This was posted 3 years 9 months 23 days ago, and might be an out-dated deal.

Related
  • out of stock

Yubico Yubikey 5 NFC OTP USB-A Security Key $49 + Shipping @ Shopping Express

650
Yubico Yubikey 5 NFC OTP USB-A Security Key $49 + Shipping @ Shopping Express
Go to Deal
nicrankin on 04/07/2020 - 22:07 shoppingexpress.com.au (2085 clicks)
Last edited 05/07/2020 - 11:09

Looks like shopping express has a great weekend deal on the Yubico YubiKey 5 NFC OTP Two-Factor Authentication USB-A Security Key @ $49 plus shipping.
These are normally US$45/AU$64 + shipping direct from Yubico.
Normally when Yubico offers deals they are multi-buys so finding a special on single units is a change.
Shopping Express isn’t listed as an official distributor or reseller on the Yubico website, but I don’t think that list has been updated for years.
No deals on the USB-C versions.
Also, the website says the discounted price for 2 or more is still normal, but I ordered two for $98.
Edit: For more info on what security features the key supports, head to https://www.yubico.com/ to find out more.
For services/sites that don't utilise the built-in protocols, there are two 'slots' on the key and you could store a password to a password manager in the second slot (activated by a long press on the button).

Computing NFC Security Key Yubico Yubico Yubikey

Related Stores

Shopping Express
Shopping Express

closed Comments

  • An0nymous on 04/07/2020 - 22:16
    +3

    Can you use this with Aus banks? From mobile app?

    • gunslinger on 04/07/2020 - 22:58
      +19

      AUS banks seem to think mfa is multiple things you know.
      Password, security number, captcha, mfa ftw.
      Kind of concerning.

      • dust on 05/07/2020 - 07:50

        Well a yubikey (or equiv) is technically something you have not just something you know.

      • tomvghs on 05/07/2020 - 08:54
        +13

        Yep agreed……AUS banks have no concept of cyber security. For e.g. ANZ does not allow customers to use special characters in their password. Had an argument with a branch manager about it and their argument many customers will forget password and will be hard to manage. Well then don’t enforce it, atleast give it as an option.

        • gunslinger on 05/07/2020 - 08:58
          +4

          Yep, pretty crazy.
          My VoIP provider, a small qld company supports TOTP MFA but my bank only recently allowed passwords more than 8 characters long and has no MFA support.

          • tomvghs on 05/07/2020 - 09:02
            +5

            @gunslinger: Yep totally!!
            In addition, ANZ does not support more than 10-12 characters from memory.
            ANZ says customers can enable 2FA (https://www.anz.com.au/security/protect-your-virtual-valuabl…) but SMS PIN to a mobile number is not 2FA; That's 2-step verification (2SV).
            No technical understanding of security!!

            • hmof on 05/07/2020 - 14:25

              @tomvghs: They have their own ANZ Shield app for two factor authorisation of transactions. No two factor authentication though.

        • teslacoil33 on 05/07/2020 - 10:11

          My partner was with Westpac. Their password requirements were insane! Password had to be exactly 6 characters long and include a number.

          • sghetti on 05/07/2020 - 10:25
            +3

            @teslacoil33: 1Password has a freak out with storing Westpac banking passwords. It won’t even allow you to randomly generate a password that small.

            Banks have most likely done the sums and worked out the cost of people forgetting passwords (Of course you don’t have to enforce it) as well as changing legacy systems that don’t necessarily support passwords that complex. It is probably cheaper for them to cover any potential fraud than to change their platforms.

        • whichwhatwho on 05/07/2020 - 15:07

          They spend millions in cyber security each year. It doesn't start and stop with a password field to online banking.
          There's 101 other controls in place around the detection of unusual behaviour, suspicious transactions etc.

          • md333 on 05/07/2020 - 15:28

            @whichwhatwho: Seems to me like you constantly get locked out due to over the top suspicious systems, might be actually useful from a security point of view, except to allow people to actually get any banking done they allow it to be bypassed by phoning up and giving them your mother's maiden name.

        • No Username on 05/07/2020 - 21:45

          I think because the way they setup the database having special characters would allow people to do SQL injections. Kind of like how you can't have symbols or custom words like null is a custom car plate.
          But upgrading to a DB that would accept symbols would mean they would have to rewrite some code and do extensive testing. So this is more of a scalability issue.

      • karu on 05/07/2020 - 11:07
        +1

        Laughs in Westpac.
        6 character alphanumeric.

        • shadowangel on 05/07/2020 - 12:07

          To be fair the most recent hacks target email and phones and just reset passwords.

          Most people don't have 2FA on email and even if they do its setup incorrectly with the recovery process still with txt verfication.

    • CyberMurning on 04/07/2020 - 22:58

      Want to know this. So how to use it on any mobile phone apps?

      • Tacooo on 04/07/2020 - 23:34

        The mobile app needs to support it otherwise you can also use them to generate TOPT 2FA codes.

        • CyberMurning on 04/07/2020 - 23:35

          Use the physical key or use yubi app to replace my laspass authenticator app?

          • Tigerhacker on 04/07/2020 - 23:37

            @CyberMurning: If the app, site or service supports FIDO2/U2F then yes

            Otherwise you can use the key to 'secure' a software HOTP/TOTP generator

          • Tacooo on 04/07/2020 - 23:39

            @CyberMurning: The Yubikey app needs to be used along with the key. All your TOTP secrets are stored on the key while the app just decodes it. When you open the Yubikey app it has nothing in it by default so no one with your phone can easily get a TOTP code from it. When you tap your Yubikey on the back of the phone it will ask for a password you've set and only then it will show the codes stored on the Yubikey itself.

    • Tigerhacker on 04/07/2020 - 23:28
      +9

      As far as I can tell no major Aus bank support a standard 2fa method, if they even do 2fa, it'll be through sms, their proprietery app or hardware fob (which actualy is nod bad, but a bit inconvenient).

      From a quick look, I found no reports of any banks here that support

      • HOTP/TOTP (2FA via a "number generator", i.e. Google Authenticator app, Authy)
      • FIDO2/U2F (which most hardware 2fa keys use)

      Main support of these I've seen is from the usual big tech companies (Microsoft, Google, Facebook), here's Yubico's list of known compatible sites

      https://www.yubico.com/works-with-yubikey/catalog/

      • An0nymous on 05/07/2020 - 07:58

        Thank you mate

      • RogerLoger on 05/07/2020 - 08:34
        +1

        That was a very useful link. It helped me finally arrive at a decision about Yubico products.

        Not for me. I'll stick with 2FA via SMS. Just need to take due caution about SIM swaps.

        • Quantumcat on 05/07/2020 - 09:07
          +10

          Do you have a separate phone number for sms 2fa that you don't tell a single living soul? That's the only way to take due caution if using sms 2fa.

        • shadowangel on 05/07/2020 - 11:49

          2FA by text should honestly be avoided.
          If you plan to use it on the same device thats even worse.

          Another problem is what happens if you lose your phone, malware or sim swap.

          With the authenticator key they can reset your password on most services. Your device may not even require a login password for email.

          • wharlie on 05/07/2020 - 13:09

            @shadowangel: While I agree that SMS is not the most secure method of 2FA. It's still 100 times better than no 2FA.

      • soan papdi on 08/07/2020 - 00:25

        Rabo bank always had a separate totp generator device. Haven't seen any other bank offer anything like it for retail accounts

        • CyberMurning on 08/07/2020 - 09:53

          hsbc does, long time ago. a little device that generates code.
          i hated it.

    • mlakmlak on 05/07/2020 - 10:33

      LOL

  • adamiscoolization on 04/07/2020 - 22:34

    Anyone got it working for Up freedom account? Recently signed up.

    • t3chshopper on 04/07/2020 - 23:53
      +2

      What's an Up freedom account? I'm with Up bank, but have never heard of this.

      • adamiscoolization on 05/07/2020 - 01:08

        My bad, obviously new if I can't even remember the correct name, Up everyday.

    • cheaponos on 04/07/2020 - 22:45
      +6

      Yubiright mate

    • 51ngh on 04/07/2020 - 22:47
      +2

      Here, save your fingers …..
      https://en.m.wikipedia.org/wiki/YubiKey

    • Tacooo on 04/07/2020 - 23:36
      +6

      Sure they don't cost much to make (even though they're made in the west). But you know what does cost a lot? The engineers who designed the cryptography, the marketers who advertise it to businesses and the designers who create the finished model plus all the IP and rights they need to license.

    • joelmuzz on 05/07/2020 - 11:51
      +1

      You are paying for the respected brand. There are DIY solutions but you wouldn't want some AliExpress POS providing security because it could actually go backwards.

  • CyberMurning on 04/07/2020 - 23:05

    I'm really interested but reading the wiki I see something about yubi version 4 and then 5.
    So my question, when in the future there is yubi 8 for example, means all the previous gen will be useless?

    • Tacooo on 04/07/2020 - 23:40
      +3

      Not at all. The previous generations just won't have support for some of the newer technologies which you're unlikely to come across for a while. Newer versions also just bring in other features like NFC or USB-C connectors.

  • Black Hole on 04/07/2020 - 23:26
    +2

    I could not get it work fully with my android NFC. Last year I have this and was told it only support very early android firmware.
    To me, it cost me more time to use this than just using long password that I remember with rhythm etc.. and my phone as 2nd authentication. Not worth it.

    • Tacooo on 04/07/2020 - 23:41
      +7

      Working fine on my Galaxy S20 Ultra. Also this doesn't replace your passwords, it's for 2FA only.

      • fault on 05/07/2020 - 09:04
        +2

        YubiKeys support FIDO2 passwordless logins too but there's very few practical applications of this at this time.

  • CyberMurning on 04/07/2020 - 23:33

    And I found on Amazon
    YubiKey U2F FIDO2 Security Key (USB-A/Two-Factor Authentication)
    Only aud32.
    Yes it doesn't have NFC but I'm strugle to understand the other differences between yubi 5 and that cheaper key

    • encryptededdy on 04/07/2020 - 23:38
      +4

      The black YubiKeys support U2F, Smart card, OpenPGP and OTP, whereas the blue keys only support U2F. If your only use case is 2FA on the web, then U2F on the blue keys should be sufficient (however, as you mentioned, no NFC).

      • fault on 05/07/2020 - 09:07

        Or if you intend to use it (the YubiKey with NFC) with your phone without having to plug it in…

      • CyberMurning on 05/07/2020 - 09:28

        That's where I lost. Openpgp otp I have no idea. Will Google more later

  • capslock janitor on 04/07/2020 - 23:42
    -4

    what;s thus

  • tenko on 04/07/2020 - 23:52

    thanks op; lost my last one ages ago and i've been looking to replace it so this deal's somewhat worthwhile

  • onlinepred on 05/07/2020 - 00:21

    Got two for $5 through the wired subscription last year. Bought a USBC key, and would highly recommend. They are more solid, smaller, and work straight on phone without adaptor.

    • renza on 05/07/2020 - 00:59

      I have the USB-A version linked on this deal and the NFC works great on my iPhone - for me it seem that NFC would be more convenient than plugging it into my phone.

      • onlinepred on 05/07/2020 - 03:34

        Yes except for size. I can plug the USBC into every laptop, PC, Mac and Android. I don't even have NFC or USBa on my laptop haha

        • CyberMurning on 05/07/2020 - 09:09

          Gee that $5 deal is so good I wish I can buy at that price. You shouldve bought 10.

          • onlinepred on 05/07/2020 - 10:40

            @CyberMurning: Was limited by physical addresses. I have to carry around adaptors for my phone which is kinda annoying

        • fuzzy wuzzy on 05/07/2020 - 11:19

          So no issues at all for you using yubikey neo with androids and mac?

          • onlinepred on 05/07/2020 - 15:02

            @fuzzy wuzzy: Haven't used it on my USBC only MacBook yet, works great on my pixel, galaxy, windows PC, work Linux PC.

    • theg00s3 on 05/07/2020 - 01:47

      Neither?

    • Freestyle on 05/07/2020 - 04:47

      not everything is a conspiracy

      do u even know what cryptography is?

    • Diji1 on 05/07/2020 - 09:40
      +1

      Let me guess: you seem to have no idea what's going in the world because you watch news and nothing else.

      So that means means you voted for constant metadata surveillance by the Labor and Liberal Parties.

      That's a typical Australian: a person talking about fictional foreign surveillance while voting for a police state in which their Government surveils them while they watch news and know nothing about it.

  • SamyKn on 05/07/2020 - 01:27

    Yubico's only issue is the proprietary part , i prefer Gotrust although it support lesser key size.

  • Deluge on 05/07/2020 - 05:23
    +1

    Hmm can annoy one vouch for the legitimacy of These considering they are cheaper than wholesale or the actual brand manufacturer. I’ve heard of cheap knock offs with Yubikeys or similar named ones. It’s the kinda thing I wouldn’t want to cheap out on as they might be buying from the Alibaba listing where they are $4, cheaper than the company that actually makes them….
    If you care about security i’d recommend googling “Where can I buy a Yubikey” to get a proper seller.

  • b0nd on 05/07/2020 - 07:33

    Does one key works with all account ? Or it’s one key and one account thing ? Like - one kep working with Facebook, google, office365, lastpass !!

    • jwilthethrill on 05/07/2020 - 07:57
      +2

      One key for multiple accounts of course. If it was one key and one account that would be a horrible deal.

      • fault on 05/07/2020 - 09:20
        +3

        Note you should either:

        1) buy 2 x YubiKeys though and enrol/register each "account" twice for U2F: once per YubiKey; just keep the 2nd YubiKey in a super secure place since it won't be with you
        2) setup backup 2FA with TOTP or backup codes; both of these have their disadvantages vs U2F but is still common with most services

        Otherwise, all hell will break loose if your one and only YubiKey is lost, stolen, or fails.

        Note: Some services don't support registering multiple YubiKeys at all so you're stuck with option 2.

        • hmof on 05/07/2020 - 14:27

          Also no way to use the key on iPad so you have to have TOTP backup if you need to work on iPad. I’m not even sure the NFC key is supported on iPhone either.

    • mikokik5 on 05/07/2020 - 10:13

      One key to rule them all? And in the darkness find them?

  • CyberMurning on 05/07/2020 - 09:01

    I wish soon we can have passwordless experience.
    Just go to any sign in page, insert this key and fingerprint or retina scan or both, and boom we are in. No need to type username. Any website.

    • Diji1 on 05/07/2020 - 09:42

      Guess you haven't heard of Google Authenticator.

  • ChaLuo on 05/07/2020 - 09:21

    What's the use case for these?
    Who authenticates the generated TOTP/HOTP?

    • Trishool on 05/07/2020 - 09:31
      +2

      Maybe be bothered reading through this thread like I just did? The answer to your question is in here.

  • shaybisc on 05/07/2020 - 09:22

    Can you use one Yubikey on multiple devices?

    • CyberMurning on 05/07/2020 - 09:23

      Yes of course that is the main purpose, you keep one key with you all the time to access your website's at many devices

  • CyberMurning on 05/07/2020 - 09:23

    What is wrong with just fingerprint authentication? Is it not so secure?

  • phocus on 05/07/2020 - 09:24

    This thing is great to stop me impulse buying on amazon

  • shaybisc on 05/07/2020 - 09:46

    I've had a couple of Yubikeys for years but don't find them particularly useful. It locks my home pc, great, but that's about it. I had it on Gmail as second factor but it played up a lot and was a pain.

    What do you use it for?

    Oh, I also had it on Last pass but it intermittently played up there too so I switched back to authenticator- less hassle.

    • jwilthethrill on 05/07/2020 - 10:12
      +1

      That's strange, can you describe how it was playing up?

      I use it for everything that supports it and haven't had any problems whatsoever. I've found it way easier to just tap on the Yubikey or use the NFC reader to log in than going to an Authenticator app, scrolling until I found the code and having to paste it in. I know most people praise the security of the keys but I've found the convenience to be the bigger benefit of using them.

      • shaybisc on 05/07/2020 - 10:15

        Google, often, and LP, less often, were not recognising the Yubikey.

  • b0nd on 05/07/2020 - 09:52

    Configure Token based authentication (google Authenticator) along with YubiKey - possible?
    Like, if I don’t have hardware key with me, I can use Authenticator app or sms based?

    Not sure if it’s possible to have 2 MFA when having hardware key. At least SMS + Authenticator app works well for some cases.

    • jwilthethrill on 05/07/2020 - 10:07
      +2

      Yeah it's doable with most accounts. I can't say for all of them but the ones I use all support using a Yubikey as well as TOTP like Google Authenticator.

  • CyberMurning on 05/07/2020 - 09:54

    Reading googling more and got more confused.

    The ubikey nano, does it have fingerprint reader too? Is it 100% same as the standard ubikey except size and NFC?

    • jwilthethrill on 05/07/2020 - 10:05
      +1

      It does not have a fingerprint reader. It's 100% same as the standard Yubikey except size and lack of NFC. I use one at my desktop PC, it's good for having a Yubikey that you will rarely remove from the system (it's quite difficult to remove it).

      The Yubikey Bio (which isn't out yet iirc) will have a fingerprint reader.

      • CyberMurning on 05/07/2020 - 13:35

        Uh I thought touching the current yubikey is reading fingerprint but actually just a way of presenting human elements. So anyone can touch it to login.

  • peterpeterpumpkin on 05/07/2020 - 10:58

    I don't get the "reality check" utility of these things when it comes to securing personal account access. U2F would probably be the main security benefit (also available on cheaper, one trick pony devices) but I imagine most services in 2020 would still either (a) support a less secure fallback or (b) not support U2F at all (such as banks). So at the moment you're really only saving time.

    And if you're protecting something serious like nuclear launch codes, you're also putting a lot of faith into a manufacturing and delivery process you didn't audit. Well probably as much research you did into those closed source services you use with end-to-end encryption…

    Keep in mind I haven't actually looked into all the features of this device and my net assets probably match the value of the product in question. Oh, and my subversive activities are very mild in nature.

    • snowl on 05/07/2020 - 11:24

      Google supports it with 0 other 2FA like SMS, so the security benefit is that you need to have your Yubikey to log into GMail with no other way of getting in. This is pretty good since email is one of the most vulnerable parts that will be targeted

    • toastyx on 05/07/2020 - 12:10
      +1

      Many large tech companies have some form of mandatory U2F supplied by Yubico, and one would think that they would have to survive a pretty rigorous security audit before they're allowed to supply keys to their employees.

      A year after Google mandated security keys for all its employees, phishing rates have basically gone down to zero. I would consider that a pretty resounding endorsement of Yubico and U2F in general. If they can keep most of their internal company secrets secure with Yubikeys, then most people should consider it good enough to protect their accounts with.

  • od1n on 05/07/2020 - 11:22

    There is a perfect article to explain what it is and how to use it - https://paulstamatiou.com/getting-started-with-security-keys

  • terrywang on 05/07/2020 - 11:25
    +2

    Does anyone know if these YubiKey 5 NFC has the latest firmware (5.2.3+)? I need to use ECC (Curve25519)

    https://support.yubico.com/support/solutions/articles/150000…

    YubiKey firmware is NOT upgradable… that's why the ask.

  • dd101 on 05/07/2020 - 12:41

    Any 2 factor authentication is good. Yubikeys are just another way of doing the 2 factor authentication (over a phone app, or a phone notification or SMS). While it can be more secure than other methods, it is an inconvenience and not worth the $$ IMO. Adoption is very limited today for consumer apps.

  • noshopping on 05/07/2020 - 13:10
    +5

    Some random tidbits of info I gathered from YubiKey and YubiKey 5 in general:

    Why use YubiKey over Google Authenticator?
    https://www.reddit.com/r/security/comments/b2ikab/why_would_…
    https://www.reddit.com/r/security/comments/9oru2e/what_i_lea…

    • Even if a hacker gets remote control of your PC, they can't generate 2FA codes from Yubi Authenticator because they need to "touch" the key physically before it generates 2FA codes (apparently only YubiKey 5 has this option?), see: https://www.youtube.com/watch?v=UjyaGdab_Bg
    • 2FA codes to websites are stored on the YubiKey, unlike apps (ie: Google Authenticator) where data is stored on the device/cloud. If something happened to your phone and you had no backup key saved, well you just lost all your 2FA login codes!
    • Yubikey startup password is stored on YubiKey. Startup password is required to load Yubi Authenticator app on Windows/Mac/Android/iOS.
    • Use multiple Yubikeys for 2FA, that way if you lose primary key, you still have backup key(s), see https://www.reddit.com/r/yubikey/comments/hcaazo/register_bo… or https://www.reddit.com/r/yubikey/comments/atdi7r/planning_to…
    • Yubikeys only have capacity to store 32 TOTP/2FA keys
    • Check if YubiKey is genuine here: https://www.yubico.com/genuine/
    • Yubikey has no firmware updates. This is to prevent hacking on the device. It's a security feature. If there's new version, you have to buy new keys.
    • It's virtually impossible to get phished if you use Yubikey to authenticate (via U2F).
    • Can a YubiKey user be tracked from site to site? No. A unique key is generated for each site using a random number and the site URL (among other things) along with the hardware key. There's no mathematically feasible way to determine the hardware key from this.

    Info gathered above may be outdated or incorrect. DYOR!

    In general if you value your data (email, cloud data, crypto assets) you DEFINITELY need a YubiKey.

  • Deluge on 05/07/2020 - 14:38

    Out of stock. Here seems to be the next best places to get their range. https://www.rstassured.com/where-can-i-buy-a-yubikey/

  • ca6leguy on 05/07/2020 - 15:36

    Too much trouble. SMS MFA is enough for me.

    • hmof on 05/07/2020 - 17:40
      +3

      Not considered very secure due to number porting risk. Not sure that is as much a concern in Australia as in the USA though.

      • CyberMurning on 05/07/2020 - 18:14

        Now for every porting request Will send SMS to the existing number and ask for approval, is this right? So it's almost impossible for hacker to port our Sim out I think

    • No Username on 05/07/2020 - 21:55
      +1

      Here's why SMS MFA is not 100% secure:
      * Someone could social engineer their way to getting another copy of your sim card to read the SMS
      * Silent JS attacks via Websites, Portal Settings, BIO and even Email
      * Valuable apps which allow for SMS to be read
      * A tool for which I won't name obviously which allows you to read the SMS of a the targeted device silently by getting the user to do something innocent.
      * Having a Rooted Android device or Jail Broken Device
      * People for some reason also have ADB debugging enabled and Bluetooth and Wifi ADB Debugging

  • tenko on 07/07/2020 - 13:26

    got mine today in the mail; verified on yubico website and it's genuine

  • dragond on 07/07/2020 - 15:15

    I use the Kensington Verimark Fingerprint USB key, which can be attached to a keychain. How is Yubikey different?

    • hmof on 07/07/2020 - 19:57
      +1

      Yubikey has NFC, GPG, TOTP… but for simple U2F it looks equivalent. The Kensington is quite a bit more expensive though.

      • CyberMurning on 07/07/2020 - 20:43

        I saw $20 USB dongle fingerprint reader on AliExpress. May buy it one day to try. It says compatible with windows hello. My laptop doesn't have fingerprint reader.

  • CtrlAltSpoods on 08/07/2020 - 10:25

    I have one of these, can confirm it works well with the services it's supported on (Dashlane, Google, FB, Twitter, Microsoft etc)

    Recommend getting the NFC one though to auth on phone easily.

Login or Join to leave a comment
Login Join