Yubico's new YubiKey 5Ci is the company's first hardware authentication device with a Lightning connector for the iPhone. The key adds a hardware second factor that reduces the risk of password-based account hijacking.
Just like a second-factor code sent via text message or generated by an authentication app like Google Authenticator or Authy, the YubiKey supplies an additional factor after you log in with a username and password. Because phone numbers can be and have been hijacked and re-routed to other phones, a hardware key is more reliable than assuming a text-based code will always arrive at the same physical device.
The YubiKey currently works with some apps and via the Brave browser in iOS. It supports the relatively new WebAuthn protocol approved by the World Wide Web Consortium (W3C), which allows strong, cryptographic second-factor authentication directly within a browser, without requiring proprietary extensions or company-specific hardware or software.
The $70 device also includes a USB-C plug for desktop authentication, but its USB-C port doesn’t yet work with iPads equipped with that connector.
In testing, the YubiKey 5Ci performs as expected, but many websites aren’t yet ready for iPhone and iPad authentication. That will change in the near future as WebAuthn adoption improves and as the key enters the market.
Broad industry support, but sites behind
Yubico already makes a line of USB and NFC (contactless) keys that support earlier security protocols, while its newer models also handle WebAuthn. This extension to Lightning, paired with USB-C, is an attempt to push this substantially more secure option to iPhones and iPads, ostensibly by creating demand and interest among Apple users.
Microsoft Edge, Google Chrome (desktop and Android), Opera, Firefox (desktop and Android), and the built-in Android browser all support WebAuthn in release versions. Apple has enabled WebAuthn in the Safari Technology Preview for the upcoming Safari 13, which will ostensibly appear in release form in Catalina.
Apple hasn’t yet said whether Safari for iOS and iPadOS will also support WebAuthn. As a broadly adopted industry standard that leaves security control in a user’s hands, there’s little reason for Apple to stand aside.
For now, you need the right app in iOS to work with the YubiKey 5Ci. That includes the security-minded Brave browser, which handles WebAuthn directly, and standalone apps like 1Password and LastPass that have incorporated support. Yubico says that more companies are expected to follow.
I tested the YubiKey 5Ci with Dropbox, Amazon Web Services console, Twitter, 1Password, and others. Enrollment seemed to require using a desktop browser at the moment, and I relied on the USB-C end of the two-pronged key.
After enrollment, mileage varied. 1Password instantly recognized that I’d upgraded my authentication, requesting I insert the key when I launched the app. I plugged it in via Lightning, tapped it, and 1Password was in business.
Other sites were fussier. Some wouldn’t recognize the macOS Safari Preview as supporting WebAuthn, so I switched to Chrome for the desktop. Then, using the Brave browser in iOS, some sites refused to recognize Brave as WebAuthn-supporting, either. With Dropbox, it understood the browser could read the code, but wouldn’t accept it. With Twitter, however, the system worked as seamlessly and perfectly as with the 1Password app.
Hundreds of websites already allow WebAuthn-based logins, which require very little modification to work alongside other second-factor methods. The numbers have increased as browsers added support for the finished form of the standard over the last year. But developers have clearly tried to minimize compatibility issues by using strict filters on which browsers they believe are capable.
WebAuthn has the same sort of advantage over texted and app-generated second factors as Apple’s Secure Enclave in iPhones and iPads, the T2 Security Chip in Macs—and similar security chips in other devices—in requiring possession of a piece of unique hardware from which the secret can’t be extracted. Instead of relying on plain-text codes that can be intercepted or generated, WebAuthn uses public-key cryptography and creates a unique key pair for each site.
WebAuthn starts with enrollment. You visit a site or use an app that supports the standard, prove your identity, then plug in your WebAuthn-equipped key, such as the YubiKey 5Ci, and tap it. Your hardware device generates a unique public-private key pair for that site and retains the private key in its tamper-resistant hardware. It sends only the public key to the site, which stores it along with your account.
On subsequent visits, when logging in with any scenario in which a second factor would be required—such as a new browser, a geographically distant location, or after 30 days, depending on the site—you enter a username and password as before, but then insert and tap your YubiKey to authenticate.
Because the authentication response is generated within the key, signed with a private key that never leaves it, and the site already holds the public key associated with you, an intercepted response is of little use to an attacker, and nobody can forge one that would fool the site. The key also refuses to answer for any site that doesn’t match the original domain and doesn’t hold the public key you enrolled with, which deters phishing from look-alike or hijacked websites.
The YubiKey 5Ci is ready to go, but all the pieces aren’t aligned to show it off to its best advantage. At $70, it may seem a steep price without websites, apps, and Apple all having their act together in iOS, and with a few rough edges in macOS.
However, as WebAuthn is a broadly supported industry initiative that’s well underway and gaining steam, the 5Ci is the right portable authenticator for a future-proofed purchase.