One of the common ways to do two-factor authentication is to use an authenticator app like Authy, Microsoft Authenticator, 1Password or LastPass Authenticator.
Just to clarify, I am talking about the apps generating time-based one-time passwords (TOTP). They are usually set up like in the screenshot below. You have probably seen it many times:
This is a good and secure solution. It seems that it’s also the most popular 2FA method on the sites I visit. Personally, I have this 2FA method configured for 27 services I use!
However, I don’t know about you, but it also creates annoyance and friction when I need to reach for the phone, find the app, and re-type the 6-digit code into the website 😉
Can a YubiKey device do its magic and let us replace this with a single push of a button, the same way it does when the site supports WebAuthn?
Well, this is not what you want to hear, but no, it cannot 🙁 At least not as a standalone device. As Nate Eldredge mentions in this StackOverflow post, the device does not have a real-time clock on board, so it cannot generate time-based codes. I can also see another problem – without any software assistance, it wouldn’t know which site is asking for the code and what token to generate. So the TOTP protocol is not supported, which is unfortunate as it seems to prevail on the internet today.
It might be a bit confusing for me to now add that there is an application called Yubico Authentication App. It allows those of us who use time-based one-time passwords to make use of a YubiKey. But the app does not provide a one-click experience. Instead, it lets you store the credentials needed to generate 2FA codes on the YubiKey instead of on a mobile phone, so they are less likely to be compromised.
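The sketch below is an added example, not code from Yubico or from the original post. It computes TOTP (RFC 6238) with the work split the way the two paragraphs above describe: a key that holds the secret but has no clock, and a host app that supplies the current time step. The names ClocklessToken, time_challenge and host_totp are hypothetical, and the secret is the public RFC 6238 test value.

```python
import hashlib
import hmac
import struct
import time


class ClocklessToken:
    """Model of a hardware key: stores the shared secret, has no clock."""

    def __init__(self, secret: bytes, digits: int = 6):
        self._secret = secret          # never leaves the token in this model
        self._digits = digits

    def calculate(self, challenge: bytes) -> str:
        """HMAC-SHA1 the challenge and truncate it (RFC 4226, section 5.3)."""
        mac = hmac.new(self._secret, challenge, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F        # low nibble of last byte picks 4 bytes
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % 10 ** self._digits).zfill(self._digits)


def time_challenge(unix_time: int, period: int = 30) -> bytes:
    """Host side: turn the wall clock into the 8-byte TOTP counter."""
    return struct.pack(">Q", unix_time // period)


def host_totp(token: ClocklessToken, unix_time: int, period: int = 30) -> str:
    """The host reads the time; the token only answers the challenge."""
    return token.calculate(time_challenge(unix_time, period))


RFC_SECRET = b"12345678901234567890"   # RFC 6238 test secret, not a real one

if __name__ == "__main__":
    key = ClocklessToken(RFC_SECRET)
    print("code for now: ", host_totp(key, int(time.time())))
    print("code at t=59s:", host_totp(key, 59))
```

The token's calculate() never sees a clock; the only time-dependent input is the challenge built by the host, which is why a key without software assistance has nothing to feed into the HMAC.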
Despite the above, I think that the YubiKey 5 series is a wonderful device. If you care about security on the internet and value your convenience, it’s certainly worth having one (or more) 🙂