
YubiKeys by Yubico provide two-factor authentication by USB

Glenn Fleishman | Dec. 1, 2014
I've written a few times about two-factor authentication (2FA), where a password (something you know) is paired with a second item, like a device-generated token or one-time code sent via SMS (something you have). A password can be stolen or sometimes extracted, so a second factor makes it substantially more difficult for someone who lacks physical access to you or your stuff to break into one of your accounts. This keeps attackers from carrying out wholesale attacks across thousands or millions of accounts, unless 2FA is badly implemented or attackers find an exploit.

Yubico's keys, the Premium Neo ($50), the Premium Neo-N ($60), and the FIDO U2F Special Security Key ($18), have an integral button. The Premium Neo includes NFC. (Yubico hopes Apple opens up its NFC support to allow direct NFC validation.) I tested the Neo-N and Special Security Key. The Neo-N is so tiny it's quite difficult to pull out of a deep USB port, and the Special Key has a keychain hole for ease of carrying.

Early backers

So far, there's little support as the standard and hardware are new, but Google is a backer of the spec, and lets you substitute a U2F key for other second-factor methods of authentication with a Google account when used via the Chrome browser in Mac OS X and on other platforms.

LastPass also supports U2F. It's very easy to implement, from all reports, and the broad participation in the FIDO Alliance's board by major firms makes wider support likely. Allowing U2F as a second factor doesn't close down other options for authentication. (Yubico has other key types that simply simulate typing a password, and which work more universally; some of its U2F-supporting hardware includes that functionality.)

A U2F key can be registered to multiple accounts and it can't be password protected. So it's as useful as an app, in that only a single piece of hardware is required to generate appropriate codes for multiple accounts. But it's as vulnerable as a security dongle, since mere possession obliterates the second-factor advantage. Someone who physically obtained your U2F key would still need your password or other first factor. An app or computer-based second factor can still be better, by requiring an ostensibly different password to unlock a computer or mobile device before obtaining the second factor.

Will U2F keys sweep the land? It's hard to imagine them becoming a required item on every keychain, but I dare say that they are so much simpler to use than anything currently outstanding, that they should sweep in another broader circle of users who won't be bothered with today's methods. If Apple opens up NFC access as is generally anticipated, such keys can become a touch-and-go second factor with even less fuss.

An update on Touch ID and compulsion

In my first Private I column, I mentioned that Touch ID had a problematic component: you could be compelled to unlock a device, either by force or by law. "An individual or agent of others who want some of your information must only get ahold of your device, ensure it hasn't been rebooted, and then be able to hold an appropriate digit still for long enough to validate one's fingerprint."

