YubiKey 5 Series Adds FIDO2/WebAuthn Support

Posted on September 24, 2018 by Paul Thurrott in Cloud, Mobile, Windows 10 with 11 Comments

Yubico today announced its YubiKey Series 5 family of multi-protocol security keys. The new keys now support FIDO2/WebAuthn, in addition to previous support for FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response. And one of the new keys supports NFC as well.

“The YubiKey 5 Series is the industry’s first set of multi-protocol security keys to support FIDO2/WebAuthn, the open authentication standard that Yubico helped to pioneer, along with Microsoft and others,” Yubico’s Jerrod Chong writes. “All leading platforms and browsers have either made support or are engaged in this standards work, expanding authentication choices using authentication devices, such as a YubiKey, with or without a username and password.”

So what is FIDO2/WebAuthn exactly? This is the technology that Microsoft has co-created to help put an end to passwords. It’s an open standard and widely adopted by platform makers. And it is integrated across the Microsoft stack, from Windows to Edge to the firm’s online services.

“This will allow Microsoft customers to use any Microsoft identity – both personal Microsoft accounts and organizational identities based on Azure Active Directory – to sign-in using a FIDO device instead of a password on any FIDO2 compatible device or browser,” Microsoft explained back in April.

The YubiKey 5 Series includes the YubiKey 5 Nano, YubiKey 5C, YubiKey 5C Nano, and the YubiKey 5 NFC. Each can be used in single-factor, two-factor (username/password + key) or multi-factor (passwordless + PIN + touch) scenarios. And as its name suggests, the YubiKey 5 NFC provides a tap-and-go NFC-based experience.

The keys are available now and cost $45 to $60 depending on model.


Tagged with ,

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (11)

11 responses to “YubiKey 5 Series Adds FIDO2/WebAuthn Support”

  1. Jeffsters

    I seriously don't get the point of these things! I love the keychain picture as I've NEVER seen anyone with it on their keychain. 90% of people I see in our VERY VERY large office, especially those with the smaller version, always leave their YubiKey in a USB port of their laptop and never remove it. It's tiny and flush with the case, so why not I guess, but what good is a YubiKey now? How is that situation any better than an unprotected laptop with only a single factor password? Shrug.

    • Polycrastinator

      In reply to Jeffsters:

      Depends on your threat vector. Obviously it's not helpful if someone sits down at your computer. I don't worry about that. I worry about a phishing attack stealing a password, and for that it's great, because it will prevent the attacker from using that password to gain access to accounts. Leave it in the port. It's accessible then and there when you need it. If your threat vectors include stolen devices, you need a different solution. But for most people, password compromises are the risk.

    • wright_is

      In reply to Jeffsters:

      The security officer is obviously not doing his job in training the people or enforcing company policy (assuming there is one). If it was me, I'd walk around the office and collect the keys from unattended devices.

      I keep mine in my pocket at all times, when it isn't currently needed.

  2. mclark2112

    We are thinking of implementing this or something like it for login to all our AD machines. I think this is the future of security in the enterprise.

  3. Polycrastinator

    Really excited for these. I'm hoping Microsoft quickly rolls out support. I see far too many people with depressingly guessable passwords and who refuse to use a second factor because it's apparently too much hassle to type a code from a phone. The passwordless login with a PIN to unlock the Yubikey seems like a really viable solution to get the lazy people onto a secure login method.

  4. wright_is

    I've been waiting for this for a while. I wanted to buy a new Yubikey Neo, but they still only had the original version, whilst all of the others were at least one generation ahead. I use my Yubikey Neo with LastPass on my mobile, no Yubikey, no access to the LastPass app and its safe.

    On the desktop, I just plug it in to the USB port, but, obviously, smartphones don't support that, so you have to use NFC to unlock the password safe. My original still works well, but is getting long in the tooth and I wanted a replacement / spare, but didn't want to fork out for old technology, when newer (non-NFC) versions, with more features were available. After around 3 years wait, it looks like I can finally order new Yubikeys!

    Also, the old Neo also supported Mifare, so I could use it as the NFC token for booking into and out of the office at my previous employer, it was better than carrying around yet another credit card sized token - given the number of NFC enabled cards these days (national ID card, driving license, credit cards and debit cards), it often played havoc with the card readers at the doors, people would hold their wallet against the reader and we would get readings from dozens of different cards, marked as illegal access attempts and the employee left standing in the rain, until he dug the card out of his wallet and held it against the reader, without the others being in range.

  5. smccandlish

    So each application that you use needs to support FIDO2/WebAuthn so that you can use this, right?

  6. m_p_w_84

    As someone who loves gadgets and is quite technologically minded etc. I still don't understand what these are for, they keep trying to market them at your 'average' consumer and I really can't understand why.