If you're at all serious about online security, you're sure to have at least a passing familiarity with two-factor authentication, or 2FA. Single-use codes sent in text messages or emails are probably the most common type of 2FA, but there are more secure methods. The YubiKey 5C NFC facilitates several of those methods in a small, affordable package: at 55 bucks, it's a pretty fantastic little gadget. Honestly, everybody should have one of these things.

The Good

Versatility You can either plug the 5C NFC in or tap it to your phone.
USB-C Easy to use with newer phones and laptops.
Durability IP67-certified and "crush resistant." No moving parts.

The Not So Good

No USB-A You might need an adapter to use the 5C NFC with desktop computers.
Mobile app functionality Some advanced features can only be managed from Yubico's desktop app.

Design, hardware, what's in the box

The YubiKey 5C NFC looks like a slim flash drive: it's a flat rectangle, about an inch long, with a USB-C plug sticking out one end. There's a touch-sensitive gold circle in the middle and a hole to attach it to a key ring so it's always with you. It's good practice to keep it on your person (assuming you have a backup way into your protected accounts somewhere safe in case you lose it), but something about keeping it on a key ring, bumping up against metal and rolling around in pocket/bag debris, rubs me the wrong way. I'd be happy if there were a silicone sleeve included to protect it.

My fears are probably unfounded, though. The 5C NFC is IP67-certified (the internet is full of anecdotes from people who've run their key ring through the wash to find the YubiKey still works after) and its body is fiberglass-reinforced and "crush resistant." The touch area is also coated in "military-grade hardened gold." All told, it's probably one of the more durable pieces of tech you'll ever own.

There's actually nothing in the box other than the key itself; all the literature is online. Considering you can't set it up without access to the internet anyway, that's no great loss.

Functionality

The basic idea behind 2FA is to require a second factor in addition to your password to authenticate your identity, safeguarding against stolen, easily guessed, or otherwise compromised login info. SMS 2FA is better than nothing, but it's relatively unsecure and isn't much use without cell service. The YubiKey 5C NFC can be used for several different types of 2FA, but I'll just touch on the two most people will use.

First, app-based 2FA, which plenty of sites support. It's pretty technical, but long story short, app-based 2FA uses your device to generate single-use passwords you use in addition to your regular password to log in. These temporary passwords are generated fresh every 30 seconds, and are based on a very long, unchanging password both your device and a server know (usually loaded into your phone via QR code).

Apps like Google Authenticator store these unseen, unchanging passwords locally on your phone. Some apps, like Authy, also let you encrypt and back them up online. Yubico's trick is that it lets you store them on the YubiKey itself and load them into its authenticator app by either plugging the key in or tapping it to the back of your phone, a setup that makes moving between devices that much easier (and alleviates any anxiety you may have about storing your 2FA info in the cloud). You can even lock the key with an additional password, in case anybody else gets their hands on it.

Some services — Google, Dropbox, and Twitter among them — can be configured to require the physical presence of a U2F security key (like this one!) to let you log in after entering your password. For that type of authentication, you either tap the 5C NFC to your device or plug it in and touch the little gold circle when prompted, and that's that. It's generally a breeze to set up and use, and considering how much sensitive stuff is probably tied to your accounts, it's a good idea.

Each YubiKey also has a "static password" feature you can access by plugging the key in while a text field is selected and tapping the gold circle (to fill the password in, the key identifies itself as a hardware keyboard). The idea here, Yubico says, is that you can enter a few characters you have memorized, then tap the key to load in the 32 additional characters, making for passwords that are too long to feasibly remember, but don't have to be stored in a password manager. That's stronger security than I think I need, but the option is nice to have. This static password can be manually changed, too, but only using the desktop YubiKey Manager app.

Developer: Yubico
Price: Free

Should you buy it?

YubiKey 5C NFC
9/10
Yes. There aren't a ton of two-factor security keys on the market, and Yubico makes a healthy portion of the ones that are. But for my money, this is the one I'd choose. It's small enough not to feel cumbersome on a key ring or in a wallet, it's durable, and it supports all the security features you could ask for, including the FIDO2 standard that hopes to eventually do away with passwords altogether. Its additional bells and whistles, like storing app-based 2FA credentials and generating a 32-character static password, are great bonuses.

I wish the key had both USB-A and USB-C, though — Yubico doesn't currently offer any models that do, which means you'll need an adapter to use the 5C NFC with a lot of desktop computers (or to get the YubiKey 5 NFC, which lacks USB-C). You also can't manage some advanced features or reset the key without using a desktop app. Still, if you're living the USB-C life full-time, the 5C NFC should fit very neatly into it.

Buy it if:

  • Your current and future devices all have USB-C ports (or NFC).
  • You swap devices frequently enough that Google Authenticator's credential transfer process is a hassle.

Don't buy it if:

  • You don't care about NFC. Options like the YubiKey 5C and Google's Titan USB-C are smaller and cheaper (although the latter can only be used as a U2F key).
  • You still need USB-A.

Where to buy:

  • Yubico – $55