What is a YubiKey? (& How to Use Them When USB Ports Are Blocked)
Want to improve the security of your accounts with hardware-based multi factor authentication (MFA)? Hardware tokens such as the YubiKey are excellent tools for protecting your accounts against unauthorized access.
In this article you will learn what YubiKeys are, why you should use them, and the best practices for getting started with YubiKeys. You will also learn how to use YubiKeys when USB ports are blocked in your network so you can reduce USB security risks without blocking hardware tokens.
What Are YubiKeys?
YubiKeys are hardware-based U2F security keys that are manufactured by Yubico. YubiKeys and other hardware tokens are used to secure accounts with multifactor authentication (MFA).
While MFA can be accomplished with other forms of authentication such as a One Time Password (OTP), FIDO-compliant tokens such as YubiKeys provide an added layer of security by requiring a user to have access to a unique physical device to authenticate.
Requiring physical access to a piece of hardware prevents attackers from remotely infiltrating accounts as they will need more than simply a username and password to gain access.
What is Universal 2nd Factor (FIDO U2F)?
“The core of U2F leverages public-key cryptography with the use of a hardware key that contains a secret and unique key that is built directly into the device. The requirement to shift authentication to include something the user has (vs simply something they know, such as a password or knowledge-based question) mitigates the risks associated with compromised credentials as the account remains inaccessible without the physical device.” – Paul Stamatiou
Universal 2nd Factor (FIDO U2F) is a form of asymmetric cryptographic authentication that is compatible with security keys. It leverages your web browser to verify if you are logging into the intended domain and rejects the authentication if it detects that the credentials are being used on an unintended site.
Authentication devices that meet the FIDO U2F standard protect your accounts against phishing, session hijacking, man in the middle, and malware attacks.
Why Should I Use a YubiKey?
Multifactor authentication (MFA) is critical for reducing opportunities for threat actors to breach accounts. For business use cases where highly sensitive data such as electronic health records (EHR) or personally identifiable information (PII) are concerned, the improved security of a hardware token such as a YubiKey is highly desirable.
Hardware authentication tokens are far more secure than other MFA methods like SMS messages or knowledge-based security questions. In fact, Google entirely neutralized phishing attacks when they had their 85,000+ employees migrate to using hardware security keys for MFA.
Despite the critical importance of hardening authentication security, a mere 28% of respondents surveyed by Duo in 2017 took advantage of the added layer of security provided by MFA.
Why Password Aren’t Good Enough
While passwords are ubiquitous, they simply aren’t sufficient when used alone.
- Shared Knowledge: Passwords need to be stored in a database. Unfortunately, as an end-user, there is no guarantee that the passwords are being stored securely and sufficiently obfuscated with a hash. Even when passwords are hashed they can potentially be cracked after the database is breached.
- Password Reuse: A shocking 44% of respondents in the 2020 LastPass Psychology of Passwords Report reuse the same password for multiple services despite knowing the risks. If a single service is ever compromised any other service that uses the same credentials is now vulnerable.
- Easily Breached: Usernames and passwords can be readily breached through simple phishing attacks, social engineering, poor security practices, and computer spy software with keystroke loggers.
Fortunately, general awareness about the risks of password-based authentication is spreading. Gartner predicts that by 2022 we can expect 60% of large and global enterprises and 90% of mid-size enterprises to implement passwordless methods in more than 50% of use cases.
Which YubiKey Should I Use?
Yubico offers a diverse range of hardware tokens, the prices of which vary from ~$25-70 USD per device.
Where the best practice is to have two YubiKeys per person to prevent being locked out of your accounts when a YubiKey is lost, the investment needed to get started can add up quickly.
Naturally, businesses ordering in bulk can reduce the cost per unit but it is an investment nonetheless. If you would like to use a YubiKey to protect your accounts, Yubico offers a convenient quiz to help you narrow down your options.
Yubico is not the only company that makes hardware tokens, either. Competitors such as Google’s Titan Security Key or Thetis’ FIDO U2F Security Key can be used to secure accounts as well.
Can I Use YubiKeys If USB Devices Are Blocked in My Network?
Yes, if you use AccessPatrol to block USB devices it will still allow YubiKeys to be used on your computers. YubiKeys are HID composite devices; AccessPatrol’s USB blocker will not interfere with your YubiKey deployment.
If you are using hardware tokens that identify themselves as USB devices, there are methods you can use to exempt them from AccessPatrol’s USB device control policies.
These methods will also allow you to:
- Disable USB removable devices except mouse and keyboard
- Block USBs except for smart card readers
- Disable USB only for mass storage devices
- Block all USB devices except specific company USB devices
- Disable USB for some users and allow them for others (such as IT admins)
“When connected to another computer, the YubiKey identifies itself as a composite USB device, depending on the number of functions active. When communicating with a PC or mobile platform, the YubiKey will identify itself as three devices: either a USB HID Keyboard (direct physical connection) or passive NFC NDEF Tag (NFC only); a CCID reader with a smart card inserted; and a HID FIDO Authenticator. Communication for various functions on the YubiKey will use one of the three channels.” – Yubico
Will AccessPatrol Block YubiKeys If USB Devices Are Blocked?
No, blocking USB storage devices with AccessPatrol should not interfere with hardware tokens such as the YubiKey. In the event that AccessPatrol restricts the use of hardware tokens, Personal Identity Verification (PIV) smart cards, or other devices you can easily exempt them using the Allow List.
AccessPatrol’s device control policies allow you to block portable storage hardware such as flash drives, external hard drives, and SD/MM cards without interfering with USB human interface devices (HIDs) such as hardware tokens, mice, and keyboards.
Based on how AccessPatrol is designed most hardware authentication devices should continue to function as normal when USB storage device permissions are set to “No Access” or “Read Only” in your AccessPatrol policies.
For more tutorials and information, visit the AccessPatrol knowledge base.
Devices That Can Be Controlled With AccessPatrol
| Device Class | Devices | Access Permissions |
| Storage Devices | USB | Full / Read only / No access |
| DVD /CD | Full / Read only / No access | |
| Floppy | Full / Read only / No access | |
| Tape | Full / Read only / No access | |
| External Hard drive | Full / Read only / No access | |
| Firewire | Full / Read only / No access | |
| SD Card | Full / Read only / No access | |
| MM Card | Full / Read only / No access | |
| Wireless Devices | Bluetooth | Full / No access |
| Infrared | Full / No access | |
| Wifi | Full / No access | |
| Communication Ports | Serial | Full / No access |
| Parallel | Full / No access | |
| Imaging Devices | Scanners | Full / No access |
| Cameras, Webcams & Others | Full / No access | |
| Others | Printers | Full / No access |
| USB Ethernet Adapter | Full / No access | |
| Sound Cards | Full / No access | |
| Portable Devices (iPhones, Mobiles) | Full / No access | |
| Network Share | Full / No access |
How to Allow Only Certain USB Devices
In the event that USB devices you would like to allow are being blocked by AccessPatrol you can use one of these two methods to exempt them from your USB security policies.
- Add the USB devices you would like to exempt to the Allow List, or;
- Temporarily override the blocked devices list with the Access Code Generator
For most use cases the Allow List will be your best option as it will ensure that any authorized users on your network will be able to use the exempted USB devices. The Access Code Generator is best used for special use-cases where you want to provide temporary time-limited access to peripheral devices.
1) Grant Ongoing Access to a Authorized USB Devices
With AccessPatrol’s Allowed List you can block all USB devices except specific company USB devices. If AccessPatrol is blocking USB devices that you would like to exempt from your USB security policy you can add them to the allowed list by following these steps.
- Connect the USB device you would like to whitelist to any computer that has a CurrentWare Client installed
- Open the CurrentWare Console
- Select the folder with the computers or users you would like to control
- Under the AccessPatrol tab, select Allowed List
- Click “Add From Available Devices”
- Choose a device from the Vendor ID, Serial Number and/or PNP Device ID lists
- Click on Add to Allowed List, then click OK
Device whitelisting is configured on a per-folder basis. Devices that are added to the allowed list will apply to any computers that are in the specified folder. AccessPatrol’s allowed list supports USBs, External Hard drives, Imaging devices, and portable devices.
Note: Allowing a device by serial number is fully compatible with Windows 10. For Windows 7 or 8, some newer models of USB devices may not support this feature. Instead of allowing by serial number, it will allow all devices from the same vendor and model.
2) Grant Temporary Access to USB Devices
AccessPatrol can grant temporary access to blocked devices using it’s Access Code Generator.
Authorized Operator accounts can use the access code generator to produce a single-use code that provides a specific user or computer with a set duration where devices will no longer be blocked by AccessPatrol.
The access code is unique to each computer/user that you generate for and the computers do not need to be connected to the internet to use it. So long as the CurrentWare client is installed on the employee’s computer they can be provided with temporary access to USB devices.
- Generate a temporary access code
- Open the CurrentWare Console
- Select the computers or users you would like to provide temporary USB device access to
- Click “Access Code Generator”
- Choose the expiration date and duration of the access code
- Click Generate to create a temporary access code
- Activate the temporary access code from the employee’s computer
- Have the employee open the Control Panel
- Set “View By” to large icons or small icons
- Click “Grant access to endpoint devices”
- Have the employee enter the temporary access code into the dialogue box, then click “Unlock”
How to Block Mass Storage Devices Without Blocking YubiKeys
If you would like to prevent your users from using USB ports for mass storage without blocking hardware authenticators, keyboards, mice, and other desired USB devices you can do that with AccessPatrol.
By default AccessPatrol distinguishes between USB storage devices and HID peripherals such as keyboards and mice; setting USB permissions to “Read Only” or “No Access” will block USB storage devices while allowing YubiKeys and other HID devices.
- Open the CurrentWare Console
- Select the computers or users you would like to control
- Under the AccessPatrol tab, select Device Blocking
- Under Storage Devices, select USB
- Under Access Permissions set the desired level of restriction (Full Access, Read Only, No Access)
- Click Apply and then click OK
After following these steps you will be blocking USB mass storage devices while still allowing YubiKeys, keyboards and mice to function.
FREE DOWNLOAD
Removable Media Policy Template
- Set data security standards for portable storage
- Define the acceptable use of removable media
- Inform your users about their security responsibilities
Get started today—Download the FREE template and customize it to fit the needs of your organization.
Can I Use a YubiKey For All of My Accounts?
“The YubiKey works with hundreds of enterprise, developer and consumer applications, out-of-the-box and with no client software. Combined with leading password managers, social login and enterprise single sign on systems the YubiKey enables secure access to millions of online services.” – Yubico.com
YubiKeys are compatible with a diverse range of services, though much like other hardware authenticators it is not universally supported. For the most up-to-date list of compatible accounts, check out the Works with YubiKey catalog.
You can also visit DongleAuth to find out what websites support One Time Passwords (OTP) or FIDO2 U2F/Web Authentication (WebAuthn).
Example: How to Secure Your Gmail Account With a YubiKey
If you would like an introduction to a practical use case for a YubiKey, this video tutorial from Tristan Bolton breaks down how you can lock down your Gmail account using a physical security token such as a YubiKeys.
Best Practices For Using YubiKeys
1) Set Up 2 YubiKeys In Case You Lose One
The key weak point with YubiKeys is that you can potentially be locked out of your accounts if your YubiKey is ever lost, damaged, or stolen. To mitigate against this you can register two YubiKeys for each of your accounts; keep one as your day-to-day YubiKey and store the other in a secure location such as a safety deposit box.
To make the transition from your primary YubiKey to your secondary YubiKey easier you should keep a secure list of all the websites that you’ve registered the YubiKey to. If you ever lose your primary YubiKey you’ll have a convenient reference of all of the accounts you need to update.
2) Disable Less Secure Authentication Options
A chain is only as strong as its weakest link. If you’re investing in a YubiKey or similar hardware authentication token you need to disable less secure MFA/2FA options to actually benefit from the enhanced security provided.
If you use a YubiKey on an account that also has less secure options such as SMS codes (which are susceptible to SIM Swapping attacks) or One-time Passwords (which can be phished), your overall security level will be that of the weakest MFA option you have enabled.
3) Keep Your Backup Codes in a Secure Location
After you add your desired MFA/2FA method to an account you will likely be presented with backup (recovery) codes that can only be used once.
These codes are designed as a backup authentication method to regain access to your account should you ever lose access to your YubiKey or authentication app.
To keep them secure your backup codes should be kept in a secure location such as an encrypted USB device or a hardened password manager. As an added layer of security you can store your encrypted USB device in a secure offsite location such as a safety deposit box.
4) Use YubiKeys With Your Password Manager
A password manager is an excellent way to prevent the reuse of passwords. These tools will help you generate unique and secure passwords that are stored within an encrypted application. The application itself is protected with a “master password” that is strong, easy to remember but hard to guess, and only ever used for the password manager.
To further protect your passwords you can require the use of your YubiKey to gain access to your password vault. This ensures that your password manager remains secure even if your master password is phished or captured by a computer spy software’s keylogger.
You may also consider storing your one-time passwords in your password manager, though you must ensure that the password manager you choose is secure; in the event that the service is breached or the company opts to maliciously reconfigure their service to capture passwords your accounts will be in danger.
5) Use Your YubiKey Wherever You Can
Any service that is compromised can be used to escalate an attack. Keeping all accounts as secure as possible will maximize the security posture of yourself and your organization.
The very first thing you should secure with your YubiKey is your email service provider as they will be the backup recovery method used by the majority of websites.
After that, you should check out the Works with YubiKey catalog to find out what you can secure with your Yubikey. You can also visit DongleAuth to find out what websites support One Time Passwords (OTP) or FIDO2 U2F/Web Authentication (WebAuthn).
Conclusion & More Resources
Using hardware security tokens such as YubiKeys is an excellent way to protect your business against phishing attacks, unauthorized access to accounts, and other common authentication security threats.
If you would like to use YubiKeys when USB ports are blocked you can use data loss prevention software such as AccessPatrol to block all USB devices except for the YubiKey and other approved devices.
To learn more about authentication security, YubiKeys, and cybersecurity, check out the resources down below.
How to set up your YubiKey (YubiKey technical guides)
This guide from Yubico will show you how to set up your YubiKey as a form of two-factor authentication with the supported service you wish to secure. It includes tutorials for all of their offerings, making it a great resource for implementing your YubiKey with your accounts.
Getting started with security keys (Introduction to YubiKeys)
This excellent beginners guide from Paul Stamatiou shows you how to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys. It’s just technical enough to clearly communicate the advantages and disadvantages of YubiKeys without being so detailed as to be intimidating for new hardware key users.
Yubico Resources Page (Official Yubikey information and resources)
The official resources page from Yubico includes FAQs, blog posts, white papers and other resources for YubiKey users and developers. This is a great resource for companies that would like to implement security keys at-scale.
The YubiKey Subreddit (Unofficial YubiKey community hub)
The YubiKey subreddit is a great resource for community discussion, frequently asked questions, and industry news related to YubiKeys. If you’re not already familiar with Reddit, it’s a social networking/forum website where users congregate around various “subreddits” on niche topics.
The CurrentWare Blog (Cybersecurity and business blog)
We regularly publish new articles for businesses that want to improve their security and productivity. Topics include cybersecurity, remote workforce management, employee productivity, and updates about CurrentWare’s security software.
