Top positive review
8 people found this helpful
A great multi-factor device for power users
By Austin Seipp, reviewed in the United States on July 21, 2016
An excellent multi-factor authentication token. As a programmer, it supports everything I need: HOTP, Yubico OTP, U2F, static passwords, OpenPGP smartcard support, and the most recent version of the Yubikey 4 with the 4.3.1 firmware even supports attestation features for cryptographic signatures, etc. It also supports TOTP, but due to the lack of a clock on the device, you must synchronize the clock through a separate authenticator application. There is no iOS version of this authenticator, but desktop and Android versions exist. It's otherwise standard TOTP RFC compliant, much like Google Authenticator. Note that this model does not support NFC (and the Yubikey with NFC support doesn't have all the Y4 features, either). So, make your choices wisely.

If you are a programmer and want to add 2FA to your applications, the Yubico OTP option is an excellent choice, even if non-standard. All Yubikeys are preconfigured by default to use a Yubico OTP configuration in their default slot, and these are registered when they ship you the device. This makes initial rollout dramatically simpler. The Yubico OTP API is also very easy to use for the most part, and you can even run the authentication servers on your own (if you buy a compatible TPM module like the YubiHSM). I integrated Yubico OTP into one of my applications in an hour or so, and the net effect is anyone can plug in a newly bought Yubikey, right out of the box, and add 2FA to their device in seconds, without QR codes or smartphones.

The addition of U2F is nice. Unfortunately it is only supported by Chrome at the moment, or Firefox with a third-party extension. I'm a Chrome user mostly, but I still find this particular bit somewhat disappointing - it's somewhat of a minor amount of lock-in. If you're using U2F, I strongly suggest also making sure you support regular TOTP or Yubico authentication as a backup for any users, of course, who want to migrate. Hopefully Mozilla, Microsoft and Apple will follow through with U2F support in time.

As a programmer, in particular, having a stable smartcard-compatible device to manage GPG and SSH keys is also extremely powerful, but I admit I have not taken the plunge yet. This requires GnuPG 2.1 at minimum for the most recent features, like ECC support. These devices also do not support every signing or cryptographic protocol, obviously. From what I can tell: if you're using 2k/4k RSA keys, then you're good for PIV/attestation, GPG and SSH support. If you'd like to use ECC, you will have to settle on ECDSA via NIST P-256 or NIST P-384 for your GPG and SSH keys. Finally, if you want ECC for PIV/attestation, you *only* get secp256r1 or secp384r1. If you're like me and have ed25519 keys, you're totally out of luck. However, overall this is an excellent product, and I highly recommend it. Having used a previous Gen2 Yubikey for years, they are near indestructible, cheap, easily provisionable, and have good management software.
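The review above notes that the token has no clock, so for TOTP the host application must supply the time and the device only does the keyed hashing. The following is an added, constructed model of that host/token split (not Yubico's applet or API, and not code from the reviewer): the `OathToken` class stands in for the hardware and holds the secret, the host derives the RFC 6238 time counter and performs the RFC 4226 truncation, and the server side accepts one step of clock skew in either direction.

```python
import hashlib
import hmac
import struct
import time


class OathToken:
    """Stand-in for the hardware token: it keeps the secret and has no clock.
    All it can do is return HMAC(secret, challenge) for a host-supplied challenge."""

    def __init__(self, secret: bytes, algo=hashlib.sha1):
        self._secret = secret
        self._algo = algo

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, self._algo).digest()


def truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226 section 5.3: low nibble of the last
    byte selects a 4-byte window, mask the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(token: OathToken, counter: int, digits: int = 6) -> str:
    # The host packs the 8-byte big-endian counter; the token never sees a clock.
    return truncate(token.respond(struct.pack(">Q", counter)), digits)


def totp(token: OathToken, now: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the moving factor is the number of elapsed time steps.
    return hotp(token, now // step, digits)


def verify_totp(token: OathToken, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of skew between the
    host that fed the token its time and the verifying server."""
    for off in range(-window, window + 1):
        expected = totp(token, now + off * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226/6238 test secret), not a real key.
    tok = OathToken(b"12345678901234567890")
    now = int(time.time())
    print("current TOTP:", totp(tok, now), "valid:", verify_totp(tok, totp(tok, now), now))
```

Because the secret is only ever used inside `OathToken.respond`, the same host code works unchanged whether the secret lives in a software object or in a token that answers the challenge over USB.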
Top critical review
50 people found this helpful
Disappointing thus far
By Stefan, reviewed in the United States on December 29, 2017
My initial thoughts on the Yubikey... As a background, I am a cyber security engineer. I know my way around smart cards. And I work with crypto stuff. I might not be the world's foremost expert on this, however I know a thing or two about a thing or two.

* I bought this so I could manage a large variety of identities (and provide more secure key management). It seems it can only handle two "Slots". Due to poor documentation I am still not sure what a slot is. However I assume it means you can, for example, only have 2 PGP key pairs on it. I have two separate PGP keypairs I wanted to use with this, in addition to my keepass database, some web stuff, and authentication to Windows/Linux machines -- or at least that was my theory. I am not sure how much of this the Yubikey can simultaneously handle (due to poor documentation it isn't readily apparent to me). Further, I'm not sure why they would arbitrarily limit you to 2 slots. It is 2017 -- memory is cheap.
* The documentation is abysmal. I have now spent ~4 hours and am thoroughly confused by the Yubikey's capabilities and documentation.
* For example, the different modes they keep talking about: Yubico OTP, OATH-HOTP, Static Password, and Challenge-Response. The documentation mentions them many times. I know what the terms mean. But their documentation fails to specify the significance of them or what the implications are of choosing one over the other. You know, basic stuff that could be explained in like a sentence or two.
* Along those lines, the UI is also awful. There are a bunch of random buttons that are really obscure in their meaning.
* For example, "YubiKey(s) unprotected -- Keep it that way" is an option in the GUI. I have no idea what that means. And I haven't been able to find an explanation of what it means in the PDF I am reading about the personalization tool (even though they reference "YubiKey(s) unprotected -- Keep it that way" several times in this PDF).
* Others have mentioned this; however, you should buy 2 of these since they do not have an account recovery function. That is, if the Yubikey is lost or malfunctions, you will not be able to access your account/data -- naturally this raises the question of how to protect the second Yubikey. I own a safe which is probably good enough. This is not by any stretch of the imagination a problem unique to the Yubikey.
* The personalization tool is not optimized for 4k screen resolution. Fonts are tiny on a 4k screen!
* I think I also locked my Yubikey with 3 incorrect PIN entries, even though I typed in the default "12345678" PIN. Not sure how to change the PIN because the GUI is confusing. I'm also not sure how to do a factory reset. The docs mention that I will need to do a factory reset unless I had set a PUK (which I hadn't because I don't know how to do that), and promptly fail to mention how to do a factory reset. Fortunately I have nothing important on the Yubikey as of yet.
* Customer support was unintelligible in their email to me. I asked where I could find PGP signatures for their software on their website. They responded with a link to a page with no signatures and I still have not been able to make sense of what his 1-sentence response means.

Overall -- I think Yubico needs to figure out what they are doing. This is *not* consumer grade electronics (even though they market it as such) and it is *not* documented sufficiently for an enterprise deployment. I'm sure it is a great tool -- I'll give it another try another day when I am not ticked off by their incompetence.