White paper: Bridge to Passwordless best practices
In 2007, Yubico set out to protect as many people as possible by making secure login easy and available for everyone. We are happy Apple has joined Yubico, Google, and Microsoft on this journey by implementing W3C WebAuthn/FIDO compatible platform authenticators and are pleased to say that now all major platforms have adopted the standards Yubico worked more than 10 years to create and proliferate!
In 2013, when our solution was proven at scale inside Google, and before we contributed our joint work to the FIDO Alliance, we presented our standards vision blog and Future of Authentication FAQ. As the ecosystem evolved, Yubico has been focused on enabling portability, security, and privacy across all devices and systems.
Portable root of trust – The YubiKey can be used across systems for all devices, including shared workstations and mobile restricted environments. FIDO protocols allow for multiple authenticators to be registered to accounts, allowing YubiKeys to be the primary authenticator or an affordable back-up FIDO authentication key, when a computing device is lost or broken. YubiKeys are extremely durable and do not need to be charged to operate.
Minimizing the attack surface – While it is far better security to store cryptographic secrets on a more secure area of a phone than in a software app, the risk is further limited when keeping your credential separate and outside a complex, multipurpose device. The Intel SGX vulnerabilities highlight the cybersecurity risks of multipurpose components constantly connected to the internet. For all authenticators, being built-in or external, a trusted supply chain matters. Most certifications focus on interoperability, few review cryptographic code, and none can ensure total system architecture, implementation, and supply chain security.
Decentralization and ecosystem independence – The major tech vendors, including Google, Apple and Microsoft will want to link your credentials to their platforms and systems. Many users and consumer applications will accept these privacy trade-offs, but it can be a concern for others, including high-risk individuals, enterprises, and government services.
More than 4 billion internet users need easy and strong login protection. The vast majority of all IT breaches are due to stolen login credentials, mainly from static passwords or other weak authentication methods. YubiKeys and FIDO-enabled phones and computers are here to stop account takeovers and advanced phishing attacks and make the internet safer for everyone. Big warm thanks to everyone on the Yubico team and the global open standards community who has helped make this shared vision happen!