Can Yubikey replace Authy?

One of the common ways to do two-factor Authentication is to use an authenticator app like Authy, Microsoft Authenticator, 1Password or LastPass Authenticator.

Authy manages one-time passwords

The common denominator of Authy and other apps mentioned above is that they generate time-based one-time passwords (TOTP). They are usually set up like in the screenshot below. You have probably seen it many times:

A screenshot showing the typical screen for setting up two-factor authentication. Here, GitHub service uses the TOTP method with characteristic QR codes.
An example of a page helping set up 2FA. The screenshot is from GitHub, which supports time-based one-time passwords as a 2FA method.

This is a good and secure solution. It appears that it’s also the most popular 2FA method in the sites I visit. Personally, I have such 2FA method configured for 27 services I use! However, I don’t know how about you, but it also generates an annoyance and friction when I need to reach for the phone, find the app, and re-type the 6-digit code to the website 😉

YubiKey device is a bit different

YubiKey device is a bit different. You have probably bought it, or intend to buy, for a very convenient and secure single-touch login. Nowhere in the process you need to type 6-digit codes.

This is because underneath it’s an entirely different protocol called WebAuthn, and not TOTP described previously. A website might support WebAuthn, TOTP, or none, or both.

A typical two-step verification prompt on a website supporting WebAuthn protocol
Example of a WebAuthn prompt. Note, that here, the website is not asking for a 6-digit code, but pressing a button. But this is because it’s an entirely different protocol!

Unfortunately, this means that we cannot simply use YubiKey’s single push of a button wherever we used 6-digit codes. The site must implement the WebAuthn protocol to allow us to use that more convenient method of authentication. Many major sites like Google, Microsoft, GitHub, or Facebook do. But presently, it’s still less common than TOTP and you are unlikely to eliminate the use of time-based codes from your life completely.

See the following Stack Overflow post by Nate Eldredge if you want to understand why YubiKey cannot do some magic and just handle TOTP when you touch the device. The YubiKey device does not have a real-time clock on board, so it cannot generate time-based codes. Moreover, without any software assistance, it wouldn’t know which site is asking for the code and what token to generate.

Yubico Authentication App is yet another thing

It might be a bit confusing now to add that there is an application called Yubico Authentication App, released by the same company that creates YubiKeys.

It makes use of another feature of the YubiKey hardware. Credentials required to generate 2FA codes can be stored on YubiKey device instead of on mobile phone, and this way they are less likely to be compromised. You might take a look at it if you are interested in increased security. But don’t expect any increased convenience – you’ll still have to type the codes 😉

Yubikey 5 Nano firmly sitting in a USB-A port

Even though YubiKey 5 isn’t a magic tool that will instantly eliminate time-based one-time passwords from our life, I think it is a wonderful device. Hopefully, the support for the WebAuthn protocol will steadily grow and the future of 2FA will be marked by both security and convenience it provides. If you care about security on the internet and value your convenience, it’s certainly worth to have one (or more) 🙂

References and related posts

Leave a Comment