Are Yubico YubiKeys Phishing Resistant?

23 Feb 2024

Are YubiKeys Phishing Resistant?

One of the biggest questions that we’ve seen across sales calls, Reddit forums, conferences, and more is: “Are YubiKeys phishing resistant?” Honestly, it’s a valid question – YubiKeys have been pretty prominently featured in the push for passwordless authentication but, as we know, not all forms of passwordless authentication are phishing resistant. In this blog, we’ll take a quick look at which YubiKey features are and are not phishing resistant.

Is YubiKey FIDO2 Phishing Resistant?

Let’s begin with arguably the most talked-about term in recent years within the identity protection sphere: FIDO2. FIDO2 uses public-key cryptographic authentication, similar in nature to PIV or smart cards; unlike those, however, it operates without a PKI. The private key is generated on the YubiKey and cannot be exported from it, so there is no secret for a user to be tricked into revealing: the only way for an attacker to use the credential is to physically obtain the user’s key together with its PIN (two things you should NEVER share).

Just as importantly, each FIDO2 credential is registered to a specific relying party (the site’s domain). When a site asks the user to authenticate, the browser checks that the requesting origin matches the domain the credential was registered for, records the origin it actually observed in the client data, and the YubiKey’s signature covers that client data. A look-alike site on a different domain therefore cannot obtain an assertion to relay to the real site, and even if it somehow did, the real site would see the wrong origin in the signed data and reject it. So, in short: yes, YubiKey FIDO2 is phishing resistant. Check out this blog on how FIDO2 prevents phishing for an even deeper dive into the topic.
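To make the origin check concrete, here is an added example in Go (not code from the original post or from Yubico) that models the three parties: an authenticator holding a P-256 key per RP ID, a browser that writes the origin it observed into clientDataJSON and refuses RP IDs that do not match that origin, and a relying party that verifies the assertion. The RP ID `example.com`, the phishing origin `https://example-login.net`, the challenge value and the simplified suffix rule for RP ID validity are assumptions made for the example; real browsers apply the full effective-domain rules and real authenticators speak CTAP2 over CBOR, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData holds the clientDataJSON fields that matter for phishing resistance.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for the YubiKey: private keys never leave it, and it
// is addressed by RP ID; it never sees a browser origin.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.creds[rpID] = k
	return &k.PublicKey
}

// GetAssertion is CTAP2 authenticatorGetAssertion: the signature covers
// authenticatorData (which begins with SHA-256(rpID)) followed by SHA-256(clientDataJSON).
func (a *Authenticator) GetAssertion(rpID string, cdHash [32]byte) (authData, sig []byte, err error) {
	k, ok := a.creds[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("authenticator: no credential for rpId %q", rpID)
	}
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x01, 0, 0, 0, 0) // flags (user present) + 4-byte signature counter
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, k, msg[:])
	return authData, sig, err
}

// BrowserGet models navigator.credentials.get(): the page picks rpID and challenge, but the
// browser records the origin it observed and refuses an rpID that is not that host or a parent of it.
func BrowserGet(auth *Authenticator, origin, rpID, challenge string) (cdJSON, authData, sig []byte, err error) {
	if host := strings.TrimPrefix(origin, "https://"); host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, nil, fmt.Errorf("browser: rpId %q is not valid for origin %q", rpID, origin)
	}
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	authData, sig, err = auth.GetAssertion(rpID, sha256.Sum256(cdJSON))
	return cdJSON, authData, sig, err
}

// VerifyAssertion is the relying party's check: fresh challenge, expected origin,
// expected rpIdHash, and a valid signature over both structures.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("rp: wrong type or stale challenge")
	}
	if cd.Origin != origin {
		return fmt.Errorf("rp: assertion was made on %q, not %q", cd.Origin, origin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rp: rpIdHash mismatch")
	}
	cdh := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}

// Scenario returns the outcomes of a legitimate login, of a phishing page on example-login.net
// requesting an example.com assertion, and of an assertion whose clientDataJSON names the attacker's origin.
func Scenario() (legit, browserRefuses, rpRefuses error) {
	const rpID, origin, challenge = "example.com", "https://example.com", "Y2hhbGxlbmdlLTEyMw"
	yk := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub := yk.Register(rpID)
	cd, ad, sig, err := BrowserGet(yk, origin, rpID, challenge)
	if err == nil {
		err = VerifyAssertion(pub, rpID, origin, challenge, cd, ad, sig)
	}
	legit = err
	_, _, _, browserRefuses = BrowserGet(yk, "https://example-login.net", rpID, challenge)
	forged, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: "https://example-login.net"})
	ad, sig, _ = yk.GetAssertion(rpID, sha256.Sum256(forged))
	rpRefuses = VerifyAssertion(pub, rpID, origin, challenge, forged, ad, sig)
	return legit, browserRefuses, rpRefuses
}

func main() {
	fmt.Println(Scenario())
}
```

Running the file prints the three outcomes: the legitimate login verifies, the browser refuses to hand the phishing page an `example.com` assertion at all, and an assertion whose client data names the attacker's origin fails the relying party's origin check even though its signature is valid. That last check is what makes the origin binding stick: the signature covers clientDataJSON, so the origin the browser recorded cannot be edited out afterwards. The guarantee rests on the client platform being honest; a phishing page is confined to the browser's API, whereas malware with direct access to the authenticator is outside what FIDO2 protects against.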

Is YubiKey PIV Authentication Phishing Resistant?

YubiKey PIV authentication (aka smart card authentication) is available on the YubiKey 5 series; the Security Key series is FIDO-only and does not offer it. Executive Order 14028 directs US federal agencies toward phishing-resistant MFA, and PIV has been the standard for securing the identities of government entities and their contractors for many years. It uses an X.509 certificate whose private key is generated on, and protected by, a hardware token (in this instance, a YubiKey). Every time a user needs to authenticate, they enter the PIV PIN and the YubiKey signs a challenge that is bound to that session (for TLS client-certificate authentication, the handshake itself). Because the private key never leaves the YubiKey and the user never types a secret that a fake site could capture and reuse, we can also say that yes, YubiKey PIV authentication is phishing resistant.

Is YubiKey OTP Phishing Resistant?

The final YubiKey authentication method – setting aside the Yubico Authenticator app, which generates TOTP codes that are just as phishable as any other – is Yubico OTP (One-Time Password). It is typically employed as a second factor alongside a password, and it is usually triggered by mistake (we’ve all touched our YubiKey at the wrong moment and watched it type a 44-character string of complete nonsense, right?). It is not phishing resistant, and the reason is not simply that it is paired with a password: the OTP is a string that gets typed into whatever page asks for it, and nothing in it records which site it was typed into.

For example, an attacker can set up a look-alike site that asks for your password and a YubiKey OTP, then forward both to the real site in real time; the real site has no way to tell that the OTP arrived via the attacker, so the login succeeds. The OTP’s counters only stop that same OTP from being used a second time. OTP is therefore nowhere near as strong as FIDO2 or PIV authentication, but it still beats a password alone on services that don’t support FIDO2, and it remains an option on services such as Bitwarden that accept a YubiKey OTP as a second factor.
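The relay described above, as an added example in Go that is not from the original post or from Yubico: it implements the Yubico OTP format (modhex, the 16-byte AES-128-ECB token carrying the private ID, counters and ISO 13239 CRC) for both a key and a validation server, then plays a legitimate login, a replay of the same OTP, and a phishing relay. The public ID, private ID and counter values are constructed for the example, the timestamp field is left at zero, and the server is a simplification of what a real validation service exposes.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Yubico's modhex alphabet: 16 keys that produce the same character on every keyboard layout.
const modhex, hexDigits = "cbdefghijklnrtuv", "0123456789abcdef"

func modhexEncode(b []byte) string {
	return strings.Map(func(r rune) rune { return rune(modhex[strings.IndexRune(hexDigits, r)]) }, hex.EncodeToString(b))
}

func modhexDecode(s string) ([]byte, error) {
	// a character outside the modhex alphabet maps to 'z', which is not hex, so DecodeString rejects it
	return hex.DecodeString(strings.Map(func(r rune) rune { return rune("z0123456789abcdef"[strings.IndexRune(modhex, r)+1]) }, s))
}

// crc16 is the ISO 13239 CRC Yubico uses (reflected poly 0x8408, init 0xffff); a token whose
// bytes 14-15 hold ^crc16(bytes 0-13) gives the fixed residue 0xf0b8 when run over all 16 bytes.
func crc16(b []byte) (crc uint16) {
	for crc = 0xffff; len(b) > 0; b = b[1:] {
		crc ^= uint16(b[0])
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // shift right, xor in the polynomial if the low bit was set
		}
	}
	return crc
}

// OTPKey models one YubiKey OTP slot; the AES key and private ID never leave the device.
type OTPKey struct {
	PublicID string   // 12 modhex characters, sent in the clear as the OTP prefix
	key      [16]byte // AES-128 key shared with the validation server when the slot was programmed
	uid      [6]byte  // private ID, visible only after decryption
	session  uint16   // power-up counter (token bytes 6-7)
	use      byte     // touches within the session (token byte 11)
}

// Press emulates a touch: uid | session | timestamp(3, zero here) | use | random(2) | crc, AES-ECB encrypted, modhex encoded.
func (k *OTPKey) Press() string {
	var tok [16]byte
	copy(tok[:6], k.uid[:])
	binary.LittleEndian.PutUint16(tok[6:], k.session)
	tok[11] = k.use
	rand.Read(tok[12:14])
	binary.LittleEndian.PutUint16(tok[14:], ^crc16(tok[:14]))
	k.use++
	block, _ := aes.NewCipher(k.key[:])
	block.Encrypt(tok[:], tok[:])
	return k.PublicID + modhexEncode(tok[:])
}

// Validator is the server side (YubiCloud or a self-hosted validation server): keys maps public ID to
// slot secrets, last to the highest accepted session<<8|use. Nothing tells it where the OTP was typed.
type Validator struct{ keys map[string]*OTPKey; last map[string]uint32 }

func (v *Validator) Validate(otp string) error {
	if len(otp) != 44 || v.keys[otp[:12]] == nil {
		return fmt.Errorf("malformed otp or unknown public id")
	}
	k := v.keys[otp[:12]]
	tok, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, _ := aes.NewCipher(k.key[:])
	block.Decrypt(tok, tok)
	if crc16(tok) != 0xf0b8 || string(tok[:6]) != string(k.uid[:]) {
		return fmt.Errorf("bad crc or private id: wrong key or tampered otp")
	}
	ctr := uint32(binary.LittleEndian.Uint16(tok[6:]))<<8 | uint32(tok[11])
	if ctr <= v.last[otp[:12]] {
		return fmt.Errorf("replayed otp: counter %#x already used", ctr)
	}
	v.last[otp[:12]] = ctr
	return nil
}

// Scenario plays a legitimate login, a replay of that OTP, and a phishing relay where the attacker forwards the OTP typed into the fake page.
func Scenario() (legit, replay, relayed error) {
	k := &OTPKey{PublicID: "vvcccccccccc", uid: [6]byte{1, 2, 3, 4, 5, 6}, session: 1} // constructed slot
	rand.Read(k.key[:])
	v := &Validator{keys: map[string]*OTPKey{k.PublicID: k}, last: map[string]uint32{}}
	otp := k.Press()
	legit = v.Validate(otp)
	replay = v.Validate(otp)        // second use of the same OTP: the counter check fails it
	relayed = v.Validate(k.Press()) // typed on the phishing page and forwarded by the attacker: accepted
	return legit, replay, relayed
}

func main() {
	fmt.Println(Scenario())
}
```

The replay fails because the counters are compared against the last accepted value, but the forwarded OTP is accepted: the validator sees a fresh, correctly encrypted token with the right private ID and has no field that says which site it was typed into. That is the contrast with a FIDO2 assertion, where the origin sits inside the signed data.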

Conclusion: Are YubiKeys Phishing Resistant?

Are YubiKeys phishing resistant? There’s only one acceptable answer, and it’s something that you never hear in cybersecurity – it depends. FIDO2 and PIV are; Yubico OTP and the authenticator app’s codes are not. But whichever mode you end up using, it’s sure as sugar better to be using a YubiKey than not.

