A selection of questions we have received and answered on YubiKey NEO and Universal 2nd Factor (U2F), since this new open authentication standards initiative was announced in Wired Magazine and the Yubico identity vision blog.
Note: The YubiKey NEO publicly available on Yubico web store does not yet include U2F and cannot be upgraded to support U2F.
Why do you want to kill the password?
We don’t. Yubico does and will continue to recommend two-factor authentication, consisting of a PIN or password in addition to a device which generates new and encrypted pass codes every time it is used, such as the YubiKey. The best security practice is to use something you have with something you know. With the YubiKey, the password becomes a supporting element rather than the main defense; thus a simple PIN suffices to protect you against misuse of your YubiKey by those around you.
What is the user experience of YubiKey NEO and U2F?
It is easier to use a YubiKey NEO with U2F than logging in with a username/password. With NFC mobile devices, all you need to do is to enter a PIN and tap the YubiKey NEO to an NFC-capable phone or tablet. With computers, you place the YubiKey NEO in the USB-port enter a PIN and touch the device. And you will only need a YubiKey and a simple password for any number of services. To see how it works, watch this video.
Why is a hardware key better than software-based authentication methods?
A software application, regardless if it’s on your computer or your smart phone, can be easily targeted and misused by malware – which has already happened to SMS and authentication apps. The best security practice is to move login credentials to a separate hardware device not connected to the Internet. To further improve security, it is recommended to use PKI encryption with session security, and a user presence touch button; features uniquely provided by the Yubikey NEO and the U2F specifications.
Will U2F support software-only implementations?
The initial U2F deployments inside Google and elsewhere are all based on hardware devices. However, for lower security applications, U2F software-only implementations are likely to be offered down the road.
Why can’t I have my identity and a security chip integrated in my device instead?
A user identity, including U2F specifications, can be integrated directly in your smartphone or computer using TPM, Arm TrustZone, SIM Card or a secure element. While this approach reduces the number of separate devices needed, it has notable disadvantages from a security, privacy and mobility perspective.
Security – Identity and authentication technologies that are permanently connected to a computer or phone fails to meet the “not connected to the Internet” best practice for storing sensitive secrets. These devices are all more or less exposed to malware, malicious apps, Wi-Fi exploits and VPN masking. In addition, they don’t help against the social attacks (i.e., software tricking the user into doing something unintended) which will continue to be the easiest way to attack users. Those social attacks will always be available on general multi-purpose devices where users can download and install apps on their own, and provide an avenue to attack the secure elements directly.
Mobility – With your credentials tied to a integrated device, it may be difficult to move your identity between other devices, or to use a computer at a hotel or friend’s house. For the majority of high security applications that are performed on computers, it may not help to have an identity tied to a phone, as there is no communication standard between all computers and mobile devices.
Privacy – The device identity may be controlled or monitored by the telecoms provider or other party, which may add cost, complexity and privacy concerns. In a time of “Big Data” and government surveillance, many enterprises and individual users have concerns about privacy. What’s more, tying your identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts.
Why would users want to have multiple identities?
U2F and Yubico supports an open identity eco-system where users can be secure – but still guard privacy. Just as with email, many users chose to have multiple accounts; a real/personal, a real/job and an high privacy/alter ego or spam email account. We want to help you to prove that you are the legitimate owner of an account, while not requiring additional personal information. We also want to support use cases where identities are used for a limited time and revoked when needed. We believe you should be in control about how sites track you over your digital life; With the YubiKey NEO and U2F, minting new Private/Public key pairs for each site, tracking across sites is not enabled.
I still do not like to have to keep track of one more thing.
You will not need to. U2F is designed for secure elements; high security chips, for integration into many of the things you are likely to carry with you today; a card in your wallet, a key in your key-chain or directly in your phone. Therefor the U2F technology gives you the choice; you can use it embedded into your existing devices for low-risk purposes, or use U2F via a Yubikey NEO when you want better mobility, privacy and security properties.
So, what about fingerprints or face recognition?
We don’t believe that biometrics sent over the wire to authenticate users is appropriate for privacy and security reasons; Your fingerprint is a static and unique image that can be copied and misused – but not revoked. However, once the technology is proven to be more dependable, biometrics to unlock a phone or computer could be useful, but where the actual interaction and authentication is done between a security chip in the device and the server. But as discussed earlier, having a security chip permanently tied to a computer or phone device may have limitations from a security, privacy and mobility perspective.
When will NFC get mass adoption?
The majority of high security applications requiring strong second factor login are still performed from a computer with a USB-port. To address the growing use of mobile devices, YubiKey NEO and U2F also support NFC. While Apple is waiting to adopt NFC, their competitors, who represent a combined 80% smart phone market share, will have sold more than 200 million NFC enabled devices in 2013. Banks are pushing NFC enabled payment solutions and critical mass is being achieved in several countries. Once the next generation NFC credit- and debit cards have been deployed, allowing “one touch” secure payments directly on your own phone and computer, there will be a market demand for NFC on all devices and platforms.
How does the Yubico identity vision relate to federated identity services?
It is very complementary to SAML, Open ID Connect, etc, as these protocols enable powerful single sign-on opportunities but need to be combined with two-factor authentication. U2F is based on a PKI infrastructure where every service provider can optionally also be their own identity provider. When user data and cryptographic secrets do not need to be shared between service providers, both security and user privacy can be enhanced.
Why would users want to pay for their online identity?
In a time where users’ personal information is collected and used by a growing number of organizations, many users are growing concerned about privacy. Once a single U2F device can be used for a multitude of popular services, users will want to buy, own and control their own online identity, that does not need to be tied to a service provider. Also, with a physical U2F device, users will be ensured that their online identity is well protected and is not being exposed to malware, which has already happened to software authentication apps. Some service providers will offer financial incentives for users to buy and use a U2F device with their service, but many users will also be willing to pay for it themselves. In partnership with leading password managers, Yubico has already proven that there is a real market demand for a single and secure authentication hardware solution. Also, the millions of end-users who have purchased anti-virus software, prove that we are willing to pay to protect ourselves on the Internet.
The U2F and the NEO technology still allows enterprises and organisations to purchase larger volumes of devices and put them in the hands of their users, so you can chose whether to adopt the model where the user acquires and own the device and where the service organisation purchases and deploy the device.
What would happen if a user loses a U2F device?
A user will be able to have multiple and back-up U2F devices enrolled with an account, with the possibility to easily disable a lost device. Similar to other account recovery processes, the service provider may also choose to send “recovery codes” over email or phone as a back-up to the physical device. Ultimately, revocation is something that needs to be resolved by each website that authenticates users because they have the direct relationship with the user. U2F does not solve this problem, but makes it easier to have stronger recovery processes by introducing new authentication factors.
Why can’t we use Big Data to fix the authentication problem?
Server side risk evaluation software has its place in services, especially involving high-value transactions. However, easy-to-use strong authentication is critical in striking a balance between ease of use, reducing false positives and eliminating fraud. Computers, phones and networks will never be free from malware, and users will need to move their secure identity between devices and services. The YubiKey NEO with U2F enables true end-point authentication, where we only need to trust a key in our pocket and the services it connects to.
What are the main barriers in the broad adoption of YubiKey and U2F?
The inventor of the 3-point seatbelt at Volvo realized that security needs be really quick, simple and made into an open standard to scale. Online authentication for the masses has the same requirements. A YubiKey with U2F is easier to use than easier to use and more secure than traditional two-factor solutions, and is being supported and deployed by leading Internet thought leaders, including Google. This is a great start, but just like the seat belt; mass adoption will be derived from more severe accidents, increased concerns about security and privacy, and government and industry regulation.
What is the business incentive for driving a new open authentication initiative?
Yubico recognizes the potential that a higher level of authentication using PKI can offer, designed with better usability and less complexity than solutions available today. We found that Google’s authentication efforts are aligned with these goals. To support a next generation secure Internet, scaling our technology to as many services as possible, our approach is to make U2F a new and truly open standard.
How would you make high security transactions with a device you could purchase at your corner store?
For some identities you may choose to be secure and “anonymous”. For services requiring a higher level of identity assurance, you would bring your identity device along with your Passport, driver licence or ID to an official location which would associate your U2F device with your real identity. There are also online services offering identity proofing which could accredit your device.
What authentication technology initiative do you see as your biggest competitor?
All initiatives in this space help to educate and challenge the market for something better than the legacy username/password. There will not be one single authentication method and security protocol to rule the world, but the winners will address different needs and be open and interoperable. And Yubico’s focus is to make online authentication as easy and affordable as possible, yet retaining the highest level of security and privacy.