Phishing has talking over the cybersecurity world, and the only way to combat phishing is implementing phishing resistant credentials, while Microsoft has Windows Hello For Business and Passkeys, you still need a hardware key to solve the chicken and egg problem of onboarding passwordless identities without a password, but while Yubico has become the “Kleenex” of the hardware tokens, there are other alternatives that might cover your use case.
Yubikeys are expensive for 2 reasons: 1. They have the brand recognition and name (hence why you are reading this rather than googling “Cheap FIDO2 and PIV tokens”) allowing them to charge a premium. 2. They have great integrations, what separates Yubico from other hardware token providers, is their software integration from their GitHub with code samples to their guides, they revolutionized the hardware token industry by taking care of the full user workflow rather than creating a hardware token and saying “Figure it out”.
Luckly for you, Keytos and Microsoft have done most of the work (and believe us it was hard), to bring the same compatibility from Yubikeys to other hardware tokens, To get around the expensive cost of Yubikeys you can go two routes, one is using a FIDO2 + PIV token that does all the things that a Yubikey can do (Some of them are half the price as the Yubikey), or you can lose some functionality but cut the cost even further (With EZCMS there are some plans that will include the smartcards for free) and use a traditional smartcard.
The best budget friendly alternative to Yubikeys is the FEITIAN K9D this key, not only looks like a flat YubiKey, but it has the same FIDO2 and PIV functionality as Yubikeys allowing you to use them for on-premises and cloud. For EZCMS Secure Entra ID Phishing Resistant Onboarding, we worked very closely with the FEITIAN team to even add hardware Key attestation to avoid supply chain attacks (speaking of supply chain, these are the first keys that are part of our EZCMS hardware subscription service that for an additional dollar a month, you get the keys for your users, contact us to learn more about this).
The next best option when it comes to Yubikey alternatives, is the Thales Fusion This key was created by Thales, a very famous security company (we use their HSMs for our azure cloud PKI) and with their Gemalto acquisition, they got into the smartcard and hardware tokens world. While the fusion is able to do both FIDO2 and Smartcard; making it a cheaper Yubikey alternative, as a legacy company they are still in the mindset of “we create the hardware keys and good luck with the integrations” this mindset has set them behind Yubico and FEITIAN with more modern attestation features that are required for the modern zero-trust world.
Up until now we have mostly talked about one for one most cost effective YubiKey alternatives. However if you are willing to lose some Yubikey Features such as FIDO2 authentication and the hardware key having an integrated USB reader, then you can look at Smartcards, this is the original way of how governments implemented phishing resistant authentication and while not as cool as Yubikeys, you can get high quality smartcards for Entra ID for 1/5 the cost of a Yubikey (and with EZCMS yearly subscription you get them for free).
Now that you have successfully found your phishing resistant authentication method, book a free identity assessment with our identity experts and learn how you can implement this in your organization.