Yubico - YubiKey NEO - USB-A, NFC, Two-Factor Authentication

I absolutely love the NEO. In fact I started out with their lowest end model, upgraded to this and then moved up to a Nano. Not b/c this wasn't good enough but just b/c I got hooked on them and the Nano has a big form factor difference.Here's the deal. If you use PasswordSafe or some other well known tool that is Yubikey friendly, you'll love this thing. If you want to use it for OAUTH or using really long safe passwords, it's quite well suited to that took. I use ridiculous passwords and change them frequently and that's why these are so 'must have' or me.Fair warning though - installation and use are going to probably be a real challenge for the uninitiated. I can almost guarantee that. There is plenty of support material for it from Yubico, there are plenty of people blogging about it and there are plenty of videos, but until you understand what you're doing it's going to be tough at first. IMHO, it's well worth the hassle of learning and the learning process is tremendously valuable in and of itself.However, that's where I can't emphasize a point strongly enough. MAKE BACKUPS. It's very easy to change the configuration in a way that you end up locking yourself out of important apps you have precisely b/c it does its job so well. It's a feature that can behave like a bug as the expression says but it's easily remedied by just using backups every time before making a change. Buy two of them if you get one just so you have a backup, you don't want to be stuck if you lose it and have to wait for another one to arrive.And make really sure that you understand the basics objectives of what it's intended to do. Products that are friendly to it are being added regularly and as useful and just plain awesome as these things are, I'm sure that will grow. However the initial configuration coupled with learning what you're doing is enough to make many people want to throw up their hands and rage quit. I certainly felt like that at first. The learning process alone justifies the cost of buying one. Plan on spending at least two hours minimum learning what it does and how to configure it and realistically, if you want to really 'trick it out' plan on spending quite a bit more time. That said, if you even remotely care about security, every second of that learning time will be useful. Not just because it will help you learn to use the tool, but by seeing that certain features are even available you'll learn a lot about good security practice and you'll probably end up changing the way you do things to become more security focused. These aren't cheap and Yubico has lower priced models that accomplish much of the same but within 3 days of getting my first one, I wanted to upgrade and then I want for a Nano as well.I love this so much that I actually purchased several for friends of mine, employees and peers that care about security just because I want to see these take off. I don't want to scare you off about the initial configuration but the best way to say it is that some not everything is plug and play. Like most things of real value, you're not going to be able to just run a wizard and be an expert at it. In this case, you'll likely spend a little while frustrated at first getting it to work with whatever the first feature is you decide to use it for. From there you'll almost certainly find yourself in a position of wanting to 'see what else I can do with it' which is where the backups become critical. And like I said, if you only have one, you're vulnerable to being stuck if you lose it so redundancy is your friend here. I've purchased around 20 different keys and all three models and I'll be buying more. I am so smitten with it that I find myself looking to try to convince people who aren't security conscious of how vulnerable they make themselves and convincing them to change their behavior.. Because of my enthusiasm and people seeing what it does for me (for instance, if I look at DropBox or Facebook from my phone people see me putting it up to my phone and asking what I'm doing), I've convinced a few people to adopt them. The others were already looking to try them but hearing my excitement was enough to get them to adopt it. These aren't that cheap that I'd typically go around and indiscriminately buy them for people just to get them to try it but that's what it's done. And so far, I've had two people say "not interested', another 2 give up in frustration and the rest have become as fanatical about them as I am.Also, you can use the app that Google provides for Gmail and its other services but there's a risk of introducing a vulenerability by using that. Like anything security related, you trade convenience for security. I wasn't overly worried about someone pulling off the attack before when I was using Google's app but it's still there depending on how important the stuff you want to protect is. Nonetheless, so many other services now support Yubikeys, PasswordSafe being the initial impetus for trying it (I have no connection to this company or Password safe, but Bruce Schneier turned me on to PasswordSafe and I definitely trust his judgment on anything security related. If you are security focused you'll know who he is, if you're not, I'd encourage you to check out his blog and follow his advice. In that regard, think about it this way. Is there anything in your email or dropbox or facebook that you wouldn't want the world knowing? Note how many popular YouTubers for instance have had their accounts hacked and commandeered recently. None of them woke up that morning thinking "I'm about to lose control of my stuff". And once your information is taken from you, there's not putting that genie back in the bottle. You 'leak' more information than you can possibly fathom these days and even if you password protect your phone, losing it means the only thing protecting your personal information and secrets from the world seeing them is some malicious person using a Cellebrite machine or similar tool to get through your password. You may think I'm being dramatic but if you think I'm exaggerating in the least (i'm actually not doing the threat justice) go look around at Cellebrite's UFED or similar tools and see how 30 seconds is the only speedbump someone would hit if they had access to your phone and the desire to get your info.

*** INTRO ***The YubiKey NEO has really set the bar for where these types of devices need to be heading. Many improvements have been made, additional support has been provided, and the device itself has proven to be functional, durable, and secure. I'll just go over some of the basic aspects of the NEO and point out some of the important aspects of the device.*** WHY BUY IT? ***I think the first question many people ask is, "why do I need this?" It really all depends on what type of information you need/want to protect. If all you do is browse the internet, not making any online payments or using any services that require a secure password, there's no need for a YubiKey. If you're using LastPass or another program designed to save all of your passwords in one spot using a "master password", you don't necessarily need a YubiKey, although I'd strongly recommend it, especially after the notorious "Heartbleed Bug" hit the news.The Heartbleed Bug is a very serious OpenSSL vulnerability that allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.)I was originally introduced to the NEO when I was searching for a security key that would help protect my Google account and services. U2F was a necessary service so that narrowed the list down quite a bit. I originally looked at the cheaper keys but settled on this one mainly because of its versatility in terms of usage. I now use it for LastPass in addition to several other services, including several services with 3-step verification (password, challenge question, YubiKey.)***WHAT IT STORES ***The YubiKey come with two (2) configuration slots which I use for OTP and U2F (downloading the NEO Manager is needed to set up U2F and it's a program you'll want to have anyway.) U2F is supposedly the security protocol that the industry is headed towards, although at the moment, only Chrome OS, version 38 and up (right now we're on Version 41) and a couple other services use the U2F protocol.*** SETUP ***Setup is literally plug-and-play for the most part, unless of course you need to enable advanced features, in which case you would download the YubiKey Manager software.*** LAST PASS ***YubiKey and LastPass work together so well, it seems like they were meant to be the combination of choice for 2-step authentication. I use the NEO for my LastPass account and it works great but honestly, as much as I love the functionality of LastPass, I wouldn't trust relying on it by itself unless it was secured by the NEO, too; Just entering a single "master password" in LastPass is not enough security in my opinion. LastPass also supports NFC which is great when using it on your mobile devices. More on the NFC functionality, below:*** NFC (Near Field Communication) ***The NEO makes good use of NFC (Near Field Communication) where you simply tap the NEO to the back of your Windows or Android Phone and the phone will sense and read the key, and you're good to go! Only iPhone 6 and iPhone 6 Plus support NFC so if you're using an older iPhone, you want have this functionality. As another reviewer pointed out last year (and is still the case as of 3/29/2015), U2F is not supported with NFC. I'll update the review if/when it is.*** UNABLE TO UPDATE YOUR YUBIKEY NEO ***Due to security reasons, YubiKey does not allow for the NEO to be updated should updates be released so whatever your current YubiKey supports is all it will ever support. I understand the reasoning behind this but it would be pretty annoying to buy a NEO and then a couple months later, the new ones are being shipped with updated firmware, supporting additional features.*** I'll update the review if any new information is available. If you have a question not answered in the review, let me know in the comments section and I'll try to find out for you. ***