54% off: 2x Yubikey 5 NFC US$45.54 / 2x Yubikey 5C NFC US$55.66 / Yubikey 5 NFC + 5C NFC US$50.60 / US$5 Delivery @ Yubico

950

54% off: 2x Yubikey 5 NFC US$45.54 / 2x Yubikey 5C NFC US$55.66 / Yubikey 5 NFC + 5C NFC US$50.60 / US$5 Delivery @ Yubico

Go to Deal

PeteM on 05/05/2022 - 08:37 yubico.com (3181 clicks)
Last edited 05/05/2022 - 12:15 by 2 other users

Thanks to one of my Canadian colleagues for letting me know about this.

Yubico just forced the price down on YubiKey 5

54% of two pack YubiKey's for May the 4th sale.

Ends 16:59 AEST

Choose from:
• Two YubiKey 5 NFCs (2pack) - ~~$99usd~~ $45.54usd + Shipping
• Two YubiKey 5C NFCs (2pack) - ~~$121usd~~ $55.66usd + Shipping
• One YubiKey 5 NFCs and One YubiKey 5C NFCs (2pack) - ~~$110usd~~ $50.60usd + Shipping

Note:
• All prices are in USD. Shipping to Australia = $5 USD.
• Appears discount is limited to one of the two packs per order. i.e. max discount $59.40usd on the 5c twin pack.

Computing 2FA NFC Security Key Two Factor Authentication USB-A Yubico

5 May 2022 4:59pm

Related Stores

Yubico

closed Comments

Smigit on 05/05/2022 - 08:49

+1

Would be all over it if they had the 5 series Nano available.
Jabba the Hutt on 05/05/2022 - 08:59

+17

Shamefully poor take up on the part of Australian companies that should be offering customers the full spectrum of stronger 2FA options as part of their commitment to taking security "very seriously".

The only Australian entity I'm able to use mine with is Fastmail. Still no local banks supporting these types of keys, and since there isn't a single one you can move your business to, there's little means as a consumer to encourage adoption.
- slowmo on 05/05/2022 - 09:35
  
  +6
  
  i get what you are saying.
  but honestly imo, 2FA for customers is the least of most org's critical cyber security issues.
  
  TFW you realise staff transfer confidential things around with .xls files.
  
  or why in training modules, there are still mention of things NOT to do like emailing work to your own personal email to WFH.
  - eraser215 on 05/05/2022 - 10:18
    
    +1
    
    Not to mention complete lack of maintenance/patching of internet facing systems. Much of the time malicious actors penetrate networks by exploiting known and already patched vulnerabilities on web servers, vpn boxes etc.
    - slowmo on 05/05/2022 - 10:54
      
      or they just email their ceo to click a link…
      
      tbf, all those things you mentioned costs money… i can imagine during this time where staff is going for higher pay, and cost pressures… some orgs are probably going to put these upgrades/improvements on pause until they get another security incident.
      
      (yes, even patching requires time and money, because aint noone gunna do the whole patch test cycle for free.)
- hotphil on 05/05/2022 - 09:43
  
  +28
  
  I think my favourite is WestPac. Six character password limit for online banking. No MFA. At all.
  - Oxxy on 05/05/2022 - 09:54
    
    +10
    
    I called them out on this, their position was that this was sufficient……I left the bank.
  - slowmo on 05/05/2022 - 09:56
    
    +1
    
    not taking sides with banks but i'm a little familiar with heavily regulated industries. Most times when you felt that 'this is doesn't make sense', usually there was either a lawsuit involved that set a precedent, or a requirement coming from the advice of a body, eg. a body that looks at discrimination or accessibility.
    
    also ultimately a cost/value proposition. imo there are more people wanting convenience (and more likely to lodge complaints) over people choosing mfa, however, the cost of implementing MFA is still the same.
    
    to add to the fun, there are quite a few banks out there that has case-INsensitive passwords. go try it. you'll be floored. :P
    as to why? refer to previous paras. :)
    - isthisreallife22 on 05/05/2022 - 10:06
      
      +2
      
      I reckon Westpac just have old systems and the people with authority to change these kinds of things get more excited about other stuff, but the people who care the most just don't have authority
    - enigma48 on 05/05/2022 - 10:08
      
      +4
      
      In this case, it's not about regulation - every other bank, insurance company etc all have far stronger requirements.
      
      My understanding is that their back-end system simply can't support it. Most banks/large insurers that were around in the 60s and 70s build large, complicated systems which weren't flexible. Changing the back end from a 6-character password to anything else could take down the bank. It's cheaper to monitor the hell out of account usage and block brute force attacks rather than risk taking down the system.
      
      Several banks have 5-10 year plans to replace those older systems but this keeps getting pushed back - the risk is very, very high. At this point, forget making changes to the old systems - there's no one left that even understands them, much less is confident about making changes.
    - juns on 05/05/2022 - 10:09
      
      +1
      
      That's a very interesting perspective, because I have been using password manager and hence used to use ridiculously long password.
      
      But I have not taken into account of the part where you said "a body that looks at discrimination or accessibility". This does make a lot more sense now, since there might be case that warrants a shorter password or requiring it be case insensitive.
      
      However, without giving too much thought, I am not sure why they don't provide an option for longer password and/or case sensitive if customer really wants it. Like an explicit checkbox maybe? So that they cater for people that needs special accessibility and the rest as well.
      - slowmo on 05/05/2022 - 10:44
        
        @juns: all i can speculate is there's always a common denominator when it comes to including/excluding features… it's cost (including possible legal penalties).
        
        having a 2FA automatically assumes someone can afford a mobile phone, a mobile plan.
        
        so it's probably one of those things. I wonder how service NSW or centerlink got away with it though.
        
        joshau on 05/05/2022 - 10:57
        
        +1
        
        @slowmo: It's not about requiring 2FA, just offering the option. All Westpac need to do is allow people who want 2FA to use it, and everyone else who don't have a mobile phone or can't use 2FA for whatever reason just leaves the option disabled. Win-Win.
        
        slowmo on 05/05/2022 - 11:03
        
        @joshau: what's the rationale behind this and what's the value to the bank to be doing this though? just honestly curious.
        
        btw i have no skin in the game, if anything, I'm pissed that they cancelled my 0 annual fee for life time of their visa card due to inactivity.
        
        joshau on 05/05/2022 - 11:14
        
        +1
        
        @slowmo: I personally don't use Westpac either, but the barrier to adding 2FA to a login system is not huge (I am a software engineer by day), and the excuses of accessibility and convenience aren't really relevant, as 2FA is rarely enforced as a requirement when it is available (outside of corporate environments).
        
        If the reason is "It's too hard to tack 2FA on to our existing system" and "It costs us less just covering fraudulent transactions than to implement 2FA" then that should be the reason. To obfuscate the reasoning behind accessibility and convenience is just a cop out.
        
        slowmo on 05/05/2022 - 11:38
        
        @joshau: unfortunately, if accessibility is not baked into the UI designs early, it can mean a bad time for all devs involved. Depending on what industry you are in obviously.
        
        I've provided a couple of possibilities in my initial post, not sure why you end with picking "accessibility is a cop out". i find that odd to say that accessibility is an excuse.
        
        i didn't say it was the one reason preventing 2FA, but it may very well be. IMO, if you are looking for orgs to own up to say "too expensive, we too lazy" you'd be waiting for a long long time. It could be as trivial as "our CEO told us to do this" even.
        
        Adding a 2FA is non-trivial, the code may well be, a proper implementation of it isn't. I'm surprised that as a software engineer, I expected you to be more aware of your entire implementation cycles and subsequent Ops support part.
        
        Introducing a feature doesn't mean you just throw it over the fence to ops and they get to work extra workload for free. What about the user training and awareness to let users know about 2FA, support training for helpdesks when the inevitible calls come in about 2FA issues? Paying project managers, devs, ops people, hosting driving projects and having all things tested, ensuring the 2FA actually works when inter country links are down? or the link to the 2FA server is down.
        
        Look, I agree that 2FA should be a baseline, I'm not making excuses for banks, but let's not trivialise something like implementing a core identity feature into an existing infrastructure.
        
        that's why i said, what's the value to the org? if it's going to cost them X but not gaining much benefit and unless someone hits them with a stick (eg regulation), they probably will just operate the same as ever.
        
        joshau on 05/05/2022 - 11:47
        
        +1
        
        @slowmo: I'll be honest, I didn't read your original post, I was actually just responding to your later comment about requiring 2FA assumes everyone has a phone.
        
        When I said that using accessibility and convenience is a cop out, I didn't mean to say that accessibility in general is a cop out, rather, given 2FA is an option on nearly every platform that implements it, if enabling 2FA is going to cause accessibility issues for a certain person, then that person is likely to just not enable 2FA. All the people who want 2FA and don't have any accessibility concerns with enabling can use it.
        
        Accessibility and convenience is only really a concern if it's enforced on everyone, which it rarely is, so to say that "We can't add 2FA because it will cause accessibility concerns" is a cop out, because it's not likely the actual reason as to why they do not want to implement 2FA.
        
        I didn't intend to trivialise the cost or effort in implementing 2FA, I certainly know it's not as simple as importing a library and hey presto. But considering all of the other technologies banks implement, and the size of their teams, I meant to suggest that in comparison to everything else they do adding 2FA to their product should not be some brain shatteringly difficult thing for them to achieve. Like you said, if the banks saw this as a benefit to them, it would be relatively straightforward for them to allocate the resources to get it implemented.
        
        I think we're both sort of agreeing with each other, just in a more roundabout way.
        
        slowmo on 05/05/2022 - 11:54
        
        @joshau: ah, probably my bad. yes, i agree that it should be a baseline, what im saying is really there are a lot of reasons (justified or not) to not having it. (It is frustrating but, well, we don't have billions in the account to make it a viable reason i suppose)
        
        but honestly, i've at some point in time or another a customer of about 6 different banks/lenders in australia and about 3-5 overseas… i have only had a 'collection' of 4 different bank hardware tokens (interestingly, most of them overseas) that are similar to the RSA secureid implementation. don't get me wrong, I am not some high deposit owner, I even felt guilty that they DHL'ed me those tokens but I have like $20 in the balance. lol.
        
        which are the ones you speak of in australia that currently have 2FA? from my current experience , i've yet to see one.
        
        joshau on 05/05/2022 - 15:05
        
        @slowmo: A lot of the newer smaller "virtual" banks have them (like Up and Hay), which makes sense, as those are the ones who are usually built from the ground up in the last century. I haven't personally used a bank that provides 2FA though, unfortunately.
        
        peter05 on 05/05/2022 - 12:59
        
        @joshau: its kind of a strange situation though because specifically with westpac, you can't have 2FA when logging in but when you want to authorise transfers to a new account, you have to get an SMS code. so are they being cheap with SMS? :D
        
        isthisreallife22 on 10/05/2022 - 10:11
        
        @peter05: It's weird because they just cant get their s41t together to complete the job. One day they'll do it and wonder why they waited so long. It's not a unique situation to Westpac.
  - humbala on 05/05/2022 - 10:32
    
    +1
    
    the reason why they have 6 character limit (and mind you, it is NOT case sensitive) was because that was from an old system, which use mouse click on a virtual keyboard, which is secure against keylogger.
    
    They ditch the virtual keyboard and just let you use the same old password, without 2FA, is insecure.
  - whichwhatwho on 05/05/2022 - 10:35
    
    +2
    
    This will just be one layer amongst a huge array of others. The shallow password limit is probably an accessibility thing and the trade-off of customers remembering a simple password and having access to their finances is a better outcome than Grandma not understanding what a push notification is.
    Heck, ING have a 4 digit pin. Go nuts.
    They are audited and regulated up the wazoo. This isn't some magical Achilles Heel that you've stumbled across. The risk is mitigated via other controls.
  - DingoBlue on 05/05/2022 - 10:37
    
    +1
    
    Based on St G, there is MFA for a first-time transfer isn’t there?
    
    Better than CBA putting a 24 hour hold and you look like a scammer when you tell someone you have already paid.
  - s20525xxx on 05/05/2022 - 12:38
    
    +1
    
    And ANZ doesnt allow special characters in pwd
  - nitens on 05/05/2022 - 16:30
    
    I love no use of punctuation for Telstra - at least they MFA though.
  - DoctorCalculon on 05/05/2022 - 19:46
    
    My favourite is ING. Forced 4-digit access code. When I asked for 6 digits, I got told: "No soup for you. NEXT!"
    
    Here is another one. When they send the letter with your debit card, they mention everything: BSB, account number, client ID.
    
    EDIT: One more > No 2FA prompt when you log into your ING account from a completely new browser.
  - airtime on 05/05/2022 - 22:19
    
    While it is true to say Westpac don't offer MFA for account logon authentication, it is not accurate to say they don't do it at all.
    
    Westpac do offer MFA at the transaction level for the consumer banking customers. It is basic but does provide an effective mitigating control - transactions transferring monies to new accounts can require SMS code verification. Similarly high value transactions can require SMS code verification. 2 authentication factors are required for transaction to go ahead - successful account logon & successful verification of the SMS code.
    
    Not going to get started debating the weaknesses of using SMS based secondary factors, e.g. SS7 attacks, SIM swap attacks, etc.
    
    Not defending Westpac's weak password policy (i.e. max 6 characters) and lack of MFA for account logon authentication for their consumer banking products. They should be allowing longer and stronger passwords and they should be offering support for MFA for account logon authentication.
- schquid on 05/05/2022 - 12:01
  
  "Please provide a password between 4 and 8 characters"
  "Please only use the characters a-z and 1-9" (0 looks too much like null I guess)
  "You cannot use spaces, quotes, semi-colons or hyphens"
  
  … banks, government services, big4 consultancies handling security audits.
  
  I'll take just being able to use decent passwords on most services first, 2FA with security tokens are just icing on the cake at this point…
  - slowmo on 05/05/2022 - 12:06
    
    ayyyyy i should have saved the screenshot that outlook.com wants me to give them a password between 12-18 characters, that's like quite narrowing down the bruteforce dictionary for me bro.
    - Zorlin on 06/05/2022 - 15:30
      
      1-9 characters doesn't make up that much of the 1-18 character dictionary though.
shaybisc on 05/05/2022 - 09:04

+1

What, specifically, do you use YOUR Yubikey to secure?
- mimik13 on 05/05/2022 - 09:14
  
  +2
  
  I use mine as 2fa for my password manager (with a backup passphrase incase I lose the key)
- ihfree on 05/05/2022 - 09:19
  
  +4
  
  Personal: Google, Bitwarden.
- hotphil on 05/05/2022 - 09:37
  
  +2
  
  Any of my services that support FIDO have both my Yubikeys set up. Same with TOTPs.
- maybe a bot on 05/05/2022 - 10:15
  
  Google
  FB
  Bitwarden
  Twitter
  Personal and work MS accounts
  System login via YubiKey Login
  Crapload of OTP tokens
- DuBistKomisch on 05/05/2022 - 10:16
  
  +1
  
  2FA for KeePassXC
lucas001 on 05/05/2022 - 09:16

+1

gmail, facebook, binance, those are the ones that matter to me.
- ChipsChicky on 05/05/2022 - 10:00
  
  One yubikey can hold data for all of them ? and how does it works ?
  - killingtime on 05/05/2022 - 10:56
    
    Many YouTube videos to explain. It works with unlimited compatible services, there’s nothing stored in this key
  - SaddenAscentAspirin on 05/05/2022 - 10:56
    
    +1
    
    It doesn't hold any data, it's just a second "factor" for authentication. Like when you log into a website and they text you a code. Your password is the first factor, the code is the second factor. Except instead of getting texted a code, you have to 'supply' the yubikey. Which is the yubikey sending that second code to the website. It's more secure than getting an SMS or an email as a 2nd factor. All the yubikey is doing is generating that second factor, which is based on the time IIRC.
    - vlo on 05/05/2022 - 13:09
      
      That's actually not true. Yubikey does hold data. If you have the Yubikey authenticator app you can login and see all the accounts that are linked to the Yubikey.
      - peter05 on 05/05/2022 - 13:45
        
        @vlo: it also "knows" which website the FIDO is for and can distinguish between multiple accounts for the same website via username fields
        
        vlo on 05/05/2022 - 13:54
        
        @peter05: I'm guessing that we both agree that a Yubikey does hold data?
        
        peter05 on 05/05/2022 - 18:46
        
        @vlo: that's correct, how else would it be able to generate the TOTP or authenticate FIDO, the original statement that something with a chip inside it doesn't hold data can't conceptually be correct as otherwise what's the encrypted chip for! Even if you only have the old RSA tokens, they still hold the encryption to generate from the time
      - SaddenAscentAspirin on 07/05/2022 - 11:38
        
        @vlo: It may not be exactly right, but their website literally says:
        
        "Unlike other 2FA, YubiKeys store no data, no network connection, and don’t run on software."
        
        slowmo on 09/05/2022 - 09:06
        
        @SaddenAscentAspirin: just offering the view that, that statement is partly true and depends on how technically correct you want to be.
        
        the keys can store data technically, because that's how you program 2 different profiles on it. does it store OTHER types of data (eg. like ledger wallets?), I don't think so.
        
        afaik, there's no network connection unless you count NFC as some sort of wireless comms.
        
        these keys, any hardware keys for that matter, has firmware. has a version number. so that is technically 'software'. but it's not something you can "install cut down linux" on. if that makes sense.
        
        but i might be wrong, i'm just someone who get to play with hardware keys for fun. ¯\_(ツ)_/¯
  - peter05 on 05/05/2022 - 11:03
    
    +1
    
    it depends on the type of authentication.
    
    for example, the time based OTP they can hold around 32 keys. this is the similar one you would use for google authenticator types of 2FA
    
    you also have the FIDO2 type of authentication, i believe these hold around 25. What you can do with the services that support these, is register them and plug the USB in or hold the NFC near your phone and you never type a password, you just type the "pin" for your account into the key and press the gold plate to confirm (if you're plugging into PC), for phones its enough for NFC if i remember correctly.
    
    On another note I would strongly suggest that unless users really need USB C that you gravitate towards the USB A types. If you are carrying these on your keychains, the USB A is proven to be stronger overall in terms of longevity as the connector cannot be crushed like the USB C type can
    - airtime on 05/05/2022 - 22:36
      
      I carry the YubiKey 5 NFC and the YubiKey 5Ci. Covers devices that support USB-A, USB-C, Apple Lightning and NFC. Allowing authentication with secondary factor just about everywhere.
      
      Never had any issues with damage to the USB-C connector on the 5Ci yet and one has been carried by me at all times for about 2 years so far. Also use YubiKey 5C s as well and no damage to connectors but they don't get exposed to as much travel.
mixology on 05/05/2022 - 09:17

+1

Great item, even if they dont natively support Yubikey you could always use the 2fa solution that replaces the Google 2FA.
- Smigit on 05/05/2022 - 09:29
  
  +2
  
  You mean the TOTP/Google Authenticator? Might not be an issue for some but Yubikeys only support 32 TOTP codes per Yubikey. By comparison my OTP software app of choice has 112 codes in it currently. I’m sure I have way more than most, but 32 isn’t a whole lot by any stretch.
  
  Hope they up this in the future.
slowmo on 05/05/2022 - 09:19

+4

honestly, i felt it's a bit rich to say that yubico forced the prices down.
(yeah i know its a pun)

i remember paying $25 for the yubikey nano 4 and $20 for the yubikey 4 on amazon. (this is the newer gen release that wasn't vulnerable to that bug) and this is the RRP

they have since came up with a cut down version of yubikey 4 and sold it at a higher price.

their reprogramming program is horrible and there wasn't sufficient documentation or warnings to warn that if you custom key'ed it, they permanently void certain things that you can't use for yubico server facing auth. I recently burned 3 of my 5 yubikey 5 keys just doing precisely that before i realised. that's USD150 i wouldn't get back.
- vash12 on 05/05/2022 - 09:54
  
  +1
  
  Thanks for the heads up - maybe this 2fa is not so good after all.
  - slowmo on 05/05/2022 - 10:03
    
    +1
    
    they are still good, just that i call them out on their shitty "sales" practices.
    
    this offer is probably the lowest price you can get until you wait for the next one.
    
    i'm still using yubikeys, it's my only option at the moment. The others like ledger wallets have some implementation but they are not specifically hardware tokens and i like to keep my things separate and not all in one basket.
- raybies on 05/05/2022 - 12:06
  
  4 Feb 2019 16:27:38 AEDT I paid $350.60 USD for YubiKey 5 NFC 10 Pack
- Zorlin on 05/05/2022 - 12:30
  
  their reprogramming program is horrible and there wasn't sufficient documentation or warnings to warn that if you custom key'ed it, they permanently void certain things that you can't use for yubico server facing auth. I recently burned 3 of my 5 yubikey 5 keys just doing precisely that before i realised. that's USD150 i wouldn't get back.
  
  Could you elaborate on this? I'm not sure what precise terms to search for.
  
  https://www.yubico.com/products/manufacturing/programming-op… - They really do pretend it's fine, don't they?
  - slowmo on 05/05/2022 - 12:33
    
    hah. lucky that i still have that in my browser history :P
    essentially this issue:
    https://forum.yubico.com/viewtopic1acd.html?p=7565
    
    be aware of this.
    
    it is a major PITA (and on wallet)
    - Zorlin on 05/05/2022 - 12:34
      
      What sort of things does this affect? I'm using my Yubikey for Cloudflare, password managers, Gmail etc.
      - slowmo on 05/05/2022 - 12:36
        
        @Zorlin: if you happen on a provider that looks out specifically for "CC" then you are OOL, you need a brand new spanking yubikey from their factory that hasn't been programmed by you.
        
        otherwise, you live life as usual.
        i'm unhappy that their programming app doesn't warn you about this at all.
dfg555 on 05/05/2022 - 09:37

+2

So this is better than Google Authenticator?
- slankets on 05/05/2022 - 09:44
  
  +2
  
  Hardware key so yes
- slowmo on 05/05/2022 - 09:46
  
  +2
  
  its a physical hardware token. so yes, as it's another layer of separation.
  
  i use this in place of google auth. for things like logins to windows, keepass, bitwarden, mobile app, emails (if they support) and a few other things.
  
  you usually need to buy 2 , one for a backup, incase the dog ate the one, and you need to logon to the machine while waiting for the one in the dog to pass…
- joshau on 05/05/2022 - 10:04
  
  +10
  
  The answer is a bit more complicated than the blanket "yes" that others have given.
  
  The primary benefit to a hardware authentication token, like a Yubikey, is that the authentication method it uses is resilient to phishing attacks. If you think of an OTP token (Google Authenticator), you have to trust the website that you're entering the token into is the legitimate one, otherwise it's possible for it to make off with both your password and your OTP token. With FIDO (Yubikey etc), the domain of the page you're on is part of the key derivation process, so it's not possible for the key to authenticate with a fake version of the website on the wrong domain (how 99% of phishing attacks occur).
  
  That said, there are a number of downsides to hardware tokens that make them somewhat less secure/better than OTP tokens (Google Authenticator). Firstly, you're far more likely to lose or misplace your tiny Yubikey than you are your phone. It's also a lot easier for someone malicious to steal your Yubikey than it is your phone, as you're much more likely to be aware of your phone going missing than your Yubikey. Hardware tokens also have no way to authenticate with the token externally, so if someone steals your Yubikey, there is nothing stopping them from using it; unlike Google Authenticator which you can use Face ID or a passcode to protect. Even if someone did steal your phone, they'd still need an additional level of authentication to access your OTP tokens.
  
  All up, I'd say if phishing is a major concern for you, then a hardware token is more secure than an OTP token, however if you're more likely to misplace or lose your Yubikey or if you are likely to be a target for state sponsored actors who might walk past your table at a coffee shop and swipe your keys, then an OTP application like Google Authenticator might actually be more secure, thanks to the additional levels of authentication on a modern phone vs a hardware token.
  - jumpypotato53 on 05/05/2022 - 11:49
    
    +1
    
    Another thing to consider: a phone could get compromised (virus, malware app, etc) and they could steal TOTP seeds.
  - peter05 on 05/05/2022 - 12:52
    
    +2
    
    I will disagree on a few points you have put out here.
    
    Yubikey supports TOTP in the exact same fashion as Google Authenticator, so all the benefits and drawbacks are exactly the same, except now you have a physical token that yes theoretically if they had your password, you could have this key stolen and used as your 2FA. The main reason for separation is such that if you lose your phone, you don't lose all your 2FA. There are positives and negatives to this as you lose convenience but if you lose your phone it means you don't need to keep setting up all your 2FA (not opening up dsicussion about duo and cloud backups of 2FA etc). It also means if they crack your phone they don't get both your password + 2FA, as often we save passwords on the phone and you're VERY likely to be using the same password for security and in the case of google authenticator it just doesn't exist. I'm not saying tech savvy users will do this but the "typical" user will.
    
    The situation where you are talking about someone stealing the token, the scenario you have presented is true for TOTP but for FIDO where it can login to services automatically for you, it has a pin code that you set so there is a layer of security there.
    
    The separation in "most" cases I truly believe will be positive. It can even prevent snooping partners etc who know your phone password etc. If they know your phone password they have both pieces of the puzzle which minimises the effective protection from 2FA. The other aspect is that this protects against attacks on the OS level. The Apple ecosystem is quite secure and so is the Google Pixel series, but other than those two "lines" of phones, most others do not have a fully hardened software/hardware phone platform against differing vectors of attacks although Samsung have made leaps and bounds in the last few years
mhaqs on 05/05/2022 - 09:51

How do you get the last one to work? or is that a typo?
K1ngJony on 05/05/2022 - 09:59

+2

Awesome! Thanks OP! Been hanging out for a sale to make the jump.

Unfortunately couldn't stack them though, so had to place two orders to get four keys. (Although that extra 4% off essentially negates shipping so I suppose I shouldn't complain)
- Bohlen on 05/05/2022 - 17:15
  
  Was in the same boat waiting for a good sale, So I also placed 2 orders of 2 keys each :)
ChipsChicky on 05/05/2022 - 10:02

Can someone explain how does these work ? I am currently using Microsoft Authenticator for OTP, what would be advantage of yubikey ?
- maybe a bot on 05/05/2022 - 10:14
  
  +1
  
  Its a hardware key - harder to lose, completely unique and always works unlike a phone. For MS accounts you can use password less where you just need to enter username and then use the key to sign in. For OTP it just keeps the codes across multiple devices (eg plug in on laptop, tap on phone for nfc keys). Limited to 32 codes though
- fookos on 05/05/2022 - 10:16
  
  +2
  
  It's add a layer of security online so that entry to sites/services that support it requires:
  
  Something you know (your username/password) AND
  
  Something you physically have (your Yubikey)
  
  An online scammer can't fudge your authentication without also having your Yubikey.
  
  I looked into this for a while but, given the price, I was a little deterred when I realised how few services in Australia have adopted compatibility. Hopefully that's better another year on. We all naturally want to be safe online, but that also means going to grab your Yubikey when logging into certain websites, which could be a PITA at times. That said, safety and protection should really trump that.
- peter05 on 05/05/2022 - 12:56
  
  if you are comfortable with the phone being your sole authentication method there is not significant advantage.
  
  with the yubikey, you can set it as a login. So when you enter your username into a microsoft based authentication website, app or otherwise, you are able to use the yubikey as an authentication method. When you present the key, you will be asked for a passcode that you code into the yubikey yourself, then it will automagically authenticate with microsoft for the account you selected.
  
  you can choose to use only this method, you can choose to use both methods, its up to you with microsoft.
  
  I have personally moved to passwordless account which means you cannot send a text message to get bypass codes, you cannot use passwords to login, you must have either the mobile phone authenticator or the yubikey in order to get in. This negates most of the hacking attempts on your account.
Leho on 05/05/2022 - 10:13

+1

wow this is an insanely good deal. would buy more if i didnt have 2 already LMAO
shaybisc on 05/05/2022 - 10:29

I've had 3 Yubikeys so far. The first two the only thing I could find useful for them was Windows login. And then one day they mysteriously stopped working. Then I discovered that the number I had taken down at setup to reset was the wrong number so they were bricked. I haven't used the 3rd Yubikey for anything yet.

Bitwarden + Bitlocker + Authy - a lot more convenient. Chance of being hacked fantastically low.
- slowmo on 05/05/2022 - 12:00
  
  you can still reuse those 'bricked' keys for other things btw.
  
  unless something bad has happened during programming, you can repurpose those keys via their woeful-ui-manager app.
littlesoldier on 05/05/2022 - 10:29

Bought YubiKey 5 NFCs (2 packs) for AUD $70.42, paid via Revolut visa
- rsop on 05/05/2022 - 10:55
  
  Not bad, $89 via paypal.
abctoz on 05/05/2022 - 11:09

just use an old phone lol
- ChipsChicky on 05/05/2022 - 11:19
  
  can explain further ?
  - rsop on 05/05/2022 - 12:08
    
    I think what they are trying to get is an Old phone won't be hacked? But prob doesn't know that an older device will be more prone to hacking because of its lack of Security or out of date firewall.
    - slowmo on 05/05/2022 - 12:21
      
      probably trolling.
      
      any security solutions that starts with "just use …." can't be taken seriously.
    - abctoz on 05/05/2022 - 13:47
      
      depends on often you use it/how serious you need the security
      
      people on the internet act like the chance of getting hacked is high… its actually quite rare
      
      if you're constantly inputting 2fa codes and it is of critical importance then ok maybe get a yubikey
      
      if you use 2fa few times a week, for the average user the below procedure will be overkill already:
      
      reset the old phone, leave the phone off most of the time, use with wifi off, only turn on to sync time if it goes out of sync
      
      like if you're wondering if you need this then you don't need it, proper security procedures with a phone is enough already
mountaineer on 05/05/2022 - 11:30

Curious: Are all or most of you commented working in the IT(security) industry?
- littlesoldier on 05/05/2022 - 11:44
  
  Its for most normal users who the systems they use requires 2FA
  this key replace the need to use Authenticator app or OTP to login
  which is more secure and convenient in some way i think
  - peter05 on 05/05/2022 - 12:58
    
    the other security feature with these keys is that you can set particular codes to require "touch", so even if you leave them plugged into your computer for convenience, the key doesn't release the OTP until you press the gold disc. It means even if you get remotely accessed they can't just access your OTP
- csmacd on 05/05/2022 - 11:53
  
  This is similar to a HSM (Hardware Security Module) but with a much smaller footprint. When it comes to MFA, hardware devices are said to be deterministic compared to soft-token based apps which are tend to be a bit probabilistic. Simply put, this is indeed more secure.
- slowmo on 05/05/2022 - 12:02
  
  the beauty of this is, if you are a slightly techy, you can help a family member do this and they will be far more secure state than most people. and it's just a tap on the phone (with the NFC key) to get access.
  
  or plug in and single button push.
  
  just like a … physical key.
  
  and that's it. you forget about it. until a dog eats it or something.
  - rsop on 05/05/2022 - 12:12
    
    Yes I agree with this. But I can also see my wife being frustrated with me because even though I'm added another layer of security for her, I'm also added another layer of frustration when it doesn't work hahaha.
    
    I can just see it already, "One wrong with my Password". I will give her that though, her password is pretty secure and random. I don't know how she remembers it.
    - slowmo on 05/05/2022 - 12:20
      
      i used bitwarden specifically for this. it's tied to faceid and apps/browsers… so bitwarden took the place of 'browser stored creds' and i use keepass (with yubikey) for the more sensitive things.
      
      so far no complaints :D
DevonBlaze on 05/05/2022 - 16:24

What are these?
Sorry for being a noob
teddiebear on 05/05/2022 - 19:44

There is a heap of these available on shopping express atm under "opened box" although they aren't double packs (i think).
So these disable a rig if it isn't plugged in? Am i reading this correctly??
- CyberMurning on 05/05/2022 - 22:19
  
  this is the link
  https://www.shoppingexpress.com.au/search-results?q=yubikey
[Deactivated] on 05/05/2022 - 21:21

Missed out :(
CyberMurning on 05/05/2022 - 22:46

will the yubikey works through a cheap usb hub dongle ? i run out of usb slot on my laptop
- ProlapsedHeinous on 06/05/2022 - 03:24
  
  no, this will occupy a port until you have authenticated and unplug it again.

This was posted 1 year 11 months 22 days ago, and might be an out-dated deal.

54% off: 2x Yubikey 5 NFC US$45.54 / 2x Yubikey 5C NFC US$55.66 / Yubikey 5 NFC + 5C NFC US$50.60 / US$5 Delivery @ Yubico

Related Stores

closed Comments

Related Products

Top Deals

New Deals