Yubico's Yubikey
Through the rather excellent Security Now podcast, Steve Gibson has introduced me to an emerging product from a new company called Yubico. By the sounds of things it has the potential to completely revolutionise authentication on the Internet. It sounds as interesting and revolutionary as OpenID, and can actually build upon OpenID to make it more secure.
I'll just give a really brief introduction because I'm not enough of a security expert to really explain this and the podcast does a much better job if you have an hour and a half to geek out on this. If not, it's something to pay attention to anyway.
Something you have
Some large companies such as Paypal and Verisign offer a key-fob/dongle to add a layer of security when signing in, making it multi-factor authentication.
(For the uninitiated, a password is basically a single factor authentication system and that factor is referred to as 'something you know'. It's secure unless someone discovers your password, at which point they can log into your system. Another factor is 'something you have'. This means that someone trying to log into your account would have to steal something physical from you in order to authenticate and this is obviously a lot harder than grabbing your password somehow. The key you use in your front door is probably the most obvious example of this.)
These dongles are small devices which produce a unique one-time password when you press a button. The password changes every time you press the button and has a limited lifespan. If anyone tried to learn the password they would be out of luck because it will expire by the time they get to use it. This means you must own the dongle to get into the site. It adds the 'something you have' authentication and makes everything a lot more secure.
Yubikey Revolution?
Good so far. But the Yubikey is revolutionary for two reasons.
First: it is a USB key which is essentially a keyboard. This is a particularly good idea because it means there are no driver difficulties or issues with installing client software. You simply plug the key into your USB connection, go to the login screen and then press the button on the Yubikey. The Yubikey then spits out a really long one-time encrypted password and your computer interprets it just like you were manually typing it out on a normal keyboard. This makes it really easy to use and instantly compatible with pretty much any computer.
Second, it is open source. This means anyone can set up a server because all you need to pay for is the actual USB key. This makes it usable by more than a few large corporations who set up an account with someone like Verisign.
The possibility of using this with OpenID is particularly exciting. One of the issues with OpenID is that you have only a single password that lets you into lots of stuff on the web. This means that if someone found out your password they could get into a whole load of your accounts instead of just one. The Yubikey makes your OpenID a whole load more secure.
So the Yubikey is really useful for small businesses and even single individuals. But it's also a benefit to large corporations because they can run the servers themselves, on an internal intranet if they choose. It's really a win for everyone (except Verisign, of course!).
As long as Yubico has the capacity to make these keys in huge numbers, I'm 99% sure this is going to be massive.
If you want to know more, listen to the Security Now podcast and take a look at the Yubico website.
Comments
Max M says
on 6 August 2008 - 8:27am UTC
I completely agree with your blog. I've been using the Yubikey for a few weeks now and it is excellent. It's portable and cheap which makes it really easy to get. It makes logging into the sites that support it a breeze. I love that I can use it anywhere I want, because I don't need to install anything.
However, I don't know if you've heard of some sites that Yubikey works with. Mashedlife is a password management site. It stores all your passwords in one location and lets you use a one-click log in. Using Yubikey to log in there makes password storage easy and secure. Since my Yubikey logs me in, and Mashedlife remembers my other passwords, this is a relationship made in heaven. I'd say you should go check it out. Just go to www.mashedlife.com
Thanks for the great blog post!
Regards,
Max
Alan says
on 12 August 2008 - 2:08am UTC
Hi Max,
Clearly I need to set up email notifications of new comments. Sorry for a late reply.
I've not had time to look at Mashedlife properly yet, but it looks interesting. The big worry is trusting the service with important passwords, but it looks promising other than that marketing hurdle.
Are you connected with the company?
And thanks for the link.
Alan