication means that if 1Password is locked and you have the desktop app installed, you can use the Touch ID ring that comes with Apple's latest MacBooks and Magic Keyboards to unlock your passwords.
The...
Popular Mac accessory makers CalDigit and OWC have today announced new all-in-one Thunderbolt 4 and USB 4 cables, promising maximum data and power transfer over a single cable, as well as full compatibility with older USB devices.
Thunderbolt 4 and USB 4 is the latest connectivity specification present in the newest Macs and high-end external hardware, offering performance up to 40Gb/s,...
The AirTag's built-in NFC coil can be used by the Apple Shortcuts app to trigger automations, it has been found.
The functionality, noticed by iCulture, allows users to trigger Shortcuts by simply tapping the top of their iPhone on the white plastic side of the AirTag. As Shortcuts are completely user-configurable, and can be used to initiate an almost infinite number of actions, the fact...
Apple's upcoming MacBook Pro models are expected to feature a number of major changes such as larger display options and powerful new Apple silicon chips. Among the more surprising updates to this year's MacBook Pro models is the return of three ports that have been missing from the machines for over five years.
Expected to come in 14- and 16-inch sizes, the 2021 MacBook Pro models are...
The Connectivity Standards Alliance, which includes major tech companies like Apple, Amazon, and Google, today announced the launch of "Matter," a new interoperable, secure connectivity standard designed for smart home devices.
Formerly known as "Project CHIP," Matter is a unified IP-based connectivity protocol that will be used to build and connect Internet of Things ecosystems. It is...
Apple will retain the Lightning connector on the iPhone for the "foreseeable future," with no intention of switching to USB-C, according to reliable analyst Ming-Chi Kuo.
In spite of much of the industry moving toward USB-C, Apple will not be using it to replace the Lightning connector on the iPhone 13, or indeed on any iPhone model for the time being. In a note seen by MacRumors yesterday,...
Friday February 26, 2021 4:49 am PST by Tim Hardwick
The Netherlands Authority for Consumers and Markets, or ACM for short, is reportedly nearing a draft decision in its investigation into Apple over rules that require developers to use its in-app payment system, which charges commissions of between 15% and 30%.
According to Reuters, the ACM revealed that the draft decision was nearing completion in letters sent this month to some of the...
Top Rated Comments
Did you find something that's better/cheaper?
It is not possible* for someone to alter the code on a YubiKey once it has been programmed and sealed at the factory.
To me this would be a whistleblower moment for higher-ups. They are throwing away both a massive capital investment, and quite literally (when used properly) the best tool they have against both phishing and lateral movement in their network, because they fail to adequately understand what they are working with and do a proper risk assessment.
Stories like this anger me so much. We need the best security we can possibly get, especially in an age where so many peoples' personal data is being collected and stored. But no, instead of asking the right questions, doing proper research, and doing a proper risk analysis, we're going to use something inferior.
(*as with anything else, yes, I'm sure it's possible somehow, but 1. not by persons of ordinary means and 2. not without physical destruction of the device or other evidence of tampering. Your security team is flushing value down the toilet over the smallest possible chance of compromise.)