A YubiKey is a hardware authentication device from Yubico, designed to provide secure 2-factor authentication (2FA) for online services like AWS, computer logins, developer tools, password managers and other important data. The YubiKey combines hardware-based authentication and public key cryptography to eliminate account takeovers and provide the extra security you need.
YubiKeys were created by Yubico, a private company founded in 2007 by CEO Stina Ehrensvärd. It currently has offices in Palo Alto, Seattle, and Stockholm.
The YubiKey plugs into your computer, and instead of entering a six-digit MFA code, you tap the key.
It’s more secure than using a Multi-Factor Authentication (MFA) code: a one-time password has a shared secret that is sent over the internet, making it vulnerable. Using a YubiKey eliminates the possibility of a phishing attack; a hacker will not be able to access any of your online accounts unless they have your specific YubiKey.
You can even store your SSH key on your YubiKey.
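The contrast between a typed one-time code and a security key's origin-bound response, as an added example that is not from the original article or from Yubico. It is a simplified model: HMAC stands in for the key's ECDSA signature, and the origins, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on the secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Server side: no origin is part of the check, so where the code was typed is invisible."""
    return hmac.compare_digest(code, totp(secret, unix_time))

class ToySecurityKey:
    """Simplified model of a U2F key (assumption: HMAC replaces the real ECDSA signature)."""
    def __init__(self) -> None:
        self.credential = os.urandom(32)  # stand-in for the registered key pair

    def sign(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser supplies the origin it is really connected to; the user never types it.
        msg = hashlib.sha256(browser_origin.encode()).digest() + challenge
        return hmac.new(self.credential, msg, hashlib.sha256).digest()

def verify_assertion(credential: bytes, site_origin: str, challenge: bytes, sig: bytes) -> bool:
    """Server side: recompute over the site's OWN origin and the challenge it issued."""
    msg = hashlib.sha256(site_origin.encode()).digest() + challenge
    return hmac.compare_digest(hmac.new(credential, msg, hashlib.sha256).digest(), sig)

def compare_factors() -> dict:
    real, lookalike = "https://signin.example.com", "https://signin.example.net"  # constructed
    secret, now = b"12345678901234567890", 59  # RFC 6238 test secret and timestamp
    typed_code = totp(secret, now)             # what a user reads off an authenticator app
    key, challenge = ToySecurityKey(), os.urandom(32)
    return {
        # The server accepts the code no matter which page the user typed it into.
        "otp_accepted_without_origin_check": verify_totp(secret, typed_code, now),
        "key_on_real_origin": verify_assertion(key.credential, real, challenge, key.sign(real, challenge)),
        # Signed while the browser was on the look-alike origin: the real site rejects it.
        "key_on_lookalike_origin": verify_assertion(key.credential, real, challenge, key.sign(lookalike, challenge)),
    }

if __name__ == "__main__":
    print(compare_factors())
```

In real U2F the signed data likewise includes a hash of the application identity and the challenge, which is why a response produced on a look-alike page does not verify at the genuine site.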
Setup is simple! To begin, visit yubico.com/start and select your key.
If you want to set up your AWS account, type AWS in the search field, or click the AWS logo to get the site’s instructions.
From the AWS Documentation:
- In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
- On the AWS IAM credentials tab, in the Multi-factor authentication section, choose Manage MFA device.
- In the Manage MFA device wizard, choose the U2F security key, and then choose Continue.
- Insert the U2F security key into your computer’s USB port.
- Tap the U2F security key, and then choose Close when U2F setup is complete.
The YubiKey is praised for its ease of use, programmability, cost benefits, range of authentication and cryptographic protocols, and water-resistant durability. In conclusion, if security is a priority — use a YubiKey.