Winkeo-C FIDO2, hands on: A reliable and affordable USB-C security key

Pros

  • Good price
  • FIDO2 and FIDO U2F support

Cons

  • Some setup required
  • No NFC or biometric options

Many devices now use biometrics to let you log in without the inconvenience of remembering and typing a password: it’s more secure, but it usually adds a little to the price of the device. If you use any devices that don’t have Windows Hello, Face ID or a fingerprint sensor then you must have a password on your account anyway.  

If you want to use two-factor authentication (2FA) or even go full passwordless but you still have older devices with no biometric hardware (or you prefer not to use biometrics), a FIDO2 hardware key will let you use the same cross-platform authentication that’s built into Windows, MacOS, iOS, Android, ChromeOS, Linux (although you may need to do a little more setup) and an increasing number of online services like Microsoft 365, Azure AD, Google Drive and more. 

Winkeo-C FIDO2 in laptop

The Winkeo-C FIDO2 key is small enough to leave in your laptop.

Image: Mary Branscombe / ZDNET

The Winkeo-C FIDO2 from Neowave is a compact little security key that also supports the older FIDO U2F specification that works with AWS, Dropbox, Facebook, GitHub, Gmail, GOV.UK, Okta, Salesforce, Twitter, Zoho and dozens of other sites and services. It’s small enough to keep in the USB port of your laptop most of the time, although it doesn’t sit flush enough that you’d necessarily want to leave it in place when you’re carrying it in a bag (the lanyard hole makes it easy to put on a keyring to carry around though). We also found it fitted very snugly into the USB-C ports on multiple test devices, so you have to tug quite hard to extract it.

Winkeo-C FISO2 setup

Sites and services that use FIDO2 let you create a PIN and use a hardware key like the Winkeo-C to log in securely.

Screenshots: Mary Branscombe / ZDNET

You don’t have to install any software – not even a driver: just set up your accounts for 2FA (you have to do that for each site or service you want to use it with) and add the Winkeo-C as your security key. For many services, that will involve setting a PIN. Whereas a password is sent to the server (and if the service provider doesn’t protect their data properly a data breach could expose it to attackers), PINs never leave your device and are not synced across devices the way passwords are, so you must set them up on each system. PINs are just used to unlock the secure hardware that stores your log-on credentials, which means they can’t be exposed in the same way passwords can. Even if someone tricks you into telling them your PIN, they can’t use it without your security key. 

Once set up, the key uses both the PIN and a tiny touch surface on the end to log into FIDO2-enabled systems and services that support passwordless: when you’re using it as 2FA with a service like Gmail, you still need to fill in your password, but you must also have the security key plugged in and touch it to prove you’re there. This isn’t a fingerprint sensor, just a capacitive sensor that detects a live person touching it. 

Usually, the interface will tell you when to touch your device: if you miss that, the Winkeo-C flashes a bright red light to attract your attention (it also lights up green when you first plug it in to show it’s been detected by your device). Because it’s a USB-C device you can put it either way up: the light and touch surface are more visible when it’s the right way up, but because the case is slightly translucent and the touch sensor is on the end, you can still use it (and notice the light) either way round. 

Winkeo-C vs Winkeo-A

The USB-A version of the Winkeo FIDO2 is quite a bit bigger.

Image: Mary Branscombe / ZDNET

If you don’t have a USB-C port, Neowave has a USB-A model (the Winkeo-A FIDO2), which is quite a lot larger but otherwise works in the same way. 

There are plenty of FIDO2 hardware keys on the market, with Yubico being perhaps the best known, which have options like NFC or biometrics and are mostly priced around £40-50. The Neowave keys are rather cheaper – £21.99/€29.99 for the Winkeo-A and £32.50/€29.99 for the Winkeo-C – if more basic.  

As a lesser-known supplier, you may have a few more hoops to jump through to use these Neowave devices: they’re not listed on the common instructions for setting up a UDEV rule to FIDO2 and you may need to turn off the key restriction policies in Azure AD that limit hardware manufacturers you can use before enabling security keys for your tenant.  

That doesn’t mean there are any security concerns (Neowave is a Microsoft partner and its security keys are certified by ANSSI, the French national cybersecurity agency), but it does mean a little extra setup work to make logging in both simpler and more secure. 


Winkeo-C FIDO2 specifications

Smart card component Certified Common Criteria EAL5+ • up to 1024 credentials for FIDO2 and FIDO U2F
FIDO2 features
Supported crypto-algorithm ECC P-256
Supported options user PIN (4-63 bytes, try limit = 8) • resident keys (max number ~256 credentials)
Extension HMAC secret
FIDO U2F features
No security failure in case of key or password theft (Authentication requires both)
Second factor authentication fully compliant with Google services through Chrome, Edge and Firefox browsers
Extended compatibility (Salesforce, Office 365, etc.) through federation identity providers (Web SSO)
Supported operating systems Windows, Mac, Linux and Android
Supported browsers Chrome, Chromium, Vivaldi, Opera, Mozilla Firefox, Microsoft Edge (via WebAuthn/FIDO2 CTAP)
Dimensions 23.5mm (26.1mm with cap) x 14.4mm x 6.5mm
Weight 3g
Price £32.50 / €29.99

Alternatives to consider

RECENT AND RELATED CONTENT

This is the ultimate security key. Here’s why you need one 

The best YubiKeys: What’s the difference between each key? 

How to set up two-factor authentication for your Facebook account 

Connecting to public Wi-Fi: Here’s how to protect your data and your device 

The best security keys: Protect your online accounts

Read more reviews

READ MORE HERE