• expired

Yubico Yubikey 5 NFC US$40 Delivered (~A$51) @ Yubico


For those who want a little extra security baked into their online presence.
Have been using one for a while, very straightforward to set up with the likes of Google, LastPass, O365, etc. Compatible with Mac, Windows and any mobile with NFC.

Found the promo code online, not sure how long it is valid for - can be used for $10 USD off most of their products excluding the Security Key NFC.

Using current exchange rates, the Yubikey 5 NFC at $40 USD delivered equates to ~$51 AUD.

Normally found locally at $89.99 AUD with Amazon or $79 at Umart

edit: updated the link back to the Yubikey 5 NFC instead of the 5C
edit 2: not valid for the Security Key NFC

closed Comments

  • also applied to the normal usb (not C), net AUD 46 delivered, instead of the usual AUD75-80 for example here

  • +2

    hmm i believe for normal users, this one is more than enough.

    AUD 63 for 2… i heard we do need two as minimum when setting up yubikey on some website, is that right? (otherwise they won't let us proceed)

    • 1 extra is for backup. Google Extra thingy needs 2.

    • double check the authentication protocols. The basic unit only has U2F & FIDO2 limiting your usage.

      Good comparison found here

      • +5

        Better to link to the Yubico page https://www.yubico.com/au/store/compare/ instead of linking a Reddit article that links to the Yubico page

        • can anyone explain what that all means? in what use cases do you need the more expensive one over the cheaper one?

    • Cheaper on eBay if you have eBay Plus and use code PAPR15.

      • That's not the YubiKey 5 NFC though.

        • Never implied it was. I was replying to ChiMot recommending this specific model while linking to the official website. My deal is slightly cheaper but even better it's AU stock.

          • @Monkits: True, fair call

          • @Monkits: Yours slightly more (33.95 each after code vs mine 63 for 2)
            But yes local stock wins.

            • @ChiMot: Nah mine was still cheaper, that's the only reason why I bought it there. On official website the tiffany10 didn't work for me and they added $5 postage at checkout. So it ends up $67.91 vs $73.08. I guess you got a discount that I didn't.

  • +14


    • -1


    • Very clever Sir Dong

    • is that pronounced?
      - You Need Key?
      - You Buy Key! (Yu bi key)

      • +3

        You Be Key? Be the key you want to secure this world.

  • what is this? how does it work? bought it anyway because it sounds and looks cool

    • +18

      if only there was some way to find out stuff…maybe some sort of interweb which could be searchable… one day.

    • Instant +100 geek creds if you wear it on a bracelet or around neck. Girls in big glasses love it.

  • Sorry, keen on getting two of them.

    How does someone get the $40 pricing?

    I see one for US$55 + US$5 shipping, with a US$10 discount makes it US$50, not US$40.

    • that's the usb-c version for $55 not the usb-a version for $45

    • -1

      Shipping from EU is free, but it still is US$45, not US$40.

      • How do you get free shipping? From the US if ordering 2 keys, free shipping. It always throws $5 on at the last minute for me, meaning the price is $50, not $45 :(.

        What's the trick for free shipping?

        • +1

          Sorry I got it wrong. I saw $0 shipping to Australia before filling a street address. my bad.

          • +2

            @ddhytz: Nah, all good. Was hoping to get them down to $90 for the pair of them, will be $100 - all good.

            Feeling like you are missing out is always the worst - thanks for taking the time, coming back and confirming for me, you are a star champ.

    • +2

      I think I see what has happened. The link is for the USB-C version, which is $55 USD (YubiKey 5C NFC). The YubiKey 5 NFC (USB-A) is $45 USD. Shipping is $5 so $40USD delivered would be the USB-A version.

      It's better to do two separate transactions if you want to buy two- I got one in USB-C and one as USB-A.

      • post was edited to be the C model, i've changed it back to the original posted link.

  • +1

    Cheers just ordered a 5 nfc c. 30 day shipping :(

  • +3

    How is this any more secure when you already use password manager with different password for every website + mfa?

    Just curious about the use cases

    • +2

      password managers can and have been compromised in the past. They are also subject to keylogger and various other attacks while you have the password manager active. Pass manager is much better than lots of weak passwords but it is definitely not anywhere near as secure as good long passwords and way less secure than using a hardware token where supported. But yes a password manager plus MFA is good enough for the majority of people.

    • +1

      MFA is good enough, this is not going to be any better. Plus if you use MFA apps like Authy, it has a cloud backup and secondary backup, so if you lose your device you can restore your MFA. I got 15 services on Authy and it's backed up on a second device, an old phone in a safe, on top of cloud backup... never have to worry about losing your device

      • +1

        Most MFA is good enough. Not all MFA are equal - e.g. SMS-based MFA is worse than a proper OATH token. Only as strong as its weakest link.. so it's nice to have a physical token and perhaps back up with an OATH token (e.g. Google authenticator) and remove SMS from the equation if possible.

        • google authenticator is so yesterday, Authy FTW

    • I use this to secure my password manager (LastPass)..

    • +2

      This is an element that can be used to prove you (or at least the yubikey) are physically present at the point of authentication.

      OTP does this in a way, but ultimately TOTP can be duplicated (without physical evidence), and is arguably less convenient than a Yubikey in some scenarios (having to carry it around is not convenient, but simply pressing a button is easier than checking for a code on your phone and typing it in).

      • "but simply pressing a button is easier than checking for a code on your phone and typing it in)."

        Some OTP mobile apps send a push notification so you just need to accept the notification and the web site logs you in

        • Then you have the disadvantage of needing one app per authentication method.

          • @Shwayne: Why?

            All you need is an OTP app that can send push notifications. Apps like Authy and LastPass can do that.

      • so…does that mean for argument's sake if you (and your yubikey) are away from a computer and need family to log in to something for you, you're out of luck? or is there a way to use a backup login method?

        I got a previous version from some Wired promo ages ago….just recently found the yubikey at the back of a drawer, still not sure how to make use of it without it being a pita

        • +1

          "is there a way to use a backup login method?"

          That's up to the service you're trying to use the Yubikey with.

          i.e. when you set up Google's 2FA, it generates (10?) backup codes that will work at any time, but only once each. The idea being that you save/print those codes and store them somewhere safe. Then if you lose access to your 2FA code generator (i.e. phone app), you can use one of the backup codes to log in to your account and disable/re-setup the 2FA.

          • +3

            @Chandler: It's a catch 22.

            If you have a different way of getting in, in case the token breaks, is lost or becomes inaccessible, a hacker can use that way to get in too, so the extra security is only that you're not using that alternate method regularly so you can't be keylogged easily.

            And of course if you don't have another way of getting in and your token breaks, is lost or becomes inaccessible, you lose the account.

        • Depends on the service, if for example you used it with Google, you could still just use SMS or Phonecall auth or present one of your backup passwords, they only use the key as a "second factor".

          For services that absolutely mandate the use and presence of the key (actually secure) then you'd be out of luck, especially if the key is used to decrypt something or provide a key used for doing so.

    • +5

      FIDO2 is more secure than normal MFA because it uses the website's certificate as part of the key gen process meaning that you can't generate a key for a phishing site with a similar name or compromised DNS.

    • +4

      Here is a handy guide that answers your question:


      In short, password manager + app or sms-based mfa is a 5 or 6 out of 8 strength (pretty good). Token-based mfa is a 7 out of 8 strength as it protects against additional attack scenarios.

    • -2

      Not, if you're on Mac. No amount of magic amulets like this helps on Windows

    • +1

      Password manager fails if someone logs/sees the master password or is in the machine, you don't even know they have it.

      MFA depends which. Some fail to the same master password weakness. Phones aren't invulnerable to hacks.

      It's still pretty robust. But needing the physical key doesn't have those vulnerabilities and you know nobody is getting in without the key.
      It's overkill for regular stuff, but justified for plenty of business usage.

  • I'm getting this at checkout: "This coupon isn't valid." Expired?

    Edit: Coupon doesn't apply to the 2 pack: "Security Key NFC by Yubico - 2 Pack" My bad.

  • +1

    Side topic, do I need a dedicated password manager or should I just continue using Chrome password manager?

    Are there any drawbacks of using Chrome inbuilt functionality?

    • +3

      Being stuck with Chrome and Google is a drawback

    • +4

      Probably better to look into a password manager that you can use across your different devices. I've literally just switched to BitWarden. It's apparently one of the best ones out there due to it being open-sourced. I've got it on my Mac, PC, iPad, iPhone and it all syncs just fine. The free tier is more than adequate for most users.

      Also, for 2FA I also recently moved away from using Google Authenticator since it doesn't back up my keys in any way, it's a huge pain in the ass if you change phone or god forbid, lose your phone. Unless you had your keys written down somewhere, it's pretty much gone with the phone. I'd recommend Authy or Microsoft Authenticator, you can enable multi device (albeit less secure) so you still got backup in case something goes wrong.

    • +8

      I recommend Bitwarden, been using it for 5 years and only have good things to say.

      • +3

        It's easy to transition from LastPass etc. and it's been rock solid across all browsers/phones/PCs for me since leaving LastPass 3 yrs ago.

        Free or Premium for USD 10/yr.

    • No drawbacks if it's just your home PC and personal laptop that's using it, just make sure it's physically secure and both are password-protected (or even Windows Hello)

      and make sure your google account has a secure long password and has 2FA activated

    • +2

      I was a long-time chrome pw manager user, but recently switched to Bitwarden. Main reason is that it sits across all platforms (chrome, firefox, android etc) easily. Admittedly it's not quite as smooth and painless as chrome, where the integration is fantastic. But the ease of access across platforms and through the app makes it worthwhile for me.

      Google has hundreds if not thousands of products, whereas a pw manager only has one - so their focus is 100% on making the best possible pw manager.

      Bitwarden (free tier) is extremely highly rated on reddit/internet, highly reputable, and highly secure.

    • omg… the chrome pass mgr does not have password to protect.. basically if you left your computer screen on someone can sit and login to your bank…. seriously….
      the feature should not even be created in the first place….. it's worse than writing your password on a paper and sticking it next to your computer….

      • +2

        Here's what Justin Schuh from Google said about the reason they don't have a second layer of security beyond your OS password:

        I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.

        Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

        We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.

        In summary, if you leave your computer unlocked for someone else to access, then it's game over even if you have a separate password for your password manager.

        • Windows computers can more or less be opened with a USB key can't they?

          Or has that been improved upon in windows 10?

          • @Jesus Chicken: I haven't heard of that. What was the story?

            • @ragrum: I believe this still applies.

              My understanding (maybe this has been fixed in recent windows 10 but idk) is that, unless you encrypt the actual drive you boot windows off, a password can be reset with a simple tool like this:


              • +1

                @Jesus Chicken: yeah I can confirm that it's very very easy to get into windows computers unless you have disk or partition encryption turned on. It takes me 5-10 minutes to do

        • so the best is never to login to lastpass bitwarden etc from pc then ?

          • @ChiMot: I'm not quite sure about lastpass, but bitwarden (the browser extension or the desktop app) don't auto-login, it requires you to type in the password to unlock

            • @theg00s3: Hmm agree but not instantly asking again so if you're away from pc someone can quickly access. Or maybe there is an option in the setting to make it always ask? will look into it.

  • tried these for years and luv yubico but gotta say i pretty much use google authenticator now and whatever else the dark web keys require….

    • +8

      No one should use google authentication. No backup cloud. If you lost your mobile then….

      • Remember you can store / copy the TOTP keys wherever (basically scan the QR code and save the value).

        • Shouldn't each QR code only work once for better security?

      • +1

        "No backup cloud."

        What happens when the cloud service is hacked and your keys are available to anyone?

      • For iOS I use Raivo-OTP.
        It’s open sourced, does encrypted backups to iCloud I understand.


  • Doesn't seem to be as good a deal as it appears. Seems Yubico recently increased the price of their Amazon listings. Honey is reporting the Yubikey 5 was increased by 25% and Yubikey 5c was increased by 15%..

  • What's the difference with the blue one? $57. https://www.amazon.com.au/Yubikey-Security-FIDO2-Factor-Auth...

    • That amazon listing is expensive. Check ebay i saw 45 bucks

  • An option for anyone who frequents Ars Technica would be to subscribe to their Ars Pro++, which includes a yubikey for new subscribers for $US50. Obviously a bit more, but I don't mind giving money to Ars because when you subscribe they reduce tracking and offer full articles in their RSS feeds, although I only personally subscribe to their Ars Pro level which doesn't include the yubikey.

  • What happens when YubiKey 6 comes along, can you still use version 5?

    ~nevermind. I found online it still works.

  • +2

    So upsetti!!! I literally put my order in for 2 of these two days ago!!

    • Email them and ask to cancel your order.

      • Had already shipped!

  • +3

    When is ozb going to support yubikey? All my postings are really valuable
