YubiKey 5Ci review: WebAuthn encrypted Lightning key for iPhone and iPad for secure authentication

Yubico’s new YubiKey 5Ci is the company’s first hardware authentication device with a Lightning adapter for the iPhone. YubiKey provides security that reduces the potential of password-based account hijacking.

Just like a second-factor token sent via text message or generated by an authentication app like Google Authenticator or Authy, YubiKey provides an additional element after a login with a username and password. Because phone numbers can be and have been hijacked and re-routed to other phones, it’s even more reliable than assuming a text-based code will always wind up at the same physical device.

YubiKey currently works with some apps and via the Brave browser in iOS. YubiKey supports the relatively new WebAuthn protocol approved by the World Web Web Consortium (W3C) to allow strong, encrypted second-factor authentication directly within a browser, without requiring proprietary extensions or company-specific hardware or software.

The $70 device also includes a USB-C plug for desktop authentication, but its USB-C port doesn’t yet work with iPads equipped with that connector.

Yubico

The YubiKey 5Ci has a LIghtning connector for use on iOS devices, and a USB-C key for conecting to a Mac. It does not yet work with USB-C equipped iPads.

In testing, the YubiKey 5Ci performs as expected, but many websites aren’t yet ready for iPhone and iPad authentication. That will change in the near future as WebAuthn adoption improves and as the key enters the market.

Broad industry support, but sites behind

Yubico already makes a line of USB and NFC (contactless) keys that support earlier secure protocols, while its newer models also handle WebAuthn. This extension to Lightning paired with USB-C is an attempt to push this substantially more secure option to iPhones and iPads, by ostensibly creating demand and interest among Apple users.

Microsoft Edge, Google Chrome (desktop and Android), Opera, Firefox (desktop and Android), and the built-in Android browser all support WebAuthn in release versions. Apple has enabled WebAuthn in the Safari Technology Preview for the upcoming version 13, that will ostensibly appear in release form in Catalina.

Apple hasn’t yet said whether Safari for iOS and iPadOS will also support WebAuthn. As a broadly adopted industry standard that leaves security control in a user’s hands, there’s little reason for Apple to stand aside.