Users of iPhones now can finally catch up to their Android counterparts and use a physical security key as a second factor when logging into mobile accounts that require two-factor authentication (2FA).
Security-key maker Yubico today (Aug. 20) debuted the YubiKey 5ci ($70), the first security key to feature an Apple Lightning USB plug to use when logging into an online account for the first time from an iPhone. Of course, you've got to have the key registered for the account first.
The YubiKey 5ci also has a USB-C plug for use with Macs, Windows PCs and Android phones, making it a one-stop shop for anyone who uses newer Apple devices. The key won't yet work on iPad Pros with a USB-C port, however.
Android owners have been able to use YubiKeys for years to log into 2FA-enabled accounts, thanks to the NFC (near-field-communication) chip built into many YubiKeys. But while iPhones can use NFC for Apple Pay, Apple doesn't like other companies' software interacting with NFC on iPhones.
Hands-on with the YubiKey
We got a YubiKey 5ci in advance and borrowed an iPhone to see how well the two devices play together. Unfortunately, we found that support for the 5ci on iOS was still pretty limited.
We had no trouble registering the 5ci to our Google account using the USB-C port on a Windows PC, but when we tried to log into our Gmail account on iOS, the Google Smart Lock app on iOS, required for Google 2FA on iOS, didn't recognize the security key.
That's actually fine, as the list of online services that supports the YubiKey 5ci on iOS is still pretty small and doesn't yet include Google. (It doesn't seem that Apple supports the FIDO2 standard that many websites implement for security keys.)
Yubico had told us that GitHub recognized the 5ci on iOS, but we couldn't get GitHub to recognize the key on a USB-C-enabled Windows PC, even though we were using the Brave web browser as Yubico suggested. We could register an older USB-A YubiKey with GitHub without trouble.
These are probably just teething issues. Yubico says the YubiKey 5ci is already supported by the LastPass and 1Password iOS apps, and many more online services are sure to follow, although each will have to implement its own support for the moment.
Other YubiKeys are supported by dozens of online services, including Dashlane, Dropbox, Facebook, Instagram, KeePass, Keeper, Microsoft, Nintendo, Okta, Reddit, Twitter and WordPress. You can even use one to log into your Mac.
Yubico isn't the only manufacturer of security keys. Google offers its Titan key bundle for $50, including a Bluetooth-enabled keyfob for devices that don't support NFC. The U.S. startup Solo sells a range of keys starting at $20.
All these security keys support the FIDO2 open standard, but Yubico adds its own features and supports several more services that shy away from FIDO2, such as LastPass.
Security keys are among the most secure forms of two-factor authentication, and have become especially important now that cryptocurrency thieves have been stealing phone numbers to intercept texted 2FA codes and break into accounts. Google employees use security keys for their work accounts, and the company says it hasn't had a single compromised workplace account since.