Are YubiKeys the most secure form of multi-factor authentication (MFA)?

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a method of authentication that requires two or more factors of authentication before user access is granted. Usually, this refers to authenticated access to online portals.

Before we can answer the question of whether YubiKeys are the most secure form of multi-factor authentication, we first have to look at the MFA options available in the market.

The 5 most-used multi-factor authentication (MFA) methods

1. Hardware one-time password (OTP) tokens

One-time password (OTP) tokens are hardware devices that generate one-off codes from a cryptographic key stored inside the device. The authentication server holds a copy of the same key, so it can compute the same OTP and verify that the value entered by the user is correct.

User interfaces (UIs) differ, but generally they include either a physical token that shows an OTP on a built-in screen, or a device with a keypad which requires the user to enter an access code before the OTP is displayed.

Common issues:

• This method offers a rather poor user experience (UX), as relying on a separate physical device limits the ability to verify one's identity on the go, something much needed in today's always-on world.
• Maintenance and operating costs are a challenge, because businesses need many hands on deck to handle support questions and a decent budget to ensure consistent maintenance.
• Tokens are at risk of theft, and a stolen token can easily be used by an impersonator.

2. Standalone OTP mobile apps

In short, these are authenticator applications that generate OTPs on the user's smartphone.

Common issues:

• Poor user experience (UX), as users are forced to switch between applications to verify their identity, and they lose access when something happens to their smartphone. These apps also do not offer a secure backup option.
• Businesses that rely on third-party applications may struggle to get the appropriate support.
• There is also scope for malicious applications to intercept generated OTPs and use them to impersonate users.

3. Soft token Software Development Kits (SDKs)

This is software that can be embedded into mobile apps. Its cryptographic functions allow it to verify both the user and the device. With no need to switch between apps, these solutions generally provide a smoother user experience. Plus, a great security advantage is that you don't have to rely on a separate hardware device. Another benefit is that soft token SDKs support advanced cryptography, for example digital signatures.

Common issues:

• You still run the risk of losing access when you lose or upgrade your phone, and there are no secure backup options.
• Businesses that rely on third-party apps may also struggle to get the support they need.

4. SMS-based OTPs

This is a user-friendly method that does not require users to install any app. Instead, a one-time password is sent by SMS to the user's registered phone number, and entering that code authenticates them.

Common issues:

• These OTPs are usually only valid for a limited time, so delayed delivery due to bad reception or mobile carrier issues can cause problems for users.
• They are vulnerable to SIM-swapping attacks, malware on the phone, and interception via the SS7 signalling network.

5. Smart cards and cryptographic hardware tokens

These are physical devices with cryptographic capabilities, encased to provide proper physical protection of the keys inside. You can use one in the same way a Windows smart card is used to log in to your PC, and you can also use it to digitally sign transactions, proving that the verified user is indeed the person authorised for that transaction. Some smart cards are contactless, while cryptographic hardware tokens typically connect via USB. There are also smart cards that need a dedicated reader.

Why is a YubiKey better than other MFA methods?

Firstly, there is the convenience that YubiKeys (and similar devices) offer. Most SMS, email, and authenticator-app methods require you to copy and paste a code, or to type in the code you received by hand. With the YubiKey, it is as simple as pressing the button on the device.

With most two-step verification methods you get a six-digit code to confirm your identity. Because you are not expected to type anything manually when you use a YubiKey, much longer codes can be generated for added security.

When you get a new computer, migrating is easy: all you need to do is plug the YubiKey into the new device. You also have the option of using one key to log in to your account on multiple computers, a much simpler process than other two-factor verification methods.

It is also very difficult, bordering on impossible, to hack a YubiKey, whereas it is not that difficult for attackers to compromise your email or smartphone (SMS). With current technology, it is nearly impossible to forge codes that match the ones generated by the unique hardware device.
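The reason a security key's response cannot usefully be copied or forged, unlike a six-digit code, is that the key does not emit a standalone code at all: it answers a fresh random challenge from the server with a signature that also covers the identity of the site the browser is talking to and a press-counter. The following is an added illustration, not code from the original article or from Yubico, of that FIDO/WebAuthn-style exchange with both sides shown. `RP_ID`, `ORIGIN`, `DEMO_CREDENTIAL_KEY` and all class and function names are assumptions of this example, and HMAC over a shared demo key stands in for the public-key signature a real key produces (the Python standard library has no ECDSA); the structure of what is signed and checked follows the WebAuthn assertion layout.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed demo values. A real key generates a per-site private key at registration and the
# site stores only the matching public key; HMAC with a shared demo key stands in for that
# signature here because the standard library has no ECDSA.
RP_ID = "example.com"                                  # assumed relying-party identifier
ORIGIN = "https://example.com"                         # assumed web origin of the genuine site
DEMO_CREDENTIAL_KEY = b"constructed-demo-credential-key"


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class SecurityKey:
    """Simulated authenticator: signs (rpIdHash || flags || counter || SHA-256(clientData))."""

    def __init__(self, credential_key: bytes):
        self._key = credential_key
        self.counter = 0            # signature counter, incremented on every button press

    def get_assertion(self, rp_id: str, challenge: bytes, origin: str) -> dict:
        # The browser builds clientData and fills in the origin it is actually showing;
        # the user never types anything, so there is no code to copy elsewhere.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True).encode()
        self.counter += 1
        flags = b"\x01"             # bit 0 = user present (the button press)
        auth_data = rp_id_hash(rp_id) + flags + struct.pack(">I", self.counter)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self._key, to_sign, hashlib.sha256).digest()
        return {"auth_data": auth_data, "client_data": client_data, "signature": signature}


class RelyingParty:
    """Server side: issues single-use challenges and checks every field before accepting."""

    def __init__(self, rp_id: str, origin: str, credential_key: bytes):
        self.rp_id, self.origin = rp_id, origin
        self._key = credential_key  # stand-in for the stored public key
        self.counter = 0            # highest signature counter seen so far
        self.pending = set()        # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> bool:
        client = json.loads(assertion["client_data"])
        challenge = bytes.fromhex(client["challenge"])
        if challenge not in self.pending or client["type"] != "webauthn.get":
            return False                                   # unknown or already-used challenge
        if client["origin"] != self.origin:
            return False                                   # signed for some other site: useless here
        auth_data = assertion["auth_data"]
        if auth_data[:32] != rp_id_hash(self.rp_id) or not (auth_data[32] & 0x01):
            return False                                   # wrong site binding or no user presence
        counter = struct.unpack(">I", auth_data[33:37])[0]
        if counter <= self.counter:
            return False                                   # replay, or a clone that restarted its counter
        expected = hmac.new(self._key, auth_data + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False                                   # forged or tampered
        self.pending.discard(challenge)                    # one challenge, one login
        self.counter = counter
        return True


def login(rp: RelyingParty, key: SecurityKey, origin_shown_by_browser: str) -> bool:
    """One full exchange: server challenge -> key assertion -> server verification."""
    challenge = rp.new_challenge()
    return rp.verify(key.get_assertion(rp.rp_id, challenge, origin_shown_by_browser))


if __name__ == "__main__":
    key = SecurityKey(DEMO_CREDENTIAL_KEY)
    rp = RelyingParty(RP_ID, ORIGIN, DEMO_CREDENTIAL_KEY)
    print("genuine site accepted:", login(rp, key, ORIGIN))
    print("other origin accepted:", login(rp, key, "https://not-example.com"))
```

The order of checks in `verify` is the defensive point: an assertion is only good for the one challenge it answers, only at the origin the browser recorded, only with a counter the server has not seen, and only with a valid signature. That is why nothing a user could read off the device and paste elsewhere, and nothing an email or SMS compromise exposes, is enough to log in with the key's credential.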

Conclusion:
The short answer to "Are YubiKeys the most secure form of MFA?" is yes, although combining authentication factors can boost your security further. Compared to other MFA methods, security keys make a great partner in helping you secure your online accounts and digital platform access.

Find out more about how you can set up your YubiKey.