Suresh Thiru

Doing the Math: Why strong authentication for every employee makes sense

By now, it’s an all-too-familiar routine…

Step 1: Organization suffers an expensive and embarrassing security breach

Step 2: Organization hastily introduces multi-factor authentication (or steps up its efforts to mandate its usage). 

Oftentimes, it takes a breach to make organizations fully embrace strong authentication. But why? We know that usernames and passwords alone cannot provide sufficient security, and we know that SMS two-factor authentication (2FA) has been deprecated time and time again. Yet, many companies continue to rely on these less-than-secure methods anyway. 

Considering the cost of implementing multi-factor authentication

One theory is the perceived cost and complexity of implementing widespread strong, multi-factor authentication (MFA). Security is usually seen as a cost center, and CISOs are accustomed to the careful balancing act between the strength of a security posture and its cost. But, as breach impact and frequency change, so too must the calculations CISOs make when determining their authentication strategy.

There are three factors — and their associated cost implications — that must be calculated when deploying strong MFA enterprise-wide: security, usability, and scalability.

Security: Misguided MFA could be an $8 million mistake 

The first consideration must be the cost and probability of your organization suffering a security breach. The average cost of a data breach in 2020 is $8.64 million in the US ($3.86 million globally). And that’s not counting the cost in lost revenue of a reputational hit. 

Forrester estimates that most organizations have a 30% likelihood of facing a cyber attack. These odds have only increased through 2020 with a surge in phishing attacks as hackers capitalize on the shift to remote working and accelerated adoption of the cloud. Not to mention, the potent cocktail of circumstances caused by a pandemic, election, recession, and social unrest have bred fear, uncertainty, and doubt — prime territory for hackers. For some organizations, such as political groups, government agencies, media, and healthcare providers, the risk is even greater. If the cost of a potential breach isn’t incentive enough, failing to reduce your breach risk exposure can also impact your cyber insurance premiums.

With a 30 percent chance (on a good day) of suffering a $8+ million security breach, the cost of implementing MFA as an investment seems incontrovertible. But which type of authentication will be strong ‘enough’?

A study by Google and NYU compared the standard baseline of password authentication with 2FA methods including FIDO security keys, smartphone-based one-time password (OTP) generators, and SMS. Google found that hardware-based security keys, like the YubiKey, provide the strongest security — the only method to protect against phishing attacks 100% of the time — while also offering the best mix of usability and deployability. Strong, hardware-based multi-factor authentication can give enterprises peace of mind by eliminating the threat of phishing attacks and account takeovers, which contribute to roughly 80% of all security breaches.

Usability: Poor user experience can drive support costs upwards of $12M a month

The next consideration in the cost of implementing multi-factor authentication for CISOs is often usability. If strong, hardware-based MFA is the most secure option, what will the user experience be? To answer this, we need to examine the alternative forms of authentication from a user’s perspective, specifically simple usernames and passwords or mobile-based 2FA.

Let’s face it, it’s frustrating to have to enter passwords or one-time passcodes all the time. And, as we all know, employees frustrated by a poor experience will not only be less productive and engaged, but also more likely to churn or circumvent the process — all of which are expensive outcomes. This either puts an organization back to square one — at risk of a data breach due to failed user adoption of security solutions — or creates disruptive workflows that take a toll on productivity. Gone are the days when users put up with hard-to-use tools at work, even if those tools are there for their own protection. Usability is no longer a nice-to-have and most CISOs know it. 

For starters, let’s take a look at the IT support costs required to control and sustain password-based authentication across an organization. It’s well known that password resets alone are a top cause of support calls and emails. According to statistics from Gartner, 20-50% of all IT helpdesk calls are password resets and Forrester estimates that the average cost of a password reset is $70. In fact, password resets cost Microsoft over $12M per month according to a presentation given by Alex Simons at Microsoft Ignite 2017. That support burden is magnified when you introduce mobile-based 2FA, giving employees additional apps to manage, and giving IT additional licenses and software to provision. 

According to a Google case study, the company was able to reduce its password reset costs by 92% after deploying YubiKeys worldwide. Additionally, employees saw a significant reduction — by nearly 50 percent — of the time to authenticate using a YubiKey compared with using a one-time password (OTP) via SMS. Logins were nearly four times faster when comparing the YubiKey to Google Authenticator.

Scalability: Access for all employees saves on cost & time

The third and most complex consideration in a CISO’s calculation is scalability. This is where misperceptions and assumptions abound. How can hardware-based multi-factor authentication solutions, like the YubiKey — clearly the most secure and usable option — also be scalable across thousands of employees and hundreds of enterprise systems? Shouldn’t it be reserved for a few privileged users? 

Well, no. All users are susceptible to security breaches. In fact, hackers are savvy and will always take the path of least resistance, meaning that your privileged users may not always be their first target. And all users need an experience that doesn’t hinder productivity. The truth of the matter is, YubiKeys can be rolled out to all users without breaking the bank or creating an administrative sinkhole. In fact, they offer substantial cost and time savings.

When considering a company-wide deployment for an authentication solution, it’s important to consider how interoperable it is in various environments and across multiple technology stacks. For example, your organization may have “office-based” workers to secure like IT admins, HR teams, and more, but you may also need to secure employees “in the field” who are operating in mobile-restricted environments or with shared workstations like in retail or healthcare. It’s also likely that, over time, your organization will transition from legacy systems to more modern cloud-based technologies — all of which will support varying degrees of authentication. If you select a standards-based MFA solution that works with multiple back-end systems, independently of mobile connectivity, and with a premier “tap-and-go” user experience, you can eliminate the costs and complexities associated with managing several authentication mechanisms within your organization.

YubiKeys, for example, work out of the box with every major web browser and hundreds of enterprise cloud services, no custom development needed. So no matter which new services and applications you introduce, or which business use cases you need to solve, you won’t need to roll out new authentication devices or workflows for users to get familiar with. One device can be used company-wide. 

It’s also worth noting that 2FA via a mobile authenticator app or SMS is not a hardware-free option. Users need a mobile phone and many companies will either provide employees with a work-issued device or reimburse them for a portion of their monthly personal phone bill. According to a study by Oxford Economics, 89% of organizations provide a full or partial stipend to compensate employees for their mobile phone expenses. This averages $36.13 per month, and amounts to about $430 per year for each employee. 

Then there’s the cost of emailing or texting authentication codes to users. It may seem trivial, but to give an example, a mid-sized bank was able to reduce its SMS fees by 10%, saving $2.9m, after moving away from SMS-based 2FA.

Conversely, a YubiKey requires just the low-cost key itself, ranging from $20-$70. In fact, the combined security, usability, and workflow efficiencies of the YubiKey, allowed Google to give each employee multiple YubiKeys and still realize overall cost reductions. Now, with YubiEnterprise Delivery, enterprises can distribute YubiKeys to thousands of users in 34 countries — all while experiencing predictable spending with YubiEnterprise Subscription. 

The Total Cost of Hardware-Based Strong Authentication

All things considered, the equation for calculating the cost of implementing multi-factor authentication has changed. 

Traditionally, CISOs may have felt they couldn’t afford to introduce strong MFA universally. But, given the current cost of security breaches, and the advancements made in scalability and interoperability of hardware-based authentication, can they afford not to? CISOs are recognizing that strong hardware-based authentication for all is no longer going to put them at war with the CFO and, in fact, makes financial sense. It is possible to achieve affordable security, usability, and scalability after all.

To learn how your organization can cost-effectively deploy YubiKeys enterprise-wide, watch our webinar, “YubiEnterprise Subscription: Hardware Authenticators as a Service,” or contact our sales team.

Shamalee Deshpande

Why 3 government agencies are relying on hardware-based MFA with YubiKeys

America’s government is under attack. To put it more accurately, its governments are under attack, all the time, at every level — federal, state, and local — from opportunistic scammers, sophisticated cybercriminals, and even state actors.

We’ve all seen the stories about intelligence services stealing political emails, snooping into election systems, and even penetrating the US power grid. But those are just the government cyber security breaches that make the front page. For every cyber attack the public hears about, there are undoubtedly thousands that go unnoticed — even by their victims. According to one recent study, attacks on state, local, territorial, and tribal governments rose 50% between 2017 and 2020. The authors suspect that those numbers actually understate the problem. 

The reality is, government agencies are in a bind. On the one hand, they want to increase access to public information and make their operations faster and more efficient (especially during the pandemic when citizen services are rapidly moving online). On the other, they need to secure remote workers, protect sensitive PII (personally identifiable information), and keep America’s critical infrastructure — including elections and democratic integrity — safe. And they have to do it all on tight budgets.

The cyber security measures government agencies have taken so far fall short. Passwords offer little protection and are easily forgotten. Simple multi-factor authentication (MFA) methods like SMS verification codes or secure mobile authentication apps can still be subject to phishing attacks. These options are better than nothing, but they’re not enough. Alternatively, smart cards offer strong authentication but are expensive and cumbersome to deploy (especially in the middle of a global pandemic!). 

With the stakes as high as they are, and funding what it is, it’s becoming clear that government agencies need to move to a more scalable and economical form of strong authentication, like the YubiKey. In fact, there are several 2021 state and local tech priorities where hardware MFA plays an important role: 

  • Infrastructure and process modernization 
  • Supporting and enabling hybrid workforce and work 
  • Enabling connectivity and access 
  • Securing the new edge

To help federal, state, and local agencies navigate many of these priority areas in 2021, we’ve partnered with Government Technology to publish a new paper that outlines the critical use cases for hardware security key-based MFA and real-world examples of three government agencies — City of Mission Viejo, Sacramento, and Washington State — who have successfully deployed YubiKeys to protect their critical systems. Topics include: 

Building a more secure remote work infrastructure

The shift to remote work has introduced a new distributed perimeter and exponentially more security vulnerabilities. Many IT leaders are having a difficult time re-establishing trust with the individuals accessing their systems. Hardware security key-based MFA can reduce the danger of man-in-the-middle attacks and provide greater flexibility for remote government workers, eliminating costs associated with mobile device-based authentication.

Enhancing security for digital services  

More governments are providing digital services to constituents, a crucial part of ensuring business continuity during times of crisis. Government IT chiefs can streamline operations and strengthen security for both internal services, as well as external citizen-facing digital services, with hardware security key-based MFA that can be conveniently integrated into existing Identity and Access Management solutions. For example, modern FIDO2 and WebAuthn standards are the best-suited authentication methods for external customer-facing services.

Protecting critical election infrastructure

Top of mind currently, but essential for every election or referendum: how municipalities can adopt hardware-based MFA to secure voter registration databases, election management systems, e-poll books, and other election infrastructure using the strongest authentication possible to stop 100% of account takeovers. This is even more important when a large percentage of the users are temporary volunteers.

Government agencies have a special charge to protect the public, and many authentication methods aren’t up to the task. Around the world, government organizations including the British NCSC (National Cyber Security Centre) and the European Union Agency for Cybersecurity (ENISA) are recommending the move to MFA solutions, of which hardware security key-based MFA is the strongest version.

The tools are available. The technology is here. And it’s easy enough for anyone to use.

To learn more, download the full Yubico white paper, “How State and Local Governments Are Combatting Account Takeovers.” 

Stina Ehrensvard

Wrapping up 2020: A year where technology and internet security prevailed

Never has the world been more dependent on the internet, and never has it been more attacked than in 2020. In fact, it proved to be a year where trust in many of our systems was challenged. Yet I remain an eternal optimist and believe that we can transform the hard lessons learned in 2020 into tremendous potential for those of us who aim to make a difference in the world of security and privacy.

The powerful and beautiful human experience named the World Wide Web was launched only 30 years ago, designed for sharing information, not for security. Today, the core infrastructure that holds up our modern society has become a new digital war zone, not only for criminals, but for strong financial and political powers to conquer new territories, assets, and minds. 

At Yubico, we had our fair share of challenges in 2020, but we are also grateful that the YubiKey, the YubiHSM, and our open standards contributions have made a significant positive impact for internet security. In no other year have we experienced a higher demand for our technology. Yubico products are being used internally to protect the largest internet companies and their services, which this year have become the backbone for team collaboration and communication for billions of people.

This blog summarizes nine events that helped Yubico’s accelerated growth and adoption for trusted, portable, phishing-resistant hardware security keys. 

1. The continued rise of spear phishing
The vast majority of all IT security breaches are due to stolen or weak login credentials, and the most common attack vector is phishing. Old school phishing scams trick users to download a file or reveal sensitive data to a fraudster website. The new, most sophisticated spear phishing attacks compromise accounts without the user noticing. In fact, 95% of all attacks targeting enterprise networks are caused by successful spear phishing. The authentication technologies proven to stop these attacks all use public key cryptography, including YubiKeys and smart cards. 

2. WebAuthn momentum
Traditional smart cards have proven strong security, but were not designed for web or mobile. Beginning in 2011, Yubico began development of open authentication standards offering a next generation smart card technology, designed for the modern web and scale. We contributed our inventions to the FIDO Alliance and W3C. 2020 saw these FIDO and WebAuthn standards become natively supported in all leading platforms, browsers, and identity and access management (IAM) solutions, building security foundations far beyond passwords and basic MFA.

3. Remote work
As COVID-19 hit us hard and furious, businesses around the world faced a new reality with the shift to remote workforces. Many organizations scrambled to establish trust with employees and their devices outside of the traditional perimeter-based security that they’d typically have in an office environment. To help solve this, Yubico launched YubiEnterprise Delivery, which helps businesses ship YubiKeys quickly and directly to their employees’ doorsteps. 

4. Demand for cross device authenticators
With a growing market demand and increasing use cases for USB-C and wireless near-field communication (NFC) connections, Yubico released the YubiKey 5C NFC. Designed in the thin, robust, YubiKey “signature design”, the new key enables simple and strong authentication from all modern phones and computers, and has received raving reviews from the press, partners, and customers. 

5. Headliner security breaches
The most recent large-scale attack of this year, SolarWinds, is quite possibly one of the biggest breaches in modern time and joins a long list of other major breaches from 2020. All of this combined is leaving cyber security, strong multi-factor authentication and HSMs (Hardware Security Modules) top of mind for many organizations, as well as the importance of a trusted supply chain.

6. Secure manufacturing
Most security certifications do not review any actual security code, making it critical to trust your vendors’ supply chain. In a recent survey, the large majority of Yubico customers shared that they value that we manufacture all our keys in Sweden and California, and offer unique custom configuration tools enabling them to control their own encryption secrets. To date, we have made more than 15 million YubiKeys, and we continue to ramp up our production for significantly higher numbers to meet market demands in the years ahead.

7. Rising attacks on press freedom
Press freedom violations skyrocketed in 2020 due to increasing political and social unrest. In the US, there have been 182 journalists arrested while covering protests since 2017, and 121 of those arrests were from 2020 alone. Around the world, an increasing number of journalists covering injustice and misuse of power are being tracked, arrested, and in some cases, even killed. On our mission to help protect people, Yubico doubled up our YubiKey donation efforts program serving users at risk, including journalists. If there is no free press, there is no security. 

8. The 2020 presidential election
Four years ago, Hillary Clinton’s election campaign was hacked. A year later, YubiKeys were highlighted for the first time in a high school science fair, stating that hardware-backed multi-factor authentication (MFA) could have eliminated the chance for unauthorized account access, and possibly, changed the election outcome. In 2020, major phishing attacks from non-democratic forces were reported. To date, no emails were leaked from the election campaigns thanks to security keys, like the YubiKey, that are built on the FIDO open authentication standards that Yubico pioneered.

9. People taking action
YubiKey and WebAuthn are not the only technologies that will help us build a more secure internet, but they are proven to stop the single biggest problem – account takeovers. And now is the time to take action: for easy integration Yubico offers free open source servers and a WebAuthn Starter Kit. We also welcome you to ask your favorite online services and apps to incorporate WebAuthn support. It’s a global open standards effort designed to make the internet safer for all.


2020 – a year like no other – is coming to an end. This year has become a wake-up call for many things that we need to change. It’s been hard on all of us, but innovation, technology, and human collaboration can prevail. With new, better protection against attacks on our physical and digital lives, 2021 can be a safer year for us all.

All the Best, 

Stina Ehrensvard
CEO & Founder 

Christopher Harrell

4 things ‘Among Us’ can teach security professionals about authentication

You’re making good progress on this task. One more data upload and then you’re out of here. But right before you can complete the upload, a klaxon blares. There’s been an attack! Time to head to the meeting room for the usual finger-pointing and scapegoating before the team decides who to jettison from the ship.

Of course, I’m describing a scene from the wildly popular game Among Us. But, I could equally have been describing a day in the life of a security professional.

For the uninitiated, Among Us is a game of suspense and betrayal. Players are crewmates on a spaceship (or a similar fictional venue) and must determine which fellow crewmate among them is a hidden impostor—before they all become victims.

While most security professionals don’t spend their days on a spaceship evading murderous impostors, there are more similarities between their day-to-day activities and the game than you might think. The very conditions that have contributed to Among Us’s breakout success in the pandemic are the same ones that have sent cyber attack numbers soaring.

Maybe you’ve heard Among Us mentioned among colleagues, or perhaps you have kids at home who will be obsessively playing the game during holiday break. Better yet, maybe you’ve actually played the game yourself. Whatever the case, a comparison of the two serves as a useful reminder of the fundamentals of today’s cyberthreat landscape. 

The threat is already inside

The whole point of Among Us is that the attacker is, well, among us—hiding in plain sight. Players quickly learn to trust no one, that anyone could be a threat. That, of course, is the very premise of Zero Trust security. Assume everyone attempting to access your apps or services cannot be trusted until you have authenticated them. Whether they’re coming from outside the network or are already inside, they must be considered equally untrustworthy until proven otherwise. As the perimeter all but disappears amid the shift to remote work, the only option is to adopt a security posture that assumes nothing and authenticates everything.

The bad actor is an impostor

Among Us hinges on pretence. The attacker, of course, is known as the impostor and they must fool other players into believing they are one of them. In order to lure victims into situations where they can strike, the impostor fakes tasks and pretends to be earnestly engaged in the crew’s mission. Just like a hacker launching a phishing attack, the impostor entreats others to take actions that seem innocent but only further their nefarious cause. The victims never discover the impostor’s true identity until it’s too late. As security professionals, it is our constant refrain to users: you must not assume that the sender of the email is who they say they are; you must always be alert to suspicious communications.

Impostors thrive on chaos 

For much of the time in the game, players are alone and not permitted to speak with one another. A meeting is only called when a player finds a victim. Then, players congregate to loudly debate the evidence and make accusations about who the impostor could be. Amid those frenzied discussions, chaos is the impostor’s ally and best chance at pinning the blame on an innocent crewmate who, say, fails to remember exactly which tasks they were performing in the reactor room three minutes ago. Chaos is also the perfect breeding ground for cybersecurity attacks: when users are distracted or confused they are far more likely to fall for a phishing ruse. The current political, economic, and health uncertainties mean security professionals must stay on high alert (as we discuss in this webinar on protecting remote workers).

Attacks derail players from getting work done 

Between attacks, crewmates are engaged in a variety of tasks, which they must finish in order to win the game. The discovery of an attack means players must stop mid-task and head to the meeting room. This unplanned interruption, and ensuing pandemonium, wreaks havoc on the crew’s productivity and is easy to compare to the impact of a cyberattack on an entire company. Unlike in the game, however, a cybersecurity breach takes weeks, months, or even years to recover from. No quick reset and restart option here. 

Among Us has become a runaway success since the pandemic began. It’s not hard to see why. This is a game uniquely appropriate for the circumstances in which we all find ourselves: it is both a suspenseful and engrossing form of escapism and an eerie metaphor for the events that have characterized 2020 so far (as this article in Vice so eloquently explains). It is a game perfectly suited to the current environment. Just like the hacking industry, which has flourished since COVID took off, capitalizing on current social dynamics such as remote working, social distancing, anxiety, and fear. The difference, of course, is that cyber attacks are no game. The financial, social, and political repercussions are well known to all of us. 

For now though, if you’re in need of some relaxation after a long day fighting cyber attacks, hunting impostors in Among Us might be just the thing you need. Because, like any good security professional, you’re never truly off duty.


Christopher Harrell

Lessons from the SolarWinds incident

Last week, a large and expertly run espionage operation was made public — one that began no later than October 2019, and which had been actively exploiting victims since at least early 2020. This incident is particularly interesting for several reasons: for the breadth of sensitive global government and industry targets, for misuse of a trusted product’s software supply chain, and for the techniques used to circumvent internal controls and maintain persistent access without raising alarms.

First, and most importantly, we feel deeply for incident responders, PR teams, security and technology professionals, attorneys, law enforcement, and others who will be dealing with investigations into their own systems as the result of these revelations instead of enjoying the holidays after a tough year. HugOps to all of you working hard to understand what happened and to clean it up!

What follows is our perspective on what happened based on the facts available so far, with some recommendations of what to focus on, and what not to lose focus of, as the dust settles.

What Happened?

Overview

FireEye reportedly discovered this campaign as they investigated a breach of their own network, and determined that it originated from an attacker-modified version of SolarWinds’ Orion product. They were far from the only ones impacted.

SolarWinds Orion is a network monitoring and management tool that is used widely to understand and control the complexity of heterogeneous environments. It needs broad and privileged access to function properly, and this makes it a great vehicle to gain access to many environments. To better illustrate this level of network access, we’ve outlined the scenario in a diagram below. Orion is represented by the system on the left, and on the right it is accessing cloud services, routers, workstations, software as a service offerings, and many other things an organization depends upon.

SolarWinds reported to the SEC that more than 18,000 Orion customers received the same infected update. While almost two thousand unique command and control domains are known for this malware, only a small percentage of organizations are confirmed impacted so far.

Gaining initial access via Orion

So far, little information is available about how SolarWinds came to be compromised, but we expect that to change over time. What we do have are details about how Orion came to have malicious code inserted.

The version of Orion containing the malicious payload came with a valid signature from SolarWinds’ software signing keys, and according to SolarWinds, the illicit modification happened in their software build system, and was not visible in their source code.

A software supply chain consists of all the people, systems, and code that go into making and distributing or operating a product, application, or service. A simplified version is illustrated here, showing roughly where the attack took place inside SolarWinds’ systems.

Each trojaned instance of Orion then made connections to the internet using domain names specific to the victim, which were pointed to command and control servers hosted in the same countries as their victims. Those connections served as the basis of the control plane for this malware, and are where the instructions originated for what “bad things” to do next.

Lateral movement and escalation of privilege

Once the attackers were inside the networks of their target organizations, by way of Orion or other means, they leveraged other systems as necessary to gain additional privileges.

Of note is the supposed misuse of Identity and Access Management (IAM) systems like single sign on, network logon systems, SAML/OAuth/OIDC federation systems, and the like. In particular, there is talk, but not yet persuasive public evidence, that now patched vulnerabilities in Microsoft Netlogon, VMware Access or Identity Manager, and similar were used to elevate privileges. These systems are also trusted, by necessity, because they convey who is accessing a service by digitally signing an assertion of their validated identity. Attackers would be able to forge assertions if they stole or added keys used to digitally sign assertions.

In this diagram, a user proves their identity to the IAM component in the middle, which then uses its key to sign a message that the services on the right can use to validate that identity. This message contains information about the user accessing the service, and sometimes the roles and privileges that user should be granted.
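The trust relationship just described comes down to one thing on the service side: the set of signing keys the service has agreed to accept. The following is an added example, not code from this post or from Yubico; it models an IAM assertion as an HMAC-signed token (a stand-in for a SAML or OIDC signature) and shows the two defender-side controls that matter here: the relying party only accepts keys it has explicitly pinned, and the key inventory on the identity provider is diffed against a recorded baseline so that an added key becomes an alert rather than a silent new trust anchor. All key ids, secrets and the audience name are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: the relying party's pinned identity-provider signing keys (key id -> secret).
# Hypothetical values, not from any real deployment.
TRUSTED_SIGNING_KEYS = {
    "idp-key-2020": b"constructed-secret-for-idp-key-2020",
}
EXPECTED_AUDIENCE = "https://payroll.example.internal"  # assumed service identifier


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(claims: dict, kid: str, key: bytes) -> str:
    """Produce a signed identity assertion the way the IAM component in the middle would:
    header.payload.signature, with the header naming the key id (kid) that signed it."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}, sort_keys=True).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_assertion(token: str, trusted_keys: dict, audience: str, now: float):
    """Relying-party check. Returns (accepted, reason, claims).
    The kid in the header is only used to look up a *pinned* key; a kid the service has
    never pinned is rejected outright, which is the signal to alert on."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed assertion", None
    kid = header.get("kid")
    if kid not in trusted_keys:
        return False, f"unknown signing key {kid!r}", None
    expected_sig = hmac.new(
        trusted_keys[kid], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):  # constant-time comparison
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        return False, "audience mismatch", None
    if claims.get("exp", 0) <= now:
        return False, "expired", None
    return True, "ok", claims


def audit_signing_keys(baseline_kids: set, current_kids: set) -> dict:
    """Diff the identity provider's currently configured signing keys against a recorded
    baseline. A key that shows up without a corresponding change record is exactly how an
    attacker who 'added keys' becomes visible."""
    return {
        "added": sorted(current_kids - baseline_kids),
        "removed": sorted(baseline_kids - current_kids),
    }


if __name__ == "__main__":
    now = 1_600_000_000
    claims = {"sub": "alice", "aud": EXPECTED_AUDIENCE, "exp": now + 300}
    token = sign_assertion(claims, "idp-key-2020", TRUSTED_SIGNING_KEYS["idp-key-2020"])
    print(verify_assertion(token, TRUSTED_SIGNING_KEYS, EXPECTED_AUDIENCE, now))
    print(audit_signing_keys({"idp-key-2020"}, {"idp-key-2020", "idp-key-2021"}))
```

The design point is that a stolen key and an added key fail in different places: a stolen pinned key produces assertions this verifier will accept, so the only defence there is protecting the key material itself (for example in an HSM) and rotating it; an added key is caught by the pinning check on the service and by the baseline audit on the provider, both of which a production deployment should wire into alerting.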

Persistence and ongoing espionage

As is typical, once the attacker has initial access to the victim’s environment, they diversify their access to help maintain a persistent foothold. Methods will often mirror expected user behavior to reduce the risk of detection. This can include the use of stolen credentials and use of remote access technologies like VPNs.

Specific examples of these tactics include stealing the SAML signing secrets, SSO application integration secrets, or other keys from IAM components that could allow already-obtained access to be utilized without requiring ongoing use of malware on the victim’s network.

Lessons Learned

Develop an inventory and dependency map

The most important thing security professionals can do to secure any environment is to know what they have, where it is, how it’s configured, and what it depends on. In short, it is imperative to have an inventory and a dependency map for your systems and services. While this won’t stop an attacker, it is required to understand what you’re protecting, who and what can access it, and when something does go wrong, what the “blast radius” is. Don’t forget about where your systems could have an impact on your customers!

Once you have identified your most important and/or sensitive assets, you can focus on ensuring you are comfortable with how they, and the access to them are maintained, the people who have access, and the full map of dependencies that can lead to their compromise. Tabletop exercises about breaching specific targets can be quite illuminating here. The MITRE ATT&CK database of adversary techniques gives a great set of angles to consider.

Plan to be breached

In any environment of sufficient value or complexity, the likelihood of something being breached increases over time. This doesn’t mean we shouldn’t protect our systems! It means we should plan on reducing the opportunity an attacker has to do bad things once they gain access. We do this by having rigorous detection, response, and remediation capabilities.

NIST provides great high-level guidance on much of this process in their cybersecurity framework. Additionally, Microsoft’s security rapid modernization plan is tailored to thinking through these issues and using technology to implement strong, usable solutions on Windows networks.

Mature security practices will include scenario-based drills that exercise detection, response, and remediation processes. They will also include formal debriefs about how effective current practices are and plans to improve them.

Avoid bad advice

The pieces of bad advice I’ve seen the most as part of this particular incident are fortunately few and not pervasive, but are listed below out of an abundance of concern.

First is the idea that you should delay patching. This ensures that any security vulnerabilities patched may be exploitable in your environment for a longer period of time. We’ve seen automated exploit development from publicly patched vulnerabilities in timeframes as short as a day, so this is not usually a great tradeoff. For the most part, organizations lack the ability to evaluate a patch for stability, let alone security, so exercising the muscle of deployment and rollback is the way here. There may be limited environments and organizations where this isn’t true, but those professionals already know what they’re doing and aren’t taking advice from this blog.

The second piece of bad advice I’ve seen is shifting all your time and effort toward your, or your vendors’, supply chains. You should of course make sure you believe the stories you’re told by the things that have the most access to your environment, and that the company telling you these things has a credible team and a good track record. But your time is better spent controlling blast radii and planning for being breached, as mentioned above.

Finally, there is the idea that you have to immediately move to build and host everything yourself. Business is about risk, and most companies can’t afford to hire the number, and quality, of people who could make this happen. Even if they could, those people would not benefit from lessons learned across the industry if they’re only working on your environment. While the most sensitive environments may require deep expertise, custom hardware or software, and very carefully constructed, air-gapped environments, most environments will not. Instead, choose vendors carefully, and understand what systems those solutions should and shouldn’t be used for.

Deploy processes and technologies that can help

In every breach, assume that capable adversaries will be very knowledgeable about the technologies you use, and will go after the systems that give them the most access to the things that are most valuable to them. Our goal is to detect when that happens and try and make their job as noisy as possible so we can spot them, and get them out quickly. Below are some examples of technology that can help with the techniques we’ve seen so far in this operation.

Private Keys

In each of our previous diagrams you’ll notice icons representing keys in places where they are commonly used, and thus also at risk from being abused. In the SolarWinds campaign and in almost every breach you’ll find credentials, keys, and secrets abused anywhere they can be. The goal of the first two technologies is not to completely prevent abuse of those keys, but rather to ensure that if they are abused, that abuse happens only on or through the systems to which they are attached, at the time that they are attached to them. This allows you the opportunity to monitor your most critical secrets every single time they are used.

WebAuthn and SmartCards replace user passwords and OTP or SMSs with strong hardware-bound public/private key cryptography. This means an attacker can’t walk away with those secrets, and in the case of WebAuthn even requires the user to physically interact with their authenticator every time the key is used. This makes more “noise” and thus allows more opportunity to detect misuse even if the system to which the device is attached is compromised.

HSMs can keep your federated identity systems’ or your build systems’ signing keys from being removed from the environment, and thus keep every use of those keys monitorable in the same way.

Both of these technologies are critical to use not just for internet-facing services, but also for systems that are “behind the firewall”, because as we’ve seen, it is prudent to assume that someone is always behind your firewall. This forms the basis of a zero trust or BeyondCorp architecture that implements least privilege for all systems. While it may be a long road for many complex environments to get there completely, starting with the most sensitive systems as soon as possible has a very high return on investment.

Logs and Log Analysis

The timeline of this operation was long. If someone called you today and said a threat actor breached your network 9 months ago, would you have the logs you needed to confirm this and track the breach to its origin and across your network as it was explored? Ensuring you have the right logs, the right log retention, and the right processes to keep the attackers from erasing or modifying those logs even as they gain elevated access to your environment is a must. Without that you couldn’t confirm a report of a breach, let alone detect one.

The infected version of Orion couldn’t be remotely controlled unless it could talk to its command and control servers on the internet. Any form of internet access for systems with privileged access to your environment should be tightly controlled. Don’t forget less obvious routes to the internet, like DNS tunneling. Allowed access should be monitored and logged, and unusual or new behavior scrutinized by experts.

One tricky bit about logs is that, all too often, alerts are set up only for an event happening rather than for an event not happening. In the case of the misuse of IAM signing secrets above, the system that was accessed using a SAML assertion for a given user would have logged that login, but the IAM system would have no record of ever issuing the assertion, and that discrepancy could have detected the misuse right away.
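The “event that did not happen” check described above, as an added example that is not part of the original post: a small correlation script that takes the service provider’s record of accepted SAML logins and the IdP’s record of issued assertions, and flags any login whose assertion the IdP never issued, was issued for a different subject, or was accepted far outside its issuance time. The JSON-lines log format, field names and all sample records are constructed for this example; a real deployment would map its own IdP and SP log schemas onto the same join.

```python
import json
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system). The IdP log lists every
# assertion it issued; the SP log lists every assertion it accepted for login.
IDP_ISSUED_LOG = """\
{"ts": "2020-12-14T09:00:05Z", "event": "saml_assertion_issued", "assertion_id": "_a1", "subject": "alice@example.test"}
{"ts": "2020-12-14T09:03:11Z", "event": "saml_assertion_issued", "assertion_id": "_a2", "subject": "bob@example.test"}
{"ts": "2020-12-14T10:15:00Z", "event": "saml_assertion_issued", "assertion_id": "_a3", "subject": "carol@example.test"}
"""

SP_ACCEPTED_LOG = """\
{"ts": "2020-12-14T09:00:06Z", "event": "saml_login", "assertion_id": "_a1", "subject": "alice@example.test"}
{"ts": "2020-12-14T09:03:12Z", "event": "saml_login", "assertion_id": "_a2", "subject": "bob@example.test"}
{"ts": "2020-12-14T10:15:02Z", "event": "saml_login", "assertion_id": "_a3", "subject": "admin@example.test"}
{"ts": "2020-12-14T11:47:30Z", "event": "saml_login", "assertion_id": "_f9", "subject": "admin@example.test"}
"""


def parse_jsonl(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unissued_assertions(idp_log, sp_log, window=timedelta(minutes=5)):
    """Return a list of findings: SP logins with no matching IdP issuance.

    A forged assertion signed with a stolen IdP key would validate at the SP
    but leave no issuance record at the IdP, so the join on assertion_id fails.
    """
    issued = {
        rec["assertion_id"]: rec
        for rec in parse_jsonl(idp_log)
        if rec["event"] == "saml_assertion_issued"
    }
    findings = []
    for rec in parse_jsonl(sp_log):
        if rec["event"] != "saml_login":
            continue
        src = issued.get(rec["assertion_id"])
        if src is None:
            reason = "accepted by SP but never issued by IdP"
        elif src["subject"] != rec["subject"]:
            reason = "subject differs between IdP issuance and SP login"
        elif abs(parse_ts(rec["ts"]) - parse_ts(src["ts"])) > window:
            reason = "accepted outside the issuance window"
        else:
            continue
        findings.append({"assertion_id": rec["assertion_id"],
                         "subject": rec["subject"], "ts": rec["ts"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unissued_assertions(IDP_ISSUED_LOG, SP_ACCEPTED_LOG):
        print(f"ALERT {f['ts']} {f['subject']} {f['assertion_id']}: {f['reason']}")
```

The join key is the assertion ID, which the IdP generates and the SP must record; the subject and time checks catch the case where an attacker reuses a legitimate ID on a forged assertion. The same logic applies to OIDC ID tokens keyed on the `jti` claim.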

Behavioral modeling and anomaly detection

It turns out that FireEye caught this attack because of MFA logs and alerting which informed an employee and their security team that someone added a new device to the employee’s account that they didn’t recognize. Many large breaches have been detected by attentive employees. Striking the right balance of alerting, not just for the security team but also for employees, is key. Too much, and they’ll be ignored; too little, and they won’t have the opportunity to notice.

Technologies that build profiles of user or system behavior and alert the user or a security administrator of unusual behavior have come a long way, and deploying them in a transparent and focused manner can help us leverage our entire organizations to get better at detection and response.

Parting Thoughts

While there is no silver bullet to prevent this sort of attack, there are many well established practices and technologies that can help ensure we compartmentalize any damage, detect breaches quickly, and respond and recover before the adversaries get too far.

We hope this was helpful, and don’t hesitate to reach out to Yubico if you need help or have questions about using our solutions to address these sorts of campaigns.

And if you’re interested, please join us for an upcoming webinar on January 19, “Securing privileged accounts and critical authentication resources”. We’ll cover the basics of securing administrator access, best practices for enrolling YubiKeys for smart card administration, and methods for enrolling YubiKeys as security keys for administrators.

Merry Christmas, Happy Holidays, God Jul, och Gott Nytt År,

Christopher Harrell
CTO, Yubico

Dain Nilsson

Yubico releases new public beta versions of iOS and Android mobile SDKs

Today, Yubico is excited to release public beta versions of the next generation of our mobile SDKs for both iOS and Android platforms. The Yubico Mobile SDKs can be used to integrate multi-protocol YubiKey support into mobile apps via near-field communication (NFC), Lightning, and USB connections (USB available for Android only). With this public preview, we want to give our developer community a sneak peek into what’s to come, and we hope to get feedback which we can incorporate into the generally available versions slated to release early next year. 

The Yubico Mobile SDKs help developers build strong authentication into mobile apps quickly and easily. They unlock the power of the YubiKey to protect user identities and data, and provide a consistent user experience across platforms and devices. The Yubico Mobile SDKs include libraries, code samples, and documentation for both iOS and Android platforms.

What’s new 

Looking back, each release of the Android and iOS Yubico Mobile SDKs has primarily been feature driven. We’ve learned a lot along the way, but looking at the bigger picture, it was clear that the next step was to unify the developer experience across the two SDKs and streamline the integration experience across platforms. For example, some of the earlier features in the SDKs operate differently from some of the later features, some features were originally designed around platform limitations that have since been lifted, and so on.

It was also important to us that we don’t treat iOS and Android developers as different isolated islands. Instead, we want developers to feel at home, and to be able to move easily between platforms without feeling like they have to learn a completely different SDK. We’re now aiming for a more consistent experience in terms of structure, functionality, and naming. That said, we fully acknowledge that platforms sometimes do have fundamental differences, and we first and foremost aim to be idiomatic. 

The new versions of both the Android and iOS SDKs achieve our goal of making things easier and faster for developers, while greatly elevating the level of security built into the new apps and services being built. We’ve restructured things quite a bit to make them much more consistent, both internally as well as across platforms. We want to offer the same functionality, in a similar fashion, regardless of whether a developer is on iOS or Android. This does mean breaking some backward compatibility, but we’re confident that the benefits of a streamlined experience will greatly outweigh the inconvenience of having to migrate some code. To help mitigate any challenges that may exist with migration, we plan to host a webinar with more detailed guidance closer to the date of general availability.

How to get started 

With the new releases of our mobile SDKs, we hope to put a solid foundation into place that developers — including our own — can rely on to build amazing apps that utilize the full power of YubiKeys. To learn more, please join us for two webinars (which will be available live and on-demand) where we’ll give a first-hand look at utilizing each SDK:

After that, download our iOS and Android Mobile SDKs from GitHub, and try them out for yourself. Remember, we need your feedback to guide us on what to improve and what to focus on next, so please let us know your thoughts in GitHub issues!

Ronnie Manning

#YubiSecure: Take your Twitter security to the next level with increased 2FA support

Great news YubiFans! As of today, Twitter made it a lot easier for you to tweet safely and keep your accounts secure. Phishing-resistant YubiKey authentication via WebAuthn is now supported on Twitter’s desktop, Android and iOS mobile applications. 

With native WebAuthn support throughout the Twitter platform, you can register and use a USB-, NFC-, or Lightning-compatible security key, like the YubiKey, directly from your mobile phone to secure your account.  

Adding a YubiKey as your primary authenticator introduces the highest level of security and convenience to your Twitter accounts, regardless of device and platform. Once a YubiKey is registered, you will be asked to either touch or tap your key to verify that it is you accessing your account.

Once authenticated, you may also have the option to make your device a trusted one by selecting “remember this device”, so your app login experience will be as simple as opening the Twitter app before tweeting away. You will only be prompted to use your YubiKey again when you log in to Twitter from a new device, which will only require a simple touch. 

To take advantage of these new features on your account, check out our latest video:

“Helping people keep their Twitter accounts secure by providing them the tools and controls they need is a top priority for us. We have been consistently improving the way people can add two-factor authentication (2FA) to their Twitter accounts over the past year and are glad to be expanding our support to enable people to use physical security keys to login to the Twitter app on mobile. We encourage everyone to enable 2FA on Twitter to help protect their account,” said Sri Harsha Somanchi, Senior Product Manager, Twitter.

Want to use a mobile device as a back-up? Set up a second YubiKey with your Twitter account using Yubico Authenticator, our time-based one-time password (OTP) app for desktop, Android, and iOS. We highly recommend disabling SMS after a security key and authenticator app are enabled to ensure maximum security. 

The Yubico Authenticator works like other time-based OTP apps with one major difference—instead of your credentials residing on your phone, they stay secured on your YubiKey and stay with you. 

Getting a new phone or laptop over the holidays? Not a problem. Yubico Authenticator eliminates the frustration of manually re-enrolling services with your authenticator app when you use a new device. All you need to do is plug in or tap your YubiKey while using Yubico Authenticator to generate your codes. 

Derek Hanson

AWS Expands YubiKey Support with AWS SSO WebAuthn Integration

Another win for FIDO on the heels of its first industry conference, Authenticate 2020. AWS Single Sign-On (SSO) has introduced native WebAuthn support to secure user access to AWS accounts and business applications using strong, FIDO-based multi-factor authentication (MFA) with YubiKeys. A broader choice of authentication methods in AWS SSO is a win for modern authentication, which has historically been limited to username/password and basic MFA to validate user access.

This serves as yet another milestone for Yubico, an Advanced AWS Technology Partner and AWS Public Sector Partner, and the open standards work we’ve pioneered over the past decade.

When AWS SSO users authenticate with a YubiKey, a public/private key challenge-response exchange occurs, creating a phishing-resistant connection to commonly used third-party software as a service (SaaS) applications as well as other applications within the AWS ecosystem. The new features in AWS SSO allow administrators to manage access and logins to AWS SSO integrated applications. Administrators can set policies to allow apps to access certain users or groups sourced from AWS SSO or external identity providers (IdPs) such as AWS SSO Identity Store and Microsoft Active Directory.

Using a YubiKey with AWS SSO increases identity protection, simplifies workload administration, and removes the need to establish user credentials with each application. Attestation using the YubiKey establishes proof that is tied to the digital you, confirming your access to various cloud based productivity and collaboration applications such as Salesforce, Slack, and Microsoft 365, eliminating the need to authenticate into each app separately.

With enforced enrollment features also available on AWS SSO, organizations can prevent unauthorized users from accessing valuable company data by requiring users to add multi-factor authentication methods such as biometrics or security keys.  

This is great news for the AWS and the Yubico ecosystem of app developers, systems integrators, and security administrators who are challenged to secure the organization’s ever-expanding firewall perimeter, while keeping remote workers secure and productive from anywhere, anytime. 

To learn more about protecting AWS SSO with the YubiKey, attend our joint webinar: Modern Authentication to Secure Enterprises: AWS SSO + YubiKeys on December 8th. For developers, read our recent blog: Go passwordless with the new Yubico WebAuthn Starter Kit to build support on WebAuthn. YubiKeys are available at yubico.com/store.

David Maples

Go passwordless with the new Yubico WebAuthn Starter Kit

WebAuthn is the latest open standard for modern online authentication that is highly phishing resistant, combining high security with a simple and easy user experience. With WebAuthn, any web service can integrate strong authentication into applications using support built-in to all leading browsers and platforms. This means that web services can now easily offer users strong authentication with a choice of authenticators such as YubiKey security keys or built-in platform authenticators with biometric readers.

WebAuthn is the first standard to enable strong single-factor passwordless (Tap n Go), strong multi-factor passwordless authentication, as well as strong second-factor authentication for more secure user access to online accounts. In the strong multi-factor passwordless authentication scenario, Yubico is presenting passwordless login as YubiKey + PIN to authenticate, and in the future YubiKey + Fingerprint with the upcoming YubiKey Bio.

With the wide adoption of WebAuthn across OS and browser vendors, WebAuthn has moved to the mainstream for strong authentication, and service providers have taken notice. Yubico is delighted to make the integration experience of WebAuthn easier to implement for architects, developers, and system designers, by providing a fully-fledged, open source, reference architecture in our WebAuthn Starter Kit.

The Yubico WebAuthn Starter Kit provides an example of a WebAuthn-centric architecture featuring an authentication framework which bridges the gap between legacy password-based login and a modern passwordless experience. Not only does the Yubico WebAuthn Starter Kit include code ready to be deployed to any AWS account, but it also includes documentation that covers the application logic, reference implementation details, and best practices around WebAuthn.

Addressing developer pain points

Currently, a developer looking to integrate WebAuthn into their identity provider may have difficulties finding code examples and documentation that explain:

  • Steps on how to adopt WebAuthn and migrate users away from passwords.
  • WebAuthn credential management and lifecycle best practices.

The Yubico WebAuthn Starter Kit helps to address the pain points associated with the transition away from passwords by using a dynamic flow centered on the user’s identity. In an identifier-first flow, a user is automatically guided down the login path enabled by the authenticators they have registered with their account (e.g. YubiKeys, built-in biometric sensors, etc.), and a password is used only if the authenticator does not support multi-factor, or is not supported by the client (i.e. browser or operating system) they are authenticating with. Validating on the server side that the authenticator’s user verification flag matches the expected value is a crucial element of the identifier-first flow guidance.
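The server-side checks the paragraph above calls crucial, as an added example that is not taken from the Starter Kit’s own code: choosing the login path from what the account has registered, then parsing the fixed 37-byte prefix of WebAuthn authenticator data (rpIdHash, flags, signCount) and refusing an assertion whose user verification (UV) flag does not match what the chosen path requires. The `uv_capable` credential attribute, the path names, and the `build_auth_data` helper used to construct sample input are assumptions made for this example; the flag bit positions and the authenticator data layout are from the WebAuthn specification.

```python
import hashlib
import struct

# Flag bits of the authenticator data "flags" byte (WebAuthn section 6.1).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def choose_login_path(credentials):
    """Identifier-first routing (assumed policy): if any registered credential
    was enrolled with user verification, offer passwordless; otherwise fall
    back to password plus the security key as a second factor."""
    if not credentials:
        return "password-only"
    if any(c["uv_capable"] for c in credentials):
        return "passwordless"
    return "password+2fa"


def parse_authenticator_data(auth_data):
    """Split the fixed prefix: 32-byte rpIdHash, 1 flag byte, 4-byte counter."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion_flags(auth_data, rp_id, login_path):
    """Return (accepted, reason). The passwordless path must see UV=1; the
    2FA path only needs UP=1 because the password supplied the other factor."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "UP flag not set"
    if login_path == "passwordless" and not parsed["user_verified"]:
        return False, "passwordless login requires UV but the UV flag is not set"
    return True, "ok"


def build_auth_data(rp_id, flags, sign_count):
    """Constructed helper: assemble the 37-byte prefix for demonstration input."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    creds = [{"id": "cred-1", "uv_capable": True}]   # constructed account record
    path = choose_login_path(creds)
    good = build_auth_data("example.test", FLAG_UP | FLAG_UV, 7)
    bad = build_auth_data("example.test", FLAG_UP, 8)
    print(path, check_assertion_flags(good, "example.test", path))
    print(path, check_assertion_flags(bad, "example.test", path))
```

The point of the last check is that the client, not the server, chooses whether to perform user verification; an attacker with a stolen key and no PIN could return an assertion with only UP set, so the server must compare the flag against the path it promised the user rather than trusting the request it sent.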

The Kit aims to provide a reference architecture demonstrating the concepts in a practical deployment. The ultimate goal is to provide interested developers with an environment they can stand up for their own use. This environment is designed to resemble authentication frameworks that are in use today, but with WebAuthn incorporated as a cornerstone of a passwordless experience versus a standard two-factor authentication flow.

Leveraging Amazon Web Services (AWS) 

Yubico leveraged the AWS Serverless Application Model to act as a uniform framework for users to deploy personal instances of the Yubico WebAuthn Starter Kit to review. Additionally, a script automating the deployment is also included, streamlining the deployment process and ensuring uniformity. A free AWS account is sufficient for anyone looking to deploy the WebAuthn Starter Kit.

In addition to a backend server hosted on AWS, the Yubico WebAuthn Starter Kit also provides a sample web client as part of a standard deployment, allowing interested parties to share the WebAuthn experience with others in their organization.

Transitioning from passwords to passwordless with WebAuthn

The benefit to passwords is that they are universal — everyone knows how to use them, and everyone has the ability to create their own. The downfall is that passwords are not secure and can be easily hacked, or breached from a server. And while easy to set up, the experience is also sub-optimal, requiring a user to remember hundreds of passwords and periodically change them, often in favor of more complex versions. By contrast, WebAuthn offers a global standard for secure authentication on the web, with the ability to potentially eliminate passwords altogether, across all leading browsers and platforms. This enables a secure and consistent user experience, no matter what device they are on. 

By not requiring unnecessary user interaction, services can automatically guide users down the most secure path and simultaneously support the entire range of authentication options from YubiKey as a 2nd factor with passwords to passwordless.  Ultimately, services can direct users to a WebAuthn passwordless experience when applicable for them, while still supporting users who have not had the opportunity or desire to move beyond their password. This can all be done while maintaining a similar user flow.

Using the Yubico WebAuthn Starter Kit

The Yubico WebAuthn Starter Kit and associated documentation was created with technical audiences in mind. The goal is to address the practical implementation and code-specific questions, as well as provide more theoretical WebAuthn best practices and integration-related advice.

  • Architects and high-level system designers will benefit from having a deployment where individual components are well defined, with the interactions between each element clearly described. Further, the benefits of an identifier-first flow, bridging passwords and passwordless experiences, can be observed in practice, bringing clarity on how such a flow can be integrated into existing architectures.
  • UI/UX and client system developers will benefit from an open source client, allowing them to understand both the required connections to a backend system for implementing WebAuthn, as well as the new authentication options for users that WebAuthn enables. Further, the Starter Kit addresses some of the most common concerns for WebAuthn, such as account recovery.
  • Backend and server system developers will have a working WebAuthn server, which implements the entire WebAuthn spec connected to backend logic to handle not only performing WebAuthn interactions, but also backend credential and user management. With a working example to refer to, development can be streamlined across multiple platforms and languages.

Getting the WebAuthn Starter Kit

The Yubico WebAuthn Starter Kit is available now on GitHub. Learn more and access documentation on the Yubico Developer Site.

Emil Lundberg

Yubico proposes WebAuthn protocol extension to simplify backup security keys

One of the most common questions people have about YubiKeys, and security keys in general, is: “What if I lose my key?” 

While WebAuthn and FIDO2, the open standards for security key authentication, promise strong, phishing-resistant and — perhaps most importantly — easy-to-use multi-factor authentication, this question still remains. As of today, there are no answers that offer an excellent user experience without making compromises on security.

Yubico’s mission is to make the best security easy to use, which often means developing new technologies to solve big problems. In this blog, we’ll take a closer look at Yubico’s recent proposal to the World Wide Web Consortium (W3C) to add a user-friendly solution for backup security keys to the WebAuthn standard. We’ll also discuss our collaboration with researchers at the Surrey Centre for Cyber Security to develop a new cryptographic building block for it.

Background

First, let’s talk about the current state of affairs. The standard answer to the opening question in this blog, “What if I lose my security key?”, is that you enroll two keys with every service or application you’re protecting. By doing this, you prepare a backup security key in advance, much like you have a spare key to your house, your office, or your car. However, the user experience with this approach is not ideal.

If you store the backup security key away — say, in a drawer at home, or a bank deposit box — you would need to retrieve it every time you register with a new service. Not only is this inconvenient, but the additional handling also increases the risk that you lose the backup key, which would defeat the very purpose of it.

A few solutions have been proposed, but they all come with additional trade-offs or concerns:

  • Some rely on sharing private key material, which is not only generally frowned upon, but also causes issues with authenticator attestation and signature counters.
  • Some rely on generating a lot of key pairs in advance and sharing the public keys, which isn’t feasible for devices with limited storage capacity like security keys. 
  • Some rely on backing up keys to a third-party service, which certainly can be done but introduces a new dependency on the availability of that third-party service. 
  • And finally, some approaches only work for U2F-style keys stored on the server, and some only work for discoverable keys stored onboard the security key.

In short, we were not completely satisfied with any of the solutions proposed thus far, which is why we chose to develop our own. We believe our proposed solution strikes a better balance between security and usability.

Yubico’s proposal

If we were to imagine a perfect solution, we would like one where we can set up a backup security key once and not have to think about it until we lose the primary security key. At that point, we would retrieve the backup security key and it would “just work”. Ideally, all of the services we’ve already registered our primary security key with would also automatically know we’ve moved to the backup security key, and revoke access for the lost key.

Fortunately, Yubico’s proposed solution gets most of the way to the scenario described above. Using the YubiKey as an example, our solution would work like this:

1. First, you get two YubiKeys and use a software tool (such as YubiKey Manager in the context of YubiKeys) to associate the two devices with one another, making one the “backup” YubiKey and the other the “primary” YubiKey.

2. You can now store the backup YubiKey away somewhere safe, and use the primary YubiKey as usual. The next time you log in with the primary YubiKey, the website will also detect that you’ve set up a new backup YubiKey and ask you to register it by simply tapping the gold disc on the primary YubiKey. The same goes whenever you register with a new site for the first time.

3. Now, if you lose the primary YubiKey, you start logging in by providing your username and password as usual. When prompted for your YubiKey, you instead select “I lost my security key”. This will instead prompt you for your backup YubiKey, which you retrieve from where you stored it.

4. The service verifies the backup YubiKey and grants access. At the same time it automatically revokes access for your lost YubiKey, “promotes” the backup YubiKey as the new primary key, and sends you an email notification about these changes to your account.

5. You can now get a new YubiKey and set that up as your new backup by going back to step one.

Unfortunately, there’s still no way to perform the recovery procedure for all services at once, but at least this solution minimizes the manual effort needed to set up and maintain backup security keys.

How it works

So, how does this all work under the hood? 

In our proposal, the initial setup to associate the two security keys with one another creates a cryptographic link between the two security keys, allowing the primary security key to generate public keys on behalf of the backup key. However, the primary security key does this without knowing the corresponding private keys, and like all WebAuthn public keys, these public keys are non-correlatable to prevent tracking users between services.

Along with the backup public key, the primary security key registers a “key handle” for it. The first time you log in with the backup security key, the service sends it the key handle, which the backup security key uses to derive the backup private key. At the same time, the backup security key also generates a new public-private key pair to replace the backup key pair that was generated initially. From then on, you can log in as you normally would.

Data flow between the two security keys and the web service


This cryptographic link enables backup key pairs to work much like U2F key pairs do: the private keys are actually stored on the relying party’s server instead of on either security key. But even so, only the backup security key can access the private keys. This means that backup key pairs don’t consume storage space on either security key, so you can have backup key pairs for an unlimited number of services.

It also doesn’t matter whether the primary key pair is a discoverable key that is stored on the primary security key, or a U2F-style key pair that is stored on the relying party’s server. Since the backup key pairs are their own separate key pairs, they can be used for both.

Securing cryptographic proof

Last year, Yubico teamed up with a group of researchers at the Surrey Centre for Cyber Security to help prove the security of the cryptographic operations in our proposed WebAuthn protocol. This work was presented at the ACM CCS conference on November 11, 2020. 

The research team, consisting of Dr. Mark Manulis, Nick Frymann, and Daniel Gardham, has not only proved the security of Yubico’s proposal, but also generalized it. They model our protocol as an instance of a new abstract functionality called “Asynchronous Remote Key Generation” (ARKG), and prove that any instance of ARKG can be composed with any public key protocol. This makes ARKG an interesting construct in its own right and also paves the way for new instantiations, possibly using other cryptographic techniques beyond elliptic curves.

Looking forward

With the cryptographic security proof in place, we’re confident that this work can form a solid basis for a much needed backup solution for WebAuthn security keys. To that end, we’ve proposed our solution to the W3C Web Authentication Working Group as an official protocol extension, but a lot of standardization work remains to be done. 

The solution will also require services to implement support for it, which will take considerable work, but can be aided by reusable software libraries. Either way, Yubico remains committed to making the best security easy to use for everyone.

Read Yubico’s full implementation proposal here, and the research paper here. The full ACM CCS conference presentation can also be viewed here.

We are very grateful to Dr. Manulis, Mr. Frymann, and Mr. Gardham for helping us push the state of the art forward!

Appendix: Diving into the math

Our proposal makes use of the simple relationship between private and public keys in elliptic-curve cryptography, and uses a small arithmetic trick to “mask” a private key by combining a randomly generated public key with a designated “seed” public key.

In elliptic curve cryptography, a private key is simply an integer p, and the corresponding public key P = p * G is p times the generator element G of the curve group. In the initial setup, the backup security key creates a “seed” key pair (s, S) and transfers the public key S to the primary security key. To generate a backup public key, the primary security key performs an ephemeral elliptic curve Diffie-Hellman (ECDHE) key exchange with the seed public key S: it generates a random key pair (e, E) and computes e * S. It uses HKDF to expand e * S into an integer c and an HMAC key m, and computes the backup public key P = c * G + S. Finally, it computes an HMAC signature over E, P and the server’s web address, and returns E, P and the HMAC signature to the server.

The backup security key can derive the corresponding private key p from E as follows. First, the server sends E and the HMAC signature to the backup security key. Since the backup security key holds the seed private key s, it can compute s * E = s * e * G = e * S and thus derive the same c and m as before. Now it can verify the HMAC signature, to make sure the backup key is valid for this server and this security key, and compute the private key p = c + s. This p forms a valid key pair with P, since p * G = (c + s) * G = c * G + S = P. The private key p can now be used to create an authentication signature, and the server can accept it since it already trusts the public key P.

This is actually not a wholly new idea – it’s also been proposed as the basis of the Dual-Key Stealth Address Protocol for blockchains. However, until now we weren’t able to find a cryptographic proof that the raw elliptic curve operations are secure. Thanks to Dr. Manulis and his team’s work on ARKG, we are confident that our proposal meets the highest security standards and is suitable for use with WebAuthn.
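The derivation above, carried through end to end as an added example. This is not Yubico's code or the proposal's reference implementation; it runs the appendix's arithmetic on NIST P-256 with only the Python standard library. The curve choice, the empty HKDF salt and the info label, the uncompressed point encoding fed to HKDF and HMAC, and the use of the server name as the "web address" bound by the HMAC are all assumptions made here. Rather than producing a WebAuthn assertion, the last step checks that the recovered private key really matches the backup public key P the server stored, and that an HMAC for a different server is rejected.

```python
"""Added example (not Yubico's code): ARKG-style backup key derivation on P-256.
Assumed here: the curve, the HKDF salt/info, the point encoding, and rp_id."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (public constants).
FIELD_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = FIELD_P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # point at infinity


def on_curve(pt):
    """True if the affine point satisfies y^2 = x^3 + A*x + B (mod FIELD_P)."""
    x, y = pt
    return (y * y - x * x * x - A * x - B) % FIELD_P == 0


def ec_add(p1, p2):
    """Affine point addition; handles doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def keygen():
    """Random private scalar in [1, N-1] and the matching public point."""
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def encode(pt):
    """Uncompressed SEC1 encoding (assumed input format for HKDF and HMAC)."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hkdf_sha256(ikm, info, length):
    """HKDF (RFC 5869) with an empty salt: extract, then expand."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]


def derive_c_m(shared_point):
    """Expand the ECDH result into the masking scalar c and the HMAC key m."""
    okm = hkdf_sha256(encode(shared_point), b"arkg-backup-key", 64)  # label assumed
    return int.from_bytes(okm[:32], "big") % N, okm[32:]


def primary_make_backup(S, rp_id):
    """Primary security key: derive a backup public key P for seed public key S.
    Returns (E, P, tag); the server stores all three and never sees any secret."""
    e, E = keygen()                      # ephemeral ECDHE key pair
    c, m = derive_c_m(ec_mul(e, S))      # e * S
    P = ec_add(ec_mul(c, G), S)          # P = c * G + S
    tag = hmac.new(m, encode(E) + encode(P) + rp_id, hashlib.sha256).digest()
    return E, P, tag


def backup_derive_private(s, E, P, tag, rp_id):
    """Backup security key: recover p for P, or raise if the tag does not verify."""
    c, m = derive_c_m(ec_mul(s, E))      # s * E == e * S, so same c and m
    expected = hmac.new(m, encode(E) + encode(P) + rp_id, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup key handle is not valid for this server and key")
    return (c + s) % N                   # p = c + s


def demo(rp_id=b"example.com"):
    """Full round trip: True if the recovered private key matches the stored P."""
    s, S = keygen()                                  # on the backup key; S is exported
    E, P, tag = primary_make_backup(S, rp_id)        # on the primary key; sent to server
    p = backup_derive_private(s, E, P, tag, rp_id)   # on the backup key at first login
    return ec_mul(p, G) == P
```

The tag check matters for the same reason the text gives: without it, a server could hand the backup key an E it never received from the primary key and have it derive a private key for a relying party the user never registered. The constant-time comparison and the rejection of a mismatched rp_id are the defensive parts of that step.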


Christopher Harrell

Getting a biometric security key right

Today, we are excited to share some updates regarding the next highly-anticipated members of our YubiKey family: the upcoming YubiKey Bio in both USB-A and USB-C form factors. The YubiKey Bio will be the first product to introduce biometric capabilities (in addition to PIN) to our portfolio of YubiKeys. 

Yubico has been considering adding biometrics to our line of security keys for quite some time, and while biometric authentication seems straightforward at first, there is quite a lot of engineering to get it right and meet the standards that people have grown to expect from a YubiKey. A great piece of hardware does not live in isolation; it needs to work with a larger ecosystem to be usable. When we launch new products, we set the highest bar for security, usability, durability, and design, and we do everything in our power to not compromise on any of these traits.

The FIDO-enabled YubiKey Bio is currently in private preview, being tested and reviewed by many of our enterprise customers and technology partners. We have received excellent feedback on our product designs, and now our goal is to further ensure that the overall user experience is smooth with a wide range of platforms and FIDO-based use cases. We welcome you to sign up here to receive updates on the YubiKey Bio, including those about general availability.

Below, we are sharing a short video demonstrating how the YubiKey Bio works, sharing some behind-the-scenes information on the engineering process, and diving into some of the considerations when using a biometric authenticator such as the YubiKey Bio. 

Why biometrics?

The concept of using biometric and fingerprint sensors for user verification has been around for decades. However, wider user acceptance was achieved with general availability and accessibility of fingerprint sensors in smartphones. It is end-user convenience that has been driving this adoption, not necessarily security.

The challenge with biometric authenticators has been to get cross-platform support, standardization, and a good user experience much like what already exists with biometric sensors that are built into laptops, tablets, and mobile phones. Fortunately, FIDO2 has helped this cause by expanding from user touch to also support biometrics, including fingerprints, facial recognition, etc. Yubico continues to work with browser platforms and the FIDO ecosystem to optimize the user login flow, but there is still work to do for a seamless experience for both consumers and enterprises, consistently across different end user devices.

Usability considerations for biometrics

On smartphones, fingerprint authentication is an integral part of the system. A screen and well-defined user interface makes it fairly easy and intuitive to set up a fingerprint on a mobile device and manage lockouts. The story is different for a small, portable security key like the YubiKey that needs to work across platforms and services.

As opposed to a correct PIN, a correct finger cannot always be read by fingerprint sensors. Variables in skin texture, such as moisture or temperature, can introduce scanning issues. To address this, the YubiKey Bio will default to biometrics, but will allow the PIN to be used if there are issues.

Biometric authentication can be a convenient alternative to typing a PIN, especially when the user needs to authenticate to a system multiple times per day. However, with FIDO, the leading online services do not always require daily use of either a password, PIN, or a security key, which already adds improved convenience for users. For example, after registering a YubiKey to services and applications, a user may only need to authenticate once to make the phone or computer a trusted device, and may only need it again for new devices or risky operations. 

This unmatched user experience for strong authentication is a core reason the FIDO standards are winning mass adoption. Users should keep this in mind when considering the YubiKey Bio for simplicity or ease of use: for non-daily use it may not have as great an impact on convenience as it does in use cases where authentication is more frequent.

Security and privacy features of the YubiKey Bio

Yubico will never compromise on security, and it’s imperative to protect the privacy of our users. Biometric sensor technology has come a long way in recent years. However, there are still security tradeoffs. Artificial fingerprints (spoofs) can still be used to impersonate a user and we felt that it was important enough to consider that, in addition to other biometric-specific threats, as part of our threat models when we began engineering the YubiKey Bio.

For example, in 2015, the Office of Personnel Management (OPM) breach included fingerprints for individuals that had applied for government clearances and had access to national secrets. A leak of this caliber leads to legitimate concerns that a sophisticated adversary may use fingerprint spoofs to physically attack a user’s biometric device. 

Threats against biometric systems also include how the biometric is processed. Security weaknesses in biometric components could undermine the security of the system. To reduce the potential impact of a security flaw, we separated the biometric subsystem from the key’s core functionality.

Furthermore, we store the enrolled fingerprint templates and perform biometric matching in a dedicated secure element to protect it from both digital and physical attacks. We then encrypt the communication between this biometric secure element and the one we use for the core YubiKey software to mitigate eavesdropping and replay attacks.

It’s important to note that all fingerprint sensors we tested were susceptible to high quality spoofed fingerprints created with a cooperative enrolled user, including those in popular phones and laptops, and the one in the YubiKey Bio. We believe with sufficient skill and practice that this can be done even with latent prints without the cooperation of the enrolled user. An example of this was demonstrated at the Chaos Communication Congress by using photographs of hands to create a spoof of the enrolled user’s fingerprints. However, the vast majority of potential attackers are not physically near to their victims and do not have physical access to their devices.

Even so, to make fingerprint spoofing harder, the Yubico team did extensive research and tested many different fingerprint sensors. The results informed our components selection, tuning, and development for the YubiKey Bio. We believe that our device is tuned well for usability and spoof rejection compared to similar devices on the market.

Because watching a user type their PIN, replicating fingerprints, or stealing YubiKeys are all attacks that fall into the domain of patient, skilled, physically-present attackers, some users may still wish to choose a device — like the YubiKey Bio — that allows for more convenience with the choice of using a PIN or fingerprint. We believe that offering the best biometric security key on the market as an option to those users makes sense.

FIDO and WebAuthn biometric experiences

The YubiKey Bio will protect users by requiring an enrolled finger match (or optionally a PIN + touch for some FIDO2 use cases) for all uses. It will work everywhere that FIDO U2F, FIDO2, or WebAuthn is supported today.

Like the YubiKey 5 Series, the YubiKey Bio enables a passwordless experience when FIDO2 is supported by the service, and where a security key resident credential is used instead of a username and password. Unlike the YubiKey 5 Series, users can achieve these FIDO-based experiences using just a fingerprint match instead of always requiring a PIN + touch.

Today, a few services support this enhanced experience, but we expect the number will grow over time. In the demo video above, we chose to use the passwordless option of our own demo site because it was the simplest way to show this experience without being distracted by third party service and account options.

What makes a YubiKey a YubiKey? 

Since the first YubiKey launched in 2008, our customers have appreciated the core values a YubiKey represents: usability, security, and durability in a sleek form factor. The YubiKey Bio follows these same design principles.

To stay up to date on YubiKey Bio general availability, and to apply for the closed preview program, sign up here. To speak with a Yubico sales representative about whether the upcoming YubiKey Bio may be right for your organization, contact us here.

Mary Mangione

The Ultimate YubiKey Experience pack, and your chance to win one!

We just launched the new Ultimate YubiKey Experience pack, designed for anyone who wants to use a variety of YubiKey 5 Series form factors. The new pack delivers our five most popular devices, and also the addition of an unboxing experience like never before, complete with a ‘Y’ book featuring extensive details about Yubico, our mission, and device features. 

Not only is this a great pack for any organization who wants to begin their YubiKey journey (why try one flavor when you can try them all), but also a unique holiday gift to help protect family, friends, or employees from account takeovers.

The Ultimate YubiKey Experience Pack comes with a YubiKey 5 NFC, YubiKey 5C NFC, YubiKey 5Ci, YubiKey Nano and YubiKey C Nano.

But the experience doesn’t end there. Starting today, and running through November 20, 11:59 PT, we will be giving 10 of these packs away for free! 

To join the campaign and try your chance at winning, we’re looking for fun, cool, and creative photos or videos of YubiKeys in action, where they go with you, or in beautiful places around the world. Some samples are below. It’s easy to enter: just submit your best YubiKey photo(s) or video(s) on Twitter using the hashtag #YubiExperience and tag @Yubico to be part of our contest*. The 10 most creative submissions will be selected to win one of the Ultimate YubiKey Experience packs!


We can’t wait to see where your YubiKey takes you. 
* International shipments may be subject to customs fees and duties, including those related to import and export. Not valid for customers shipping to China, Afghanistan, Russia, Ukraine, North Korea, Iran, Sudan or Syria. Not valid for resale or shipment to freight forwarding companies.
Ashton Tupper

Improve your company’s cyber security training with top tips from a behavioral researcher

Today marks the final stretch of National Cyber Security Awareness Month (NCSAM), and for the final week, we decided to sit down with Sal Aurigemma, PhD, Associate Professor of Computer Information Systems at the University of Tulsa, to get his take on enterprise security training. 

As with many other things that have been impacted by COVID, enterprise security training is no different. Many organizations are heavily reliant on training and preparedness programs at the moment to help employees navigate the adoption of new technologies and processes, as well as mitigate threats from the rising number of phishing and man-in-the-middle attacks. But just how effective are these programs, and are they actually influencing user behavior? We’ll find out. 

Dr. Aurigemma has more than 20 years of experience in the information technology industry as both an educator and behavioral researcher. Dozens of students come through Dr. Aurigemma’s undergraduate and masters programs each year to learn about proper cyber security hygiene using tools like the YubiKey, and he’s explored topics related to security policy compliance and end-user security practices in his research over the years. 

What is the biggest problem you see with employee training programs today?

Perhaps the most frustrating problem I see in the organizations I have worked for, and those I work with today, is a pervasive “check-box” approach to information security awareness training. By this I mean one of two things, and often both:  

1) It is still somewhat treated as a one-and-done compliance checklist that is completed on an annual or quarterly basis. With the possible exception of anti-phishing testing where organizations use tools and services to run their own phishing campaigns, there is little to no reinforcement of the reason behind why it’s important to safeguard the organization. 

2) A one-size-fits-all training doesn’t work. We know that we have certain sectors of our workforce that are more likely to be targeted by potential adversaries. Yet, in many cases, the training given across the workforce is largely the same, even though the threat and techniques can vary based upon the target. 

What are three things organizations can do to improve the efficacy of their cyber security training programs?

My number one recommendation is the hardest to achieve – make sure that your infosec awareness training is properly resourced. This means that you have enough people running the program and those people are properly trained to create and administer effective training programs. If your organization treats security training as a collateral duty, do not be surprised when it fails to meet expectations.

Secondly, ditch the one-size-fits-all approach, at least when it comes to security training and attention. We know certain groups of employees are targeted more often than others, or targeted in different ways, so we need to prepare them accordingly. For example, senior executives, IT system administrators, and HR team members are the top three target populations, and they are typically targeted using different techniques. Their training should reflect that. The same goes for different employee demographics — the lessons or examples that are most impactful for one group of employees may be very different for others.  

Finally, I would recommend that every organization develop a set of training outcome metrics and then use them to continually assess and improve their training programs. This can be challenging, but it is worth the effort. If you have certain employees or employee groups that keep “failing” some aspect of your training, that is a sign that your training and/or security mitigations are not sufficient. But, you won’t know that unless you measure and monitor.

How do you foresee the influx of remote work, spurred by COVID, impacting the approach to cyber security training? How should organizations adjust and what should they consider that maybe they haven’t before? 

My primary fear is that the increase in remote work will further distance employees from the security training staff and the messages they bring. What we don’t want is more “watch this video to complete your training” requirements that replace impactful interactions with the organization’s security staff (whether face-to-face or virtual). 

Given that the work-from-home movement is here for a while, or possibly here to stay for some organizations, it is somewhat critical to do a complete review of your security training needs and develop a plan to adjust accordingly. For example, does your current security training plan account for the significantly greater emphasis on remote connectivity and interactions, and the increasing threats — like phishing and man-in-the-middle attacks — that come with that? Do your employees understand which threats are now more prevalent or dangerous than before because of the extension of the workplace to their home office network? 

In an ideal world, this shift to remote work would be the catalyst organizations need to embrace a more tailored security awareness training approach that accounts for an employee’s job role, location, access, experience level, and other demographic characteristics. If and when we return to a more normal workplace life, we will be better positioned to continue to adapt and improve our security awareness programs.

Not all employees will follow through with best practices, even with a perfect training program. What are the primary factors that inhibit users from adopting new security technologies or practices?

A significant portion of my research activities is focused on better understanding inhibitors and facilitators of sound security behaviors, and if I had to narrow it down to three potential reasons why people do not take security actions, even when they know they should, I would say it is due to:

1) Threat apathy 

2) Response efficacy

3) Inconvenience

Threat apathy occurs when individuals do not pay attention to security because they do not consider the recommended or required security action (and its related threat) to be important. It could be because they don’t feel important enough to be a target of cybercriminals, or that they believe their online accounts aren’t worth stealing. Overcoming threat apathy requires the use of convincing and compelling security messaging that explains why the action is important, on a personal and organizational level, and the potential consequences of failure.  

Response efficacy is an academic way of saying that people may not know enough about, or have confidence in, a particular recommended security action. A great example of this is two-factor authentication (2FA). It is not a secret that we should use 2FA wherever and whenever we can. However, most people don’t know the differences between the various types of 2FA mechanisms, which ones are more secure than others, or how they work. Security training programs should not just articulate the threat and required security actions; they must also make it clear that the requested actions are sufficient to the task and, to some extent, explain how.  

Inconvenience is a real factor that influences our security behaviors. As humans, we are constantly calculating the costs and benefits of doing things and we generally know what happens when the costs outweigh the benefits. Enterprises have to design and implement security mitigations with this in mind and work to balance maximizing the security benefit while minimizing or eliminating the inconvenience factor. If we don’t design security mitigations with the end-user in mind, the end-user may find ways to avoid or diminish the effectiveness of those mitigations.

On the contrary, what have you observed to be primary motivators for adopting new security technologies or practices?  

One of the latest research trends in behavioral information security that I feel strongly about is a shift from sanction or threat-based compliance to one that adds positive reinforcement and messaging. By this I mean that many security policies and training programs are focused on “compliance-or-else” messaging. In short, employees have something to fear if they don’t follow the rules. Fear-uncertainty-doubt (FUD) is used too much in the cyber security literature and it also lives in our training programs. 

While I do believe that there needs to be some actual consequences for willful and malicious non-compliance with security rules, we also know that fear alone is not a good enough motivator. We see that in many aspects of modern society, not just in cyber security. My fellow researchers and I have conducted numerous experiments that show that building up and emphasizing the positive psychological capabilities of end-users to combat a security threat is significantly more effective than relying on fear and promises of reprisal alone. We have found that end-users are much more likely to adopt new security technologies and practices when they feel: 

1) More capable of taking security actions and working through issues related to the required tasks 

2) More hopeful that their actions are effective

3) More optimistic about their resulting security posture

It’s impossible to eliminate the element of human error, especially when it comes to protection against sophisticated phishing or man-in-the-middle attacks, so what other steps should organizations be taking — outside of training — to ensure they have a comprehensive approach to security?

In my opinion, the best way to minimize the effect of human error (or conscious rebellion) on security practices is to reduce the opportunities to make bad decisions. This means designing your security mitigations in a way that reduces the cognitive load and choices your end-users have to make.

A perfect example of this is having your employees use YubiKeys for 2FA or passwordless login. At a time when phishing attacks are virtually undetectable — even to the most well-trained eye — this is exactly the type of technology that you should be using to support your training initiatives. But make sure that the burden of configuring the YubiKeys does not fall all on the end-user and make sure that you are using the right form factor for the employee’s electronic devices.

Likewise, you don’t want your employees or end-users choosing passwords that are weak or previously compromised. But, don’t put the onus on the end-user to know what that means – do it for them when you are registering accounts or during password changes. Offloading as many volitional security activities as possible from your end-users and limiting the opportunities to deviate from strong security practices should be primary considerations for every security activity.  

Learn more about how the YubiKey can complement your organization’s cyber security training endeavors with a fool-proof 2FA solution proven to eliminate account takeovers from phishing and man-in-the-middle attacks. 

Ashton Tupper

Internet security myth-busters: Debunking 3 common misconceptions about two-factor authentication

October is National Cyber Security Awareness Month and this year, it comes at a time when we are using online services more than ever. The pandemic has forced many of us to almost entirely rely on our digital identities to work, shop, learn, and generally keep in touch, putting the resilience of authentication technologies to the test. 

In April, Google reported 18 million daily malware and phishing emails related to COVID-19 over the course of just one week. Six months later, there are still no signs of social engineering attacks slowing. If anything, we’ve learned that phishing scams are not just targeting executives or people of power — everyday individuals are also at risk, and it’s important that every person has the means in place to combat these kinds of attacks. The first step: turn on two-factor authentication (2FA) wherever you can.

Feeling hesitant, or that 2FA might not be for you? We’re here to put a couple of myths to rest, and offer a few tips for Cyber Security Awareness Month, so you can make more informed decisions about boosting your online security.

Cyber security myth #1: Strong and unique passwords will keep you secure enough 

Regardless of your password length or the amount of unique characters you use, passwords were not built to withstand motivated hackers and their evolving threats. Don’t get us wrong, proper password management and hygiene is incredibly important, which is why we support a multitude of password managers. But we also urge you to take your online security one step further.

We recommend setting up two-factor authentication (2FA) on all of your accounts — even with your password manager — for an extra layer of security beyond your username and password. This ensures that hackers have to break through two barriers to access your account instead of just one. YubiKey 2FA in particular is designed to minimize threats from remote hackers as it requires physical access to the key to log in. 

Cyber security myth #2: All two-factor authentication is created equal

While any kind of 2FA is better than none at all, it’s important to understand which methods may still leave you vulnerable to attacks. For example, SMS codes or mobile authenticator apps are still no match for advanced cyber security threats like SIM swapping, mobile malware, phishing scams, and man-in-the-middle attacks.

As long as your 2FA method of choice relies on you to recognize that you’re being targeted by a hacker, human error will always be a possibility and vulnerabilities will continue to exist, as even the most vigilant users are prone to being tricked. The ultimate solution that has been proven to protect against phishing and man-in-the-middle attacks 100% of the time is a security key, like the YubiKey. Starting at just $20, it’s a small investment to make for your online security.

Cyber security myth #3: Two-factor authentication is complicated and time consuming

There’s typically a misconception that two-factor authentication makes you jump through too many hoops and is a hassle. In truth, it can be incredibly simple to use and doesn’t always involve copying and pasting one-time passcodes. 

There are solutions, like the YubiKey, that require just one touch or a tap of the key to log in. You can even set your phone or laptop to be a trusted device and it will only require you to log in with your YubiKey once, as long as you are on that machine. 

Another user-friendly tip: enable YubiKey 2FA on a social identity provider, like Google, Facebook, Microsoft Accounts and others, and leverage these services to register and sign in to other applications. By doing this, you are extending the same level of security on your Google, Facebook, or Microsoft account to every other service, all without requiring additional effort on your end. When thinking about upping your security, remember that strong authentication doesn’t have to be complicated, in fact, it can — and should be — seamless. 

Staying safe from hackers might seem daunting or out of your control at the moment – but it’s actually much easier than you might think. And now that we’ve debunked three of the most common cyber security myths around two-factor authentication, we hope you’ll take the necessary steps to better protect your online accounts.

If you’re interested in getting started with two-factor authentication using the YubiKey, visit the Yubico store to purchase one today, and secure your favorite applications like Google, Twitter, Facebook, Dropbox, and more.

Chad Thunberg

Responding to the rising wave of social engineering attacks against remote workers

By now, it’s clear the pandemic has provided perfect conditions for many types of social engineering attacks. We’ve seen plenty of reports and warnings from the FBI, CISA, Interpol, and other reputable organizations about the growth in coronavirus-related attacks, from spear-phishing to vishing, ransomware, and more, as the world adapts to remote working and its associated risks. 

In many ways, social distancing and remote work have created more fertile conditions for hackers, but the types of social engineering attacks we’re seeing today aren’t too different from what we’ve seen in the past. So, why are we still seeing major breaches making news headlines on a regular basis? 

If history has taught us one thing it’s that hackers will always capitalize on the human element. Uncertainty, fear, distraction, isolation, and confusion can all contribute to increased vulnerabilities among users. And as we continue to face a rapidly shifting global news agenda, we can’t possibly anticipate the next twist in the pandemic or major news event that opportunistic hackers will exploit. Look at the rise in phishing attacks related to COVID stimulus and relief for example. 

We expect to see continued social distancing and increased virtual interactions long after the pandemic subsides, which means that enterprises must rely on strong authentication to protect against the rising wave of social engineering attacks. As we lose confidence in the security of systems and information with an increasingly decentralized work environment, it’s critical to re-establish trust with your users. Here’s how:

Employee education and training is not enough.

Educating employees to be on the look-out for COVID-related scams, while essential, is not a comprehensive response. No matter how much user education about phishing or social engineering takes place, some attacks will still succeed. As long as user action is required, and there is a reliance on users to identify phishing and man-in-the-middle attacks, vulnerabilities will continue to be an issue. 

It’s time to overhaul your 2FA strategy.

Organizations cannot afford to continually rely on passwords, recovery questions, or basic two-factor authentication (2FA) to protect against future social engineering attacks. These are methods proven time and time again to fall short in the face of mobile malware, SIM swapping, and phishing attacks. Hackers are getting more savvy, and we must as well. 

User experience is critical to your organization’s safety.

In a world where we are physically remote from coworkers or IT, and juggling home and work life, strong authentication must work at scale on a variety of devices, across business-critical applications, and within different environments. The better the user experience, the easier it is to deploy across and to secure the enterprise — unlike complex point solutions that only protect a niche set of users.

So, yes, the rise in COVID-related attacks is a real and present danger. But we can’t assume this is a temporary threat or unique to COVID. It is simply the latest version of an ongoing rise in social engineering attacks that demands a stronger response. Every day we are helping businesses large and small adapt to their new normal. Are you ready for yours?

Accelerate your digital transformation with hardware-backed strong authentication for your leading cloud-based services. Google Cloud, Microsoft Azure Active Directory, and many other day-to-day business applications offer built-in and seamless integration with the YubiKey.

Ronnie Manning

Preserving democratic integrity and election security is a job for all of us

As we enter the final month of the 2020 U.S. presidential race, election security and fraud are top of mind for many. With the memory of the 2016 Podesta breach still fresh, we are a nation braced for cyber-attack impact. 

Experts agree that, while countless security improvements have been made since 2016, we should expect more vigorous phishing attacks, data theft, ransomware, and disinformation efforts in the coming weeks. And while legions of cyber security professionals work around the clock to protect this apparatus of our democracy, we must all be vigilant to defend against foreign adversaries or domestic actors who seek to sow chaos or tamper with election outcomes. The truth of the matter is that election security extends far beyond the political organizations themselves. 

For years, Yubico has worked closely with state, local, and federal governments — recently in partnership with Defending Digital Campaigns (DDC) and Microsoft AccountGuard — to secure everything from bi-partisan campaigns to candidates’ email accounts with the YubiKey. Based on this extensive work to safeguard democratic electoral processes, there are three observations that underscore the pressing need for all of us — every business, every individual — to play a role in securing elections and re-infusing trust into our democratic process: 

The conditions are perfect for phishing season 

Hackers thrive on fear, anxiety, and confusion. They leverage these emotions to facilitate social engineering attacks. When emotions are running high, people are more likely to fall for a phishing attempt. To put it another way, they’re less likely to stop and question the authenticity of an email or text message before clicking on a link or offering up their credentials. This year, fear, anxiety, and confusion are in bountiful supply, making the conditions perfect for phishing.

Politically-motivated hackers exploit unsuspecting targets 

In a phishing attack, a hacker can turn almost anyone into a weapon for use in their mission — whether that’s to help a particular candidate or simply cause unrest. 

Take the latest Twitter breach for example. According to WIRED, hackers sent out thousands of phishing emails and phone calls to Twitter employees in an effort to gain access to accounts of well-known and influential users. The consequences of such an account takeover in the final days of an election campaign could be catastrophic. Even if the breach were recognized immediately, the damage would be almost impossible to contain. 

In Twitter’s case, the company has focused intently on minimizing the chances of such an attack happening again — an exemplary effort that we would encourage other companies to mimic. Among other measures, the company recently announced it is rolling out phishing-resistant security keys. 

Hackers can work their way from account to account in order to get closer to their target. For example, they might target an individual that is a friend of someone who works at a large, influential company, or target a campaign volunteer instead of the campaign manager. Ultimately, their final target could be anyone whose identity can be used to influence public sentiment.  

Private companies see an increase in hacktivist threats

Experts report that private companies are seeing an increase in hacktivist threats in the run-up to the election. Media organizations, universities, and nonprofits are all at risk due to their profiles and roles in influencing the public, but almost any business could serve a purpose for a politically-motivated hacker.

The recent SendGrid breach illustrates this well. SendGrid customers distribute large volumes of email with a high delivery rate. If those account credentials get into the wrong hands, it’s easy to see how they could be used to deliver political disinformation to millions of voters, opposing candidate campaign members, or media organizations.  

“Given the current climate in the U.S. and the amount of activism going on, I think it’s fair to assume that hacktivism activity would parallel community-level activities, since the web is just an extension of activities in real life,” said Michael Kaiser, president and CEO of Defending Digital Campaigns, and former executive director of the National Cyber Security Alliance, in a recent SC Magazine article. “I fully expect disrupting a campaign, person or organization viewed as an opponent — in order to convey a message or do greater harm — would be part of the hacktivism playbook.” 

The message is clear: any individual, in any organization can be an accessory to an attack. That’s why every organization — political or not — must ensure it is authenticating every user. Passwords are too easy to steal, while basic two-step authentication can be vulnerable to phishing and man-in-the-middle attacks. Making strong authentication available at scale, with physical hardware keys like the YubiKey, is a trusted way to ensure the identity of every user at every login point. 

The stakes are high — we must do all we can collectively to protect individuals, protect organizations, and protect democracy.

Olivier Sicco

Yubico expands partnership with Infinigate into the UK and celebrates channel program growth across EMEA and APAC

This year has been challenging, and with an increase in remote workers, the need for organizations to protect their workforce from phishing attacks and credential theft has never been stronger. With remote work on the rise, and strict compliance guidelines being implemented, organisations are required to rapidly adopt best-of-breed security technologies, including modern authentication standards, in order to secure sensitive data. 

Building on our goal of making strong authentication available to everyone, Yubico has taken many expansion steps to bring strong authentication to organisations around the world. Across EMEA and APAC, we have realised that our customers would benefit greatly from a wider range of channel options. By expanding our network of channel partners, introducing a new channel partner program, and offering new YubiKey subscription services globally, Yubico has been able to better support our channel partners and reach new milestones in 2020. 

Growing Yubico’s UK channel landscape with Infinigate

After years of successful collaboration in many European countries, we are now expanding our partnership with Infinigate — named CRN’s 2019 UK Security Distributor of the Year — into the UK market. Based on our successful partnership in other markets across EMEA, Infinigate has become a perfect choice to help Yubico execute our ambitious growth plans for 2021 and beyond. 

“Yubico is an exciting vendor for us. The technology is truly market-leading and they are pioneers in the security key space”, said Justin Griffiths, Managing Director at Infinigate UK. “Enabling our partners to provide their customers with cutting-edge security is Infinigate UK’s primary focus, and Yubico powers us to deliver broader solutions and even stronger security. Their technology ecosystem also integrates with some of our existing vendors, such as CyberArk, Entrust, Idaptive, and HID, as well as key technology providers including Google, Microsoft, and AWS.”

Infinigate brings a wealth of expertise in the cybersecurity space and will be a great addition to Yubico’s channel landscape in the UK&I. Our existing distributor, Distology, has consistently delivered a great value-add to customers and resellers in the UK, and will continue to be an integral part of our go-to market strategy.  

Celebrating milestones with Yubico’s Partner Program and YubiEnterprise Subscription 

Earlier this year, we launched the Yubico Partner Program for EMEA and APAC. Designed for companies of all sizes and profiles, it simplifies the onboarding process for new resellers and distributors. Based on performance, Yubico partners are classified in one of three tiers — Authorized, Certified, and Certified Gold — with Certified Gold partners considered extensions of Yubico’s team in terms of product knowledge and commitment to excellent customer experience. 

YubiEnterprise Subscription, our new service-based YubiKey offering, was recently made available in EMEA and APAC on September 23. Now, Yubico channel partners across the world — including the United Kingdom, France, Germany, Nordics, BeNeLux, Australia, and more — can efficiently sell strong YubiKey authentication at scale.

Since Yubico was founded in 2007, YubiKeys have been sold on a per-device basis. With the increased need for flexibility within certain organisations, it is now also possible to purchase YubiKeys on a per-user basis with YubiEnterprise Subscription, and experience predictable OpEx spending. The replacement of lost or stolen YubiKeys, and upgrades to new YubiKey models such as the most recent YubiKey 5C NFC, are additional benefits included in the service.

Continuing scalable growth in EMEA and APAC

Yubico’s network of resellers in EMEA and APAC has grown significantly over the past few months, and we intend to keep this momentum as we enter 2021. Our channel partners bring valuable expertise at every level, including local procurement, logistics, and technical knowledge – not to mention, they also help customers reach their business goals with Yubico’s technology. 

We will continue to invest in our channel partners and equip them to continue offering tailored support to organisations on the path to modernising their authentication processes and solutions.

Jerrod Chong

Minecraft or math lessons: which one could be the cause of your company’s next social engineering attack?

Your child’s math lesson is a clear and present threat to your company data, and believe it or not, their Minecraft addiction could very well be the cause of your next enterprise-grade social engineering attack.

In the past few weeks, millions of children returned to online learning, and simultaneously — and perhaps unknowingly — your company’s cyber attack surface has grown exponentially. Children are borrowing their parents’ old unpatched laptops, downloading or signing in to a half-dozen new learning apps, and after Zoom school is out for the day, some are settling in for an evening of gaming or video streaming. Meanwhile, frazzled parents are logging into the same learning apps from their corporate laptops, or checking their work email from a personal device during virtual back-to-school night. 

The ease with which a hacker can move from a personal account to a corporate one is becoming increasingly apparent, and the combination of remote work and school isn’t helping your organization’s case. For anyone tasked with protecting their organization from malware and cyber security breaches, here is what you need to consider during the 2020 back-to-school season.

Your employees’ families are your users now, too.

You can’t be sure that the person logging into your company-issued laptop is actually your VP of sales, or their 10-year-old child with a homework deadline. In the same way, you also can’t be sure that a normally-cautious employee in accounting isn’t accessing your finance system from the same device that someone else in their household used for an epic two hours of video gaming just the night before. 

No matter which way you slice it, your employees’ family members may be using your corporate PCs for school purposes, and employees may be logging into work apps from personal devices. 

Your users are more vulnerable to a phishing attack.

Remote learning is a patchwork of hastily assembled apps and online services, each requiring separate logins. It’s confusing, and hackers thrive on confusion. It’s easy for an attacker to spoof one of these services and issue a fake password reset that harried parents and kids will fall for. And in general, we humans are much more susceptible to social engineering attacks in times of fear and uncertainty (hackers thrive on those too). 

There’s no line between personal account takeovers and enterprise security breaches.

With the blurring of home and work screen time, it’s much easier for a hacker with access to a user’s personal account (a learning app, a gaming account, or Gmail) to gain credentials for a corporate one using simple spoofing techniques. As security pros know, of course, this is not new — many major enterprise breaches have begun with a compromised personal account. But now, it’s so much easier and faster for a hacker with access to a work computer to log onto a corporate VPN with phished credentials or read a user’s work email when users are at home. 

With these considerations in mind, the way we approach enterprise security must change. Gone are the days of protecting only your most privileged users. It doesn’t matter how the hackers get into your corporate network; the point is, once they’re in they can go almost anywhere they please — and hackers will always take the path of least resistance. 

To remain secure amidst remote working and beyond, enterprises must adopt a zero trust mentality and authenticate every user, every time, on every service. This must be done with a form of strong authentication, like YubiKeys, that cannot be spoofed by email phishing attacks or man-in-the-middle attacks, and for productivity’s sake, must be almost seamless to the user.

So, Minecraft or math lessons? Either could be the social engineering attack that invites hackers into your corporate data. One thing is sure — unless you have strong authentication enabled for all remote employees, hackers will capitalize on the current situation and find a way in. And don’t forget to restart your computer or browser after a patch is available!

To deploy YubiKey strong authentication across your entire organization, regardless of employee location, read more about YubiEnterprise Services.

Sebastian Elfors

How NIST and eIDAS revisions are shaping the future of e-identification

This blog is co-authored by John Fontana, Standards Analyst at Yubico. 

On both sides of the Atlantic, standards and regulations on electronic identification are being revised more or less simultaneously. In the United States, the National Institute of Standards and Technology (NIST) accepted public comments on its SP 800-63-3 Digital Identity Guidelines last month, which is on track for a scheduled revision in 2022. In the European Union, the eIDAS regulation is also up for review. 

As an active member in the FIDO Alliance, W3C, Better Identity Coalition, and OpenID Foundation, Yubico was invited to provide input on both the NIST and eIDAS revisions. While this takes place on a predetermined schedule, our feedback was heavily influenced by our learnings and observations from the COVID-19 pandemic and the influx of remote work. This shaped a majority of our recommendations, which were focused on improving guidance on strong authentication and remote identity proofing. 

NIST SP 800-63-3 

NIST last revised its Digital Identity Guidelines in June 2017 just as multi-factor authentication (MFA) entered a robust innovation cycle led by FIDO protocols. The latest revision intends to evaluate recent improvements to authentication standards and technologies (WebAuthn), and other new identity and access management innovations. 

Last month, Yubico submitted comments and suggestions that ensure stronger identity assurance and authentication, and address the need to eliminate persistent vulnerabilities in aging authentication technologies such as SMS and OTP. 

    • We asked that the updated guidelines address modern attack vectors, and re-classify the grading system to recognize credential phishing resistance as a distinct and important property of modern hardware authenticators, one that is needed to close security holes.
    • We also suggested NIST recognize and classify new identity proofing and binding techniques for strong remote identification systems. Additionally, we recommended guidance around a combination of technologies that support authenticated and protected communication channels for security techniques such as verifier impersonation resistance. 
    • Lastly, we pointed out that the previous NIST Digital Identity Guideline revisions showed an affinity for hardware-backed, web-based strong authentication as defined by FIDO and WebAuthn. We emphasized that this innovation must continue in the 800-63-4 revision. 

eIDAS

In Europe, eIDAS (EU regulation 910/2014) is subject to revision and open for feedback in a public consultation. The EU Commission proposed three new options for the revised eIDAS regulation, and Yubico submitted feedback accordingly:

    • Option 1 would revise and complement the existing eIDAS framework. In this scenario, our recommendation is that eIDAS should specify well-defined rules for remote identity proofing, be harmonized with the EU Cybersecurity Act, require phishing resistance, reuse pre-approved eID products for notification, allow for backup eID schemes during disasters, and make the ‘High’ level of assurance mandatory for access to Qualified Trust Service Providers.
    • Option 2 would extend the scope of eID schemes to the private sector. We are positive about this initiative, since existing identity providers would extend the reach of notified eID schemes, which could also be aligned with the PSD2 requirements on financial transactions. The eID approval process and the architecture of eIDAS-Nodes would, however, have to be adjusted for private identity providers.
    • Option 3 would introduce a European Digital Identity scheme (EUid). Instead of a pan-European EUid, we believe that federated solutions would allow for better international interoperability, higher scalability, and be based on modern technology.

Yubico’s complete response to the eIDAS inception impact assessment can be found at the EU Commission portal. In addition to our eIDAS contributions, Yubico also provided feedback to promote remote identity proofing for ETSI TS 119 461, the European Telecommunications Standards Institute’s (ETSI) new standard on identity proofing. 

Fortunately, the development of legislation and standards for electronic identification continues to progress in the US and EU with consistent input from leading security and identity experts across the globe. As we account for evolving threat landscapes and innovative technologies that offer the best combination of security and usability, we can collectively continue to serve and protect governmental agencies, the private sector, and citizens even better in the future.

To learn how the YubiKey can be used for national electronic ID-card projects and eIDAS-compliant eID schemes, such as the National Digitalisation Programme at the Faroe Islands, read more here.

To learn how the YubiKey FIPS Series can enable government agencies and regulated industries to meet the highest authenticator assurance level (AAL3) requirements from the NIST SP 800-63 guidance, read more here.

Ashton Tupper

Our family is growing! Meet our newest member… the YubiKey 5C NFC

The YubiKey 5C NFC and the YubiKey 5Ci on a keychain.

Today is the day that many of our YubiFans have been waiting for — Yubico’s latest form factor, the YubiKey 5C NFC, is here! It’s the first security key featuring dual USB-C and near-field communication (NFC) connections in addition to multiple authentication protocols, including PIV for smart card login.

As one of our most long-awaited and sought-after form factors, we can’t wait to share in the excitement with you. Here are just a few reasons why we love the YubiKey 5C NFC, and suspect you will too:

It’s the modern security key to work with modern devices. 
USB-C connectors are growing in popularity, and many of the latest laptops and computers, from MacBooks to Windows Surface Pros, are making the switch from traditional USB-A ports. Meanwhile, the major mobile platforms — Android and now iOS — support hardware authentication over NFC for a tap-and-go experience. 

The YubiKey 5C NFC combines both USB-C and NFC connections on a single security key, making it the perfect authentication solution to work across any range of modern devices and leading platforms such as iOS, Android, Windows, macOS, and Linux. 

It’s the first USB-C and NFC-compatible security key with multi-protocol support, including smart card. 
As part of the YubiKey 5 Series, the YubiKey 5C NFC is equipped with Yubico’s signature multi-protocol support. In addition to compatibility with modern standards like FIDO2 and WebAuthn, the YubiKey 5C NFC can also be leveraged as a smart card — a feature that is beneficial for hundreds of enterprises, and particularly those within the government sector.

The full range of multi-protocol support includes: FIDO2 and WebAuthn, FIDO U2F, PIV (smart card), OATH-HOTP and OATH-TOTP (hash-based and time-based one-time passwords), OpenPGP, YubiOTP, and challenge-response. This flexibility is an invaluable benefit, specifically for enterprises, as it allows one key to work across a wide range of services and applications: email clients, identity and access management (IAM) solutions, VPN providers, password managers, social media platforms, collaboration tools, and many more.

It’s the newest security key to secure remote work with ease. 
Working from home isn’t set to disappear anytime soon, and even after shelter in place and social distancing guidelines are lifted, we’re bound to see an increase in remote work around the world. Companies are challenged with establishing trust with employees and their devices outside of the traditional confines of a secured office environment. 

Security keys are the proven method to protect against phishing and man-in-the-middle attacks 100% of the time, and they come with the added benefit of being easy to use. One touch or tap to authenticate is all that’s needed — a significant benefit when most employees are struggling to balance the increasing overlap of personal and work responsibilities. With the ability to work across modern devices, the YubiKey 5C NFC is the perfect fit for securing your at-home workers with ease. 

Looking to start (or add to) your YubiKey collection? Head over to the Yubico store today and order a YubiKey 5C NFC for $55 USD. And while you’re at it, don’t forget to add in some YubiStyle covers to personalize your key. 

The YubiKey 5C NFC is also available for enterprise customers as part of our recently added YubiEnterprise Service offerings. YubiEnterprise Subscription and YubiEnterprise Delivery allow organizations to quickly and cost-effectively deploy YubiKey authentication at scale, regardless of employee locations.

Stina Ehrensvard

How YubiKeys are made: Security at scale

The first YubiKey was manufactured in Sweden in 2008. A few years later, part of our team moved from Stockholm to California, and we expanded our production capabilities to the US West Coast. It was a conscious choice to manufacture our products in two democratic countries that were close to our innovation teams and main customers. To further safeguard the security of our products, we have over the last decade continued to make investments across the entire supply chain, summarized in more detail on this page on Yubico secure manufacturing.

The Yubico innovation team has been internationally recognized for creating game-changing product designs and security protocols in our industry. What many may not know is that we also invented new methods for manufacturing USB keys in a monoblock form factor. A glimpse of how YubiKeys are made can be seen in this video from our main manufacturing plants in Sweden. 

Today, we are launching and ramping up volume production for our fourth USB-C device, the YubiKey 5C NFC. In 2016, before USB-C was commonly available on laptops or Android phones, we launched the first USB-C security key in a keychain form factor. Two years later we introduced the YubiKey C Nano, which is probably the industry’s smallest USB-C authenticator ever made. And last year, we introduced the YubiKey 5Ci, the world’s first USB-C and Lightning dual-connector security key.

The YubiKey 5C NFC is a welcome new member of the YubiKey family. After unexpected delays due to COVID-19, it’s finally here. It was requested by our customers, and it delivers the core features and values that signify a genuine YubiKey — quality, security, robustness, and usability in a minimalistic design. 

Andreas Ohrbeck

Build your Passwordless offering with Microsoft Azure AD and YubiKeys – Limited Time Offer

COVID-19 has disrupted the business norm and forced most organizations, including many Yubico partners, to adjust their security strategies. Our partners have had to recommend and implement the right technologies that will enable their customers, who are now managing expanded remote workforces, to achieve secure access to critical applications – all while maintaining business continuity.  

Companies have become smarter about how they address:

  • Investments in cybersecurity
  • BYOD and connectivity to internal networks
  • Employee productivity 
  • VPN overload

A recent Forrester Report¹ cited 10 security and risk technologies to pay attention to as a result of the pandemic, with one major disruptor being the shift away from weak password requirements. Many authentication solutions that were good enough a few years ago do not protect against modern malware, phishing, or man-in-the-middle attacks. By moving beyond passwords to hardware-based security keys, organizations are enabling the strongest form of authentication, one that is proven to mitigate account takeovers, with unsurpassed ease of use. 

It has been our long-standing mission to make the internet safer for everyone. Yubico pioneered security keys with the YubiKey and co-created open security standards such as FIDO2 and WebAuthn; building on those standards, major platform companies, like Microsoft, are helping to drive the global business world towards the elimination of passwords. 

Microsoft has been incorporating FIDO2 flows that support YubiKey strong authentication features that work natively with Azure Active Directory, Windows 10, and Microsoft 365 applications. Incorporating these types of identity verification in conjunction with hardware-based authentication hardens security and mitigates remote phishing attacks. 

Together with Microsoft, we are announcing a Go Passwordless Pilot Program where qualified Services Providers (e.g. systems integrators, consulting services) in Canada, the EU, the UK, and the US can nominate their customer to pilot the Azure Active Directory Passwordless flow. For a limited time, Yubico and Microsoft are offering 25 free YubiKeys to up to 100 qualified customers to pilot the Microsoft Azure AD Passwordless flow and the YubiEnterprise Delivery (YED) service.

“I believe this offering is a compelling program. It fits well with our respective missions to help everyone achieve more and make the internet safe for everyone.” – Sue Bohn, Partner Director of Program Management in the Identity Division at Microsoft.

To get started and check qualifications:

    1. Services Provider will need to identify a customer (500+ Azure AD Users) that has the technical FIDO2 requirements to go passwordless 
    2. Enroll your organization into the program. If you have an Azure AD + Yubico Passwordless practice – share the link with us when you sign up!
    3. Then, nominate the customer for the pilot
    4. If you and your customer are selected for the pilot, we will contact you for shipping details

Pilot requirements: Windows 10 version 1903 or later, Azure Active Directory and Yubico’s YubiKey 5 Series, Microsoft Azure AD MFA-enabled users, and Azure AD integrated with Microsoft and third-party applications such as Office 365, Salesforce, and ServiceNow.

Services Partners such as Patriot Consulting (US), InSpark (NL), ThirdSpace (UK), Skill (NO), Magellan Securite (FR), and SPIE (FR) have already built Microsoft 365 integrations with YubiKeys. Nominate your customer by going to the Go Passwordless Customer Pilot Program.

We encourage businesses to build their practice by incorporating strong, hardware-based authentication methods. 

Stina Ehrensvard, CEO and founder of Yubico and Sue Bohn, Partner Director of Program Management in the Identity Division at Microsoft, discuss the Go Passwordless Pilot Program and how both companies are helping to drive open standards and passwordless momentum.

¹ Cser, Andras, et al., “The Top Security Technology Trends To Watch, 2020,” Forrester, June 30, 2020.

Christopher Harrell

How modern phishing defeats basic multi-factor authentication

Two years ago, at the internet security conference Black Hat US, the Yubico team was invited to speak about how advanced phishing works and how FIDO authentication standards and YubiKeys can help mitigate these attacks.

Today’s hackers increasingly hijack one-time use codes and push notifications during the brief window when they are valid, and the attack and account takeover are all but invisible to the user.

With the recent spike in spear phishing using these methods, we decided to build on our previous work and show what it’s like to be phished with these modern techniques when using several types of basic multi-factor authentication.

If some of these terms are unfamiliar, don’t worry, we will go over them in this video.

Acknowledgements

These links have the details of the recent attacks. Krebs’ article in particular shows screenshots of some of the phishing pages used against several targets. Twitter was even quite open and posted publicly about their related security incident.

A different set of similar attacks happened over the last few years and are very serious. Amnesty International has three in-depth articles which detail phishing techniques used by seemingly politically motivated attackers against human rights defenders, journalists, and civil society organizations in the Middle East, Egypt, and Northern Africa during 2018 and 2019. This is a clear example of how attackers know their victims, and will use things they care about (security) to try and trick them.

Also not covered here are attacks on SMS-based authentication where the phone network is leveraged via backbone connections or SIM swaps to intercept the code that the victim was supposed to get. Read below to learn more about this:

The way I was able to make fairly clean phishing pages over the course of roughly a day was by using the open source phishing framework called Evilginx2 by Kuba Gretzky and hacking in some tweaks and JavaScript. If you’re interested in the details of how these attacks are done under the hood, or want to see some other great examples against other services, please see Kuba’s fantastic talk here.
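The reason a reverse-proxy phishing page can relay a one-time code or a push approval but cannot relay a FIDO/WebAuthn login is that the assertion is bound to the origin the browser is actually on and to the relying-party ID the authenticator signs for. The following is an added example, not code from this post or from Yubico, modelling the two checks that break the relay. It assumes a constructed relying party at `example.com`, a constructed lookalike origin `example-login.test`, and, so that it runs with the standard library only, an HMAC key standing in for the per-credential ECDSA key a real authenticator would use.

```python
# Added example: why a WebAuthn assertion cannot be relayed through a phishing proxy.
# Constructed, stand-alone model; not code from the original post or from Yubico.
# A real authenticator signs with a per-credential ECDSA key; an HMAC key stands in
# for it here so the example runs with the standard library only.
import hashlib
import hmac
import json
import os
import struct

RP_ID = "example.com"               # assumed relying-party ID (constructed)
RP_ORIGIN = "https://example.com"   # the only origin the relying party accepts


class Authenticator:
    """Stand-in for a hardware authenticator: signs rpIdHash||flags||counter||SHA256(clientDataJSON)."""

    def __init__(self):
        self.key = os.urandom(32)   # constructed stand-in for the credential private key
        self.counter = 0

    def get_assertion(self, rp_id, client_data_hash):
        self.counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                     + bytes([0x01])                            # flags: user present
                     + struct.pack(">I", self.counter))         # signCount
        sig = hmac.new(self.key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def host_of(origin):
    """Host part of an origin such as https://host[:port]."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]


def browser_get(authenticator, origin, rp_id, challenge):
    """Model of navigator.credentials.get(): the browser, not the page, fills in the
    origin, and it refuses an rpId that is not a registrable suffix of the page's host."""
    host = host_of(origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":")).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(response, expected_challenge, credential_key,
                     expected_origin=RP_ORIGIN, rp_id=RP_ID):
    """Relying-party checks, in the order the WebAuthn spec lists them (simplified)."""
    cd = json.loads(response["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = response["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(response["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response["signature"]):
        return False, "signature invalid"
    return True, "ok"


def run_scenarios():
    """Returns (legit_ok, outcome_with_real_rpid, rp_reason_with_proxy_rpid)."""
    authn = Authenticator()
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"   # constructed; a real RP generates a fresh random one
    # 1. Genuine login on the real origin verifies.
    legit_ok, _ = verify_assertion(
        browser_get(authn, RP_ORIGIN, RP_ID, challenge), challenge, authn.key)
    # 2. A lookalike page forwards the real challenge and the real rpId: the browser refuses
    #    because example.com is not a suffix of the lookalike host.
    phish_origin = "https://example-login.test"   # constructed lookalike origin
    try:
        browser_get(authn, phish_origin, RP_ID, challenge)
        with_real_rpid = "assertion produced"
    except PermissionError:
        with_real_rpid = "browser refused"
    # 3. The lookalike page uses its own host as rpId so the browser cooperates, but the
    #    signed clientDataJSON now carries the lookalike origin and the RP rejects it.
    relayed = browser_get(authn, phish_origin, host_of(phish_origin), challenge)
    _, reason = verify_assertion(relayed, challenge, authn.key)
    return legit_ok, with_real_rpid, reason


if __name__ == "__main__":
    print(run_scenarios())
```

Contrast this with a one-time code: the code is the same six digits whichever page the user types it into, so the relying party has no way to tell that it arrived via a proxy. In the WebAuthn flow the relying party never has to detect the proxy; the origin and rpIdHash checks fail on their own, and the signature over the wrong origin would fail even if those fields were edited by the proxy.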

Ronnie Manning

New Yubico for Free Speech Program Arms Nonprofits with Strong Authentication

2020 continues to be a challenging year in many ways for all of us, but today, we’re proud to share some hopeful news — Yubico is introducing the Yubico for Free Speech Program, an initiative designed to defend digital privacy, online security, and free speech for at-risk individuals and nonprofit organizations. 

As of July 1, 2020, Yubico has committed to donate one YubiKey for every 20 YubiKeys purchased on yubico.com. Using these keys, we will equip nonprofit organizations, and the populations they serve, with the power of hardware-backed security — free of cost. Our goal is to enable these organizations to safely continue their important work of serving, empowering, and protecting vulnerable populations most at risk of targeted cyber attacks. 

Enabling YubiKey protection for at-risk individuals

For years, Yubico has worked with nonprofit organizations like Freedom of the Press, ISC Project, Electronic Frontier Foundation, Defending Digital Campaigns, and the Human Rights Foundation. With the Yubico for Free Speech Program and Yubico’s new donation initiative, we have formalized this work to reach a wider range of organizations that align with our shared desire of upholding and protecting free speech, including: 

  • Non-profit organizations that protect journalists, freelancers, and writers from doxing and other targeted attacks in an effort to uphold transparent, fair, and ethical reporting.
  • Human rights organizations and activist groups focused on ending racism, sexism, LGBTQ violence, domestic abuse, and other social justice issues around the world. 
  • Bi-partisan networks that fight to preserve democratic integrity by securing political campaigns, political candidates, and election processes.

Why free speech matters to Yubico 

Free speech is an important human right, and one that aligns closely with Yubico’s greater mission: to make the internet safer for everyone. We believe that free speech and free press play a critical role in exposing injustice and inequality, and we also know that free speech is under attack in many ways and for many groups of people. Coercive force, disinformation, doxxing, and cyber attacks are used across the globe each and every day to silence voices that matter. 

Yubico has a longstanding partnership with Freedom of the Press where we’ve donated YubiKeys to secure their organizations and the individuals they work with. “At Freedom of the Press, we encourage all of our clients and trainees to use Yubikeys to secure their accounts and important communications. This new program will make hardware tokens available to so many who have wanted to bolster their security, but couldn’t quite justify the expense. We’re thrilled to support Yubico in their initiative to bring a safer internet to those on the front lines of great causes” – Harlo Holmes, Director of Newsroom Digital Security at Freedom of the Press.

We believe that freedom of speech must not only be protected, but also exercised — at home, at work, in the streets, and online. This is the path to educating ourselves and others, while evolving as a society.

Join the cause 

If you are with a nonprofit organization that values free speech and defending human rights, and you are interested in protecting yourself or others online, apply to join our Yubico for Free Speech Program here.

Please also join us in helping this program grow! Here’s what you can do: 

  • Purchase any of our products from yubico.com to contribute to the amount of YubiKeys we are able to donate, or
  • Share your favorite nonprofits with us if you believe they could benefit from strong authentication and would be a fit for this program. 

We thank you for your support!

Dennis Hills

Exploring clientDataJSON in WebAuthn

Calling all developers! Today, we’re kicking off our first-ever post in our new technical blog series specifically designed for our developer community. Each month, we will be selecting a new technical topic to cover in more depth. 

To start our series, we dive into the clientDataJSON object as part of the Web Authentication or WebAuthn specification. WebAuthn is an exciting standard that has garnered a lot of interest, but it can often feel complicated to get started. 

WebAuthn defines a client/server ceremony API performing user registration and authentication. For registration, the user, via a client (web browser or mobile app), requests to register a hardware authenticator with a server. For authentication, that user, via a client app, attempts to login to a server with that previously registered authenticator. During these two ceremonies, there’s data passed back and forth between the client and the server. 

The clientDataJSON object is key to the WebAuthn API data exchange. If you are building a desktop or mobile application, the building and encoding of the clientDataJSON object needs to be done using a library or SDK.

First, let’s go over the high-level aspects of WebAuthn and then we can dive into details about what the clientDataJSON object is, its purpose and its attributes, and finally explain encoding and decoding of this object.

What is WebAuthn?

Web Authentication, or WebAuthn, is a W3C-recommended specification that defines an API for enabling the creation and use of public key-based credentials, for the purpose of strongly authenticating users. See the W3C Specification for more information.

The idea behind WebAuthn is to rid the world of password authentication (something you know) by replacing it with public key authentication (something you have). 

For password authentication, a user generates a password which is passed to the server, where it is stored in a database. During user authentication, the user-generated password is sent to the server for validation against the stored password. If the password matches, the user is authenticated and can access the service offerings or features.

For WebAuthn public key authentication, strong hardware-backed public/private-key credentials are created and stored by an authenticator, such as a YubiKey, during registration. The private key is securely stored on the authenticator and is never shared, while the server stores the public key portion in the database.

During user authentication, the server sends a pseudo-randomly generated challenge to the client for the authenticator to sign. The authenticator signs, with the private key, the authenticatorData together with a hash of the clientDataJSON. This signature proves possession of the private key and gives assurance that the challenge, relying party (RP) ID, and origin were not tampered with, all without ever sharing the private key or requiring the user to provide a static password. Replay attacks are prevented by the pseudo-randomness of the challenge. Phishing attacks are prevented because the challenge is signed with a private key that is scoped to the RP ID (domain). In addition to countering replay and phishing attacks, the Web Authentication API also removes the risk of compromised credentials (username + password), since a password is never passed to or stored by the RP, hence the term “passwordless”.

What is clientDataJSON?

At a high level, the WebAuthn specification is really just an exchange of challenges and responses performed during two types of ceremonies: registration and authentication. The clientDataJSON object, always populated by the client (browser or app), is sent in the response to the RP server during registration and authentication. 

The object, populated by the client, has three required properties: a type, a challenge, and an origin. The type can be either “webauthn.create” for a registration response or “webauthn.get” for an authentication response. The challenge value is the actual challenge that was sent by the RP during the create or get ceremony. The origin contains the effective domain name of the endpoint to which the client is connecting during the WebAuthn registration or authentication. 

Now that we know about the properties, let’s find out the purpose of each property and how these are integrated to control the Web Authentication flow.

clientDataJSON Use Cases 

The clientDataJSON is used to determine the current state or flow of the WebAuthn ceremony. The type attribute tells the RP whether this client data is a registration or authentication response to a server challenge. 

The most important responsibility of the clientDataJSON is storing the effective domain of the connected client. In the WebAuthn API spec, the client browser or application is responsible for capturing the effective domain of the connected endpoint and storing it in the origin attribute during the registration (create) and authentication (get) ceremony. The public keypair generated by the authenticator is considered to be “origin-based”, which means the keypair can only be used to authenticate a user when the client is connected to the same domain (origin) endpoint to which it was originally connected (or matches a subset of the server domain) at the time when the keypair was generated. I’ll go into this in more detail later.

The last responsibility of the clientDataJSON is to capture the cryptographic challenge sent by the RP during registration or authentication. The challenge is randomly generated by the RP and sent to the client at the start of the ceremony. The client captures the challenge in the challenge attribute and passes this back to the server.

clientDataJSON Properties

The clientDataJSON object (after decoding) has the following properties:

Property: type
Definition: Contains a string with one of two values:
  • “webauthn.create” → A new credential is being created during REGISTRATION.
  • “webauthn.get” → An existing credential is retrieved during AUTHENTICATION.
Required/Optional: Required

Property: challenge
Definition: The base64url encoded version of the cryptographic challenge sent from the relying party’s (RP) server. The original challenge value is passed by the relying party (RP) through PublicKeyCredentialRequestOptions.challenge or PublicKeyCredentialCreationOptions.challenge.
Required/Optional: Required

Property: origin
Definition: The effective domain of the requester given by the client/browser to the authenticator.
Required/Optional: Required

Encoding and Decoding clientDataJSON Properties

With only three main attributes, the clientDataJSON object is pretty straightforward; however, according to the W3C spec, the JSON string is converted into an ArrayBuffer before being transported back to the RP and then back to a string on the server side before validation. The ArrayBuffer is being used for efficiency and optimal performance when speaking binary to the authenticators.

The conversion to and from an ArrayBuffer is the most confusing part for developers. The good news is that, for most WebAuthn solutions, developers can rely on a web browser that supports the Web Authentication API as the client to handle the interaction with the external authenticator. Those browsers have already implemented the client API requirements using the FIDO2 Client to Authenticator Protocol (CTAP) specification. CTAP is an application layer protocol used for communication between a client (browser) or a platform (operating system) and an external authenticator such as the YubiKey. 

If you are building a mobile, desktop, or IoT application without the use of a browser, you will need to implement the CTAP Authenticator API using a library, or a mobile SDK for iOS or Android.

On the server side, the RP receives the object as an ArrayBuffer, which must be decoded and parsed. 

Here’s what the hashed clientDataJSON object within the client response looks like when received by the relying party during registration:

Here’s what the parsed clientDataJSON object looks like as a JSON string:

In the examples below, the server converts the ByteArray to a JSON object and then parses and validates the data.

Here’s a Java example of how the Yubico Java Server demo handles the clientDataJSON:

Here’s a JavaScript example from the Firefox developer guide:

Relying Party Validation of WebAuthn clientDataJSON 

Once the RP receives the registration or authentication response from the client and converts the ByteArray to a JSON object, it’s ready to parse and validate the three attributes. At this point, the server can validate any of the attributes in any order. 

The origin value is the most important validation. The client browser or app determined the endpoint/domain during the request for authentication to the server. The server must then validate that the “origin” string matches the RP’s domain, or a subdomain of it, as identified by the Relying Party Identifier (RP ID). 

Conclusion

The clientDataJSON consists of only three required attributes but plays a critical role in the Web Authentication flow between the client and server. In this post we learned that this object is populated by the client during the registration and authentication flows in order to determine the type of ceremony (registration or authentication), the origin of the connected client, and the current challenge from the server. The data is transported as an ArrayBuffer by the client and then decoded and parsed by the server. The RP can reject any authentication attempts if the client object is not encoded properly, contains an incorrect challenge, or the client origin does not match the domain (RP identifier) associated with the JSON string.

Building and encoding the clientDataJSON object is the client responsibility, but that work is typically handled for you by a web browser that supports Web Authentication. However, if you are building a desktop or mobile application, that work will need to be done using a library or SDK of your choice following the Web Authentication API structure as defined by the W3C spec.

Resources

Yubico WebAuthn Developer Guide
W3C WebAuthn Spec
Mozilla MDN Web Docs
Yubico iOS SDK – WebAuthn Client
GitHub WebAuthn API wrapper that translates to/from pure JSON using base64url
Yubico WebAuthn Server (Java)

Jeff frederick

5 reasons why the government and other public sector agencies should care about WebAuthn

Federal, state and local governments and other public sector agencies have important responsibilities that support a functioning community – everything from national security to public transit, public education, public safety, state parks, financial services, energy and power grids, and many more services are all tax funded and managed by the public sector. While these are vital components to life as we know it, the sheer amount of personal and sensitive information required to uphold these critical operations puts agencies at constant risk of being compromised.

Government and other public sector run systems and data are accessed daily not only by employees and contractors, but also by partners and citizens, exponentially increasing the likelihood of security breaches related to account takeovers. In fact, remote hacks continue to occur at an alarming rate, while also growing more advanced. According to the 2020 Verizon Data Breach Report, organized criminal groups were behind 55% of breaches, and nation-state or state-affiliated actors were behind 38% of breaches. 

While CAC and PIV cards are de-facto authentication methods across various Federal agencies within the public sector, there are many cases where they’re not suitable, and passwords do not provide enough security to defend against the volume of sophisticated attacks. Fortunately, WebAuthn, a core component of the FIDO Alliance’s FIDO2 set of specifications, is a modern, phishing-resistant web authentication standard that is now supported across all computing platforms. WebAuthn makes it easy for websites, services, and applications to offer strong authentication with the option of removing the reliance on passwords entirely. This could include government hosted web-based applications and services – like the Department of Motor Vehicles –  that are both employee and customer facing. 

Here are 5 reasons why the Federal government and other public sector agencies should care about WebAuthn:

Standardized strong authentication 

For the first time, the standardization of strong authentication is possible. Imagine setting up simple multi-factor authentication (MFA) across digital public sector services and having a convenient, consistent, and secure login. WebAuthn enables just that across all major browsers and operating systems, empowering services and apps to make strong authentication available to end users.

Improved security 

The public sector has access to critical information and stores sensitive data, meaning a breach could impose on the safety and security of millions of constituents. With the help of public key cryptography, WebAuthn raises the bar for strong authentication and provides strong MFA security for users, including public sector employees, contractors, partners and citizens.

Seamless user experience 

Through the WebAuthn API, strong authentication is accessible for web and mobile apps, eliminating the hassle of password resets and SMS codes and allowing users the convenience of signing in by tapping a security key. The WebAuthn API enables IT teams and developers to easily and quickly integrate WebAuthn into existing and new services, providing a consistent and seamless authentication experience for their users. 

WebAuthn also gives users a broad range of choices for authenticating, from biometrics to hardware security keys. 

Improved productivity 

Resetting passwords is no longer an issue with WebAuthn. With the possibility of passwordless login, it eliminates the time spent and frustrations that stem from managing passwords. This time saved extends to help desks and support centers – for both internal public sector employees and external users – who no longer have to devote resources to resetting and maintaining passwords.

Reduced costs 

Breaches, especially for government and other public sector entities, can be detrimental in many ways, including confidential data loss, lost productivity and financial burdens. WebAuthn helps reduce negative financial impacts associated with breaches and support costs, allowing government and other public sector services to repurpose budget that was previously designated to maintain and manage infrastructure and passwords. 

Interested in learning more about the benefits of WebAuthn in the public sector? Download the Yubico white paper series, WebAuthn for the Public Sector, here. Additionally, you can view Yubico’s on-demand webinar on the topic here.

Luke Walker

4 reasons to consider a security-first approach to product development

The internet is a powerful invention. It was originally built for collaboration, but it’s far surpassed the capabilities anyone could have expected, and has become a core function of society. As developers, we contribute to these incredible advancements every day, but it’s also our job to help protect and preserve the future of the internet.   

To put it simply, the internet was not originally built with security in mind — much like the automobile. But over time we’ve recognized the need to protect internet users and the sensitive data that is shared. We now expect to have security features built into our products and services similar to how we expect to purchase a car that comes equipped with airbags, seatbelts, alarm systems and more. 

Nevertheless, security can still be an afterthought in the product development lifecycle — but it shouldn’t be. The cyber security landscape is evolving and organizations must evolve with it. Here are four reasons why your organization should consider adopting a security-first mindset when building the next generation of innovative solutions. 

Recovering from a data breach is a costly mistake 

The financial damage a data breach can cause is catastrophic, especially for smaller businesses. A data breach costs businesses $3.92 million on average, and organizations continue to incur residual costs for years after the initial breach. Reversing these repercussions is far more costly than investing in a strong security foundation from the start. Establish principles of privilege-based access and strong authentication, and minimize risk from the get-go, to save your organization money, time, and negative brand exposure down the road. 

Negative brand reputation decreases customer trust

A data breach can cause substantial damage to a brand’s image and reputation, including a loss of customer trust. In fact, studies show that 65% of data breach victims lose trust in an organization after a breach, and 80% of consumers will avoid using a service if their information was compromised. 

Strong security is a competitive differentiator 

With an ever-evolving security landscape fueled by a growing remote workforce, a forward-looking security perspective will become a standard among consumers and enterprises, and strong security options will set your organization apart from other competitors. 

Operators, system administrators, and developers who shift from a perimeter-focused approach to a comprehensive multi-layered approach that protects all elements — networks, endpoints, cloud services, and mobile devices — will succeed.

A seamless user experience builds customer loyalty

When done properly, good security can play an important role in improving your customer’s product experience. In fact, it can make or break the experience all together. Take passwords for example. No one likes them, they’re hard to remember, and they do very little in terms of offering adequate protection against account takeovers. Yet, they are still used widely across the internet and oftentimes, account creation or log in can be a customer’s first interaction with a website or mobile app. 

“When product development prioritizes security early on, the resulting product offers a better user experience from day one,” explains Josh Aas, Executive Director, Let’s Encrypt. “There are few things as disruptive to user experience as security mechanisms bolted on as an afterthought.”

When security is a forethought rather than an afterthought, it provides an opportunity to design a seamless and enjoyable user experience from start to finish. 

Ultimately, a security-first mindset can help your organization avoid detrimental repercussions caused by data breaches and reap the benefits for your bottom line, your customers, and your brand. 

At Yubico we value strong authentication as a critical piece of this puzzle, but we also recognize that there are many other security aspects that must be taken into consideration (and work together) to ultimately make the internet a safer place for everyone. That’s why we’ve chosen to partner with our friends at Let’s Encrypt — a non-profit organization that issues TLS certificates.

Starting today, Let’s Encrypt is giving the first 500 people, who donate $50 or more during their 2020 Summer Giving Campaign, a coupon to redeem a free Security Key NFC by Yubico at yubico.com.  

Developers who are interested in implementing strong YubiKey authentication with open standards can join the Yubico Developer Program to gain access to open source libraries and servers, implementation guides, training resources and more.

Ashton Tupper

From Security Geek to Security Chic: YubiStyle covers now available for purchase

When thinking about security, we typically have a list of features that are important to us as users. Is it secure? Yes. Is it easy to use? Yes. Is it durable? Yes. But who ever said that security has to be boring? Not us! 

As of today, we’re excited to share that you can now purchase YubiStyle covers from the Yubico store. After all, you have a security solution that works really well, and now you can make it look really, really good. 

Purple YubiStyle

Double Rainbow YubiStyle

Geode Blue YubiStyle

With 11 new designs and solid colors suited for our keychain models, pick the style that works for you and personalize your YubiKey. Not only are you likely to make your co-workers jealous, but differentiating your YubiKeys is especially useful for those of you that carry several security keys – and we all know that having multiple YubiKeys registered to your accounts is the way to go.

Visit the Yubico store today to pick up a YubiStyle (or two) of your choice, and add some flair to your security wardrobe. Are you ready to go from security geek to security chic? 

Camila Brindis

Available now! Works with YubiKey makes it easy for services to self-verify and for users to submit integrations for listing

Changing the world can’t be done alone. That’s why integrations play such a critical role in our mission to make the internet safer. We often like to say that we have created  the key, and our partners build the locks. With this in mind, we launched Works with YubiKey (WWYK), our technology alliance program for products, apps, and services that integrate with Yubico hardware and software. 

Since first launching in 2018, the program has seen remarkable growth, and has enabled us to work with hundreds of global companies sharing the same commitment to protecting devices, accounts, and most importantly, people. 

Today, we’re expanding on this momentum with significant updates to our WWYK Program. These updates will empower even more companies to build support for the YubiKey and YubiHSM into their products, and make it easier for our users to discover all of the integrations that enable hardware-backed authentication on our online catalog.

Designed to address varying needs, we’re introducing two new tracks to program membership—self-verified and Yubico-verified—and have also made it possible for our community of users to submit YubiKey integrations for catalog listing.

Yubico-verified

The Yubico-verified track provides a way for companies, who wish to engage in a deeper business relationship with Yubico, to help amplify their YubiKey integration and work together as business partners. Want to partner with us? Let us know.

Self-verified

Yubico now provides a self-verification checklist for companies who wish to verify their own integrations and ensure they have the essential features to meet our usability guidelines. This track enables companies to independently manage their own catalog listings, and engage in periodic marketing activities without any joint business plans. Verify your integration now.

Lastly, we’re providing a way for you, our users, to submit community listings for YubiKey integrations that you know and love, and may not yet be listed in our catalog. We also encourage you to tweet at your favorite companies to request that they build support for YubiKey authentication.

With these new updates to the Works with YubiKey Program, we hope to provide companies with a new platform for showcasing their products and commitment to user security, and at the same time, ensure that users don’t miss out on all the great integrations available today.

If you are interested in becoming a Works with YubiKey Program member, but don’t yet support Yubico products, start with our Developer site.

Camila Brindis

3 Factors to Consider on the Path to Digital Transformation

Digital transformation, by definition, is the use of new, fast, and frequently-changing digital technology to solve problems. When done successfully, digital transformation can help businesses be more agile, so they can quickly innovate and adapt. Recent reports have shared that 56% of surveyed CEOs said digital improvements have led to increased revenue, and digital-first companies are 64% more likely to achieve their business goals than their peers.

Digital transformation is exceedingly relevant today, as it has been the past few months during the COVID-19 pandemic, given the dramatic shift in how companies operate across the globe. To keep up with the demands of a remote workforce, many companies were forced to adopt cloud-first strategies and modernize in haste, without having enough time to consider implications to cost, complexity, and security. 

Cost: Develop an investment strategy.

Many companies have made the mistake of adopting modern technology for technology’s sake, without being able to achieve business outcomes. Of the $1.3 trillion spent on digital transformation in 2018, an estimated $900 billion was wasted when initiatives didn’t meet their goals. That’s 70% of the overall spend! As with any big investment, companies headed toward digital transformation need to develop a solid strategy before investing in new technology, so they don’t end up paying for services and tools they don’t actually need. 

Complexity: Adopt technology that enhances—not slows down—productivity.

Digital transformation, with its many advantages, also introduces new complexity. Companies now need to adopt new infrastructures, deploy new applications, acquire new services, and support new customers (both internal and external) more than ever before. The challenge can be exponential.

Jake King, Co-Founder and CEO of Cmd, shared the need for modern approaches that enable the workforce without slowing them down. “As mission-critical, data-rich environments move to the cloud, it’s more than just the platform that is changing. These applications are accessed by lots of employees in iterative cycles that are getting faster and faster.”

A new report emphasizes this, sharing that 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. According to Dr. Shimrit Tzur David, CTO and Co-Founder of Secret Double Octopus, companies must consider strategies that meet the challenge of balancing usability with security. “To fully enjoy the benefits of digital transformation, companies should adopt innovative mechanisms like passwordless authentication that deliver a seamless and easy user experience across the enterprise while dramatically boosting security,” she said. 

Security: Enable strong authentication across systems and services.

With the adoption of new technology, and a rapid increase of employees and customers who rely on this technology, comes a new and sometimes unforeseen set of security risks. With remote work on the rise, unsecured WiFi networks and the use of multiple computers and mobile devices have given hackers plenty of new attack vectors and surfaces to exploit. 

Hed Kovetz, CEO and Co-Founder of Silverfort, identified SSH credentials used to access business servers as a high-value target for hackers, as they are used by developers and systems administrators who may have higher access levels to critical systems and data. 

“Securing remote access doesn’t end at the VPN. It’s important to protect all forms of remote access, especially RDP/SSH to internet-facing servers and administrative interfaces like PsExec,” he said. “It’s also important to monitor and analyze access beyond the perimeter, to on-premise and cloud resources, in order to detect and respond to threats.”

Understanding that security is only as good as its weakest link, Shashank Rajvanshi, Product Management Consultant at RSA, shares that digital risk can be managed through a practical, phased approach. “Since passwords represent the weakest link, the first step in minimizing risk is adding layers of security using multi-factor authentication (MFA), and eventually going passwordless with methods like FIDO-based authentication,” he said.

James LaPalme, VP and GM of Authentication at Entrust Datacard, also highlighted the benefit of enabling strong authentication at the user level. “The ability to quickly and securely verify identities is a critical requirement for digital transformation,” he said. “High assurance MFA delivers the security, flexibility, and scale required for a successful digital transformation.”

As we’ve learned from the statistics and from our industry peers, digital transformation is no longer a buzzword, but an imperative for which companies must consider cost, complexity, and most importantly, security. “On the path to digital transformation, consider security at every step,” said Robert Freudenreich, CTO of Boxcryptor. “There are many advantages to digitization if you protect your business properly.”

Learn more about the path to digital transformation by tuning into our recent Q&A roundtable webinar with panelists from Entrust Datacard, RSA, and Secret Double Octopus. Watch it on demand now.

Guido Appenzeller

Yubico Expands FIPS 140-2 Certification to YubiKey 5 Series and YubiHSM2

Today, we are happy to share that the YubiKey 5 Series firmware has completed testing by our NIST-accredited testing lab, and has been submitted to the Cryptographic Module Validation Program (CMVP) for FIPS 140-2 certification, Overall Level 2, Physical Security Level 3. Soon, the YubiKey 5 Series firmware will also be submitted for FIPS 140-2 Level 1 certification, and the YubiHSM 2 firmware will be submitted for FIPS 140-2 Level 3 certification for the first time. 

Yubico has a large number of customers that rely on our YubiKey FIPS Series security keys to keep their organizations secure, as well as compliant with government and industry regulations. With this continued certification effort, Yubico is not only doubling down on our commitment to support our current and future FIPS customers, but we are expanding the options that are available, including more certification levels and a broader range of FIPS-compliant product offerings. 

YubiKey 5 FIPS Series

We are excited to be certifying another hardware module type that offers Physical Security Level 3. This allows YubiKeys to be used when Authentication Assurance Level 3 is required, and enables compliance with the Federal Risk and Authorization Management Program (FedRAMP) and the Defense Federal Acquisition Regulation Supplement (DFARS). 

With both Level 1 and Level 2 certifications under way, the upcoming YubiKey 5 FIPS-validated platform will give our customers the flexibility to meet the level of compliance that is best suited for their particular needs. Key benefits of the new series will include:  

    1. Additional form factors: The YubiKey 5 FIPS Series will include new FIPS 140-2 validated form factors such as the YubiKey 5 NFC, YubiKey 5Ci, and the upcoming YubiKey 5C NFC. The YubiKey 5C Nano and YubiKey 5 Nano will also be available. Together, this combination of form factors will provide our customers with a range of choices, and open up new use cases for strong authentication on both iOS and Android mobile platforms. 
    2. FIDO2 certification: The YubiKey 5 FIPS Series will be the first line of FIDO2-enabled security keys to receive FIPS 140-2 certification. Yubico is a core contributor to the FIDO2 standard, and has helped drive native support in all major browsers and operating systems, as well as its rapid adoption in the commercial space. More recently, we have seen a surge in interest from government agencies as well. 
    3. Multi-protocol support: The YubiKey 5 FIPS Series will continue to support all of the standard protocols that are offered in our current YubiKey FIPS Series: FIDO U2F, PIV, Yubico OTP, OATH OTP (TOTP and HOTP), and OpenPGP. 

YubiHSM 2 FIPS

For the first time, we will also be pursuing FIPS 140-2, Level 3 certification for our YubiHSM 2 Hardware Security Module (HSM). We are excited about the prospect of offering a cost-effective, small-footprint Level 3 device. 

For more information on the YubiKey as a government-approved CAC and PIV card alternative, please listen to our on-demand webinar, “Modern CAC/PIV alternatives: Securing government teleworkers & mobile devices.”

To stay up to date on the YubiKey 5 Series certification progress, please visit the CMVP’s Module-in-Process List. Yubico will continue to release information on the YubiKey 5 FIPS Series and YubiHSM 2 FIPS as details become available. 

Kanika Thapar

Yubico releases Android SDK to improve mobile app security

Calling all enterprise developers and technology partners! Today, Yubico’s Android SDK is made generally available to equip you with the tools you need to quickly and efficiently build YubiKey support into your mobile apps. Together with the Yubico iOS SDK, you can now provide a seamless and consistent login experience for your customers and employees, regardless of their mobile device. 

With the launch of our Android SDK, we are now making it easier for apps to add YubiKey support using the YubiOTP, OATH (TOTP and HOTP), and PIV authentication protocols over both USB and NFC connections. Not all applications rely on modern authentication protocols like FIDO — particularly in the enterprise — and our new SDK delivers a uniform integration experience for all developers regardless of the authentication flow they choose.  

Fortunately, customers who are building apps with FIDO authentication can continue to use the native Android platform support.

3 benefits of YubiKey authentication on mobile devices

When it comes to mobile authentication, there are some key benefits of using a portable hardware-backed authenticator like the YubiKey in comparison to other mobile-dependent solutions like SMS or Google Authenticator. 

    1. Mobile phones are not purpose-built for security. They are multi-purpose computing devices that, by nature, have a larger attack surface. An external, single-purpose authentication device like the YubiKey significantly minimizes the level of risk exposure to malware or phishing attacks. 
    2. YubiKey authentication is up to four times faster than copying and pasting one-time codes. Not only is this a preferred and more enjoyable user experience, but it has also been shown to reduce support costs within an enterprise by up to 92%. 
    3. In some cases, app developers may want to require step-up authentication to complete a high-risk action, such as transferring a large sum of money or updating an address. As a general rule of thumb, an additional form of user verification — one that is not tied to a user’s device, which can be stolen or compromised — delivers the best level of security.

Achieving mobile security with the YubiKey in healthcare and beyond

Allscripts, a leader in healthcare information technology solutions, is one of the first companies actively working with the Yubico Android SDK to make YubiKey support available in the upcoming releases of Allscripts Sunrise™ Mobile and Allscripts Professional™ EHR Mobile and Desktop.

Due to the complex compliance requirements and fast-moving nature of hospitals or other healthcare environments, it’s important that doctors, nurses, and medical staff have quick, yet secure, access to critical systems and information.

“By integrating directly with the Yubico SDK, Allscripts is improving the multi-factor authentication (MFA) experience that is needed to comply with the electronic prescription of a controlled substance (EPCS),” said Steve Pascht, Allscripts Senior Solutions Manager. “It’s easier for providers to use hard tokens on mobile and desktop platforms by simply plugging in — and eventually tapping — the YubiKey without having to read, remember, re-type, or copy and paste OTP codes when prescribing controlled substances.”

In addition to healthcare, the advantages of YubiKey mobile authentication span many industries including financial services, manufacturing, retail, and technology, many of which have already integrated our iOS SDK into their apps. 

Get started with building YubiKey support into your mobile app

At Yubico, we strongly believe in the power of the ecosystem and community development. Developers and partners building enterprise and consumer apps are key to how Yubico architects products and we are committed to enhancing our software portfolio to enable all use cases across all platforms. 

If you’re interested in building a YubiKey-enabled mobile app or you would like to explore the latest Android SDK, check out our Github repo or developer guides.

Ashton Tupper

Google enhances mobile security on iOS with YubiKey support via NFC and Lightning

We are excited to share that Google has added WebAuthn support on iOS, which begins rolling out to users starting today! This means that you can now use YubiKeys on your iPhone and iPad when accessing Google’s iOS apps and web services on the Safari browser. The expanded support of strong hardware-based authentication can now be used via the Lightning connector (YubiKey 5Ci) and NFC (YubiKey 5 NFC, Security Key NFC). For individuals with YubiKey models that may not be NFC enabled, it is also possible to use the Apple Lightning to USB Camera Adapter.

In other words, you can now protect your personal and work Google Accounts, the Advanced Protection Program (Google’s strongest account security offering), and even services like Meet, Nest, and YouTube, with the most secure and easy-to-use security keys on Apple devices.

Many individuals and organizations around the world rely on Google products to power their day-to-day applications and communications, and provide fast and simple logins into many other web-based services. Now, this new functionality on iOS opens the door to every single Google user, to heighten their mobile security with increased YubiKey options.

With today’s rapidly growing remote workforce, G Suite administrators will benefit from this added level of protection to secure employees regardless of location. Earlier this year, Google shared that they’ve seen no evidence of a successful phishing attempt on accounts enrolled in APP to date. With added Lightning and NFC support, organizations and users can now achieve zero account takeovers on iOS.

The YubiKey 5Ci is the only multi-protocol USB-C and Lightning equipped security key to provide strong authentication on iOS devices and a range of other USB-C enabled machines. Today’s news adds to the growing list of services that support the YubiKey 5Ci and Lightning connection including: 1Password, Bitwarden, Dashlane, Idaptive, Keeper, Okta, and more.

To celebrate this milestone, we are offering a limited-time exclusive promotion for Google Cloud and G Suite customers. Account administrators can request a one-time introductory discount of $20 off any two (2) YubiKey 5 Series, up to 20 keys ($200 maximum discount value), for their employees to experience the ease-of-use, strong security, and diversity of YubiKey form factors. This promotion is available globally until June 30, 2020, and can be redeemed via this link.

Additionally, for large organizations with remote and dispersed workforces who want to add YubiKey protection to their G Suite Accounts, they can immediately benefit from our new YubiEnterprise Delivery service. YubiEnterprise Delivery allows organizations to easily ship YubiKeys directly to individual employees, partners, and customers across the globe.  

For more details on this new functionality and to learn how Yubico can help to secure your organization, register for our upcoming webinar “Securing Google and G Suite Accounts with YubiKeys” on June 10, 10:00 AM PST.

Ronnie Manning

Acing election security in 2020: A conversation with Defending Digital Campaigns

2020 is a big year for the US electoral system, and with society moving to a remote structure amidst the current climate, elections may very well be the next big sector to feel an impact. US citizens could find themselves voting entirely remotely — possibly through mobile phones or otherwise — changing the election security landscape as we know it. 

Remote or not, election security is not a new challenge. From securing voter registration databases to preventing account takeovers for political candidates and government officials, federal, state and local governments have been working to get a handle on election security for years. Yet, one of the fundamental cornerstones of effective governance is ensuring the security and integrity of elections and other political processes. 

Voting systems had seen little technology innovation throughout the course of US history until recently. Some states, for example, have started implementing mobile solutions to help with the tracking and recording of polling results. These trends will only continue with COVID as a forcing function, and governments that are not equipped to securely embrace a virtual voting system at scale will learn hard lessons.

As a government-approved authentication solution, YubiKeys are used by many agencies and political campaigns. In fact, Yubico is a Defending Digital Campaigns (DDC) partner to help secure campaigns as they navigate the uncertainties of the 2020 election cycle. 

To share some perspective from the front lines of election networks, we recently sat down with Michael Kaiser, President and CEO of DDC, to discuss what’s top of mind for this year’s election security.

What kind of work does your organization do? 

Defending Digital Campaigns (DDC) was founded with a focused mission of providing free and cost-reduced cybersecurity products and services to federal campaigns. We serve the House, Senate, and presidential campaigns as well as national parties and committees. DDC works with companies to come up with offerings to the campaign ecosystem and provides some support to get products implemented.

What risks do political campaigns, candidates and election networks face around the world? 

We can expect more vigorous phishing attacks, data stealing, ransomware, disinformation and misinformation efforts. The kind of attacks that do occur will be based on the motivations of the perpetrators. It could be nation states trying to divide us and be disruptive, a person in our own country opposed to a particular candidate, or cybercriminals stealing data to be monetized by conducting scams like business executive compromise, or seeking payments through ransomware. 

Most cybersecurity professionals I talk to believe that phishing remains a major vector of attack. Credential stealing is one of the ways attackers gain broad access to a network and from there instigate malicious activities. People are vulnerable to social engineering efforts, and creating and sending phishing emails is not a heavy lift for cybercriminals. Specifically, we do expect to see more ransomware and stepped attacks to steal confidential, potentially embarrassing, or detrimental data. As we get closer to elections, attacks may increase and the more we will see attempts to disrupt our campaign process.

Are we seeing cyber security risks to the US 2020 presidential elections? How are these risks different from those in prior elections?

For bad actors wanting to disrupt our democracy, cause chaos, steal a wealth of data to manipulate people or monetize, presidential campaigns are prime targets. As we have seen in previous cycles, the impact of a cyber incident on presidential campaigns can be significant.

Presidential campaigns need to be viewed as large enterprises. They grow quickly to many thousands of geographically spread out employees and volunteers, have tremendous amounts of data, and are highly dependent on a full spectrum of technology – all ingredients for increasing risk. 

What measures are you advising campaigns, political candidates and election networks to take to ensure they are protected?

The Federal Election Commission Advisory Opinion that allows DDC to bring free or reduced cybersecurity services to bipartisan campaigns is for federal campaigns — House, Senate, presidential — and national parties and committees. The vast majority of campaigns eligible for DDC’s help are House campaigns that likely have between 5 and 15 people at the core of the campaign that need to be protected. 

From the way we think about cybersecurity, these campaigns look a lot like small businesses. And while that’s true in some ways, they differ in others. These campaigns have what I call “squishy” perimeters. They use many volunteers and consultants and there are many other critical people in the orbit of the campaign, including a candidate’s spouse and children and close confidants.

We focus on making sure campaigns implement the basics: multi-factor authentication, encrypted communications, and protected websites. We encourage campaigns to focus on who needs protection because they have access to the campaign’s core and confidential workings. We also encourage that campaigns take advantage of security features that might be built into the systems they are already using such as Windows, Microsoft Office or GSuite.

How do you see Yubico partnering with Defending Digital Campaigns to help ensure the integrity of elections?

YubiKeys represent a foundational and critical building block of any cybersecurity effort. Protecting credentials is step one for every campaign in the country and Yubico addresses that issue directly and comprehensively. DDC is thrilled to have Yubico as one of its partners.

Learn more about how Yubico helps governments ensure election integrity by securing sensitive information across government elections and political campaigns. 


Guido Appenzeller

Quickly and easily secure remote workers with YubiKeys through YubiEnterprise Delivery

In the current situation of social distancing, record percentages of employees working from home have added complexities to securing the workforce. In fact, many of our customers have expressed that the actual distribution of YubiKeys to remote, individual employees is a real challenge. To help fix this issue, we are excited to release our second YubiEnterprise Services offering today: YubiEnterprise Delivery. 

With YubiEnterprise Delivery, US and Canada-based organizations can ship YubiKeys directly to employees, partners, and contractors in more than 30 countries across the US, Canada, and Europe. Delivery requests can be entered online via the YubiEnterprise console individually, in bulk through a CSV file upload, or programmatically through an API. Leveraging the API option enables IT administrators to fully automate the distribution of keys as part of the user onboarding and allows for integration with in-house service catalogs like ServiceNow. 

While Yubico takes care of the shipping logistics and simplifies YubiKey distribution, enterprises can focus on what matters – securing the workforce. Whether your organization has experienced an uptick in remote workers, has scarce IT resources, or has hiring surges throughout the year, YubiEnterprise Delivery makes it easy to quickly distribute YubiKeys to employees no matter their location.

For Remote Workers

IT administrators can experience cost-effective, turnkey shipping and tracking capabilities, with YubiKey delivery directly to employees’ doorsteps.

For Limited IT Teams 

Typically, IT teams are stretched thin managing the many business-critical applications that keep an organization running. By simplifying delivery, distribution, and management of inventory, organizations can operate efficiently without hindering security or productivity. 

For Seasonal Hiring 

Managing security logistics and inventory has its challenges when hiring activities increase during specific times of the year. With the combination of YubiEnterprise Subscription and Delivery, Yubico customers have the flexibility to accommodate hiring surges and focus on the busy season ahead. 

With YubiEnterprise Subscription, organizations can seamlessly add users midterm to existing subscriptions. Benefits also include the ability to replace or upgrade 25% of your user subscription with new YubiKeys, which can be leveraged to accommodate employee churn, lost keys, or support an influx of seasonal workers. With these options, added users can quickly receive YubiKeys via YubiEnterprise Delivery. 

If you’re looking for an easy, flexible solution to improve your organization’s security landscape, let YubiEnterprise Services own the logistical difficulties. Work with your Yubico sales representative to set up your YubiEnterprise Delivery console with your YubiKey order today. 

For a limited time only, any qualifying Yubico customer that purchases a 3-year YubiEnterprise Subscription with prepayment before June 26, 2020 will be eligible for free YubiEnterprise Delivery shipments within the US and Canada until September 30, 2020.

For terms and conditions, as well as YubiEnterprise Delivery pricing details, please visit our YubiEnterprise Services page.

To learn more about the business advantages of YubiEnterprise Services, view the on-demand webinar, YubiEnterprise Services: Hardware Authenticators as a Service.

Camila Brindis

Password Management: Securing Businesses with Small, Yet Mighty Teams

Now more than any other time in history, businesses are working remotely. Going virtual, while enabling collaboration and helping to maintain regular business operations in these trying times, introduces a fair amount of challenges.   

Data shows that businesses with smaller teams have been increasingly targeted by hackers and cybercriminals in recent years. In fact, about one third of the 850 global businesses in this study report suffering a cyberattack in the last year.  

Poor password hygiene in the workplace continues to be a problem. Data shows that employees consistently set basic, formulaic, and recycled passwords that can be easily exploited.  For any organization, this poses a security risk, and can lead to a loss of money, draining of IT resources, and a damaged brand. Businesses adapting to remote working infrastructures should prioritize password best practices to enable their newly remote teams to work efficiently and securely.  

So what’s the first step?  A fast and affordable way to ramp up security for a small yet mighty team is with a password manager. Password managers mitigate the inherent challenges of memorizing dozens of complex passwords by storing users’ passwords in an encrypted vault. Additionally, password managers can generate unique and extremely strong passwords for each online account and service.  

The next step is to enable YubiKey two-factor authentication (2FA) on your password manager to ensure that the passwords in your vault are protected by a physical key, regardless of operating system. The YubiKey delivers the strongest, hardware-based defense against phishing and other threats leading to account takeovers. The combined solution of a password manager and a YubiKey is an easy way for businesses to bolster account login security—no matter the size of their team. 

At Yubico, we take pride in our ecosystem of technology partners, a number of whom are password managers and services that advocate for better password management. 

“The workplace is changing more rapidly than we ever imagined, and this brings new security considerations. To keep a tight grip on who can access, amend, and share your data stored using the cloud, it’s best to use a password manager like 1Password in combination with multi-factor authentication.”

— Matt Davey, COO, 1Password

“At Bitwarden, we empower individuals, teams, and organizations to store and share sensitive data easily and securely. We are proud to partner with Yubico to build a strong security foundation for our users.”

— Gary Orenstein, Chief Customer Officer, Bitwarden

“Our world and workspaces are changing fast due to the current crisis. Private devices are now used for work, which leaves user credentials at risk and in need of protection. With a smart password manager protected with a YubiKey, you keep important and confidential company data secure.”

— Sergej Schlotthauer, VP Security & Strategic Alliances, Matrix42

“Don’t give attackers a single target. Use a different password everywhere, a different email address, or alias with subscriptions, and protect your accounts with a hardware authenticator. Your other accounts won’t be at risk in the event one account is compromised.”

— Ricardo Signes, CTO, Fastmail

As your business transitions to an increasingly remote working environment, consider investing in a password manager plus the YubiKey for easy to use, hardware-backed 2FA. Want to learn more? Watch our roundtable Q&A with 1Password to hear expert insights and best practices on effective password management.

Yubico Team

Star Wars Day Promo: May the 4th Be With You!

You don’t have to travel to a galaxy far, far away to find a more wretched hive of scum and villainy. Sadly, our world is facing an ever-growing number of phishing attacks from data smugglers (work with us here). But there is hope. A new force has awakened…

You.

And you’re armed with this… a YubiKey. The YubiKey is the spark that’ll light the fire to bring an end to account takeovers. With it, you are a security Jedi with the power to prevent attacks with just the touch of your finger.

As the weapon of choice for a security Jedi, the YubiKey is not as clumsy or random as SMS or mobile apps. Rather, it’s an elegant tool for a more civilized age – this is the way.

To celebrate Star Wars Day, we’re including a limited-edition galactic YubiStyle cover with any qualifying YubiKey purchase made on our e-commerce store during May the 4th.* Armed with this unique YubiKey, you will restore balance to your digital accounts, but hurry, these will be gone faster than light speed. To make a purchase, visit the Yubico Store.

May the 4th be with you!

*Promotion is valid for all purchases including a YubiKey 5 NFC, YubiKey 5C, Security Key by Yubico, or Security Key NFC by Yubico. Offer begins at 12:01am PT on 5/4 and ends at 11:59pm PT on 5/4.

Sebastian Elfors

YubiKey secures remote workers during COVID-19 as government-approved alternative to PIV and CAC cards

In the matter of just one week, Google reported that it saw more than 18 million daily malware and phishing emails related to COVID-19. That’s an astonishing number, and one that is not likely to slow down any time soon. 

For organizations across the globe, it is imperative to quickly, securely, and affordably fill existing security gaps to effectively support remote workers. For government agencies, the stakes are even higher. It is critical to protect and sustain our government infrastructures in a time when many citizens are relying on these services more than ever before. 

Preventative measures against phishing are not new, but scaling them quickly across an organization is. This is uncharted territory for many government agencies, and the Personal Identity Verification (PIV) and Common Access Card (CAC) authentication infrastructure lacks the convenience and flexibility required to support a rapid shift to remote work environments. While PIV and CAC set a high bar for security, they rely on in-person identification to issue credentials — an impractical requirement when servicing droves of new remote workers or renewing recently expired credentials. 

US government releases guidance on securing remote workers

Recognizing the immediate need for increased security without disrupting productivity, the United States White House Office of Management and Budget (OMB) released a directive for the broader government. The memo acknowledges three main points: 

    1. Not all agencies may be able to issue PIV credentials during the time of remote work.
    2. Agencies are directed to use the breadth of available technology capabilities to fulfill service gaps and deliver mission outcomes. 
    3. Agencies should be prepared to issue an alternate credential or authenticator for physical and logical access.

YubiKey approved as PIV alternative for strong authentication 

For federal entities, we know that this means finding applications and solutions — like the YubiKey — that already have the government seal of approval and a federal terms of service agreement to enable rapid and seamless deployments. 

“A FIDO security key can help bridge the gap,” explains Jeremy Grant, Managing Director of Cybersecurity at Venable, and former Senior Advisor to the Obama Administration’s National Strategy for Trusted Identities in Cyberspace. 

“Much like the PIV card, FIDO security keys leverage public key cryptography for authentication, which can’t be phished — an important benefit at a time when we’re seeing an explosion of COVID-related phishing attacks,” continues Grant. “Agencies can mail FIDO security keys directly to employees needing strong authentication, and because they work via USB and NFC, they don’t require a specialized reader as PIV cards do.”

FIDO security keys are one of three government-approved alternate authenticators, according to the Department of Defense. This guidance was released as early as 2018, demonstrating that the US government recognized the need for agile, adaptable, and affordable security solutions well before COVID-19. 

Global governments recommend multi-factor authentication to protect remote workers  

Efforts from the US government are underscored by similar initiatives by many other leading government agencies around the world. For example, the British NCSC (National Cyber Security Centre) and the European Union Agency for Cybersecurity (ENISA) both issued guidance on best practices to secure citizens and employees working remotely, and strongly recommended multi-factor authentication (MFA) as a top priority. 

For more information on the YubiKey as a federally-approved authentication solution, tune into our latest on-demand panel webinar with Danelle Barrett, former US Rear Admiral, and Director Navy Cyber Security and Deputy Chief Information Officer. 

Additionally, read how FIDO2 is aiding eIDAS (electronic identification, authentication and trust services) as the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States.

Guido Appenzeller

3 reasons to use Yubico Authenticator on desktop computers

Did you know that the Yubico Authenticator app is available for desktops as well as mobile devices? Today, we are excited to announce the support of the Yubico Authenticator desktop versions on their respective platform stores (Mac App Store, Microsoft and Snapcraft). 

Achieving strong protection with authenticator apps  

Authentication mechanisms today need to be highly secure, usable and portable, and these are the exact same principles we used to build Yubico Authenticator. Similar to other authenticator apps, Yubico Authenticator generates a one-time code used to verify your identity as you’re logging into various services. However, unlike other authenticator apps, the secrets are stored in the YubiKey rather than in the app itself, making it necessary for a user’s YubiKey to be physically present to receive the time-based codes. 

Because secrets are stored on your YubiKey, if you change phones or laptops, there is no porting or re-registering of accounts required, regardless of operating system. Furthermore, the secrets cannot be stolen from the hardware key. 
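To make the split described above concrete, here is an added example in Go (my own model, not code from Yubico or the OATH applet that runs on the YubiKey). The time-based codes the post refers to are OATH TOTP (RFC 6238, built on RFC 4226 HOTP). The `Token` type stands in for the hardware: it holds the shared secret and the only thing it answers is "the code for this counter value". The `HostApp` type stands in for the desktop or phone app: it knows the clock and the 30-second step but never sees the secret, which is why switching laptops needs no re-registration. `Verify` is the service side, which keeps its own enrolment copy of the secret and tolerates one step of clock drift. The type names and the demo seed (the RFC 6238 test seed) are my assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Token models the hardware side: the shared secret lives only here, and the
// only operation exposed to the host is "give me the code for this counter".
// (Added example; the real YubiKey OATH applet is not this code.)
type Token struct {
	secret []byte
}

func NewToken(secret []byte) *Token { return &Token{secret: secret} }

// CodeForCounter is RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamic truncation to 31 bits, then reduction to the wanted digits.
func (t *Token) CodeForCounter(counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, t.secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// HostApp models the authenticator app on the desktop or phone: it knows the
// clock and the time step (RFC 6238) but never holds the secret.
type HostApp struct {
	Step   time.Duration
	Digits int
}

// Counter maps a Unix timestamp to the TOTP time step.
func (h HostApp) Counter(unix int64) uint64 {
	return uint64(unix / int64(h.Step/time.Second))
}

// CodeAt asks the token for the code valid at the given Unix time.
func (h HostApp) CodeAt(tok *Token, unix int64) string {
	return tok.CodeForCounter(h.Counter(unix), h.Digits)
}

// Verify is the service side: it holds its own copy of the secret from
// enrolment and accepts the current step plus "window" steps either side to
// absorb clock drift, comparing codes in constant time.
func (h HostApp) Verify(secret []byte, code string, unix int64, window int64) bool {
	tok := NewToken(secret)
	now := int64(h.Counter(unix))
	for step := now - window; step <= now+window; step++ {
		if step < 0 {
			continue
		}
		if hmac.Equal([]byte(tok.CodeForCounter(uint64(step), h.Digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the RFC 6238 test seed, 6-digit codes, 30 s step.
	secret := []byte("12345678901234567890")
	tok := NewToken(secret)
	app := HostApp{Step: 30 * time.Second, Digits: 6}
	now := time.Now().Unix()
	code := app.CodeAt(tok, now)
	fmt.Println("code:", code, "accepted by service:", app.Verify(secret, code, now, 1))
}
```

The point to take from the model is which side holds what: the service and the token both hold the secret, the app in between holds nothing but a clock, so losing or replacing the app exposes no secret and needs no re-enrolment.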

Yubico Authenticator advantages for desktop users

With recent availability of Yubico Authenticator on the Mac, Windows, and Linux app stores, we are able to seamlessly deliver the same security, portability and usability benefits of the product to desktop users. Besides simplifying and accelerating the authentication experience across many services and platforms, Yubico Authenticator for desktop carries specific advantages. It enables two-factor authentication (2FA) across unique environments including: 

Desktop VPN authentication 

Yubico Authenticator for desktop enables seamless VPN integrations by generating one-time codes for desktop VPN clients such as Cisco AnyConnect, Pulse Secure, or AuthLite. With the recent influx of remote workers, this is particularly useful in helping to secure employees who are working from home. 

Mobile-restricted environments 

Not all corporate setups allow for the use of mobile devices, making it impossible to use mobile-based authentication methods such as SMS or authenticator apps. Since Yubico Authenticator stores secrets on the YubiKey, users are able to generate the same time-based codes that would be on a mobile device on the desktop instead. This is particularly advantageous for corporate setups where mobile devices are restricted, such as call centers or doctors’ shared devices. 

Multi-device sign in 

A recent Ponemon Institute survey found that individuals use an average of 5 devices to access online accounts. With a YubiKey and Yubico Authenticator, the same secrets are accessible on desktop computers as well as mobile devices. This makes it easy to authenticate without needing to re-register every service with the authenticator app on different platforms. 

Setting up Yubico Authenticator for desktop 

Simply download the app for Windows, macOS, or Linux depending on the machine you’re using. Open the app, insert your YubiKey, and begin adding the accounts you wish to protect by scanning the QR code provided by each service. Yubico Authenticator is also available for download on iOS (iPhones and iPads) and Android operating systems. 

Now you’re all set! Start using the Yubico Authenticator app and your YubiKey to securely log in to your services, with the YubiKey serving as the second factor. 

For added convenience, head over to the Yubico store to pick up a YubiKey 5Ci for seamless authentication across desktop and mobile devices!  

Yubico Team

Top Yubico Partners to Modernize your Workplace Login

The workplace is evolving and expanding well beyond the four walls of a corporate office, and with this expansion comes new questions about how to secure employee login. In 2019, fifty-one percent (51%) of IT professionals said their organization experienced a phishing attack, making it urgent for organizations to identify solutions that employees can use to access critical workplace systems and data while staying safe from rising attacks.

As your organization is on the path to modernizing workplace login, security at the individual user level is more critical than ever. Secure login is fundamental to preventing unauthorized access, and when done really well, results in: 

Through our extensive partner network, Yubico offers organizations a broad range of choices in the way users can securely log into their workstations and computers. Whether aiming for a cloud-first or hybrid environment, strong authentication can be implemented to protect access everywhere, all based on the systems users need to access.

Last month, we shared 5 ways the YubiKey can protect your remote workforce from phishing and other attacks. This month, we are featuring five of our partners to share tips on how our joint technologies can enable your organization to modernize the login experience to desktops and laptops as well as cloud-based apps and services. 

Intercede

“Strong authentication is fundamental to modernizing the workplace. YubiKeys provide seamless multi-factor authentication (MFA), while systems like MyID give IT teams the control they need to issue and manage YubiKeys simply and at scale.” – Allen Storey, Chief Product Officer, Intercede

Microsoft

“The best experience you can give your users is one that doesn’t require them to learn new ways or new habits. Rather than distributing new usernames and passwords, you can leverage the credentials they already use to sign in to their devices.” – Sue Bohn, Director of Program Management, Microsoft 

OneLogin

“MFA doesn’t have to be difficult. OneLogin’s Trusted Experience Platform enables users to leverage WebAuthn with hardware-backed YubiKey MFA for access to enterprise apps and services. With our integration, companies can reduce MFA friction with OneLogin SmartFactor, and increase their overall security posture.” – Brandon Simons, Director of Product Management, OneLogin

SecureW2

“By partnering with Yubico, we’re making it easy to deploy the YubiKey as a smart card using our onboarding software plus PKI Services to secure app authentication, VPN, desktop logon, and more.” – Tom Rixom, CTO, SecureW2

Bottom line: Organizations undergoing digital transformation require modern, secure, and flexible authentication approaches to protect critical data. Whether you’re considering MFA by adding another layer of protection on top of a username and password, or potentially replacing passwords altogether, the multi-protocol YubiKey is equipped to handle it all. 

Join our upcoming partner roundtable discussions to hear expert insights and best practices on modernizing workplace login. Use the links below to sign up now! 

 

Stina Ehrensvard

Staying safe in our physical and digital worlds

Most of our lives are now connected on the internet. We stay in touch with our loved ones, order food, talk to our doctors, do our banking — and now, many of us also work from home. 

We are all facing challenges we did not predict a few weeks ago. Never before has our society been more dependent on the internet, and never before have people been more vulnerable. Each individual is now exposed to more phishing attacks and we are seeing a new wave of cyber threats capitalizing on the fear surrounding the pandemic.

While hero first responders and doctors are fighting for lives attacked by a biological virus, the global IT security standards community is doing its best to protect us in the digital world. The human body and the internet are both amazing complex structures that will always be attacked, but we are resilient. 

Last year at BlackHat USA, the conference issued its annual 2019 Black Hat USA Attendee Survey, in which one question asked what cybersecurity technologies have been most effective for data security and privacy online. The response was clear: multi-factor authentication (MFA). MFA was the highest ranked security tool for protecting enterprise data, with 82% of respondents citing it as effective. 

History has shown that if we come together and collaborate on solutions, we can invent cures. During the last decade, our team at Yubico has worked closely with internet giants and open standards bodies, and together we invented the best authentication solutions to prevent remote account takeovers: FIDO U2F, FIDO2 and WebAuthn. See the stats below, or read the full research here. 

Since a few weeks ago, most of the Yubico team is working from home, but we have been fortunate to continue to serve our customers, partners and developer community around the world. Moving ahead, we are committed to help make the world safer by continuing to contribute to open security standards, and providing free open source tools and support for technology that makes a difference. We will also continue to donate YubiKeys to non-profit organizations supporting a free open internet and free speech to safeguard security for the world at large.  

Without doubt, the world is in a crisis. But no matter how difficult things get, there is often a way, and through these challenges we can boost our spirits and immune system if we find things that make us smile. A couple of weeks ago, the Yubico team made a short video to explain how FIDO authentication works, which made me smile. I hope it can do the same for you.


Stay healthy and safe. 

P.S. — If you want a dog to look at a computer screen, show cat videos. To learn more about how to secure your remote workers, tune into any of our upcoming and on-demand webinars on BrightTALK.

Chad Thunberg

A CISO’s best advice for protecting a rapidly evolving remote workforce

As Yubico’s Chief Information Security Officer (CISO), I am responsible for the company’s security, risk management, and compliance programs. I have more than 20 years of experience solving complex security scenarios, but I have yet to encounter the unique landscape that we are collectively facing as IT leaders. 

Many of my peers and businesses across the globe are suddenly navigating new security complexities associated with managing a remote workforce — and it’s tough. Not only are IT teams scrambling to establish or scale technical infrastructures that can protect a rapidly growing remote workforce, but employees are also facing their own set of challenges. 

Individuals who have never worked outside of an office before are now working from home; fear, uncertainty and doubt are on the minds of many; and almost everyone is distracted by the influx of news, lack of social connection, or disrupted home routines. The unfortunate reality is that hackers thrive in times of crisis, when the likelihood of human error is in their favor. 

While the state of current events can feel disheartening — even impossible — there are ways for organizations to immediately elevate their remote work security posture while also helping employees to feel supported. The following three areas will provide some immediate benefits to any organization, and will foster a more resilient working environment for everyone as we move forward together. 

Deploy strong authentication technology to secure remote access. 

Strong multi-factor authentication, like the YubiKey, serves an important role in providing an additional level of confidence in a user’s proof of identity. This is especially important with the changes in workflows. Behavioral- and heuristics-based detection controls may not function as well as intended, at least in the near term. Companies will need to rely on preventative measures until their detection systems are re-tuned and adapted.

Additionally, companies should expect to see an influx of social engineering attacks on all employees, but also specifically targeted at support personnel. These individuals are going to be inundated with support calls from employees, and will be working quickly — maybe even around the clock — to resolve issues. It’s the perfect environment to capitalize on user error, and I suspect we’ll see an increase in stolen credentials and hijacked accounts as a result. 

Maintain endpoint security, and plan for increased use of personal devices. 

Without oversight into employees’ work environments, it is necessary to have increased confidence in the endpoints that are accessing the company infrastructure. Environmental factors can pose significant threats, including the unauthorized use of corporate assets by family members or the use of personal devices to access corporate assets. Both of these scenarios can increase the likelihood of a successful malware, ransomware, or phishing attack. 

Using anti-malware or firewall software, strong authentication for computer logins, and simple best practices like frequent software updates or screen locking are critical to maintaining control of endpoints in unsecured work environments. 

Establish backups to address ransomware threats for remote workers.

A remote workforce is more likely to work offline and to store information on both company-issued devices and personal machines. A successful ransomware attack on either may lead to a greater impact on the employee and company. 

Successful recovery will require frequent and automatic backups of that information. Backups should happen seamlessly and not require the user to be connected to the corporate network via VPN.  

One of the main reasons I chose to join Yubico is to help address fundamental security issues facing the world. I believe now more than ever, our mission is critical to help ensure frontline and remote employees can work seamlessly without additional security risks. 

Even after companies begin to reduce their remote workforce and transition back to in-office working parameters, a business continuity plan with these three focal points will provide a sustainable security foundation to mitigate future risk.  

If you’re looking for other helpful tips on securing your remote workforce, tune into our on-demand webinar, ‘5 Ways to Protect Remote Workers From Account Takeover’. Yubico’s Chief Solutions Officer, Jerrod Chong, shares some of the best practices for protecting identity and access management (IAM) platforms, VPN and VDI solutions, computer logins, SSH sessions, password managers, and more. 

Alex Yakubov

The Critical Role of Frontline Workers

I am in awe of how the world is coming together, setting aside our differences and making bipartisan decisions to do what’s right for humanity and to help everyone adjust to a more remote and distanced coexistence. Security professionals, risk and legal officers, operations leads, and finance heads everywhere are working through plans to ensure their employees are supported and safe, all while trying to avoid unintended business consequences down the line. 

At Yubico and Axiad, we know that user groups often vary, including those that can make the shift to work from home, and others — like medical and public safety professionals — that cannot due to the nature of their work. In fact, eighty percent (80%) of the global workforce doesn’t actually sit at a desk. 

The United States Department of Labor reports almost 70 million Americans work in occupations including services such as healthcare practitioners, protective/public safety, food preparation, building cleaning and maintenance, personal care, natural resources, construction, production, shipping, transportation, and more. 

The critical role that frontline workers are playing in today’s health crisis emphasizes the need to enable productivity (like preventing lock-outs due to forgotten passwords), maintain compliance, and eliminate complexity. 

To help navigate top authentication challenges facing frontline workers, Yubico and Axiad are hosting four (4) virtual meetups for security professionals in the NYC, San Francisco, Midwest, and South Central areas. A current Yubico and Axiad customer will also join to facilitate a discussion on handling temporary workers, emergency licensure laws, and other real-world scenarios currently facing many enterprises. 

Attendance is limited, so make sure to sign up today and reserve your spot! 

New York

April 14, 2020 at 10am ET

Midwest

April 15, 2020 at 10am CT

South Central

April 23, 2020 at 10am CT

San Francisco Bay Area

April 28, 2020 at 10am PT

If you aren’t able to make one of these virtual meetups, please contact us and we will be happy to schedule a private discussion around your unique needs. 

Thank you for doing your part to keep the world safe! We are honored that millions trust Yubico to solve their toughest authentication challenges.

 

Ronnie Manning

Top 10 tips from employees for working from home

Recently, remote access has become the new way of working for many businesses and our team at Yubico has also had to adapt to this new reality.  

Last week, we published the first entry in our remote working blog series: 5 ways the YubiKey can protect your remote workforce from phishing and other attacks. Now, with our second blog, we wanted to provide some insight — in a lighter tone during these challenging times — on remote work tips direct from Yubico employees. We asked our team for their top remote working best practices, and summarized the list below. We hope our team’s advice can be useful for anyone working from home. 

Q: How do you successfully work from home?

  1. “Create a work-only space. Whether that be a spare bedroom or a corner in your kitchen. It should be devoid of all other home projects or distractions.”
  2. “Create or buy an ‘On air’ sign to hang on your office door or otherwise display so others in the house know when you need uninterrupted work time.”
  3. “Posture and ergonomics are important. Move around and stretch and take as many walking calls as you can, and if possible outside. Fresh air also gives clarity to the brain.”
  4. “Fuel yourself! Don’t get hung up on work so much that you forget to eat and drink.”
  5. “When possible, use the video when communicating with your teammates. Even though we are working independently, it can make it feel like we’re at the office together.”
  6. “For every 30 minutes spent staring at your screen, look away for at least 20 seconds to focus on something outside your window. Your eyes will thank you.”
  7. “When working at home with cats, be sure to CLOSE your laptop any time you leave it for more than a minute or two, because cats, attracted to the warmth, love to sit on the keyboard.”
  8. “Take advantage of working at home, like taking a couple of minutes to chat with your family or put the laundry in the dryer. Those small breaks sprinkled through the day will make you more productive.”
  9. “Over communicate across all of the teams you are working with, as nuances might be lost when working remotely.”
  10. “Use a YubiKey, or some form of two-factor authentication, whenever and wherever you can to protect your work and personal applications.”

So how are you coping with working from home? What is the best advice you can give? Please join the conversation! Click here to send a tweet with the hashtag #YubiHome (get it?!), and share your advice for anyone who may be new to working remotely. 

For additional information on how organizations are using YubiKey to protect remote workers, sign up for our webinar on March 26, ‘Enabling employees to work securely from home’.

The last few weeks have set new high records of account takeovers and phishing attacks across the globe. At Yubico, we are dedicated to continue to serve our customers and make working from home safer for all. 

 

Alex Yakubov

Diablo Valley College students implement WebAuthn in 24 hours

What do you get when you mix six hundred developers, twenty-four hours, twelve challenges and a mass of cash and prizes? The nation’s largest challenge-driven hackathon, hosted by DeveloperWeek in San Francisco.  

Hackathon participants get just twenty-four hours to create a working proof of concept to solve some of the world’s most pressing problems. Yubico challenged developers with a user-centric approach to security. We were looking for the best integration of strong two-factor, multi-factor or passwordless authentication with the YubiKey to protect sensitive user information. Ten teams took on the challenge, all with excellent use cases and implementations, but we could only nominate one winner. 

This year, Yubico chose FoodHopa as the winner of the 2020 Yubico DevWeek Hackathon Challenge. FoodHopa was born out of the simplest of concepts — how can environmentally conscious college students help reduce carbon emissions and save the world while feeding themselves and their friends, all on a shoestring budget? 

FoodHopa engineers, Michael Winailan & Scott Sunarto

Developed by engineering students Michael Winailan and Scott Sunarto, FoodHopa aims to match restaurants with surplus food to hungry eaters. The idea is that one driver delivers food to one centralized location instead of making multiple deliveries to multiple locations. By bringing eaters together, utilizing surplus food from restaurants, and reducing food delivery to one location, FoodHopa succeeds in reducing food waste and carbon emissions at the same time.  

In just a few short hours, Michael and Scott built a mobile app for party-goers (eaters) and a web app for party hosts (drivers) and restaurant operators. Using a web-based management platform, restaurant operators can log in to the web app using a passwordless login flow with a YubiKey. This was all built on the WebAuthn standard.

When asked why they chose to go passwordless, the savvy students told hackathon judges that a passwordless login flow was important for three reasons:

  • The food and beverage industry experiences high employee turnover rates, and YubiKeys are easy to re-issue to new employees.
  • Inconsistent hourly work schedules make it challenging to remember a complex password.
  • Memorizing complex passwords is hard, which results in weak or shared passwords among coworkers. 

Enabling a passwordless login flow and providing YubiKeys for each restaurant employee that needs to interact with the web app ensures both the restaurant and their customers’ information is kept private and secure.

FoodHopa integrates with WebAuthn and YubiKeys

What’s next for these savvy students? The FoodHopa team hopes to productize their app and take it to the marketplace by implementing credit card payments through their app. By adding strong multi-factor authentication using YubiKeys into their payment flow, they will be well on their way to achieving PCI (Payment Card Industry) compliance.  

Hackathon submissions don’t typically prioritize security—especially when the focus is on building an MVP as quickly as possible. Yubico has increased our participation in hackathons over the past few years in an effort to change that behavior, while also exploring better ways to empower non-security engineers to integrate strong authentication. If you’re hosting an upcoming hackathon and would like Yubico to participate, please let us know at dev-mktg@yubico.com.

Are you interested in integrating security into the products, services, and applications that you’re building? Check out Yubico’s developer website to get started and sign up for the Yubico Developer Program mailing list to be notified of new documentation and resources, as well as get early access to SDKs and new products.

Jerrod Chong

5 ways the YubiKey can protect your remote workforce from phishing and other attacks

In today’s enterprise journey to digital transformation, remote work is on the rise. Advancements in technology make it possible for employees to work from anywhere, but also introduce a new set of challenges for IT departments. Unsecured WiFi networks, unmanaged personal mobile devices, and phishing scams make it easy to steal user credentials and difficult to securely manage geographically dispersed teams. 

While the concept of remote work is not new, it is becoming more prevalent for modern businesses. Recent global events are driving these numbers even higher, making it imperative for organizations to set processes and systems in place that not only secure remote workers, but do so without hindering productivity. We are already seeing hackers taking advantage of the current state of business uncertainty with targeted phishing attacks, making it imperative to develop a business contingency plan that includes protecting the workforce when working remotely. Enterprises need to ask, “Can employees access systems remotely without introducing new risks and vulnerabilities?” 

Enabling multi-factor authentication (MFA) should be one of the top requirements for a work from home policy. The YubiKey 5 Series and FIPS-validated YubiKey Series offer an easy-to-use, durable, and multi-function solution for all employees regardless of device type, operating system, or location. If you’re already using or want to use YubiKeys in your organization today, there are likely several other ways that you could be benefiting from strong hardware-backed authentication. 

With remote and distributed workers on the rise, here are five tips to ensure that your employees are protected from phishing and beyond, with YubiKeys: 

  • Enable MFA for identity access management (IAM) systems and identity providers (IdPs) — The best cloud and hybrid environments leverage IAM solutions to enable employees to work without the hassle of multiple usernames and passwords. Many of the leading IAM vendors offer native YubiKey support, including Axiad, Duo, Google Cloud, Microsoft Azure Active Directory, Okta Workforce Identity, PingID, RSA SecurID Suite, and others. If you’re already using any of these services, you can immediately improve the level of security across your entire organization by simply turning on MFA with YubiKeys.
    • IAM vendors and IdPs can also be used for Single Sign-On (SSO) to other business-critical messaging or video conferencing apps such as Microsoft Teams, Google Hangouts and Zoom.
  • Secure VPN access with MFA — With an increase in remote workers comes an increase in the number of people utilizing a VPN to access the corporate network. Pulse Secure and Cisco AnyConnect can be configured to work with a YubiKey as a smart card (PIV) for remote access. Other VPN applications that offer native support for YubiKeys use the one-time password (OTP) capabilities.
  • MFA for computer login — Whether you’re using a Mac or Windows machine, there are several options for securing your computer login with the YubiKey. One of the most effective ways is to leverage the smart card functionality of the YubiKey, and use the key in addition to a PIN, to lock down access to a computer. Most recently, Yubico has been working very closely with Microsoft to enable native YubiKey support in Microsoft Azure Active Directory for a FIDO-based passwordless login experience. It is now available in public preview for hybrid environments as well.
  • Step up authentication for password managers — If you are like the majority of respondents in a recent Ponemon Institute report and are still making your employees manage passwords with sticky notes and human memory, then it’s time to ditch that plan fast. Remote workers or not, your employees need a simple and safe way to create, store, and manage passwords. The YubiKey integrates with several enterprise-grade password managers including 1Password, Dashlane, Keeper Security, LastPass, and more.
  • Use a YubiKey to generate time-based one-time passcodes — Many of the services or applications you’re using internally may support time-based one-time passcodes (OTPs) — such as those from Google Authenticator or Authy — as a two-factor authentication method. Did you know that you can actually replace those authenticator apps with the Yubico Authenticator application and a YubiKey? Instead of the one-time passcode secrets being stored within a mobile device or computer, they are stored in the YubiKey. This allows users to generate the OTP codes within the app by inserting or tapping the YubiKey to a device. Yubico Authenticator is compatible with iOS, Android, PC and Mac.

For additional information on how organizations are using YubiKey to protect remote workers, sign up for our March 26 webinar on Enabling employees to work securely from home.

On behalf of all of Yubico, we’re committed to making secure login easy and available for everyone. To discover more YubiKey use cases, check out our solutions page. If you have questions about deploying YubiKeys within your organization, please contact us for more information.

Stina Ehrensvard

Why we designed the YubiKey the way we did

The first YubiKey was launched in 2008, inspired by the word ‘ubiquity’ and with the mission to make simple and secure logins available for everyone. At the time, we were less than 10 people in the company, but our strategy was simple: if we focused on further developing the YubiKey technology in close collaboration with a handful of tech giants, we could help make the internet safer for all.  

Today, 12 years later, we are closer to this goal. Since Yubico released the first-ever FIDO security key in 2014, all leading platforms and browsers have added support for the YubiKey and the FIDO and WebAuthn standards that we pioneered. A growing number of FIDO-compatible authenticators have also entered the market, including those that are built into computers and phones — which is how we envisioned it. More organizations adopting the standards will continue to grow the ecosystem, and also benefit YubiKey users.

There may never be one silver bullet for all authentication needs, but the YubiKey is designed to cover as many use cases as possible. The current YubiKey product line is a direct result of continuous innovation and collaboration with our customers, partners and users to achieve the highest levels of security, usability and durability. Below is a high-level summary of the design and production choices Yubico has made and why. 

An external authenticator minimizes the attack surface

FIDO authenticators are now being integrated directly into phones and computers, which will be great for growing adoption among consumers and a long tail of use cases. However, these multi-purpose components also come with a larger attack surface and potential security risks such as the Intel Spectre issue.

Security experts for both the physical and digital world agree that minimizing the attack surface is critical for a stronger defense. To improve security for online accounts, we created the YubiKey as an external authenticator that is solely focused on authentication and encryption, and is not tied to the internet. In comparison to built-in authenticators, the YubiKey is also made to function without batteries, work across all computers and phones, and be an affordable cross-device root of trust. 

Small devices reduce environmental footprint

The YubiKey is designed to last: a solid monoblock design, no batteries, no moving parts. The most common YubiKey keychain design weighs about the same as a credit card, and we designed all our products and packaging to be as light and flat as possible to help minimize shipping volume and carbon footprint. 

USB and NFC are secure and easy-to-use form factors

Some FIDO authenticators — including phones, computers or security keys — use Bluetooth Low Energy (BLE) communication during the authentication flow. However, Bluetooth was primarily designed for audio, not for security. Though security improvements have been made since the initial BLE specifications were created, there is still a risk of being compromised within a range of a few meters. Additionally, BLE adds complexity for users, which increases the amount of help desk support calls and associated costs.

Research has shown that large FIDO-based user deployments with USB and NFC YubiKeys have resulted in zero account takeovers and a 92% reduction in support calls, with tens of millions in cost savings. 

Secure elements offer strong physical protection

Allowing more people to scrutinize code is generally good for security, but unfortunately, major open source security issues, such as Heartbleed, are also a reality.

The initial YubiKey was built on off-the-shelf USB components. To improve the physical security of the YubiKey, we later decided to build all of our hardware on secure elements, which are also used for chip-based credit cards and passports. Secure elements provide authenticity of origin for the components, and help to prevent a fraudster who has physical possession of a device from extracting or altering the code.

State-of-the-art secure elements do not allow for open source implementations, since these chips are proprietary and restricted in terms of documentation and tools. To safeguard the quality and integrity of Yubico products, our security and engineering teams run continuous internal and third-party security reviews. 

Biometrics and PINs will coexist in a passwordless world

FIDO and WebAuthn will soon help us forget our complicated passwords and replace them with physical FIDO authenticators using strong public key cryptography. These devices will be the first strong factor (what you have), and can be combined with a PIN (what you know) or biometrics (what you are).

Though biometrics offer convenience, a static image such as a fingerprint is not necessarily more secure than a PIN. Later this year, Yubico will launch the YubiKey Bio that will support both fingerprint and PIN. The product will arrive in a slim, robust design and with improved security features compared to what is available on the market today. 

Supply chain matters

Yubico products are manufactured in the US and Sweden. We made this a conscious choice to ensure the integrity of our products. FIDO only certifies interoperability, but currently does not set any security policies or perform product security reviews. Therefore, it is up to users and service providers to choose vendors they trust. 

Authentication continues to evolve

The YubiKey was designed with the future in mind. To enable a seamless path from today to tomorrow, we added both legacy and modern security protocols on a single device. 
To allow one authenticator to work across a wide range of systems, services and applications, the YubiKey supports static password, one-time password (OTP), PIV (smart card), OpenPGP, FIDO U2F and FIDO2. 

Yubico’s new YubiEnterprise subscription model allows businesses to upgrade a percentage of their YubiKeys as new models and features are introduced.

Following our mission to make the internet safer for all

With the growing market of FIDO authenticators, our customers ask us what options to consider. Our general response is to add support for FIDO2 and WebAuthn, try out many of the authenticators available, and then let users’ feedback and deployment statistics guide the decision. With open standards, service providers and users are not locked into one vendor or design option, but can choose to move as the market evolves. 

At Yubico, we will continue to innovate, drive open standards, and focus on our customers to earn market share and long-term trust. 

Ronnie Manning

Yubico continues to win global industry recognition in 2020

We’re just a couple months into 2020 and Yubico has already had the honor of receiving award recognition from several leading organizations for our efforts in developing innovative solutions that address some of today’s most pressing security challenges. 

Innovation Award for Mobile Accessories, IHS Markit

At CES 2020, Yubico was presented with the Innovation Award for Mobile Accessories by IHS Markit for our industry-pioneering YubiKey authentication technologies supporting NFC (near-field communication), USB-C, and Lightning mobile connections. 

Most Innovative Product, TEISS

At a ceremony in Stockholm in early February, Yubico’s CEO and Co-founder, Stina Ehrensvärd, was awarded ‘Business Game Changer of the Year’ by top Swedish businesses for Yubico’s standards work and the company’s vision and execution to modernize hardware authentication. To quote the panel of judges: “The winner has infused courage in its own organisation to contribute to a solution for one of the biggest problems in our modern society: stolen login credentials. In close collaboration with the tech giants, her company has developed a new global internet security standard for securing access to online services for millions of people around the world.”

On February 12, at The European Information Security Summit (TEISS), Yubico and the YubiKey brought home the Most Innovative Product or Service of the year award. And most recently, heading into RSAC 2020, Yubico was again honored to be included in several award nominations for both our company and executives. 

Industry Changemaker, Microsoft

At the first-ever Microsoft Security 20/20 event this past Sunday evening, Yubico was awarded ‘Identity Trailblazer’, and Stina took home recognition as ‘Industry Changemaker’ for demonstrating excellence in innovation, integration, and customer implementation with Microsoft technology. These honors, presented by Microsoft, speak directly to the strong collaboration between our companies, and our joint efforts to replace weak passwords with strong, cryptographic passwordless authentication. 

Identity Trailblazer, Microsoft

“Solving our mutual customers’ security challenges is very much a team sport,” said Andrew Conway, General Manager, Security Product Marketing, Microsoft Corp. “We are pleased to recognize these leaders in the ecosystem at Microsoft’s inaugural security awards.”

We truly thank our fans and users who have been with us on this awesome journey. This industry recognition would not be possible if it wasn’t for the tireless work from every Yubico employee, and our amazing customers and supporters.

Ronnie Manning

Passwordless login, YubiKey 5C NFC, YubiKey for RSA SecurID® Access, and more at RSAC 2020

The annual RSA Conference never disappoints with the rush of exciting sessions, new products, and innovative demos. Yubico looks forward to this event every year, and today, we are kicking off our presence at RSAC 2020. Are you attending? If so, we’d love to see you. Stop by Yubico’s booth (S-3103), catch our speaking session, and visit some of our partners to learn how we are working together to solve today’s complex authentication and security challenges.

RSAC 2020 YubiStyles

Visit our booth (just look for the big, green Yubico column) to see the YubiKey in action, learn about our new YubiEnterprise services and partner integrations, and experience the simplicity of passwordless and mobile logins. We’ll also be discussing what to expect from Yubico’s product roadmap, including our upcoming YubiKey 5C NFC. And be sure to grab an exclusive YubiStyle cover, designed specifically for RSA Conference attendees, to personalize your YubiKey.

YubiKey for RSA SecurID® Access

Look for Yubico’s Chief Product Officer, Guido Appenzeller, who will be discussing Cloud & Modern Workforces with other thought leaders during a Fireside Chat on Tuesday, February 25 at 3:00pm, at the RSA booth theatre (N-5845) in the North Hall. 

Additionally, RSA and Yubico’s FIDO-based authentication solution for the enterprise, YubiKey for RSA SecurID® Access, is expected to be generally available on March 9, 2020 for current and prospective RSA customers. Organizations of all sizes can purchase an enterprise-grade identity assurance platform and authentication solution to streamline company-wide deployments. A live demo of the YubiKey for RSA SecurID® Access will be available at the RSA booth, and more information is available on RSA.com/start.

Works with YubiKey stand

Along with RSA, you’ll recognize many other Yubico partners on the show floor featuring a “Works with YubiKey” stand. If you spot one, be sure to stop by to say hello and see a demo of their YubiKey integration and enterprise use cases. Exhibiting partners include:

If you’re not attending the RSAC this year, but have interest in any of the information mentioned above, please get in touch with us! Additionally, you can sign up for our newsletter to get the latest in Yubico news, updates, and important announcements. 


Ronnie Manning

Yubico releases 2020 State of Password and Authentication Security Behaviors report

Today, Yubico released its second annual State of Password and Authentication Security Behaviors Report, conducted by Ponemon Institute. The study surveyed 2,507 IT security practitioners in Australia, France, Germany, Sweden, the United Kingdom, and the United States, as well as 563 individual users.

Last year’s report strictly focused on IT security professionals and their password and authentication behaviors and beliefs, so in this year’s report we were curious to see if any of these habits improved. Additionally, we wanted to see how their security practices or preferences compared to the individual users — employees and customers — that IT professionals are serving. 

Ultimately, we discovered that both IT practitioners and individuals are engaging in risky security practices. Password problems continue to prevail, two-factor authentication (2FA) lacks adoption, and mobile use introduces a new set of security challenges and complexities. 

What’s also interesting about this year’s report is that we can see the gaps between the solutions and technologies that IT security respondents are implementing, and the preferences from individual users. 

These findings underscore the need for easy-to-use and highly-secure solutions for IT professionals and individual users to reach a safer future together. The good news is that we are well on our way with the growing adoption of FIDO and WebAuthn open standards. Today, WebAuthn is supported in all major platforms and browsers, bringing the benefits of security keys and the promise of passwordless login to millions around the world — two solutions that both IT and individual respondents rated as desirable. 

See our infographic below for a high-level view of some of the most salient findings. 

To download the full research report and infographic, please visit yubico.com/authentication-report-2020. To learn more about cybersecurity trends on the path to digital transformation, sign up for the upcoming Yubico webinar on March 18 at 10 a.m. PST.

Guido Appenzeller

Newly available YubiEnterprise Services make it easy for organizations to streamline YubiKey procurement and delivery

Today marks a milestone in Yubico history. For the first time ever, we are now offering a service-based solution for enterprises in need of a simple and efficient way to purchase and deliver YubiKeys at scale: YubiEnterprise Services. 

Until now, enterprises have struggled to effectively and easily implement YubiKeys across an entire organization, leaving many gaps in security. With YubiEnterprise Services, companies will be able to eliminate the logistical, budgetary, or planning challenges associated with achieving company-wide security with YubiKey authentication. These added benefits continue to deliver on Yubico’s mission of making strong authentication accessible to everyone.

YubiEnterprise Subscription and YubiEnterprise Delivery are the first two services offered, initially to customers in the US and Canada, with a phased rollout in Europe and other regions. YubiEnterprise Subscription is available today, and YubiEnterprise Delivery will be available Q2 2020. Key benefits include: 

YubiEnterprise Subscription 

  • Improved cost efficiencies — Businesses with a minimum initial purchase for 750 users or more can subscribe to a 3-year or 1-year license on a per-user basis, lowering the overall cost to entry for the industry-leading authentication solution. With the grouping of YubiKeys into tiers, customers have the flexibility to choose YubiKeys at the time of fulfillment.
  • Predictable spending — With a per-user pricing model versus per-key pricing model, IT departments don’t need to worry about how many YubiKeys they’ll need over a certain period of time. They only need to consider how many users require support. This allows organizations to better plan and experience predictable spending. 
  • Flexible YubiKey upgrades — Similarly, IT departments do not need to determine which YubiKey models will best support their growing authentication needs. Customers can choose the YubiKeys that suit their needs today, and can easily upgrade their devices to the newest form factors in the future, such as the upcoming YubiKey 5C NFC or YubiKey Bio.

YubiEnterprise Delivery 

  • Streamlined shipping, tracking, and delivery — Customers can request single or bulk YubiKey shipments directly to end-users at any time. Yubico maintains the customer’s YubiKey inventory, validates addresses, automatically calculates shipping costs and applicable taxes, and notifies administrators and end-users with tracking information. Delivery services are automatically calculated and deducted from customers’ prepaid shipping credits with Yubico. 
  • Consolidated visibility into product inventory — With access to a self-service administrator console, customers can easily gain visibility into YubiKey inventory, access shipping statuses, and generate reports all in one centralized location. The console is available through Yubico’s user interface, or can be directly integrated into existing IT software using public APIs. 
  • Cost-efficient outsourced logistics — Enterprises can reduce the costs typically associated with managing YubiKey inventory. Not only can customers continue to buy YubiKeys in bulk at a discounted rate, but Yubico handles all shipping, tracking, and delivery services as needed. As a result, this also reduces support cases associated with shipment tracking and notification for end-users. 

For additional details, including access to pricing information and early application for YubiEnterprise Delivery, visit our YubiEnterprise web page.

To learn more about the business advantages of YubiEnterprise Services, sign up for our upcoming webinar, YubiEnterprise Services: Hardware Authenticators as a Service, on February 20 at 10 a.m. PST. 

Guido Appenzeller

What’s new in Yubico PIV Tool 2.0?

New open authentication standards, FIDO2 and WebAuthn, have been getting a lot of attention lately with tech giants like Apple joining industry adoption. As a core creator of these standards, we celebrate these milestones, but our mission here at Yubico is to make a safer internet for all. In addition to driving new open web standards, our teams are also continuously working to support other authentication use cases or needs. 

Today, we released Yubico PIV Tool 2.0. Many large companies and government agencies deploy YubiKeys as a user-friendly alternative to smart cards for public key infrastructure (PKI), and the PIV Tool helps with programming and managing YubiKeys. It allows users to import keys and certificates and generate keys on the device, among other operations. 

If you are an enterprise or individual working with YubiKeys and PKI, the PKCS#11 module of the PIV Tool has a number of new capabilities that may help you with programming and managing YubiKeys. As a result, the 2.0 release is now compatible with:

The new functionality in PIV Tool 2.0 is primarily in the PKCS#11 module (YKCS11). With these new additions, developers can now:  

  • Open multiple parallel PKCS#11 sessions; the module is now thread safe.
  • Receive an attestation certificate for keys stored on the YubiKey PIV interface using standard PKCS#11 function calls.
  • Utilize new padding options for RSA operations, specifically PSS padding for signatures/verification and OAEP padding for encryption/decryption.

The YKCS11 module updates also support a number of new functions to talk to a YubiKey:

  • Encryption – EncryptInit, Encrypt, EncryptUpdate, EncryptFinal
  • Decryption – DecryptInit, Decrypt, DecryptUpdate, DecryptFinal
  • Digest – DigestInit, Digest, DigestUpdate, DigestFinal
  • Signatures – SignUpdate, SignFinal (SignInit/Sign were already supported)
  • Signature Verification – VerifyInit, Verify, VerifyUpdate, VerifyFinal
  • Other Functions – InitToken, GetObjectSize, SeedRandom, GenerateRandom

A complete list of all the supported functions in Yubico PIV Tool 2.0, as well as new YKCS11 attributes, can be found here. Download Yubico PIV Tool 2.0 here, or learn more about the PIV (smart card) functionality of the YubiKey, and its varying use cases.
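As an added illustration (not code from the Yubico PIV Tool project), the Go program below shows in software what the new padding options and the multi-part signing calls listed above mean: a signer that takes data in chunks (the SignUpdate/SignFinal pattern), signs with RSA-PSS, and OAEP encryption/decryption, including the failure cases a mismatched padding mode or OAEP label produces. The in-memory RSA key is an assumed stand-in for a key that would live in a YubiKey PIV slot behind the YKCS11 module and never leave the device.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"hash"
)

// GenerateDemoKey creates a software RSA key. Assumption for this example: it
// stands in for a key generated in a YubiKey PIV slot, which YKCS11 would never
// export; only the public half normally leaves the device.
func GenerateDemoKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// pssOpts fixes the PSS parameters; signer and verifier must agree on them.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// PSSSigner mirrors the SignInit / SignUpdate / SignFinal call pattern from the
// PKCS#11 function list: data is hashed as it arrives and the private-key
// operation happens only once, when Final is called.
type PSSSigner struct {
	key *rsa.PrivateKey
	h   hash.Hash
}

// NewPSSSigner corresponds to SignInit with a PSS mechanism.
func NewPSSSigner(key *rsa.PrivateKey) *PSSSigner {
	return &PSSSigner{key: key, h: sha256.New()}
}

// Update corresponds to SignUpdate: feed one chunk of the message.
func (s *PSSSigner) Update(chunk []byte) { s.h.Write(chunk) }

// Final corresponds to SignFinal: sign the accumulated digest with RSA-PSS.
// PSS uses a fresh random salt, so two signatures of the same data differ.
func (s *PSSSigner) Final() ([]byte, error) {
	return rsa.SignPSS(rand.Reader, s.key, crypto.SHA256, s.h.Sum(nil), pssOpts)
}

// VerifyPSS checks a PSS signature over a complete message.
func VerifyPSS(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, pssOpts) == nil
}

// VerifyPKCS1v15 verifies with the older PKCS#1 v1.5 padding. A PSS signature
// does not verify under it: the padding mode is part of the signature format.
func VerifyPKCS1v15(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// EncryptOAEP and DecryptOAEP show the OAEP option for encrypt/decrypt. The
// optional label is bound into the padding, so decrypting with a different
// label fails instead of silently returning wrong plaintext.
func EncryptOAEP(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, label)
}

func DecryptOAEP(key *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ciphertext, label)
}

func main() {
	key, err := GenerateDemoKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample input, signed in two parts to exercise Update/Final.
	msg := []byte("constructed sample document to be signed in two parts")
	s := NewPSSSigner(key)
	s.Update(msg[:20])
	s.Update(msg[20:])
	sig, err := s.Final()
	if err != nil {
		panic(err)
	}
	fmt.Println("PSS verify:        ", VerifyPSS(&key.PublicKey, msg, sig))
	fmt.Println("PKCS#1 v1.5 verify:", VerifyPKCS1v15(&key.PublicKey, msg, sig))

	ct, err := EncryptOAEP(&key.PublicKey, []byte("session secret"), []byte("piv-demo"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptOAEP(key, ct, []byte("piv-demo"))
	_, badErr := DecryptOAEP(key, ct, []byte("other-label"))
	fmt.Println("OAEP round trip:   ", err == nil && bytes.Equal(pt, []byte("session secret")))
	fmt.Println("wrong label fails: ", badErr != nil)
}
```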

Ronnie Manning

USC journalism students embrace YubiKeys as part of new security training

With Data Privacy Day just around the corner, nothing is a more fitting topic than securing a free and open internet — an internet where thoughts and ideas can all be openly expressed with the assurance that the identities of those sharing are protected and preserved. A particular population that falls into this category, and that closely aligns with our mission here at Yubico, is journalists. 

Journalists are at high risk of targeted cyber attacks, and security and privacy are critical to the safety and livelihood of many of these individuals. Today, we’re excited to announce that Yubico and Freedom of the Press are joining forces once again to deliver digital security training and resources to University of Southern California (USC) Annenberg School for Communication and Journalism students — the first education initiative of its kind. 

The training curriculum, jointly developed by USC Annenberg and Freedom of the Press, will teach students how to identify the common cyber threats in a newsroom and what security practices to employ. Meanwhile, tools like the YubiKey will equip students to defend against rising phishing attacks and credential theft by protecting their email, social media, password manager, and file sharing accounts. As part of the ongoing program, roughly 250 students will receive the same training as part of their mandatory curriculum by the end of the Spring semester. 

We recently sat down with Marc Ambinder, adjunct professor of journalism at USC who is leading the school’s efforts, to get his perspective on the growing importance of security for journalism students like his own. 

Security is a rising concern across all industries. Why do you think this is the first initiative of its kind for journalism students, and what precedent do you hope to set?

The pace of journalism is fast, and the toolkit that journalists must obtain, then apply, and then perfect, in order to be effective is evolving. But the threat landscape has evolved more quickly, thanks in large measure to the platforming of news and our immersion in the digital world. This hits employers too; most journalists don’t receive anything more than a basic standard module even after they graduate journalism school. We aim to give our students not just the tools but an approach that they can use throughout their careers to better secure themselves, their colleagues and their sources.

In your opinion, what are some of the top security concerns that this next generation of journalists needs to be aware of as they enter newsrooms across the country?

Thanks to the ubiquity of metadata — and the relatively easy (and low-cost) ways that malicious actors can track it — and poor digital hygiene practices, a lot of our students’ future colleagues might work in ways that make them less safe. The goal here is to give our students a way to help themselves and help others. My other major concern is that the barrier to entry for harassing, doxxing, and sabotaging journalism is much lower than it used to be, and anyone — a state actor or a troll — can truly wreak havoc by stealing passwords, outing sources, or exposing personal information. 

You’ll be providing the students with various tools during their training, one of which is the YubiKey. Why did you select the YubiKey as a two-factor authentication method, and what unique benefits do you think it offers journalists?

While I can’t endorse specific products, I happen to be a personal YubiKey user myself, so I chose the product because your company was top of mind. Yubico immediately understood the value of what we were trying to do. Using a key for two-factor authentication can be an immediate game-changer in terms of reducing the spear-phishing / phishing threats, which are still a major attack vector. Using the keys makes it much harder for anyone to break into social media and work-product apps that we all use. 

In your eyes, what would qualify as a successful training? In other words, what do you hope the students will take away from this?

I want our students to use the tools that we are giving them, including YubiKeys. I want them to feel the keys in their hands, and then find ways of incorporating them in their daily digital lives. I want them to understand why having a separate key is safer than using SMS authentication methods or another device. 

For more information on how the YubiKey can help protect high-risk individuals, visit our media page.


Fredrik Krantz

YubiKey protects nations: eIDAS and eID projects in Europe

Security has been moving to the forefront of government regulations — and rightfully so. From DFARS to FIPS, PSD2, GDPR, and eIDAS, nations and service providers are being forced to address user security and privacy with a more mindful approach. For years, Yubico has helped organizations like GOV.UK deliver secure authentication options and meet regulatory compliance requirements, and today, we’re seeing this work expand. 

Several European countries are now in the process of deploying modern web authentication, including YubiKeys, for their citizens. This comes in large part due to Yubico’s recent work around the eIDAS regulation (Electronic Identification, Authentication and Trust Services), which was introduced by the EU Commission in 2014 to provide a predictable regulatory environment for secure and seamless electronic interactions in the European Single Market.

During the past five years, the eIDAS regulation has been widely adopted by the EU member states, and several eIDAS-compliant services and schemes have been rolled out across the European continent. However, what continues to trouble eIDAS Qualified Trust Service Providers is how to ensure that users are securely authenticated to their service, so that they get sole control over the remote signature creation.

In order to address this challenge, Yubico has designed a solution whereby FIDO2 can be used to secure access to a remote signing service and give users sole control over the signature creation process. 

Using a YubiKey, FIDO authentication is used for unlocking the signing key and certificate at the service provider.


In addition to securing remote signing solutions, the YubiKey can also be used for national electronic ID-card projects and eIDAS-compliant eID schemes, such as the National Digitalisation Programme at the Faroe Islands. Digital identity is one of four major pillars in the new digital infrastructure and will be launched in 2020.  

Yubico is partnering with Nexus to deliver the eID solution, which will enable all Faroese citizens, above the age of 15, to securely and easily access government and banking services with a YubiKey 5 Series device. The resulting eID scheme will be classified as eIDAS assurance level ‘high’, which allows it to be recognized across all European online services.

“One of the reasons we chose Yubico’s YubiKey is the fact that it is supported on almost all major mobile and desktop platforms and embraced by top internet players, including browser suppliers. In the near term, we see it as an added benefit to our citizens to offer an eID while at the same time offering an easy way to secure their online presence,” said Janus Læarsson, Chief IT Architect, Talgildu Føroya.

The next generation of the National Digitalisation Programme at the Faroe Islands will support FIDO2, the emerging open standard for web authentication, which will allow the YubiKey to be accredited as an eID card. 

Yubico is very active in projects, standardization and cutting-edge technology that are related to eIDAS and national eID projects in Europe. Sign up for our newsletter to stay tuned for more exciting news announced during 2020.

Alex Yakubov

Yubico and RSA team to deliver FIDO-based authentication to enterprises

As more organizations undergo digital transformation initiatives, identity and access management (IAM) is becoming more critical than ever before. IAM sits at the heart of every business, which is why Yubico is excited to announce a new partnership this week at Gartner IAM Summit with one of the longest standing IAM vendors on the market: RSA. 

YubiKey for RSA SecurID® Access

Today, we expand our partnership with RSA with the upcoming availability of YubiKey for RSA SecurID® Access, a joint solution that offers enterprises a new path to modern FIDO-based authentication. 

This partnership will enable current and future RSA customers to purchase an enterprise-grade identity assurance platform and a range of authentication solutions — including YubiKey for RSA SecurID® Access — all from the same vendor, RSA. RSA customers will enjoy a consistent user experience without having to engage multiple vendors to solve their identity management and authentication challenges. 

RSA has more than 25 years of experience in securing and managing complex enterprise IT environments and applications, and Yubico is the pioneer of secure and easy-to-use YubiKey hardware-based authentication. Together, our combined technologies solve the need to secure enterprises and their customers in a scalable way, all while delivering a frictionless user experience. 

“The benefits of bringing RSA and Yubico together are so apparent that customers were engaging both companies prior to the partnership,” said Jim Ducharme, VP Products, RSA Identity and Fraud & Risk Intelligence. “Together, we will combine the secure, robust identity assurance of RSA SecurID® Access with the convenient access and FIDO2 features of the YubiKey. The strategic partnership helps enterprises address the evolving threats and challenges faced by today’s dynamic workforce, from ground to cloud.” 

The initial YubiKey for RSA SecurID® Access offering will have the same form factor as the YubiKey 5 NFC, and is expected to be available for RSA customers in March 2020. Additional form factors are also expected to become available later in the year. 

“Our partnership with RSA demonstrates a shared commitment to protect millions of users from security breaches,” said Jerrod Chong, Chief Solutions Officer, Yubico. “This collaborative effort combines RSA’s long-standing expertise in identity and access management with Yubico’s proven leadership in standards and innovation, to bring forward a unified FIDO-based hardware authentication solution for enterprises, their partners and their customers.” 

As we approach a new year, Yubico looks forward to engaging our strong ecosystem of partners to continue driving value for our users in innovative ways. The better the customer experiences that we can deliver together, the closer we get to securing millions worldwide. 

For enterprises interested in receiving more information on the YubiKey for RSA SecurID® Access, please visit rsa.com/start.

Gartner IAM Summit attendees can stop by the Yubico (#233) or RSA (#104) booths for more information on the benefits of pairing strong YubiKey authentication with RSA SecurID® Access.

Stina Ehrensvard

Native support for WebAuthn and FIDO is finally here on iPhones and iPads

Yubico was founded with the mission of making simple and secure logins ubiquitous. In 2008, we launched the first YubiKey for seamless, one-touch authentication. In 2012, in close collaboration with Google, Yubico’s inventions evolved into the FIDO Universal 2nd Factor (U2F) open authentication standard, and in 2014 it was launched in Gmail and Chrome. In collaboration with Microsoft and the FIDO Alliance, the standard evolved into FIDO2, with the W3C web standards body certifying the standard under the name WebAuthn. 

With each passing year, Google, Opera, Mozilla, Microsoft, and Brave browsers have added support. Now, with Apple adding native support for FIDO and WebAuthn in iOS and iPadOS 13.3, these standards are supported by all leading platforms and browsers. Today, developers can make easy-to-use, privacy-preserving, strong authentication available to all users across all leading platforms and devices.

Here are the highlights of native WebAuthn and FIDO support on iOS:

    • iOS and iPadOS 13.3+ natively support FIDO-compliant security keys, like the YubiKey, using the WebAuthn standard over near-field communication (NFC), USB, and/or Lightning, as appropriate to the Apple hardware being used.
    • Currently, the WebAuthn second-factor use case (the FIDO U2F user experience) is the only login flow that is supported. Security key-based biometrics or PIN (without the use of a username and password) are not supported yet.
    • Web apps via Safari, or mobile apps calling SFSafariViewController or ASWebAuthenticationSession, should work. If a service fails to work, it is likely that the provider is unaware that native support is now available on iOS and needs to update their web flow. Please contact your service provider to request support.

With today’s announcement, Yubico now offers two great user experiences on iOS using a simple tap or a physical connection. Authentication via NFC is supported by the YubiKey 5 NFC or Security Key NFC by Yubico by just tapping the YubiKey at the top of an iPhone (7 and above). Authentication via physical connection is supported by the YubiKey 5Ci by plugging the YubiKey into the Lightning or USB-C port of an iPhone or iPad.

So, what can you do? 

Developers and online services can learn how to rapidly add support, including how to enable native support on iOS. If you are a developer, sign up to join the Yubico Developer Program to be informed on the latest reference documentation, testing tools, and open source servers.

Individuals and companies who want easy, secure access to their daily online accounts — including those in financial, healthcare, and government services — can accelerate adoption by requesting support for YubiKey and WebAuthn.

Today, Yubico is humbled by the many contributions our entire community has made, and would like to extend our utmost gratitude to every one of you that helped bring us one step closer to internet security ubiquity! 

Ronnie Manning

Yubico Authenticator App for iOS Now Supports NFC

Did you know that you can use a YubiKey to protect your online accounts even if a service doesn’t offer built-in support for security keys? That’s right. With the Yubico Authenticator app, individuals can use a YubiKey to secure any service or application as long as it supports other authentication apps as a two-factor authentication (2FA) option. These include Authy, Google Authenticator or Microsoft Authenticator. 

For years, Yubico Authenticator has been available for Windows, Mac, Linux and Android platforms, but not iOS. This changed in October when Yubico released the first Yubico Authenticator for iOS with Lightning support. And today, we’re happy to announce that the iOS app has support for near-field communication (NFC) as well, thanks to Apple’s recent NFC updates.

With today’s news, the Yubico Authenticator app series now works seamlessly across all major desktop and mobile platforms, with full support for Windows, Mac, Linux, Android and iOS. 

So, what’s the difference between using Yubico Authenticator or another authentication app? Instead of storing the time-based one-time passcodes on a mobile phone or computer, Yubico Authenticator generates and stores one-time codes on the YubiKey. A user must present their physical key in order to receive the code for login. This not only eliminates security vulnerabilities associated with a multi-purpose computing device, but also offers an added layer of convenience for users that work between various machines. Yubico Authenticator provides a good balance of usability, security and portability. 

See how it works in the video below. 

To get started with Yubico Authenticator on mobile, download the app from the Apple Store or Google Play.

Additional information on Yubico Authenticator can be found at yubi.co/yubicoauthenticator.

Ronnie Manning

Yubico Reveals First Biometric YubiKey at Microsoft Ignite

Today, at Microsoft Ignite, Yubico is excited to preview the long-awaited YubiKey Bio. It is the first YubiKey that will support fingerprint recognition for secure and seamless passwordless logins, which has been a top requested feature from many of our YubiKey users. 

YubiKey Bio preview device.

The YubiKey Bio delivers the convenience of biometric login with the added benefits of Yubico’s hallmark security, reliability and durability assurances. Biometric fingerprint credentials are stored in the secure element that helps protect them against physical attacks. The result? A single, trusted hardware-backed root of trust delivering a seamless login experience across different devices, operating systems, and applications. With support for both biometric- and PIN-based login, the YubiKey Bio leverages the full range of multi-factor authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications. 

Ignite attendees can see a live demo of passwordless sign-in to Microsoft Azure Active Directory accounts using the YubiKey Bio during Alex Simons’ keynote on Tuesday, November 5.

In keeping with Yubico’s design philosophy, the YubiKey Bio will not require any batteries, drivers, or associated software. The key seamlessly integrates with the native biometric enrollment and management features supported in the latest versions of Windows 10 and Azure Active Directory, making it quick and convenient for users to adopt a phishing-resistant passwordless login flow. 

“As a result of close collaboration between our engineering teams, Yubico is bringing strong hardware-backed biometric authentication to market to provide a seamless experience for our customers,” said Joy Chik, Corporate VP of Identity, Microsoft. “This new innovation will help drive adoption of safer passwordless sign-in so everyone can be more secure and productive.”

Over the past few years, Yubico has worked with Microsoft to help drive the future of passwordless authentication through the creation of the FIDO2 and WebAuthn open authentication standards. During this time, we’ve built YubiKey integrations with the full suite of FIDO2-enabled Microsoft products, including Windows 10 with Azure Active Directory and Microsoft Edge with Microsoft Accounts. Today, we continue on this journey together with Microsoft’s announcement to extend support for FIDO2 security keys, like the YubiKey, to hybrid Active Directory environments. Early next year, enterprise users will be able to authenticate to on-premises Active Directory integrated applications and resources, in addition to providing seamless Single Sign-On (SSO) to cloud- and SAML-based applications.

To take advantage of strong YubiKey authentication in Azure Active Directory environments, please refer here for more information. To stay tuned on product updates and general availability, please join our YubiKey Bio mailing list. 

This blog has been updated with additional information as of November 5, 2019. 

Alex Yakubov

4 security tips: for developers, by developers

As National Cybersecurity Awareness Month comes to an end, our focus turns to what the developer community can do to stay cyber smart all year long. We’ve already talked about access management, and shared tips on how to protect your personal accounts. Today, we offer tips from the Yubico Developer Team to developers looking to up their security game. 

The best way to get started is by securing yourself, then help others. Get a password manager and enable strong two-factor or multi-factor authentication across all your personal and work accounts (read last week’s blog for 10 Steps from Yubico to Protect Your Personal Accounts).

Now, let’s get into some more technical things you can do.

1. Secure your operating and development environments with encryption. You can do this with tools like EgoSecure Data Protection FDE, which provides easy and effective protection for your laptop. The encryption and decryption of data is completely transparent to authorized and authenticated users, which makes the solution simple to use. To enhance security, EgoSecure’s full disk encryption application supports two-factor authentication during pre-boot authentication using the YubiKey.


“We believe hardware-backed multi-factor authentication plays a very important role in cybersecurity because it protects privacy without compromising ease of use.” – Sergej Schlotthauer, Vice President of Security Strategic Alliances, Egosecure (Egosecure is a Matrix42 company)

2. Keep your code signing certificates and data safe by using developer tools that support multi-factor authentication. You can even sign code with the YubiKey by securely storing your code signing certificate on the YubiKey itself. We talk a lot about FIDO, but the YubiKey also supports OpenPGP. Our latest firmware update included a number of enhancements to the OpenPGP implementation including ECC support, attestation, and multiple operations per touch. Read about it here.

3. Extend your security discipline to all of your devices, not just those that touch your corporate network. Attacks are often successful because of a weak point made available through a personal account.


“With the rise of bring-your-own-device programs and remote work, the attack surface has shifted from corporate networks to endpoints. Thus, a modern security strategy must consider all endpoints, including mobile devices.” – Dr. Dominik Schürmann, CEO, Cotech

Here’s a hot tip if you’re building YubiKey support into your product. Cotech provides ready-to-use animations to assist end-users on how to use security keys, and shows the smartphone-specific sweet-spot where NFC works best. With the Hardware Security SDK, Android developers enable strong, hardware-backed YubiKey security leveraging modern authentication protocols, such as Universal 2nd Factor (U2F).

4. Strong authentication doesn’t have to be hard to implement for yourself or your users. Be sure to leverage modern protocols such as FIDO2 or WebAuthn along with a YubiKey. We are constantly impressed by the different use cases brought to us by companies from all over the world. Take, for instance, Gandi. Because domain names are used for websites, email addresses, SSL certificates, and more, they are valuable assets for individuals, organizations, and businesses. Gandi offers two-factor authentication with the YubiKey to make sure only authorized users can access an account.


“Whether they’re working for profit, the common good, or fun, our customers’ projects are tied to their domains. Our job as service providers is to keep them safe. Staying on the cutting edge of security technology is essential to that mission.” – Andrew Richner, Head of Communication, Gandi US

If you’re also serious about integrating security into the products, services, and applications that you’re building, check out Yubico’s Developer website. Sign up for the Yubico Developer Program mailing list to be notified of new documentation and resources, as well as get early access to SDKs and new products. 

Already have a YubiKey? Discover all of the places you can enable it now by visiting our Works with YubiKey catalog. If you don’t have a YubiKey, you can pick one up from our web store or even on Amazon.

Alex Yakubov

Staying safe online beyond national cybersecurity awareness month

Last week, we talked about access management and its role in securing businesses from cyber threats as part of our National Cybersecurity Awareness Month (NCSAM) campaign. Today, we will take you through what’s putting your personal accounts at risk, and share tips from our partners on how to stay better protected.

Let’s start by identifying some of the biggest threats to personal accounts — phishing, SIM swapping, and database leaks.

Phishing

By using fake websites and emails that look genuine, attackers lure you into providing your login credentials, personally identifiable information (PII), and other private data, such as banking and credit card numbers. This is called phishing. These stolen credentials are used to take over your account. From there, an attacker can lock you out and even compromise your other accounts through password reset flows. 

Last year, 51% of respondents in our 2019 State of Password and Authentication Security Behaviors Report said they have experienced a phishing attack on their personal accounts, while 44% experienced one at work.  

SIM Swapping

SIM swap attacks are becoming increasingly common, particularly for individuals with a lot to lose financially. In these scenarios, the attacker poses as the account holder (usually using various pieces of PII they’ve gathered elsewhere) and convinces your mobile service provider that you are switching from your current phone to another phone. Once complete, the attacker can intercept one-time passcodes (OTP) sent to your mobile phone number, which is now associated with the phone in their possession.

Once this is achieved, the attacker can essentially perform password resets on any of your accounts that leverage text-based (SMS) 2FA. In most cases, if you’re using the same email address for all your accounts, then the attacker really only needs access to your email account after the SIM swap. Here’s a real-life example that cost one individual $100,000.

Database Leaks

A database leak occurs when a service provider is breached and the attacker accesses the database of stored user credentials. The information from those databases often ends up on the black market for other attackers to use. There are countless examples of database leaks we could reference (hackers stole one billion Yahoo! login credentials in 2016; the Equifax breach affected 143 million American consumers in 2017). There’s really nothing you can do as the account holder to ensure the service provider is properly storing your password.

You’ve probably been told that the longer and more complex you make your password, the stronger it will be. Sure, long passwords with numbers and symbols are hard to guess, but even the most complex and unique passwords won’t stop attackers when they’ve stolen the account password itself from a poorly protected database. That’s why it’s a good idea to use a different password for each and every account you have. Doing so can limit your risk and exposure in the event a password database of a service you use is breached.

Our Advice

You don’t have to feel defeated or helpless against these attacks, and you can still protect your accounts by simply enabling strong two-factor authentication (2FA) or multi-factor authentication (MFA) across the services you use. There are multiple types of 2FA and MFA — avoid SMS (we explain why here). We believe hardware is not only easy to use, but also stronger, given that these attacks are all remote-based. Using hardware security keys, like YubiKeys, requires physical possession. Since you’re here reading our blog, we recommend you check out the YubiKey and explore all the services that work with YubiKeys.

Most of us have friends or family members in need of basic account security advice. The trick is figuring out how to help without losing them in the details as you watch their eyes glaze over with boredom or confusion. Below, you’ll find 10 steps that any person can take to protect their personal accounts from the attacks we talked about today. If you feel your personal threat model isn’t addressed by this blog, hang tight! More tips are coming!

10 Steps from Yubico to Protect Your Personal Accounts 

1. Get a YubiKey (Hot Tip: We recommend a 2-pack so you have a backup!)

2. Register your YubiKeys with your personal email account(s) (e.g. gmail, Fastmail, Outlook.com or other supported email services)

3. Remove SMS 2FA from your email account(s)

4. Call your mobile service provider, and request a security PIN 

5. Get a Password manager (Hot Tip: You can use your new password manager to store your security PIN from your mobile service provider!)

6. Register your YubiKeys as a second factor for your password manager

7. Store all of your account passwords in your password manager

8. Make sure you reset each account’s password to be unique (Hot Tip: Most password managers have a password generator feature!)

9. Download Yubico Authenticator to all of your devices to use with accounts that support authenticator apps (Hot Tip: Find registration instructions for your favorite services in our Works with YubiKey Catalog!)

10. Enable 2FA/MFA and enroll your YubiKeys on all of your accounts 

Through the years, we’ve developed software and hardware 2FA solutions to better protect users online. We’ve been fortunate enough to forge partnerships with global leaders in password management, browsers and platforms, cloud services, and many more, as part of our Works with YubiKey Program. Check out some awesome tips from our partners below.


“2FA, plus a password manager, is the best way to protect your data. If someone were to learn your password for an account, they’d need that second factor to access it, making account takeover much less likely.” – Jeff Shiner, CEO, 1Password


“Sensitive accounts like banking, email, and social media warrant an additional layer of protection. Having strong, unique passwords for every account is a necessary first step in securing our digital lives.” – Emmanuel Schalit, Co-Founder & CEO, Dashlane


“Cryptocurrency is built on the fundamental promises of security and freedom. To deliver on these promises, people need to be in control of their security, and have the opportunity to choose the measures that suit their needs.” – Mike Rymanov, CEO, DSX


“Don’t give attackers a single target. Use a different password everywhere, a different email address or alias with subscriptions, and protect your accounts with a hardware authenticator. Your other accounts won’t be at risk in the event one account is compromised.” – Ricardo Signes, CTO, Fastmail


“It’s a great time to get cyber-checked. With data breaches becoming more frequent, one of the most basic precautions is to use strong, unique passwords for every account along with 2FA. That is the first step towards protecting yourself against account takeover.” – Craig Lurey, CTO, Keeper

If you don’t see the service you use on our catalog, ask them to implement strong authentication with the YubiKey by tweeting at them to add support.

Guido Appenzeller

Yubico Login for Windows Application Now Generally Available

Today, the Yubico Login for Windows application (formerly Windows Logon Tool) is generally available, providing a simple and secure way for YubiKey users to access their local accounts on Windows computers. Over the past six months, we’ve received valuable feedback from many of our public preview users, and have a clear path forward for ongoing improvements to the application.

The primary benefits of Yubico Login for Windows include: 

    • Highly secure and easy-to-use multi-factor authentication (MFA) for login using local accounts to Windows workstations 
    • Simple configuration for up to 10 individual users 
    • Fast enrollment for backup YubiKeys
    • Easy recovery mechanisms for lost YubiKeys

Yubico Login for Windows is designed to provide strong MFA for logging into local accounts on Windows 7, Windows 8.1 or Windows 10 computers. It is not suited for logging into any of the following accounts: Azure Active Directory (AAD), Active Directory (AD), Microsoft accounts (e.g. username@outlook.com, username@hotmail.com, username@live.com).

While Yubico Login for Windows is now only applicable for securing local accounts, there are other solutions to secure AD and AAD accounts with MFA. Thanks to an ongoing partnership and collaboration between Yubico and Microsoft, YubiKey MFA is also an option for organizations with AAD or AD environments. For computers joined to cloud-based AAD, passwordless authentication with the YubiKey is currently supported in Azure AD preview. For accounts managed by AD, the YubiKey enables authentication as a PIV-compliant smart card (Windows 7+, Microsoft Windows Server 2008 R2+). 

For more information on the Windows login options available with the YubiKey, and to download the current version of Yubico Login for Windows, please visit our computer login tools page. The multi-protocol YubiKey 5 Series or YubiKey 4 Series keys are required for compatibility with Yubico Login for Windows.

Alex Yakubov

National Cybersecurity Awareness Month: shining a spotlight on secure access

October is National Cybersecurity Awareness Month (NCSAM), and here at Yubico, we’re doing our part to raise awareness on the importance of cybersecurity and staying safe online. 

Billions of login credentials and user records are routinely leaked — sometimes in the course of a single year — and can cause significant damage to those who fall victim. By enforcing two-factor (2FA) or multi-factor authentication (MFA), you make it harder for hackers to crack the account. 

We recommend investing in access management platforms, such as Identity Access Management (IAM) and Privileged Access Management (PAM), which enable you to proactively take steps to enhance cybersecurity for your users. In recent years, leaders in IAM and PAM have innovated to deliver high security, without compromising ease of use, to address the challenges of an increasingly online workforce. In doing so, these services implemented support for stronger, more modern forms of user authentication.

In honor of NCSAM, we’ve asked some of our IAM and PAM partners to provide tips for enterprises looking to tackle these challenges. 


Yves Audebert, President and Co-CEO, Axiad IDS

“Validating identities and ensuring trust across every entity that interacts with the enterprise network is vital to business operations. IT leaders will need an agile identity platform that balances risks, compliance, and user experience.”


Robert Freudenreich, CTO, Boxcryptor

“In a time when data is the new instrument of power, citizens need to start defending themselves against the excessive collection of data. Protecting your cloud with zero knowledge encryption is a good starting point.”


Mike Nelson, VP of IoT Security, DigiCert

“With our growing list of connected devices, protecting consumer privacy starts with implementing security fundamentals to ensure that data is encrypted, devices only trust properly authenticated connections, and that code running on each device is secure.”


Sam Srinivas, Director of Product Management, Google Cloud

“Other security controls are virtually irrelevant if an attacker can get through the front door by phishing your credentials. Google was an early adopter of FIDO security keys to provide a defense against the dangers of targeted phishing attacks.”


James Litton, CEO and Co-Founder, Identity Automation

“IAM does more than just help IT staff create user accounts; it enables productivity and provides a solid security foundation by addressing authentication and rights management. IAM must be the core of your security program to effectively secure your data and systems.”


Allen Storey, Chief Product Officer, Intercede

“Cyberattacks affect enterprises and individuals alike. Now is the time for cybersecurity best practices to become standard practices as more step up to deploy strong multi-factor authentication with a credential management system and hardware security keys.”


Greg Keller, Chief Strategy Officer, JumpCloud

“We fundamentally believe that the system is the gateway to securing IT. Focusing on where the work happens—the computer in front of you—allows you to protect not only the security of individuals but also their customers.”


Todd Peterson, Director of Product Marketing, One Identity

“With the steep rise in security breaches caused by threat actors using credential theft, it’s become clear that adding additional factors to the authentication process—across all types of users—can dramatically reduce your risk.”


Matt Hurley, VP Global Channels and Strategic Alliances, OneLogin

“Organizations are looking at ways to better secure their environment and reduce password dependency. Integrating identity management with a strong authentication method makes it convenient for end users to adopt advanced login sequences while enhancing privacy.”


Anirban Banerjee, CEO and Founder, Onion ID

“Securing privileges in a fast paced, changing landscape of applications, servers, containers, and endpoints can be very challenging. We believe that easy yet strong authentication is the cornerstone of an effective PAM strategy.” 


Joakim Thorén, CEO, Versasec

“Breaches are a reality both from outside and within the enterprise. Securing a company’s most vital assets with strong, easily managed two-factor authentication solutions is more than critical – it’s a moral imperative.”

Since 2007, Yubico has driven the development of open standards, and collaborated with hundreds of companies worldwide through our Works with YubiKey Program to bring secure, hardware-backed authentication methods to light.

Discover all the Identity Access Management and Privileged Access Management platforms that enable strong authentication with the YubiKey on the Works with YubiKey catalog. Contact our partners to learn more about their solution.

Wendy Spies - SVP of New Businesses
Stina Ehrensvard

Wendy Spies Joins Yubico as SVP of New Business to Drive YubiHSM Growth

Today, I am excited to share that we have added yet another stellar member to the Yubico leadership team: Wendy Spies. Wendy comes from Microsoft where she most recently directed engineering strategy and business development for cloud and AI to build new products and markets. She will be focusing on similar things here at Yubico in the role of SVP of New Business with an initial focus on YubiHSM. 

Wendy has more than 23 years of experience building everything from payment and hardware solutions to games and software. She has taken seven notable companies from conception to financial exit and has a long and proven track record of driving exponential growth for companies, teams, and products. Her secret? “Working with and hiring folks that are a lot smarter than me, focusing on customer needs, and measuring our success by delivering extraordinary products efficiently.”

It’s safe to say that we are lucky to have Wendy on board, and I am personally excited about the expansion of strong female leadership here at Yubico. Please join me in welcoming Wendy into the YubiFamily. To learn a little more about her background, expertise, and vision for Yubico, here is an excerpt from a recent interview between Ronnie Manning, our SVP of Communications, and Wendy.

What led you to join Yubico? 

Yubico was the right choice for me because each person I met with was clearly in the learning zone. Collaboration is high, and the customer focus is turned up to eleven. 

I believe that every day, one step at a time, Yubico can make the world better through product development, new standards, growing partnerships, and excellent teamwork. In the end, it wasn’t about joining a big or small company, consumer or enterprise — it was about relentless customer focus and knowing that I was joining a team that would always have my back. This is the recipe for making profound, positive change in the world, creating a lot of value, and having a really fabulous time doing it. I hope everyone finds their Yubico.

In your opinion, what makes a team successful?  

Throughout my career, I’ve found that there are two simple criteria that seem to bring the magic at work.

Build a team that 1) you would want to fight the zombie apocalypse with — this takes talent, passion, and opportunity and 2) is relentlessly focused on driving customer value. 

When you bring together talent, passion, and opportunity, you are in the zone nearly every day at work, but that doesn’t always guarantee success. You must also ensure that the team is relentlessly focused on driving customer value. Are these individuals in a learning mode? Do they come from a humble point of inquiry and are they prepared to truly listen when you answer? And are they actively talking about customers and partners?  

When I focus on the customer with a team of folks who have a listening and iterative mindset, we build unique customer experiences, solve wicked hard problems, and create so much value for users. Everyone wins: employees, customers, and investors.

What do you look forward to most during your time here at Yubico? 

I am proud to be part of a team at Yubico that’s securing the net for everyone and everything. We know that the only way we can do that is to make security truly easy to use. 

I look forward to the passwordless future we are building. I look forward to working across boundaries to solve some of the hardest problems of the internet. I look forward to no longer hearing stories about good folks getting their accounts hacked because passwords stink, and because hackers continue to have more resources than we do. I look forward to no longer hearing stories about devices and data being compromised because solutions are so complex that it is almost impossible to think of all of the threats, and even more impossible to remove them. And lastly, I look forward to the day when everyone can believe and see that security and usability can live together hand-in-hand. Strong vision. Clear plan. Sustained effort.

What do you see as the biggest market opportunity for the YubiHSM product line and how do you envision driving its growth?  

I see the YubiHSM as a natural extension of our YubiKey product line for devices and data. As a lot of folks know, anywhere a key is stored and even remotely available for others, it is at risk of being stolen — either by people on the inside of an organization, or sometimes even on the outside. The YubiHSM is a portable, low-cost solution. It can help with everything from code signing and protecting API calls to securing root of trust for something as complex as industrial IoT environments, something as legacy-bound as physical infrastructure (e.g. reactors and dams), and something as simple as cold wallets. While a few other solutions like secure enclaves and SGX could be used to solve this problem, YubiHSM provides protection for your keys in hardware that is physically isolated from operations on the server, creating yet another layer of security. This layer of security, combined with a simple, small attack surface form factor, can make it easier to adopt this technology without breaking the bank. 

When you’re not busy changing the world and driving businesses and teams toward success, what do you do for fun? 

I love to engage in activities that require such deep concentration that I cannot possibly worry about the problems of the world or what to make for dinner. This ranges from the beautiful shared moments with my family playing board games to spending time early in the morning in my tiny garage throwing heavy weights into the air.  

The Yubico team will continue to grow! If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Jerrod Chong

Yubico iOS Authentication Expands to Include NFC

This week, at the annual September iPhone event, Apple introduced new functionality that allows the full range of YubiKey authentication on iOS via near field communication (NFC). This has been many years in the making; back in October 2017 we even wrote about when this day would come.

Previously, NFC on iOS was read-only, which meant that it couldn’t support modern authentication protocols like FIDO U2F and FIDO2/WebAuthn, which require both read and write capabilities – but now that has changed. With these recent updates, iPhone users (running iOS 13+) can experience mobile NFC authentication with a YubiKey 5 NFC or Security Key NFC by Yubico on apps and browsers that have added support.

Coming right on the heels of our new YubiKey 5Ci, iOS users now have a broad and complete choice of secure authentication options, based on their preference and use cases. NFC-enabled YubiKeys will work with compatible apps and browsers on iPhone 7 or later running iOS 13. Older iPhone models, most iPads, and some iPods will work with the YubiKey 5Ci through its Lightning connector on select apps and browsers.

The YubiKey 5C NFC is coming soon!

That’s not all. Based on feedback and suggestions from our customers (we hear you!), we are happy to announce a sneak preview of YubiKey 5C NFC, our upcoming USB-C security key enabled with NFC. This key will provide yet another authentication option for all environments supporting iOS, Android, Windows, MacOS, and more, all on one key. Arriving this coming Winter*, this new device will deliver the same multi-protocol functionality and user experience of the YubiKey 5 Series. Sign up here to receive updates on product availability. 

This announcement supports Yubico’s long-standing YubiKey vision: to deliver secure hardware-based authentication across any operating system and platform. Our goal is to support all authentication use cases across any computing device, as we recognize that individuals use multiple phones, operating systems, laptops, tablets, or desktops each day to access work and personal accounts. 

To coincide with this new NFC functionality, Yubico will also be rolling out updated software for end users and developers on iOS. On mobile iOS devices, users will soon be able to use the Yubico Authenticator application to communicate over NFC, USB and Lightning connections to generate the 6-digit, time-based codes commonly used by many services for two-factor authentication. This is similar to Google Authenticator, with the main differentiator being that the user credential is stored on the external YubiKey rather than internally on the mobile device, so the same key can produce the one-time codes on mobile devices and desktop computers alike. We expect to introduce the new Yubico Authenticator for iOS in the coming months.

Developers who are interested in adding YubiKey support for desktop or mobile users, can access Yubico’s wide range of libraries on the Yubico developer site, including SDKs for Android and iOS app developers. We are also in the process of updating our Yubico Mobile SDK for iOS to support the new iOS NFC authentication capabilities. This will allow applications to implement modern authentication protocols such as FIDO2 and support the YubiKey over both Lightning and NFC connections. 

Please visit the Yubico developer website to sign up for updates and to get access to the current Yubico Mobile SDK for iOS.

*Due to current circumstances, we’re experiencing delays with the upcoming launch of the YubiKey 5C NFC. We’re working to get the key out as soon as possible, and appreciate your patience! If you’d like to be notified of updates, sign up here.

Stina Ehrensvard

Yubico Adds New Round of Investment and Grows Board of Directors

Today, Yubico is excited to announce it has received a new round of investment led by Meritech Capital Partners, a top tier venture capital firm based in Palo Alto, CA.   

Existing investors include the Silicon Valley-based leading VCs Andreessen Horowitz (a16z) and NEA, Swedish growth equity firm Bure, and renowned Silicon Valley entrepreneurs Marc Benioff, CEO & Founder of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member. 

“Yubico has built an amazing company. We love the technology, the respect they have earned in the open standards community, and the enthusiasm from their customers. Beyond the efficient business and big market opportunity, Yubico presents a very special culture, unique in the security market. We are looking forward to working with Yubico to make their technology truly ubiquitous,” says Paul Madera, Managing Director, Meritech.

Yubico has been profitable for the last seven years, attracting nine of the top 10 internet brands and millions of users in 160 countries. With this investment, we have more fuel to continue accelerated growth, and we welcome Meritech and the new funds to scale operations across our entire organization.

In conjunction with Meritech’s investment in the company, Paul Madera, Managing Director, will be joining the Yubico board of directors.  

Meritech is making an investment into the company of $25M for a company valuation of $600M. In addition, existing major investors are increasing their holdings, investing $15M in secondary shares, in connection with this round.

Guido Appenzeller

What’s New in YubiKey Firmware 5.2.3

When we launched the YubiKey 5Ci on August 20, we also introduced a new firmware version to the YubiKey 5 Series: 5.2.3. Currently, this firmware ships only in the YubiKey 5Ci; we expect to roll it out to all YubiKey 5 Series devices over the next month. While it is a minor update, firmware 5.2.3 brings a number of features and improvements to the FIDO and OpenPGP protocol stacks.

FIDO

For FIDO2, the new firmware adds an enhanced privacy mode. It lets a site require a PIN when a YubiKey is registered with its service; thereafter the YubiKey’s FIDO PIN must be entered before the key will reveal which sites it is registered with. The feature is intended for services that, for a variety of reasons, want to protect the privacy of which sites their users have visited. For example, suppose a user registers the YubiKey with “some-website.com” and later travels to a country where association with the content of “some-website.com” invites discrimination. Without the PIN, it would not be possible to tell from this person’s YubiKey that it was registered with “some-website.com”.

The FIDO protocol stack has also seen a number of technical improvements, which are supported in YubiKey firmware 5.2.3:

  • Removal of RSA, as we did not see any use of it in practice
  • Addition of Ed25519 signature support, a modern elliptic-curve signature scheme
  • Addition of credential management, which allows FIDO resident keys to be deleted
  • Support for the FIDO hmac-secret extension both with and without a PIN, for offline operations
  • Signature counters with additional privacy protections, namely per-credential counter offsets and randomly increasing counter values, so that a relying party can only check that the counter grew, not by how much, and cannot correlate credentials through a shared global count

OpenPGP 

YubiKey Firmware 5.2.3 also brings a number of enhancements to the OpenPGP implementation on the YubiKey. Most of them implement features from the OpenPGP Smart Card Specification version 3.0 and above.

ECC Support

OpenPGP 3.0 introduced support for Elliptic Curve Cryptography (ECC) in addition to RSA. ECC is now widely considered the better choice for many applications, offering faster cryptographic operations and smaller keys and signatures at an equivalent security level. 

YubiKey firmware version 5.2.3 and above specifically supports ECDSA signatures and ECDH key exchange, as specified in OpenPGP Smart Card Specification 3.4, for the following curves.

From ANSI X9.62/FIPS 186-3 (the NIST P-256, P-384 and P-521 curves):

  • ansix9p256r1
  • ansix9p384r1
  • ansix9p521r1

From RFC 5639:

  • brainpoolP256r1
  • brainpoolP384r1
  • brainpoolP512r1

In addition to the OpenPGP 3.x features, the YubiKey now also supports the following:

Attestation

Firmware 5.2.3 also adds attestation for keys generated on the device (a capability that has been available in our PIV application since the launch of the YubiKey 5 Series). Specifically, a YubiKey can attest that an asymmetric key was generated on, and has never left, the YubiKey. For example, a company could require that all developers sign their commits with a company-provided YubiKey whose private key was generated on the device. Because the YubiKey issues attestation statements only for keys it generated itself, a verifier that checks the attestation chain against Yubico’s attestation keys rejects any key that was generated elsewhere and imported. Attestation was added as a Yubico-specific extension in version 3.4 of the OpenPGP Smart Card Specification. Documentation for how to use this feature is on the Yubico developer site.
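The policy described above, as an added example that is not Yubico’s code or the developer-site sample: a Go checker that accepts a developer’s signing key only when an attestation certificate for exactly that key chains to the trusted attestation root. The three certificates are generated in-process as labelled stand-ins so the check runs offline; with a real YubiKey you would load Yubico’s published OpenPGP attestation root and the two certificates read from the device in their place, and also inspect the Yubico-specific certificate extensions documented on the developer site, which this example does not parse.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Yubico's code. The three certificates are generated
// in-process as stand-ins for Yubico's attestation root, the device's
// attestation CA and the attestation statement read from the YubiKey.

func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// CheckOnDeviceKey accepts a signing key only if an attestation statement
// for exactly that key chains to the trusted attestation root. Keys that
// were generated elsewhere and imported never get such a statement.
func CheckOnDeviceKey(root, attCA, att *x509.Certificate, submitted *ecdsa.PublicKey) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(attCA)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := att.Verify(opts); err != nil {
		return fmt.Errorf("attestation does not chain to the trusted root: %w", err)
	}
	pub, ok := att.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(submitted) {
		return errors.New("attested key is not the submitted signing key")
	}
	return nil
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// AttestationDemo builds a trusted chain and shows the two rejections a
// commit-signing policy relies on: a software key submitted alongside a
// genuine attestation, and an attestation from an untrusted CA.
func AttestationDemo() (genuine, imported, untrustedCA error) {
	rootKey, caKey, devKey, softKey, rogueKey := newKey(), newKey(), newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Stand-in Attestation Root")
	root := mkCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	ca := mkCert(caTemplate(2, "Stand-in Device Attestation CA"), root, &caKey.PublicKey, rootKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "OpenPGP signature key"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	att := mkCert(leaf, ca, &devKey.PublicKey, caKey) // devKey plays the on-device key

	genuine = CheckOnDeviceKey(root, ca, att, &devKey.PublicKey)
	// softKey was generated off-device; presenting it with the real attestation fails.
	imported = CheckOnDeviceKey(root, ca, att, &softKey.PublicKey)
	// A self-made CA can sign an attestation-shaped cert, but it is not trusted.
	rogueTmpl := caTemplate(4, "Rogue CA")
	rogue := mkCert(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	forged := mkCert(leaf, rogue, &softKey.PublicKey, rogueKey)
	untrustedCA = CheckOnDeviceKey(root, rogue, forged, &softKey.PublicKey)
	return genuine, imported, untrustedCA
}

func main() { fmt.Println(AttestationDemo()) }
```

The key-identity check matters as much as the chain check: an attacker who can obtain any genuine attestation certificate (for example from a colleague’s key) must not be able to pair it with a software key of their own, which is why the attested public key is compared byte-for-byte with the key the developer submits.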

Multiple Operations per Touch

YubiKeys can now be configured to allow multiple operations over a short period of time with a single touch of the key, a capability that was previously available only in the PIV application of the YubiKey 5 Series. This is helpful for batch signing or encryption, and for operations composed of multiple cryptographic primitives. The behavior can be enabled or disabled by the user.

Yubico is always working to advance the functionality and security of our YubiKeys, and we thank our users for their product feedback and support to drive technical improvements like the ones listed above. 

To determine which firmware your YubiKey 5 Series device has, please use the YubiKey Manager.

Ronnie Manning

Say Hello to Simple, Secure Login on iOS with the YubiKey 5Ci

Today marks an exciting milestone, not only in the history of Yubico, but in the history of security keys and mobile devices. Yubico celebrates more than a decade of cutting edge contributions to the authentication market with its latest innovation, the YubiKey 5Ci, now available for purchase at our Yubico store.  

The YubiKey 5Ci is the world’s first iPhone- and iPad-friendly* security key designed to deliver strong hardware-backed authentication over a Lightning connection. But that’s not all. This key is also equipped with a USB-C connector for securely accessing hundreds of Works with YubiKey applications and services on Mac, Windows, and Android devices as well. 

The unique dual-connector functionality of the YubiKey 5Ci, along with the signature multi-protocol features of the YubiKey 5 Series, make this key the perfect solution for consumers and enterprises alike. With support for FIDO2, WebAuthn, FIDO U2F, OTP (one-time password), PIV (Smart Card), and OpenPGP in a single device, the YubiKey 5Ci delivers strong multi-factor (MFA), second-factor (2FA), and single-factor passwordless authentication across a wide range of devices and use cases.

Featured Works with YubiKey iOS partner integrations.

For all our iOS users out there, we know that you’re eager to get started with the YubiKey 5Ci. Thanks to our strong ecosystem of partners, we are proud to launch the YubiKey 5Ci with native iOS app support from 1Password, Bitwarden, Dashlane, Idaptive, Keeper Security, LastPass, and Okta. Monkton Rebar and XTN also support the YubiKey 5Ci in their latest software development kits. 

You can also access some of your favorite services with the YubiKey 5Ci through the Brave iOS browser, which is the first and only iOS browser to support WebAuthn over the Lightning connector at this time. These services include: Bitbucket.org, GitHub.com, Login.gov, Twitter.com, and 1Password.com.

Yubico continues to collaborate with services and applications on their support of the YubiKey 5Ci, with the goal of our users’ favorite, day-to-day apps being added soon. Partners with anticipated YubiKey 5Ci app support include: Dropbox, Keeper Security, SecMaker, and more. 

If you see some services or browsers that aren’t listed above, please help us by expressing your desire to secure your accounts on iOS with the YubiKey. 

Developers, if you’d like to step up the security of your iOS apps or browsers, we’ve made it easy for you. Visit developers.yubico.com/yubikey5ci to get access to the Yubico Mobile SDK for iOS, along with other helpful resources such as implementation guides, webinars, and reference code. 

Get started with simple and secure authentication today. The YubiKey 5Ci is available for purchase on yubico.com at a retail price of $70 USD. 

*The YubiKey 5Ci works on iPad models with a Lightning connector, however, some capabilities are not compatible via USB-C with the iPad Pro 3rd generation. 

Ashton Tupper

Find Yubico at Black Hat

If you happen to be in Las Vegas this week and you find yourself strolling past the intersection of Las Vegas Boulevard and Harmon Avenue, look up. You might just recognize the friendly green color plastered all over the world’s highest resolution LED screen. 

You guessed it. Yubico is taking Vegas by storm for the annual Black Hat conference. 

Find the Yubico billboard at the corner of Las Vegas Blvd. and Harmon Ave.

Custom Black Hat YubiStyle covers.

 

If you don’t catch our cheeky message on the iconic Las Vegas billboard, stop by the Yubico booth (#465) to get the latest YubiKey updates along with some cool swag. See a demo of secure iOS login over a Lightning connection with our upcoming YubiKey 5Ci, or grab a few of our custom YubiStyle covers designed just for Black Hat attendees. These are only available for a limited time, so get them while you can. 

You may even spot a few YubiKeys elsewhere on the show floor. Our impressive partner network will feature ‘Works with YubiKey’ stands at each of their booths. If you see one of these, stop by to say hello and learn more about how the YubiKey works with OneLogin, Duo, Microsoft, 1Password, and more.

Works with YubiKey stand.

Our full list of partners at Black Hat includes: 

  • OneLogin (#2030)
  • Duo (#675)
  • Thycotic (#1410)
  • 1Password (#2323)
  • Microsoft (#654)
  • ManageEngine (#1365)
  • Okta (#2518)
  • Cmd (Cmd Beach Bungalow at the Mandalay Bay Pool Deck)
  • PingID  (#2129)

 

To stay up to date on Yubico events, or to receive year-round updates on Yubico news, sign up for our newsletter and other mailing lists here.

 

 

Jacob Jurilla

The Journey to Passwordless in the Enterprise

Today, Microsoft announced that the passwordless capabilities for Azure Active Directory (Azure AD) are in public preview, reaching a major milestone in enabling passwordless authentication in the Enterprise.

Azure AD provides an identity platform with access management, scalability, and reliability for connecting users with all the apps they need. With FIDO2 and WebAuthn passwordless authentication support now in public preview for Azure AD, users can register a YubiKey 5 Series security key with Azure AD, to enhance account security and enable passwordless login.

YubiKey Passwordless Starter Kit

Yubico is happy to have partnered with Microsoft on today’s announcement. For a limited time, we are offering complimentary YubiKey Passwordless Starter Kits to eligible organizations: Microsoft 365 customers interested in beginning their passwordless journey. 

The starter kit includes two multi-protocol YubiKeys, the YubiKey 5 NFC and YubiKey 5C. The YubiKey 5 NFC is compatible with USB-A ports and near field communication (NFC). The YubiKey 5C is compatible with USB-C ports. 

With the multi-protocol YubiKey 5, organizations can begin the journey to passwordless in the cloud, securing existing applications with Azure MFA or smart card login, and be ready for newer applications supporting FIDO2 and WebAuthn authentication.

The YubiKey 5 Series multi-protocol support includes FIDO2, WebAuthn, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response functionality on a single device, to deliver passwordless, single-factor, second-factor, or multi-factor secure login. 

To verify eligibility and request a YubiKey Passwordless Starter Kit (while supplies last), please visit https://www.yubico.com/passwordless-offer. 

Want to learn more? Register for our upcoming webinar, Go Passwordless with Yubico & Microsoft: WebAuthn, FIDO2 & Azure Active Directory, taking place on July 30, 2019 at 9:00 AM PDT. You’ll hear from Yubico and Microsoft experts on the passwordless journey, key benefits, and how to enable passwordless login with Azure AD.

 

Ronnie Manning

WebAuthn sees rapid growth and adoption: Visit us at Identiverse to see WebAuthn in action

The new web authentication standard, known as WebAuthn, was recently approved by the World Wide Web Consortium (W3C) in March, and is rapidly gaining momentum. Since 2007, Yubico has been driving the development of open standards, and collaborating with partners to bring more secure authentication methods to users.  Through these combined efforts, we co-created WebAuthn.

What makes WebAuthn so noteworthy is that it is supported by all major platforms and browsers, giving users a greater choice of simple authentication methods that protect against phishing attacks. With WebAuthn, users can choose any combination of external authenticators, such as a security key, and internal authenticators, such as a built-in biometric reader on a computer, to secure access to web services and applications. That’s huge.

Microsoft, Google, and Mozilla already support WebAuthn in their web platforms and browsers. Support is currently on the developer preview version of Apple Safari. Upcoming support on Brave browser has been announced by Brave Software. Along with the platform and browser support, a growing number of web services have also rolled out WebAuthn support to their users, including Login.gov, Singular Key, Daon, Isosec, Twitter, and Ping Identity, with more services committed to launching support in the near future.

WebAuthn is quickly gaining momentum, so we asked some of our Works with YubiKey partners to share why they decided to implement support. Here’s what they said:

Jasper Patterson, Web Developer, 1Password

“Our goal at 1Password is to make it easy for people to stay safe online, and adopting modern standards like WebAuthn helps us achieve that. Integrating WebAuthn into our existing two-factor implementation took about a week. The API is well designed and easy to work with for developers.”

WebAuthn offers significant security gains over traditional time-based one-time password (TOTP) or SMS-based two-factor authentication (2FA), all thanks to its secure design based on public key cryptography.

Yves Audebert, CEO, Axiad IDS

“Extending Axiad ID Cloud to support WebAuthn/FIDO2 is a step forward in providing a passwordless and frictionless authentication experience to our customers. Axiad ID Cloud leverages all the features offered by YubiKeys to further our commitment to meeting our customers’ authentication needs.”

Axiad ID Cloud is a standards-based higher-trust identity assurance platform that provides multi-factor authentication (MFA) and dedicated PKI services to secure digital interactions. Axiad IDS expects to roll out support in the back half of this year.

Ben Goodman, SVP, Global Business and Corporate Development, ForgeRock

“ForgeRock is excited to offer WebAuthn as a native authentication option for our identity platform. Hardware authentication enabled by WebAuthn provides a more secure user authentication option, while simultaneously making for an easier, more frictionless experience. This is a “Win-Win” for end-users and application owners.”

ForgeRock’s Intelligent Authentication technology has the capability to orchestrate a multitude of authentication options. WebAuthn support enables ForgeRock to seamlessly extend that functionality to a whole new breed of devices and authenticators.

Jeff Broberg, Sr. Director, Product Management, OneLogin

“WebAuthn simplifies the rollout and adoption of MFA by enabling users to leverage authenticators across mobile and desktop platforms in a more integrated fashion. Combining external authenticators, like the YubiKey, with desktop and mobile biometric sensors benefits both enterprise admins and end users.”

Adopting strong and simple authentication is critical to secure corporate resources from advanced cyber identity threats. With WebAuthn support, OneLogin expands their portfolio of strong authenticator options and makes it simpler for users to choose an authenticator that works best with their primary device.

Arshad Noor, CTO, StrongKey

“We recognize that behavior change is no easy task. Our implementation of FIDO2 and the certification of our FIDO2 server enable us to provide the ease and convenience of WebAuthn to our customers and their users through a safer and more user-friendly alternative to passwords.”

StrongKey has been committed to providing the strongest possible level of encryption and authentication technology to keep data safe for almost two decades. With WebAuthn support, StrongKey delivers phishing-resistant authentication to their users.

Jai Dargan, VP Product Management, Thycotic

“We’re excited to be a part of the Works with YubiKey program, and work together to educate customers about the benefits of strong, hardware-backed MFA.”

Thycotic and Yubico share the same vision that security should be easy to use, even for large organizations with dispersed teams and hundreds of thousands of assets to protect.

Yubico offers free resources and tools for rapidly implementing WebAuthn into an app or service. Visit the Yubico For Developers page to get started. To experience WebAuthn first-hand, visit our WebAuthn demo site.

Learn more about WebAuthn by downloading the WebAuthn Solution Brief, or chatting with us at the Yubico booth (#417) at Identiverse on June 25-27, 2019.

Alex Yakubov

Yubico Announces YubiKey for Lightning Partner Preview Program

Today, Yubico is happy to announce the launch of our YubiKey for Lightning Partner Preview Program, the next phase of the YubiKey for Lightning Private Preview Program announced earlier this year.

This is an exciting step forward for both Yubico and the Works with YubiKey ecosystem. With the launch of the Partner Preview Program, our goal is to enable more web services and applications (relying parties) to improve the protection of customer accounts and the entire account lifecycle with cross-platform support.

The YubiKey for Lightning Partner Preview Program includes access to iOS and Android SDKs to allow organizations to unify the user experience across all mobile platforms. Partners will also receive access to a YubiKey 5Ci preview device (formerly the YubiKey for Lightning), for development and testing. The YubiKey 5Ci has both a USB-C and Lightning connector on one device and will be generally available later this year. As part of the multi-protocol YubiKey 5 Series, the YubiKey 5Ci gives developers the option of securing their iOS apps using the FIDO2, WebAuthn, U2F, OTP, PIV (smartcard) or OpenPGP protocols for passwordless or two-factor authentication.

YubiKey for Lightning participating partners

Since launching the initial YubiKey for Lightning Private Preview Program, several notable partners have been working with us to provide feedback on our iOS developer resources. We would like to extend a special thank you to those partners, including: 1Password, Brave Software, Dashlane, DoD PKI Purebred, Keeper Security, LastPass, Secmaker, XTN, and more.

We look forward to enabling a growing list of compatible services, providing out-of-the-box uses with everyone’s favorite iOS applications when the YubiKey 5Ci becomes generally available later this year.

As Yubico extends hardware authentication capabilities to iOS, the YubiKey will be supported across all major platforms, allowing it to be the trust anchor for the rightful owner and serve as a portable root of trust across any computer or mobile device.

For developers interested in adding YubiKey support into their iOS mobile apps, we welcome you to apply for the YubiKey for Lightning Partner Preview Program here.

New YubiKey 5Ci demonstrations and previews of partner supported applications can also be seen at Identiverse this week, at the Yubico booth #417.

Alex Yakubov

1Password rolls out WebAuthn, and enhanced YubiKey support

Yubico has been a major contributor to the development of open standards for authentication from the initial development of the U2F specification to the latest W3C approved WebAuthn. As we see more services upgrade to modern authentication standards, we can’t help but share in the excitement.

We are thrilled to share that 1Password, a password manager used by millions of individuals and 47,000 business customers worldwide, today announced support for WebAuthn, the new global standard for secure authentication on the web.

Responding to a popular request from users, 1Password has enabled the option to use WebAuthn-compatible security keys, like the YubiKey, for two-factor authentication (2FA). This provides the highest level of hardware-backed security and a great user experience for those who want to use the same security key across services, browsers, and applications.

“1Password and Yubico share a common mission—to make it simpler for people to stay safe online,” said Jeff Shiner, 1Password CEO. “Yubico’s focus on security and user-friendly design aligns with our goals here at 1Password, making YubiKey 2FA a great extra layer of protection for 1Password customers.”

Previously, 1Password users could use a YubiKey as a second factor through time-based one-time passwords (TOTP) generated by the Yubico Authenticator app. With the upgrade to WebAuthn support, 1Password takes a leap forward by offering its users 2FA that is easier to use, faster, and more secure. WebAuthn uses asymmetric (public-key) cryptography, and its credentials are origin-bound: the browser includes the requesting origin in the signed data and scopes the credential to the relying party, so a phishing site on another origin cannot use it.

Register your YubiKey with your 1Password account today by logging in to your app and following these setup instructions, or viewing 1Password’s how-to video.

Want to know more about WebAuthn? Visit our “What is WebAuthn?” resource to get an overview of what it is and how users can benefit. Interested in implementing support for WebAuthn? We have developer resources for the rapid integration of WebAuthn on our developer website.

Special Offer for Yubico customers

1Password helps businesses and families increase their online security and cut down on digital clutter by combining industry-leading security and award-winning design to make secure password management easy for everyone.

To celebrate this announcement, 1Password is offering Yubico customers three (3) months free on a 1Password Families account. The promotion is valid only for new customers, and is active for a limited time. Go to 1Password’s site to learn more.

Jerrod Chong

5 Reasons to Upgrade Your Web Authentication to WebAuthn

Authentication has made significant progress over the past five years. It has matured beyond passwords with the introduction of a variety of two-factor authentication methods, and most recently, we have the advent of passwordless logins with WebAuthn, the new global standard for web authentication.

WebAuthn now sets a new bar for user authentication and is considered best in class for protecting user accounts. With support in all major browsers and platforms, WebAuthn offers the opportunity for services to easily offer a wide choice of strong authentication methods to users, including a passwordless experience. This consists of using security keys or built-in authenticators such as biometric readers.

To experience the WebAuthn login experience, please take a look at our demo site where you can try out registering different authentication methods using WebAuthn.

For those curious about the additional benefits of passwordless login, we put together a list of five reasons to upgrade to WebAuthn authentication.

Widespread Accessibility

One of the key differentiators of WebAuthn, is the widespread acceptance and adoption of the technology across major browsers, operating systems and devices. To date, Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple most recently announced WebAuthn support by default in Safari Technology Preview Release 83.

Additionally, the growing availability of built-in authenticators on computers and phones is providing users new options for authentication. As a service provider, this enables you to offer fast, convenient, and secure authentication options for all kinds of users, regardless of what kind of device or operating system they are using.

Improved Security for Customers & the Business

WebAuthn replaces weak password-based login and knowledge-based account recovery with strong public-key cryptography and origin checking that prevents phishing. By making strong authentication the baseline, with built-in and external hardware authenticators, users are protected from account takeovers. A recent study by Google reviewed more than 350,000 wide-scale and targeted attacks and showed that security keys were the most effective at stopping account takeovers. Eliminating password-based login not only protects customers from credential theft and phishing, it also relieves your organization of the risks that come with storing and protecting millions of user credentials.  
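As an added example, not code from Yubico or from any relying-party library, the following Go program shows what the origin checking and public-key verification described above (and the origin-bound keys mentioned in the 1Password post) amount to on the relying-party side, together with the signature-counter rule that the randomly stepping counters of YubiKey firmware 5.2.3 require: accept a counter only if it is strictly greater than the stored value, and never assume it advanced by exactly one. The authenticator half is a constructed stand-in that signs the same bytes a FIDO2 security key signs; the relying-party ID, origin and challenge are assumed values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example, not Yubico's code; fakeKey is a constructed stand-in for a FIDO2 key.

const flagUP, flagUV = 0x01, 0x04 // user-present and user-verified bits of the flags byte

// clientData is the subset of clientDataJSON the relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyAssertion checks a login response against the credential's registered
// public key and last accepted counter (0 = none yet) and returns the new counter.
func VerifyAssertion(pub *ecdsa.PublicKey, stored uint32, rpID, origin, challenge string,
	authData, clientDataJSON, sig []byte) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return 0, err
	}
	// Origin binding: the browser, not the page, writes origin into clientDataJSON.
	if cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != challenge {
		return 0, errors.New("clientData type, origin or challenge mismatch")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return 0, errors.New("authenticatorData too short or rpIdHash mismatch")
	}
	if authData[32]&flagUP == 0 {
		return 0, errors.New("user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	// Strictly greater, never "exactly +1": firmware 5.2.3+ steps the counter randomly.
	if (stored != 0 || counter != 0) && counter <= stored {
		return 0, errors.New("signature counter did not increase: replay or cloned key")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return 0, errors.New("bad signature")
	}
	return counter, nil
}

// fakeKey signs authenticatorData || SHA-256(clientDataJSON) like a real key.
type fakeKey struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func (k *fakeKey) sign(rpID string, clientDataJSON []byte) (authData, sig []byte) {
	k.counter += 7 // larger-than-one step, as the privacy counters do
	rpHash := sha256.Sum256([]byte(rpID))
	c := k.counter
	authData = append(rpHash[:], flagUP|flagUV, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	return authData, sig
}

// AssertionDemo: a genuine login, a phishing-origin response, a replay; only the first verifies.
func AssertionDemo() (genuine, phished, replayed error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key, pub := &fakeKey{priv: priv}, &priv.PublicKey
	var stored uint32
	const rpID, origin = "example.com", "https://example.com" // assumed relying party
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"             // constructed; random per login in practice
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	ad, sig := key.sign(rpID, cdj)
	n, err := VerifyAssertion(pub, stored, rpID, origin, challenge, ad, cdj, sig)
	if genuine = err; err == nil {
		stored = n // update only after a successful verification
	}
	// Phishing: the browser on the attacker's site fills in its own origin.
	bad, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: "https://example.com.attacker.test"})
	ad2, sig2 := key.sign("example.com.attacker.test", bad)
	_, phished = VerifyAssertion(pub, stored, rpID, origin, challenge, ad2, bad, sig2)
	// Replay of the consumed genuine response: its counter is no longer greater than stored.
	_, replayed = VerifyAssertion(pub, stored, rpID, origin, challenge, ad, cdj, sig)
	return genuine, phished, replayed
}

func main() { fmt.Println(AssertionDemo()) }
```

Run it and the genuine response verifies while the phishing-origin response and the replay are both rejected. In production the challenge must be freshly random for every login and consumed once, and the stored counter must be written back only after the whole verification succeeds, as the demo does; a relying party that instead insists on the counter advancing by exactly one will lock out every YubiKey running this firmware.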

Improved Customer Experience & Brand Loyalty

The average US consumer tries to keep track of over 14 different passwords across all their websites and services. Business users are estimated to be responsible for memorizing and using an even greater number of passwords, reaching up to as many as 191. The sheer number of passwords required for daily digital activities inevitably results in forgotten passwords, password resets, or at the worst, account takeovers due to weak or reused passwords. As a result, passwords degrade customer experiences, reduce brand loyalty, and contribute to lost revenue.

Passwordless login with WebAuthn is faster and more secure than usernames and passwords, turning the online login experience into the familiar split-second convenience of using an ATM card. Because the authenticator needs no network connection of its own, WebAuthn also lets users without cellular access authenticate in situations where one-time codes sent by text message would never arrive.

Lower Operational Costs

When users forget their passwords, they often end up calling help desks or support centers, consuming valuable time from support staff. In fact, Gartner estimates that password reset inquiries account for 20 to 50 percent of all help desk calls, which can cost large companies between $5 million and $20 million annually.

WebAuthn frees support and IT departments, including service desks and call centers, from the operational overhead of creating, storing, cycling, and resetting passwords. It can simplify user on-boarding, and given that password resets are currently the number one IT support cost, passwordless login promises to significantly reduce workloads in IT call centers, where agents today spend considerable time setting and resetting user passwords.

Simple & Flexible Integration Options

WebAuthn introduces the option of strong single-factor, two-factor, or multi-factor authentication. With this expanded choice of authentication flows, developers adding WebAuthn support can select the authentication model that best suits their use cases and customers. This is especially useful for organizations that require a higher level of authentication security, or that prefer a layered approach (for example, a PIN, biometric, or gesture for additional protection) for certain in-app actions like changing personal information or transferring a large sum of money.

WebAuthn is also backwards-compatible with FIDO U2F authenticators for the second-factor use case. This means that all previously certified FIDO U2F security keys, such as the YubiKey 4 or YubiKey NEO, continue to work as a second factor in WebAuthn-enabled authentication flows, and credentials that users registered under U2F can be reused through the WebAuthn appid extension rather than re-enrolled.

 

To learn more about the WebAuthn open standard and how it can benefit your organization, read our ‘Going Passwordless’ whitepaper. We also offer full development resources on our developer site to enable rapid WebAuthn implementations.

Stina Ehrensvard

WebAuthn wins support in Safari, Twitter, Coinbase and hundreds of more services

“And the winner is… WebAuthn!”

A few weeks ago at the European Identity Conference (EIC) in Munich, WebAuthn won the award for Best Future Technology and Standard Project. As co-chair of the W3C WebAuthn working group and a lead author of FIDO U2F and FIDO2, Yubico was invited to receive the award on behalf of all who collaborated on the standard.

John Fontana, co-chair of W3C WebAuthn WG and member of the Yubico open standards team, at EIC award ceremony

There is no doubt that the winning authentication standard is gaining momentum. Last week, Apple enabled default WebAuthn support on macOS in its Safari Technology Preview, while Twitter and Coinbase announced their upgrade from FIDO U2F to WebAuthn. At Yubico, our team is busier than ever supporting hundreds of services across the globe in their process of making support for the YubiKey, Security Keys and WebAuthn.

Initially deployed by the leading internet companies, WebAuthn adoption is now expanding across a wider range of industries, regions, and use cases, including the protection of electronic identities for European citizens, blockchain services, and financial institutions. One leading bank was prompted to add support for WebAuthn after a customer asked, “How come authenticating to my Google and Facebook accounts is more secure than the service that holds my money?”

The FIDO U2F, FIDO2 and WebAuthn names can be confusing, but they are all part of the same standards initiative. The varying names result from the further development and expansion of the work from the industry consortium FIDO Alliance (FIDO U2F and FIDO2) to the W3C web standards organization (WebAuthn). In March 2019, W3C approved the WebAuthn standard, which is built on, and backward compatible with, U2F.  

We encourage all services to implement or migrate to WebAuthn so their end users have more choices from an ever-expanding list of browsers and authentication options, including one-factor, two-factor, and passwordless login. With free open source servers and development resources available from Yubico and others, service providers are rapidly adding WebAuthn support to stop phishing and radically cut support costs. Users enjoy safer and easier login with a growing range of built-in (platform) and external (roaming) FIDO/WebAuthn authenticators, the latter commonly known as security keys. This award-winning web authentication standard lets everyone win, except the fraudsters!

To learn more about the WebAuthn open standard and how it can benefit your organization, read our ‘Going Passwordless’ whitepaper. We also offer full development resources on our developer site to enable rapid WebAuthn implementations.

Ronnie Manning

YubiKey Summer Showcase: InfoSecurity, Gartner Security & Risk, Identiverse

We’re gearing up for a busy and exciting month here at Yubico. We have a full event schedule, a handful of speaking sessions on trending security topics, and we will be showcasing many of our Works with YubiKey partners. In other words, you won’t want to miss this.  

YubiStyle Covers

If you are looking to integrate the YubiKey into your application or service, please check out our Works with YubiKey program for all the details and how you can get involved.  

So, where will we be during the month of June? Here are all the places you can find us and our partners in the coming weeks — and don’t forget to pick up a YubiStyle cover when you see us.

 

InfoSecurity Europe, London — June 4-6, Booth #J120

Stop by Yubico booth #J120 at InfoSecurity Europe and catch our latest passwordless login demos. We will be demonstrating the multi-protocol authentication capabilities of the YubiKey and also an early look at our YubiKey for Lightning Private Preview device for iOS.

Several Works with YubiKey partners will also be at InfoSecurity Europe showcasing the benefits of YubiKey authentication. Curious how the YubiKey works with Duo (booth #F140), ManageEngine (booth #D80), OneLogin (booth #C225), Microsoft (booth #D220), Thycotic (booth #C230), and StrongKey (booth #M147)? Be sure to stop by their booths to find out.

“Yubico is a key player in the FIDO community and it’s exciting to partner with them to help promote a world without passwords.” — Jake Kiser, COO, StrongKey

“In an age where identity theft is on the rise and almost every data breach involves a compromised user account, strong authentication should be an organization’s first line of defense.” — ManageEngine

Gartner Security & Risk, National Harbor, MD — June 17-20, Booth #450

Visit us at booth #450 to talk all things cybersecurity and privacy. Once again, we’ll be demo-ing passwordless account logins using WebAuthn and the YubiKey.

Don’t miss Works with YubiKey integrations at our partner booths as well. Drop by and say hello: ForgeRock (booth #625), Thycotic (booth #651), Microsoft, and Okta (booth #629).

“Yubico provides a standardized way to balance usability and security. When using YubiKeys with ForgeRock’s out-of-the-box FIDO2 support, our joint customers get secure multi-factor authentication paired with an outstanding user experience.” Ben Goodman, Senior Vice President, ForgeRock

Identiverse, Washington, D.C. — June 25-28, Booth #417

Stop by Yubico booth #417 for Yubico’s latest announcements and YubiKey demos during Identiverse. Several Yubico experts are also taking the stage at Identiverse to discuss everything from passwordless authentication to open standards and identity anchors.

  • Wednesday, June 26 | 2:00 – 2:15pm | Portable Root of Trust Explained
    In the Solutions Theater in the expo hall, Nick Charpentier, Solutions Engineer at Yubico, will discuss the concept of hardware authenticators as a portable root of trust to achieve a secure, ubiquitous experience across all devices.
  • Wednesday, June 26 | 4:25 – 4:50pm | Is Your 2FA Broken?
    John Bradley, Senior Solutions Architect at Yubico, will discuss various second-factor authentication techniques and how effective they are against advanced phishing threats.
  • Wednesday, June 26 | 5:35 – 6:00pm | Netflix’s Journey with WebAuthn
    Jerrod Chong, Chief Solutions Officer at Yubico, and Tejas Dharamshi, Senior Security Software Engineer at Netflix, will discuss Yubico and Netflix’s collaboration on a move to modern strong authentication with WebAuthn while maintaining a frictionless user experience.
  • Thursday, June 27 | 9:00 – 9:30am | Standards: The Bedrock of Identity
    John Bradley, Senior Solutions Architect at Yubico, will join a panel of standards experts on the keynote stage to discuss, debate, and provide insight into the world of open standards and how they may change our world in the next five years.
  • Thursday, June 27 | 4:25 – 4:50pm | Understanding Identity Trust Anchors
    Derek Hanson, Vice President of Solutions Architecture and Standards at Yubico, will discuss how identity attributes are managed, validated, secured and updated so that the systems and processes that are reliant on identity proofing have a solid foundation.

That’s not all. See what’s new with current and future Works with YubiKey integrations by stopping by any of our partner booths: Axiad IDS (booth #419), Microsoft (booth #303), Ping Identity (booth #601), ForgeRock (booth #411), Okta (booth #516), and OneLogin (booth #416).

“In today’s digital world, trusted identity requires that all the entities that interact with an organization be authenticated. Mobile and cloud identity solutions eliminate the need for organizations to choose between security, ease-of-use and ease-of-management.” — Yves Audebert, Chairman, President and Co-CEO, Axiad IDS

To stay up to date on these events, or to receive year-round updates on Yubico news, sign up for our newsletter and other mailing lists here.

Stina Ehrensvard

The YubiKey as the WebAuthn Root of Trust

The new web authentication standard, WebAuthn, that was recently announced by W3C, is rapidly gaining adoption by leading platforms and services. WebAuthn is an evolution of the FIDO U2F standard, spearheaded by Yubico and Google, and successfully deployed since 2014 by millions of users with YubiKey security keys. Yubico helped to create WebAuthn to extend the standard beyond external security keys to include new internal built-in fingerprint readers and facial recognition technologies. Having these choices is important to drive widespread support for simple, strong and passwordless authentication methods.  

In this new authentication landscape, an external security key, such as the YubiKey, takes on the important role of a root of trust. As users move between different platforms and computing devices, having this portable root of trust is essential for enabling rapid bootstrapping on new devices and for recovering when devices are lost, stolen or replaced.

Below is a roundup of some of the best use cases for an external hardware-based authenticator:

  • Device Loss, Theft, or Compromise — In the case that a phone or computer is lost, stolen or replaced, the YubiKey can be used as an easy method to re-establish trust with online accounts and re-register the internal authenticator on a new device. Because the credential on an external root of trust like the YubiKey cannot be tampered with, a high degree of trust can be carried from device to device, establishing each of them as a trusted entity and thereby protecting the account.
  • Multi-Device Access — In today’s digital age, users rarely work from a single device or platform. It’s common to move from a mobile device to desktop, laptop, or tablet, and even between personal and work devices. Having a portable external authenticator that can work across computing devices makes these transitions seamless. With options to connect via NFC, USB-A, USB-C, and soon Lightning, the YubiKey meets the needs of every internet user.
  • Mobile-Restricted Environments — Not all work environments allow employees or contractors to have a mobile phone. Call centers, manufacturing floors, and remote locations are some of the environments where a hardware authenticator is a preferred solution.
  • High Security Applications — Because an external hardware authenticator has no network connection and is not a multi-purpose chip or general-purpose computing device, its attack surface is naturally much smaller. There are certain scenarios where services may choose to require step-up authentication to complete a high-risk action, such as transferring a large sum of money between bank accounts, or updating an address. The YubiKey can be used as an additional form of validation to quickly re-verify the user before the action is taken.
  • Uninterrupted Access — We designed the YubiKey to provide optimal levels of durability. It is crush and water resistant and does not require batteries, so it eliminates the chance of the device being uncharged.
  • Integration with Legacy Systems — Most enterprises use a variety of systems, platforms, and devices, and not all of these support newer authentication standards such as FIDO and WebAuthn. Also, for use cases that require a corporate credential for computer login and remote access, digital signatures for code signing, key escrow for email encryption, or privileged access for older operating environments, the YubiKey’s multi-protocol functionality helps address a wider range of enterprise security needs.
  • Authentication Backup — Regardless of how users are securing their accounts, it is always a best practice to have a backup method in case the primary method of authentication is lost, stolen, broken, or inaccessible. The YubiKey is an affordable, simple option that users can carry on their keychain, tuck into a wallet, or store in a safe place for convenient access at any time.

With a growing list of strong authentication options supported by WebAuthn, and the ability to solve use cases across device type, operating system and service, now is the time for companies to add WebAuthn to their services. Developers can take advantage of Yubico’s developer resources to extend user authentication options. To try out the WebAuthn authentication experience please visit the Yubico WebAuthn demo site.

There are more than 3 billion people in the world connected to the internet who need — and deserve — a better more secure experience. Let’s work together toward making the internet a safer place for everyone!

Alex Yakubov

YubiHSM 2 Now Compatible with EJBCA from PrimeKey

The YubiHSM 2, the world’s smallest hardware security module from Yubico, is now compatible with EJBCA software for a range of public key infrastructure (PKI) use cases. Available for all YubiHSM 2.1 and newer devices, Yubico’s updated Setup Tool, which adds support for PrimeKey EJBCA, is accessible in our latest YubiHSM 2 open source software development kit (SDK).

When it comes to maintaining your customers’ trust, it’s imperative to protect against data theft and compromise, and hardware security modules (HSMs) are table stakes. Traditionally, this has meant dedicating an entire rack—or more—in the server room.

Enter the YubiHSM 2. These thumbnail-sized hardware devices deliver enhanced protection for cryptographic keys, are more affordable than traditional HSMs ($650 MSRP), require very low power, are ultra-portable, and plug into any USB-A port—minimizing space requirements for deployment. The sheer size and cost alone open up incredible new use cases. Imagine an autonomous vehicle with its own YubiHSM 2—no need to compromise on trunk space.

“The priorities for us in developing PrimeKey’s EJBCA have always been flexibility and the ability to support different use cases. With the YubiHSM 2, we enable a cost efficient and portable HSM alternative that simplifies the process to secure your CA keys,” said Chris Job, Team Leader, PrimeKey Professional Services.

With our latest YubiHSM 2 open source SDK, and support for PrimeKey EJBCA, YubiHSM 2 users can leverage PrimeKey and Yubico open source software and tools for implementing PKI. Collaborating with PrimeKey, and adding support for PrimeKey EJBCA on the YubiHSM 2 further delivers Yubico technology to organizations where open source is preferred or even required. The YubiHSM 2 now supports two certificate authorities—Microsoft Windows CA and PrimeKey EJBCA—offering greater flexibility to those looking to secure an organization’s most important data with an HSM.

Interested in learning more?

Licensing Information

The YubiHSM 2 SDK is intended for use in development and production environments in conjunction with YubiHSM 2, pursuant to Yubico’s terms and conditions of sale and license. By downloading and installing the SDK you agree to the terms of this license. The released SDK source code is licensed under the Apache 2.0 license. Third party software included in the YubiHSM 2 SDK, and their respective licenses, are listed in the licenses directory inside the SDK package.

Derek Hanson

Yubico Login for Windows Application Now Available in Public Preview

Every day, YubiKey users are protecting access to their data in cloud services like Gmail, Dropbox, and password managers, but these very same people also need to protect access to desktop and laptop computers as well. Thanks to the multi-protocol capabilities of the YubiKey, they can. The YubiKey can be used to log in to Linux, Mac, or Windows machines.

One of the more popular use cases we hear about is logging into Windows machines, which is why we designed the Yubico Login for Windows Application. The tool provides a simple and secure method for YubiKey users to secure access to their Windows computers. Today, we are opening the public preview program for the application.

Yubico Login for Windows Application

The Yubico Login for Windows Application will deliver a simplified configuration experience, enabling users to help protect their computers with a YubiKey. In addition, this application will enable new core features such as enrollment for backup YubiKeys and lost YubiKey recovery mechanisms.

These features make this application the most robust authentication tool that Yubico has provided for standalone Windows computers.

The preview program gives participants the ability to download the new Yubico Login for Windows Application, test the application, and provide feedback on the experience. This is your chance to influence the features prior to the upcoming official release.

The Yubico Login for Windows Application is best suited for:

  • Individuals that have local accounts on Windows 7, Windows 8.1 or Windows 10 computers.
  • Individuals or organizations that prefer local accounts created on their computers in order to keep sensitive information localized as opposed to taking advantage of a more connected Windows 10 experience (such as using Outlook.com, OneDrive, Live.com, Hotmail.com etc.).
  • Organizations that have a mix of Windows 7 and Windows 10 computers and do not use Azure Active Directory or Active Directory.

The Yubico Login for Windows Application is not ideally suited for:

  • Users who typically log into Windows computers with a Microsoft Account (e.g. username@outlook.com, username@hotmail.com, username@live.com, etc.).
  • Users who utilize the following sign-in options for their local account: Windows Hello (face, fingerprint, or iris), PIN, or picture password.

If you are interested in joining the public preview program for Yubico Login for Windows Application please sign up here. The preview offering and a configuration guide will be made available after sign-up.

Stina Ehrensvard

A Big Day for the Internet: W3C Standardizes WebAuthn

Today’s standardization of WebAuthn by the World Wide Web Consortium (W3C) marks a milestone in the history of open authentication standards and internet security, and Yubico is excited to be a part of it. Through close collaboration with the global internet standards community and the internet giants, Google and Microsoft, we achieved the near-impossible: the creation of a global standard for web authentication that is on track to be supported by all platforms and browsers.

With much of our personal and business lives now online, the need for stronger security has never been more important to protect our digital identities. With WebAuthn, we are addressing the problem behind the vast majority of security breaches — account takeovers due to stolen online credentials.

We have invested considerable time from our engineering staff in the development of this new standard, including being one of nine Specification Editors, being one of two co-chairs for the W3C WebAuthn group, and having six working group members. When I asked one of our engineers from this group how he liked his job, he responded, “It’s one of the most interesting and scary projects I’ve ever had. We are writing code that will impact the internet security of billions of people, so we feel the responsibility to get this right!”

From start to finish, the WebAuthn spec development has been more than a three-year process, but for Yubico, this is a culmination of more than a decade of innovation and seven years of standards work. Starting first with FIDO U2F, then FIDO2 and now WebAuthn, these standards are a natural evolution built upon each other to bring together new important security capabilities for the modern web:

  • Driverless, one-touch authentication with a single authenticator that can be used across any number of services with no shared secrets.
  • Public key cryptography to defend against phishing and man-in-the-middle attacks at scale.
  • Single-factor, multi-factor and passwordless authentication for web and mobile applications.

WebAuthn recognizes the importance of security keys as well as platform authenticators, such as built-in biometric sensors, by embracing broad support for a choice of authentication devices and modalities. Yubico supports this approach because it fosters widespread adoption of stronger authentication. We contributed to this standard to help as many people as possible stay safe online. Moving forward, the YubiKey will be valued as a high-privacy, high-security authentication choice. In addition, it will take on the important role of the Root of Trust, enabling seamless bootstrapping to new devices and rapid recovery from lost and stolen devices when built-in authenticators are not enabled or no longer accessible.

Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple Safari is actively testing the API. Additionally, Microsoft Accounts and Dropbox have WebAuthn support. Many more online services will soon follow.

Since FIDO U2F was first launched in Gmail in 2014, Yubico has provided free open source code, and guided the vast majority of online services integrating the standard. We continue this work with WebAuthn. Developers and online services can rapidly add support, including “upgrading” from an existing U2F deployment, by signing up to join the Yubico Developer Program to be informed on the latest reference documentation, testing tools and open source servers.

Individuals and companies who want easy, secure access to their daily online accounts — including those in financial, healthcare, and government services — can accelerate adoption by requesting support for YubiKey and WebAuthn. WebAuthn works with all existing U2F and FIDO2 YubiKeys.

WebAuthn standardization is the foundation for the first-ever web authentication standard designed with scalable public key cryptography and phishing protections, and we can now all help to make the internet safer for everyone.

Want to see WebAuthn in action? Stop by the Yubico booth this week at RSA (#S2162), Scale17x (#519), or Gartner IAM Summit Europe (#S12).

Ronnie Manning

Yubico Releases the 2019 State of Password and Authentication Security Behaviors Report

In conjunction with Data Privacy Day, Yubico is releasing today new research in a report entitled, The 2019 State of Password and Authentication Security Behaviors Report, conducted by Ponemon Institute. The findings reveal that despite a growing understanding of security best practices, user behavior is still falling short. The problem? Passwords continue to trip up users and compromise security and many users are not taking advantage of stronger two-factor authentication solutions that are available.

The annual Data Privacy Day initiative, led by the National Cyber Security Alliance (NCSA), has grown in popularity each year — and with good reason. Massive data breaches like the recent Collection #1 continue to happen. With nearly 773 million unique email addresses exposed, along with the passwords paired with them, Collection #1 is one of the largest breaches to date; and yet, are individuals taking the actions needed to protect their online accounts? According to the report findings, it appears not.

Are we becoming more security-minded, and better yet, are we following best practices? Some of the most interesting stats revealed that:

  • 2 out of 3 (69%) respondents share passwords with colleagues to access accounts
  • 51 percent of respondents reuse passwords across business and personal accounts
  • 57 percent of respondents who have experienced a phishing attack have not changed their password behaviors
  • 67 percent of respondents do not use any form of two-factor authentication in their personal life and 55 percent of respondents do not use it at work
  • 57 percent of respondents expressed a preference for a login method that does not involve the use of passwords

Beyond the above listed highlights, the full 2019 State of Password and Authentication Security Behaviors Report delivers further data on the following topics:

  • How privacy and security concerns affect personal password practices
  • Risky password practices in the workplace
  • Authentication and account security in organizations
  • Differences in password practices and authentication security behaviors by age
  • Differences in password practices and authentication security behaviors by country (Germany, France, UK, USA)

To read more of the research highlights, please check out our infographic below or download our full research report here.

Stina Ehrensvard

Yubico Expands Executive Team with Addition of Guido Appenzeller, Chief Product Officer

Happy New Year from Yubico! We are very excited for the upcoming year and 2019 has already kicked off with two new product announcements at CES, and now we’re expanding the Yubico family.

As of two weeks ago, we added another member to our executive team: Guido Appenzeller. Guido joins us as the Chief Product Officer of Yubico to focus on product development and strategy, a critical role to the company’s continued innovation and success in making strong authentication truly ubiquitous. Previously, he served as CTO of VMware, Consulting Professor at Stanford, and the founder of two start-ups.

Please join me in welcoming Guido into the YubiFamily. To learn a little more about Guido here is an excerpt from a recent interview between Ronnie Manning, our VP of Communications, and Guido.

From founding two different start-ups to working as CTO for VMware, you have had experience with both large and small companies. While each phase of company growth presents its own set of challenges, which growth phase would you say you enjoy the most and why?
Both have been incredible experiences. I love small companies because of their agility and speed. You spot a new opportunity and with a good team you can have a product in the market months later. On the other hand, being an executive in a large company puts huge resources at your disposal. At VMware, we entered new markets by buying the market leader and then accelerating it with an enterprise sales team of several thousand people. In the end for me, it boils down to where I can have more overall impact and usually that is in a smaller company.

What’s the single biggest lesson you’ve learned in your career about successfully growing a company, and how do you plan to bring that to your role at Yubico? 
The two most important things about growing a company are the market and the team. Yubico is in a great market and solving a key problem: how to make the internet secure. Stina, Jakob and the team have done a great job creating a culture that focuses on security while at the same time emphasizing a fun user experience. That’s actually pretty rare for a security company. My goal is to keep this culture while building the lightweight process that’s needed to take Yubico through the next phases of its growth.

You have a long history of leading companies through successful growth periods. In an ideal world, how do you envision Yubico’s growth to unfold over the next 1-5 years?
The short-term opportunity for Yubico is to replace passwords as the main authentication method in the internet. This is a huge shift. It would all but eliminate phishing while actually improving usability. But this is just scratching the surface. Having inexpensive hardware with advanced cryptographic functionality opens up new applications for payments, messaging security, IoT security and secure infrastructure. Long term, these are the areas that excite me most.

What are the most exciting and daunting aspects of working in the cybersecurity industry?
Security is often an afterthought. We have a rich history in the technology industry of first building systems where we ignore security, then recognizing our error and eventually bolt on a security solution that is awkward to use and difficult to understand. I think what initially got me excited about the YubiKey is that it is one of the very few security products that is easy to understand and that end users actually love to use.

When you’re not busy tackling the roles and responsibilities of a Chief Product Officer, what are you most likely to be doing?
I love the outdoors and like exploring the world on foot, scuba diving or behind the controls of a small airplane that I have flown all the way from California to the Caribbean. I am an avid gamer with my kids or alone, and recently have been spending more and more time in Virtual Reality.

The Yubico team will continue to grow in 2019. If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Ronnie Manning

Yubico Launches the Security Key NFC and a Private Preview of the YubiKey for Lightning at CES 2019

Hello from Las Vegas. Today, we have some exciting news for you that’s coming straight from the CES show floor. We are introducing two new device form factors: our latest next-generation security key, Security Key NFC by Yubico, and a private preview of our YubiKey for Lightning. We are giving live demos of both of these keys at the CES Yubico booth (#312).

The Security Key NFC

The Security Key NFC is our newest addition to our distinctive blue Security Key Series, offering USB-A and NFC (near-field communication) for tap-and-go authentication over the FIDO U2F and FIDO2/WebAuthn protocols on computers and supported mobile devices (like an Android phone or an NFC reader attached to a Windows 10 computer). With the option of multiple communication methods, this one key is able to deliver a simple and seamless user experience across multiple devices for strong multi-factor, two-factor (2FA), and single-factor passwordless authentication.

Today, the Security Key NFC works out of the box with hundreds of services already supporting FIDO U2F and FIDO2 authentication protocols: including Microsoft (for passwordless login), Google, Facebook, Twitter, Dropbox, a growing list of password managers, and many more FIDO2 and U2F compatible websites. And as the latest hardware authenticator from Yubico, it’s built to last. It’s made in the USA and Sweden with reinforced fiberglass that is hermetically sealed and injection molded into a monolithic block, delivering exceptional physical durability.

The Security Key NFC by Yubico is available beginning today for $27 at the Yubico online store.

YubiKey for Lightning — Private Preview

If you are a Yubico follower, you’ve probably heard that Yubico’s goal is to make strong, simple authentication truly ubiquitous, across all services, devices, and operating systems. Historically iOS has presented some challenges to achieving that mission, which is why we’re extremely excited to announce a private preview of our newest YubiKey for Lightning.

YubiKey for Lightning

The YubiKey for Lightning is a multi-protocol hardware authenticator designed with both USB-C and Lightning connectors. By supporting the two most common connectors for Mac and iPhones, the new YubiKey for Lightning, is designed to provide seamless authentication across compatible desktop and mobile devices.

We are also formally launching the YubiKey for Lightning Program as an extension of our Lightning Project announced in August 2018. If you are a developer or service that would like to support strong hardware authentication on iOS, we invite you to work with us by applying to participate in the YubiKey for Lightning Program. Selected participants will have access to the private preview of YubiKey for Lightning and also the Yubico Mobile iOS SDK for Lightning.

Today the YubiKey for Lightning is in private preview to selected participants in the YubiKey for Lightning Program, with general availability still to be announced.


Stina Ehrensvard

2018: A Year in Review for Yubico

2018 was an awesome year for Yubico. It was full of new product launches, business milestones, a growing team of super stars, and industry-leading innovations. It’s hard to believe that all of that happened in just one year, but it’s amazing to see how much can be accomplished together when we focus on our mission of making security available for all.  

Over the years, I’ve also learned that it’s necessary to reflect on all of these accomplishments as an entrepreneur, a CEO, or an employee. This time of pause allows us to evaluate the lessons learned, set new goals, and carefully build upon the work we’ve already done. So, as we cross into 2019, here’s a quick look back at some of Yubico’s finest moments of 2018.

We invested a significant amount of time and resources into product innovation and released several major new products, all of them being the first of their kind on the market.

The YubiKey 5 Series

  • The Security Key by Yubico is the first-ever security key to support FIDO2 and WebAuthn, the new global authentication standards for passwordless login to which Yubico is also the leading contributor.
  • The YubiKey 5 Series is the first-ever multi-protocol security key series to support FIDO2 and WebAuthn.
  • The YubiKey FIPS Series is the first-ever multi-protocol FIPS 140-2 validated security key series.

A major part of the Yubico mission is spent on working with the larger internet ecosystem, providing them with the insight and resources they need to be successful in protecting their users’ data and privacy. As a result, several major services and leading platforms and browsers have added support for FIDO2, WebAuthn, and YubiKey strong authentication.

  • Twitter adds support for FIDO U2F authentication with a YubiKey.
  • AWS Identity and Access Management adds support for FIDO U2F authentication with a YubiKey.
  • LastPass is the first iOS app to add support for strong YubiKey authentication via NFC.
  • Microsoft Accounts adds support for YubiKey and FIDO2 to allow users to log in to their accounts without a username and password.
  • Additional browser support continues for WebAuthn from Chrome, Firefox, Edge, and Safari.

The developer community is core to what we do here at Yubico, and while we’ve offered free and open source code since our launch in 2008, this year we created dedicated resources to expand our offerings.

Mobile SDK for iOS enables YubiKey authentication on the iPhone

  • The Yubico Developer Program is the first source for developers to gain access to YubiKey integration resources such as webinars, SDKs, implementation guides, and more.
  • Yubico launches the official Works with YubiKey Program to further guide and promote service providers’ YubiKey integrations.
  • The Mobile SDK for iOS was released to allow any iOS mobile app to rapidly add support for hardware-based two-factor authentication using YubiKey OTP over NFC.
  • The Yubico Lightning Project was announced, extending the capabilities of the Yubico Mobile SDK for iOS to support FIDO U2F and FIDO2 authentication over a Lightning connection.
  • The YubiHSM open source SDK was released to allow developers to integrate with the YubiHSM 2 and enable its security capabilities for greater protection of cryptographic key material.

Last but not least, we continued to grow Yubico as a trusted leader in strong authentication with new financial investments and the addition of new talent across the globe.

The Yubico team reached 160 people, representing 25 different nationalities, and based in eight countries: Sweden, USA, Germany, UK, Chile, Singapore, Australia and Japan.

Yubico received investment from top-tier investor Andreessen Horowitz (a16z) in support of our mission to create a safer internet at scale. Martin Casado, general partner for a16z, also joined the Yubico board of directors.

2018 was incredible, and we plan to top it with what’s to come in 2019! Be the first to know about new products and more by signing up for our mailing list.

Alex Yakubov

YubiHSM 2 Now Qualified for AWS IoT Greengrass Hardware Security Integration

We are excited to announce that Amazon Web Services (AWS) IoT Greengrass users can now use the YubiHSM 2, Yubico’s ultra-portable hardware security module, for secure key storage. AWS IoT Greengrass software provides local compute, messaging, and data caching for IoT devices, enabling users to run IoT applications across the AWS cloud and local devices.

The Internet of Things (2018) research report from Business Insider Intelligence predicts that there will be more than 55 billion IoT devices by 2025, up from about 9 billion in 2017. While reaping many advantages like increased efficiency and productivity, this rapid growth in adoption provides a new playground for malicious actors creating real challenges for security and privacy.

Connecting everything to the cloud creates the potential for a single point of failure, which is why protecting access to servers is of paramount importance. A prime threat to access is storing root keys for servers in software. Root keys stored in software can be stolen, accidentally distributed, or misused, and can potentially lead to catastrophic security breaches.

AWS IoT Greengrass enables customers to leverage a hardware root of trust, such as the YubiHSM 2, for private key storage, and end-to-end encryption for messages sent between AWS IoT Greengrass Core and the AWS cloud, as well as between the AWS IoT Greengrass Core and compatible local devices. This provides AWS IoT Greengrass customers with the option to configure their AWS IoT Greengrass Core to use the private keys generated and stored on the YubiHSM 2.

“Security and compliance are primary considerations for customers as they begin their respective cloud journeys. Organizations need true cloud visibility, which is the foundation of security and controls. The integration of YubiHSM 2 with AWS IoT Greengrass is a great example of a way for customers to have greater visibility into local compute, messaging, and data caching for the Internet of Things (IoT),” said Troy Bertram, General Manager, Worldwide Public Sector Business Development, AWS. “The integration of YubiHSM 2 with AWS IoT Greengrass provides AWS customers with another avenue to maintain the strong hardware-backed security for cryptographic digital key generation, storage, and management.”

Since our initial launch of the YubiHSM 2 last year, many of our customers have approached us looking for a way to protect keys on servers. Complaints of traditional rack-mounted and card-based HSMs offering limited applicability at a significantly higher cost have led customers to our innovative alternative hardware security module. The YubiHSM 2 provides strong hardware-backed security for cryptographic digital key generation, storage, and management. The nano-sized YubiHSM 2 fits inside a server’s USB port and does not require additional hardware, significantly bringing down costs and simplifying the deployment process.

We’re excited for the collaboration with AWS IoT Greengrass. This announcement follows our recent release of our open source software development kit (SDK) for the YubiHSM 2. Now, more developers can rapidly integrate the YubiHSM 2’s capabilities into apps across a wider array of architectures and platforms. The YubiHSM 2 SDK enables developers to build products that communicate seamlessly with the YubiHSM 2 through the industry standard PKCS#11, and extend a range of high security functions and use cases for the greater protection of cryptographic keys.

The open source YubiHSM 2 SDK highlights Yubico’s commitment to transparency and trust. We continue to encourage the developer and security communities to join us in our mission to make strong hardware-backed security more accessible to organizations of all sizes.

Learn more about this new feature, and how AWS IoT Greengrass works with the YubiHSM 2. Want to integrate Yubico technology into your solution? Start here.

Ronnie Manning

Password-less Login with the YubiKey 5 Comes to Microsoft Accounts

We’ve done it! Together, with Microsoft, we’ve officially made it possible for hundreds of millions of Microsoft users around the world to log in without a password on their personal Microsoft accounts (MSA), with a YubiKey 5 or Security Key by Yubico.

With the latest update to Windows 10 (version 1809) and existing native support in Edge, all consumer Microsoft accounts now support password-less login via FIDO2/WebAuthn. Yes, no passwords.

With a Microsoft account and the YubiKey, you can quickly and securely log in (and automatically single-sign-on) to all of these Microsoft services on Edge:


That’s one login, zero passwords, and effortless access to your most loved Microsoft services.
Let’s just take a moment for that to sink in.

Today’s announcement from Microsoft is a landmark in the history of authentication. The first driverless, one-touch authentication USB device was launched in 2008, in the form of the original one-time password (OTP) YubiKey. To improve protection against phishing and advanced attacks, and to make it work with any number of services with no shared secrets, Yubico co-created U2F with Google, which was later contributed to the FIDO Alliance.

To remove the need for a username and long, complicated passwords, we worked with Microsoft and the FIDO Alliance to evolve U2F into FIDO2 for password-less login. We say thank you to everyone who has been part of making this a reality.

“Password-less sign-in is a transformational change to how business users and consumers access devices and applications. It combines industry-best ease of use and security to create an experience people are going to love and hackers are going to hate,” said Alex Simons, Corporate Vice President, Microsoft Identity Division. “FIDO2 is a key part of Microsoft’s push to eliminate passwords and devices like the YubiKey 5 are a great example of how we’re working with partners to make this transformation a reality.”

How To Register A YubiKey with Your Microsoft Account

To take advantage of this new, advanced security feature, you will need to simply register your FIDO2-enabled YubiKey 5 Series or Security Key by Yubico with your Microsoft account. This feature is available on any Windows PC with the Windows 10 version 1809 update and Microsoft Edge installed.

You have the option to do so either by USB-A or USB-C port (YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, YubiKey 5C Nano, Security Key by Yubico) or by NFC (near-field communication) wireless connection (YubiKey 5 NFC).  

  1. To begin, launch Microsoft Edge on the latest Windows 10 update (version 1809), visit the Microsoft account page, and sign in as you normally would. Click on Security > More security options, then select Set up a security key.
  2. Identify what type of YubiKey you have (USB or NFC) and select Next.
  3. You will be redirected to the setup experience, where you will insert or tap your YubiKey 5 or Security Key. This action generates a unique public-private key pair between your YubiKey and your Microsoft account; only the YubiKey stores the private key, and it never leaves your device. The public key is stored with the Microsoft service so that it can verify your authentication.
  4. You will then be prompted to set a unique PIN to protect your key. This PIN is stored locally on the YubiKey—not with Microsoft accounts.
  5. Complete the follow-up action by touching the YubiKey’s gold sensor.
  6. Name your security key so that you can distinguish it from other keys (we always recommend setting up an additional YubiKey as a backup).
  7. Sign out and open Microsoft Edge, select Use security key instead, and sign in by inserting or tapping your key and entering your PIN.

That’s it! You have successfully replaced your Microsoft account password with strong, hardware-based authentication using public key cryptography to protect against phishing and man-in-the-middle attacks. For more details, visit yubico.com/go-password-less/microsoft and if you want to see more, check out our fun promo videos here and here!

Authenticating Beyond Your Microsoft Account

In addition to FIDO2, the YubiKey 5 series supports: FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response. This means the same device that you use to protect your Microsoft account can be used to protect your password manager, social media accounts, and your logins to hundreds of services. Check out the Works with YubiKey catalog to discover other services that support the YubiKey.

Alex Yakubov

The Modern Workplace Journey: Experience MFA Everywhere with PingID and the YubiKey

One of the most frequent questions I’m asked to talk about is what sets the YubiKey apart from other security keys. At Yubico, we pride ourselves on making the highest quality, most durable and innovative authentication devices on the market, including the first-ever multi-protocol security keys which combine FIDO2, U2F, one-time password (OATH-HOTP and OATH-TOTP), PIV-compatible smart card, and OpenPGP in one authenticator. This multi-protocol support is a critical feature for organizations in the process of modernizing strong authentication for everything that employees, vendors, and users access on a daily basis, as one single YubiKey can meet varying authentication needs.

The journey to modernizing authentication also often starts with finding the right Identity Access Management (IAM) solution, which is why Ping Identity, the leader in Identity Defined Security solutions, is a critical member of the Yubico Ecosystem. Yubico is excited to work with Ping Identity to strengthen the authentication choices for PingID customers.

Starting today, current and prospective PingID customers considering a YubiKey implementation are invited to learn more about our joint solution through Ping Identity’s YubiKey Experience Pack initiative. A co-branded experience pack will be available to PingID customers as a special complimentary offer designed for admins to experience the many benefits of our joint solution. Each pack features two (2) of our latest YubiKey 5 Series devices and a PingID Quick Start Guide. The YubiKey 5 Series supports two-factor, multi-factor and passwordless authentication, so as the future of authentication progresses toward passwordless logins, PingID customers will be equipped with an authentication device that can do it all.

Setting up YubiKey authentication with PingID is easy. Users can self-register the YubiKey with their PingID account without needing additional software or drivers.

“Ping Identity is committed to providing the most secure multi-factor authentication experience and emerging authentication standards for its customers,” stated Monica Hamilton, Head of Technology Alliances and Business Development at Ping Identity. “By working with Yubico, we are able to provide secure login options with a hardware device for added user convenience, especially in scenarios where a mobile phone cannot be utilized or is not preferred.”

Yubico is also thrilled to be one of Ping Identity’s Global Sponsors for IDENTIFY 2018. Today, we’re kicking off IDENTIFY San Francisco, and November 7 marks the third and final event in the series, IDENTIFY New York. Stop by our kiosk and chat with us about your journey to modernizing the workplace. Still need a ticket to IDENTIFY 2018? Use code YUB524 in the online registration portal for a complimentary pass courtesy of Yubico. Qualifying customers can request the YubiKey Experience Pack for PingID customers by contacting sales@pingidentity.com while supplies last! Learn more about how Yubico and Ping Identity work together.

Jerrod Chong

Introducing the YubiKey 5 Series with New NFC and FIDO2 Passwordless Features

Today, we are announcing some exciting news that we know you’ve all been waiting for. The 5th generation YubiKey has arrived!

Our new YubiKey 5 Series comprises four multi-protocol security keys and includes two much-anticipated new features: FIDO2 / WebAuthn and NFC (near field communication).

The YubiKey 5 Series is the industry’s first set of multi-protocol security keys to support FIDO2 / WebAuthn, the open authentication standard that Yubico helped to pioneer, along with Microsoft and others. All leading platforms and browsers have either shipped support or are engaged in this standards work, expanding the authentication choices available with authentication devices such as a YubiKey, with or without a username and password. Each key in the YubiKey 5 Series supports: FIDO2 / WebAuthn, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response.

With the new YubiKey 5 series, Yubico provides a solution that not only works for today’s authentication scenarios, but into tomorrow’s, helping to bridge the gap from existing solutions to a future of passwordless login. Users will receive the same trusted security, ease of use, and durability expected from a YubiKey, but will now have the added option of passwordless logins using FIDO2:

Authentication options with the YubiKey 5 Series.

Single-Factor Authentication (Passwordless) with the YubiKey 5 Series – The YubiKey 5 security keys can be used alone for strong single-factor authentication, requiring no username or password to log in — just tap or touch to authenticate.

Second-Factor Authentication with the YubiKey 5 Series – Used alongside a username and password, the YubiKey 5 series offers a strong second factor of authentication. This is the YubiKey integration that exists today with services like Google, Twitter, and Facebook, and it is most familiar to our users.

Multi-Factor Authentication (Passwordless + PIN + Touch) with the YubiKey 5 Series – The YubiKey 5 series can be used in conjunction with a PIN for user verification. In this case, the PIN unlocks the device locally and touch is still required for the YubiKey to perform the authentication.

With this expanded choice of authentication modes, developers choosing to add support for the YubiKey will have the option to choose the authentication model that best suits their use cases and customers. Implementation resources for all of the YubiKey-supported protocols can be found on the Yubico Developer website or through the Yubico Developer Program mailing list.

Another much-anticipated feature of the YubiKey 5 Series is NFC support on the YubiKey 5 NFC device, allowing for a seamless and secure tap-and-go experience with mobile devices or external NFC readers.

YubiKey 5 NFC

Combining the security and usability features of FIDO2 passwordless authentication and tap-and-go NFC provides an optimal user experience, and drastically improves security and productivity. This is especially beneficial in fast-paced, dispersed working environments within sectors such as financial services, healthcare, and retail point-of-sale (POS). FIDO2 is the first open standard authentication protocol that can take tap-and-go authentication to the masses.

The YubiKey 5 Series includes: YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, and YubiKey 5C Nano. To determine the key that is best for you, please reference the online comparison chart, or take our YubiKey quiz!

Beginning today, YubiKey 5 Series security keys are available for purchase exclusively at Yubico.com. Shop our store, and be one of the first to own a YubiKey 5!

Alex Yakubov

Taking strong, hardware-backed MFA where mobile phones can’t go

With security breaches becoming a growing and expensive problem, organizations are embracing identity and access management (IAM) platforms with multi-factor authentication (MFA). This technology enables organizations to address expanding security concerns and regulatory requirements within and beyond their employee base, while also reducing complexity for the end user, who needs as few as one identity to access all the different tools, systems, and programs required to do their job.

Our work with the IAM vendor community has proven there are many scenarios where mobile phone use is restricted or even prohibited for varying reasons. Call centers and hospitals, as well as high-security environments like government agencies and financial institutions, require strong authentication to protect sensitive data and assets.

For instance, call centers are tightly controlled environments in terms of time and work. Performance control is another important aspect—the fewer distractions, the higher the throughput from staff. Arguably more important is privacy. Call centers do not allow mobile phones in an effort to protect customer data from misuse and abuse, which means another form factor becomes essential to enabling MFA.

Yubico Partner, Ping Identity, offers an Identity as a Service (IDaaS) platform called PingID. With the YubiKey and PingID together, customers receive a comprehensive hardware-backed MFA solution for both high-security and phone-free environments. The joint enterprise-wide solution offers tailored authentication policies for administrators, and at the same time, provides simple, secure access for users.

“Ping Identity’s partnership with Yubico gives an enterprise the convenience and flexibility of mobile app-based or hardware-based MFA to deliver the right level of assurance to match risk across an ever-increasing number of access points. With MFA everywhere these days, admins are looking for a way to centrally manage all MFA use cases. Native support for YubiKey helps an organization get much closer to that goal,” said Edward Killeen, Partner Marketing Manager, Ping Identity.

With PingID, admins easily define advanced authentication policies and layer strong YubiKey MFA when and where needed. This affords users the flexibility to harness hardware-backed protection at any time and from anywhere. PingID’s native support for certified YubiKey hardware and Yubico OTP (one-time password) also enables enterprises to eliminate the need to manually type codes, not only saving time but also improving employee productivity. A strong testament to durability and reliability, the YubiKey does not require batteries or network connectivity, so it is always on and accessible.

Using PingID and the YubiKey together helps enterprises safeguard their most sensitive data, and effectively mitigates the risk of security breaches. For more information on how PingID and the YubiKey work together, download our joint solution brief here or visit yubico.com/works-with/ping-identity/.

Jerrod Chong

Yubico Extends Mobile SDK for iOS to Lightning

Earlier this year, Yubico announced a Mobile SDK for iOS to enable Yubico OTP authentication over NFC on iPhones. Today, we are pleased to announce that we are extending the Yubico Mobile SDK to enable rapid implementation of FIDO U2F over a Lightning connection for iOS apps. We invite developers to join the Yubico Lightning Project to work with us to broaden authentication options for iOS applications.

The reality is, overall usage of mobile devices is on the rise. In fact, 79% of internet use is predicted to be on mobile by the end of 2018. Yubico’s goal has always been to make strong, simple online security truly ubiquitous, regardless of service, device, and/or operating system. However, making a hardware authenticator, such as the YubiKey, work in a secure and seamless way with iOS has been a challenge for us and the rest of the industry over the past few years.

We have researched and prototyped various iOS solutions and believe that NFC (near field communication) and USB are the optimal communication transports for external authenticators because of their security and usability. While it’s always possible that Apple may further open up support for NFC or USB interfaces in the future, access to them is currently limited or unavailable on today’s iOS devices.

The Yubico Lightning Project is designed to address these issues, with rollout in several phases. Phase one introduces our extended Mobile SDK for iOS, which enables developers to add U2F authentication to iOS apps via a Lightning connection. This approach enables apps and services to have out-of-the-box U2F support. Following phases will be communicated in the future.

“Our customers love the security and ease of use of U2F Yubico security keys on their Keeper desktop and web app. Providing this ability to all users on their iPhone and Android devices is an amazing and exciting capability we’ll be ready to deploy as soon as it becomes available,” said Craig Lurey, CTO and Co-Founder of Keeper Security.

“Multi-factor authentication is a must for all organizations, helping to mitigate credential-based attacks and ensuring only the right people have access to the information they need to do their work. By working with companies like Yubico alongside our own MFA offering, we’re able to continue to provide organizations with options for simple, seamless ways to layer security on all of the devices the modern workforce is using today,” said Joe Diamond, Sr. Director of Security Product Marketing, at Okta.

Developers who are interested in taking advantage of strong U2F authentication for iOS apps are invited to sign up here to receive more information about the Lightning Project. We also encourage you to sign up for the Yubico Developer Program mailing list to stay updated on new developer resources as they become available.

Ronnie Manning

Let’s Meet! Catch YubiKey Demos, Developer Resources & More at Black Hat

This week, we’re headed to Las Vegas for none other than the Black Hat Expo, and we’ll be showcasing all kinds of YubiKey goodness. We’ll be at booth #463, so if you’re there stop by to say hello.

Here’s a taste of what you can expect:

Passwordless Login Demos

If you’ve been keeping up with us and the authentication space, you’ll know that a passwordless future is here thanks to the introduction of the new FIDO2 open standard.

Yubico is a core contributor to this standard, and we’ve got a device that can deliver on the passwordless login experience — the Security Key by Yubico. And you guessed it, we’ll be demoing a tap-and-go login flow (no passwords needed) at Black Hat on an Azure Active Directory environment with the Security Key by Yubico. Catch a sneak peek!

New Developer Resources

We’ve been hard at work on our recently launched Yubico Developer Program, and we’re happy to share some of our latest resources with you at BlackHat.

One of our hottest new offerings is our Mobile SDK for iOS. In case you missed it, LastPass leveraged our Mobile SDK for iOS to enable the YubiKey NEO to authenticate to the LastPass iOS app via NFC (we’ll have demos at the booth). The Mobile SDK for iOS is hosted on our developer site and open for all developers to use.

If you haven’t heard about our Developer Program, sign up for our mailing list and we’ll keep you in the loop on what’s new.

Look for me!

Featured YubiKey Integrations

Here at Yubico, we like to say, “The YubiKey works with many, many locks.” We’ve built so much power, security, and usability into one little device, and those features are built upon by all of the services and applications that support the YubiKey.

That’s why we love our technology partners so much. Keep your eyes peeled and see if you can spot the “Works with YubiKey” standees when you’re walking the show floor.

Several of our partners will have these featured at their booths and will be giving demos of their own YubiKey integrations.

If any of this sounds interesting, or even if you’d just like to meet the people behind the key, please come say hi. We’re at booth #463, and we’d love to meet you and talk all things YubiKey.

Jerrod Chong

One Step Closer to Passwordless Login with Microsoft Edge Support for FIDO2 & WebAuthn

The industry moved one step closer to passwordless login with this week’s Microsoft announcement that starting with Microsoft Edge build 17723, the browser will support FIDO2 strong first-factor and multifactor passwordless login, and second-factor authentication.

Now, with Chrome, Firefox, and Edge all engaged to support WebAuthn, we have two-thirds of all major web browsers backing this next-generation protocol. In March this year, the W3C Web Authentication Working Group announced that WebAuthn reached Candidate Recommendation (CR) status, meaning the specification is stable enough that any browser can add interoperable support.

This is exciting news for developers, application creators, and those who want to secure their services with WebAuthn and FIDO2 to enable a passwordless login experience.

As a leading contributor and driver of the FIDO2 and WebAuthn open authentication standards, Yubico is committed to helping the larger developer community navigate implementation. Earlier this year we launched a new Developer Program to help developers rapidly integrate with these new standards. Over 1000 companies have registered to date with the program to find resources to help them become successful in integrating FIDO2. Most recently Yubico hosted an expert FIDO2/WebAuthn webinar series focused specifically on FIDO2 and WebAuthn education and deployment:

  • FIDO2 Authentication Demystified
  • FIDO2 WebAuthn Data Flows, Attestation, and Passwordless Technical Overview
  • FIDO2 WebAuthn Server Validation Technical Overview

With new WebAuthn browser support available in Edge, Chrome, and Firefox, a FIDO2-compatible hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single-factor authentication. WebAuthn still allows for second-factor authentication and also supports the use of a PIN or biometrics with both external and platform authenticators for a multi-factor passwordless login experience.

The FIDO2 momentum is strong and we encourage developers and security architects interested in the new standard to sign up for our Yubico Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. New content is being added on an ongoing basis with the next FIDO2 resources becoming available later this month.

For those that are still unfamiliar with FIDO2 and WebAuthn, visit our latest blog that answers some of the most common questions we’ve received about the standard so far.

(Browser market share percentage via statcounter)

Jerrod Chong

10 Things You’ve Been Wondering About FIDO2, WebAuthn, and a Passwordless World

Armed with a mission to deliver a more secure internet, Yubico has been working closely with Microsoft, Google, the FIDO Alliance and W3C to create and drive open standards that pave the way for the future of passwordless login. FIDO2 is the new standard that enables the replacement of weak password-based authentication with strong hardware-based authentication using public key (asymmetric) cryptography.

FIDO2 has created quite a buzz in the security community, and as with any new technology, there’s always a bit of a learning curve. Earlier this year, we introduced our updated Yubico Developer Program to help developers get up to speed quickly with FIDO2 and WebAuthn.  

In the past few weeks, we have run a FIDO2 webinar series for developers to provide background on the FIDO2 specification and how to implement it. During the course of this webinar series, we have answered many questions about the specifics of the FIDO2 standard and WebAuthn, including how it relates to our new Security Key by Yubico and the evolution of a passwordless world. We wanted to share the most commonly asked questions and answers, which you may also have wondered about.

Are FIDO2 and WebAuthn the same thing? If not, how are they different?

FIDO2 is comprised of two standardized components, a web API (WebAuthn) and a Client to Authenticator Protocol (CTAP). The two work together and are both required to achieve a passwordless login experience. The earlier FIDO U2F protocol for external authenticators has been renamed CTAP1 in the WebAuthn specifications.

Chrome and Firefox announcing client-side support for the WebAuthn API and CTAP1, together with Dropbox integrating with the WebAuthn API, has kicked off a flurry of integration activity by other services. Most recently, Microsoft Edge released support for the WebAuthn API, CTAP1 and CTAP2, making it the browser with the widest authentication support.

Is FIDO2 backwards-compatible with current YubiKey models?

The WebAuthn component of FIDO2 is backwards-compatible with FIDO U2F authenticators via the CTAP1 protocol in the WebAuthn specifications. This means that all previously certified FIDO U2F Security Keys and YubiKeys will continue to work as a second-factor authentication login experience with web browsers and online services supporting WebAuthn.

The new FIDO2 passwordless experience will require the additional functionality of CTAP2, which is currently only offered in the new Security Key by Yubico. CTAP2 is not supported in previous FIDO U2F Security Keys, the current YubiKey 4 Series, or the YubiKey NEO.

Is FIDO2 considered single factor, two-factor or multi-factor authentication?

Login with a FIDO2-enabled hardware device, such as the Security Key by Yubico, offers a greater choice for strong authentication including:

  • single factor passwordless
  • two-factor (2FA)
  • multi-factor authentication (MFA)

With FIDO2, a hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single factor authentication. Users can also continue to use the Security Key by Yubico as a second factor. Finally, for added security, a FIDO2 hardware authenticator can be combined with an additional factor, such as a PIN or biometric gesture, to enable strong multi-factor authentication.

How secure is FIDO2 compared to FIDO U2F and other 2FA solutions?

Single-factor login with FIDO2 is strong authentication on its own. In many cases, this single-factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely when using FIDO2. FIDO2 single factor uses the same strong public key cryptography with origin checking to prevent phishing as FIDO U2F, but with the additional convenience of not needing a username and password as the first factor to identify the user.

Will FIDO U2F become obsolete with the expansion of FIDO2?

FIDO2 WebAuthn is backwards compatible with FIDO U2F authenticators, so over time, we expect FIDO2 will subsume FIDO U2F.

Is there an option to use FIDO2 in conjunction with an additional factor such as a pin or biometrics? Is this recommended?

Hardware authenticators supporting CTAP2 can add user verification by requiring users to use a PIN or biometric to unlock the hardware authenticator so it can perform its role. This preference is primarily dependent on the implementor’s threat vectors as well as use cases. For example, a large banking institution may want to consider the use of a PIN in conjunction with a security key for a higher level of assurance, while a warehouse-based shared kiosk environment may not.

The Security Key by Yubico implements the full CTAP2 specification and supports several passwordless experiences, including single factor touch-and-go using the hardware authenticator (no need for a username) as well as use of a PIN combined with a touch of the hardware authenticator.

What’s the difference between a PIN and password?

As stated above, one of the allowances with FIDO2 is the option to combine hardware-based authentication with an additional factor such as a PIN. This has many of you wondering, “Well, isn’t that the same as needing to remember a password?”

A PIN is actually different from a password. The purpose of the PIN is to unlock the Security Key so it can perform its role. A PIN is stored locally on the device, and is never sent across the network. In contrast, a password is sent across a network to the service for validation, and that can be phished. In addition, since the PIN is not part of the security context for remotely authenticating the user, the PIN does not need the same security requirements as passwords that are sent across the network for verification. This means that a PIN can be much simpler and shorter, and does not need to change often, which reduces concerns and IT support loads for reset and recovery. Therefore, the hardware authenticator with a PIN provides a passwordless, phishing-resistant solution for authentication.

How does FIDO2 affect a company’s password policy of replacing passwords every 90 days?

With FIDO2, there’s no need to replace passwords, as there are no passwords required.

For those combining a hardware authenticator with a PIN, it’s important to note that PINs do not demand the same security requirement as a password. A PIN and a password are different. Since a PIN is not part of the security context for remotely authenticating the user (the PIN is not sent over the network for verification), it can be much simpler and less complex than a password, and does not need to be changed with the same frequency (or at all), which eases enterprise concerns about PIN reset and recovery.

What services provide support for FIDO2? When can we expect additional services to roll out support?

Chrome, Firefox, and Dropbox have implemented support for WebAuthn second-factor login flow. Beginning with build 17723, Microsoft Edge now supports the candidate release version of WebAuthn. This latest version of Edge is able to support FIDO2 strong single factor and multi-factor authentication, in addition to the second factor. The Yubico Developer Program offers comprehensive resources for those interested in adding support for FIDO2.

What if I lose my Security Key by Yubico? Without a password, am I locked out of my account?

Best practice is always to ensure that you have a backup Security Key in place, should you misplace your primary device. The Security Key by Yubico contains no identifiable information, so if it were to be found, it could not immediately be used to login without knowing the identity of the owner and to which accounts it is registered. The reality is that the primary attack vector for consumers and enterprises is remote account takeover — whether by credential theft, phishing scams, or man-in-the-middle attacks. FIDO2 and the Security Key by Yubico are specifically designed to protect against these types of threats.

For those who are concerned with physical threats, the option is there to require multi-factor authentication using a PIN for additional protection. That way, if someone obtains a stolen Security Key, they will still need to know which accounts it is registered with, and also have access to your additional factor (PIN) to be able to log in.

A significant benefit of an open authentication standard is that the number of implementations are limitless. With Microsoft Edge, Google Chrome and Mozilla Firefox working as the client and Dropbox working as the service, all have announced WebAuthn support with many more in the works. We’re well on our way to the future of passwordless login!

Do you want to be a part of the future of passwordless login?

If you are a developer who is interested in adding support for FIDO2, sign up for our Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. Also, our series of FIDO2 virtual events is now available for on-demand viewing.

If you’d like to read more about FIDO2, check out our recent blog post, “What is FIDO2?”

Alex Yakubov

Accountants Protecting Sensitive Data and Yubico Developer Program Updates

We just received some stats from our friends over at QuickBooks—the number of apps used by the Small Business Market is projected to grow threefold in the next few years. The QuickBooks Online Community is comprised of more than 3.2 million small businesses, 200 thousand accountants/bookkeepers, and thousands of 3rd party app developers. That’s a lot of apps and accounts with access to sensitive data!

With similar visions and missions targeted at developers, it’s about time we joined forces to share tips and resources across communities. Join Yubico and Intuit’s David Leary, host of the Intuit Developer Friday Morning Hangout, this Friday at 9am PT for a chat about YubiKeys and why security is vital to the QuickBooks Online Ecosystem of small business owners, accountants, bookkeepers, and 3rd party app developers.

Check out this video to learn more about the QuickBooks Online Ecosystem and APIs:

Yubico Developer Program Updates

The Yubico team is continuously improving the Yubico Developer Program with input and feedback received directly from our community members. We appreciate hearing from so many of you since announcing our revamp plans earlier this year. Top requests include more instructional content, code samples in additional languages, a path to obtain early access to alpha/beta hardware, guidance on how to connect with other developers, and general clarity on the developer program. We’re actively working on each of these areas and look forward to your continued feedback and input.

In case you missed it: We recently hosted three instructional webinars on FIDO2, which you can view on demand here. Also, today, we expanded our mailing list to include the option to select the types of email communications you choose to receive from us. The different sub-categories include a Developer Program Updates newsletter, product announcements, surveys, event invitations, and alpha/beta program invitations. Fear not — this doesn't mean we're going to email you at all hours of the day. It's important to us that you only receive the types of communications you care about most.

You can join the Yubico Developer Program mailing list here. Shortly after, you'll receive a welcome email and the ability to manage your email preferences. View a copy of our July Newsletter here.

Curious about the Yubico Developer Program? Learn more here and check out our developer site, including how to connect with the Yubico developer community.

Stina Ehrensvard

The Key to Trust

As the principal inventor behind both the Security Key and the U2F protocol, Yubico is a true supporter of open standards. To realize our mission of making secure login ubiquitous, we designed the original Security Key, and provided the majority of the open source code and test tools for FIDO U2F and the latest version of the standard, FIDO2, which offers a passwordless experience.

Innovation is core to all we do, and as the ecosystem continues to mature, U2F and FIDO2 functionality will come in many different form factors, communications methods (USB/BLE/NFC) and features, from Yubico and others.

Over the past several years, Google has deployed hundreds of thousands of FIDO U2F-enabled Yubico devices internally with amazing results. Today, Google released their own version of a security key, and while we have received the question of whether we were part of its production, these devices are not manufactured by Yubico.

Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.

Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Yubico is a believer in NFC, and the YubiKey NEO design has proven at scale to deliver a superior contactless user experience for U2F. Also, Yubico will soon announce another secure and user-friendly solution for iOS.

YubiKey authentication devices

The FIDO U2F and FIDO2 standards work has been a long, challenging and inspiring journey convincing and engaging all leading platforms and browsers to subscribe to the Yubico mission: to make secure login easy and available for everyone.  

U2F is just one tool in the YubiKey toolbox. Today, the majority of our customers use our multi-function YubiKeys across multiple applications, services, and operating systems. In addition to FIDO U2F, we offer smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP, in a single device, over both USB and NFC, as well as in USB-C form factors. 

Yubico continues to work closely with Microsoft, Google and the global open standards community on FIDO2, the passwordless evolution of U2F. This next-generation standard enables the option to use a security key as a single factor, with an optional PIN or biometrics on the user device, removing the need for service providers to store and manage passwords.

We will continue to create market defining authentication products, which we are currently demonstrating at Google Cloud Next, booth #S1426. We welcome you to join us.

Ronnie Manning

5 Simple Ways to Get Started with Your YubiKey

What are your go-to apps? There are several applications and services that many of us use weekly, and in most cases, daily — Gmail, Facebook, Dropbox, a password manager — and the good news is that all of these support the YubiKey for strong authentication. And now, there is one more to add to the list!   

As of last month, Twitter users can now protect their accounts with FIDO U2F two-factor authentication using a YubiKey or Security Key by Yubico. This new feature is now available to all 328 million of Twitter’s monthly active users for both personal and business accounts.

Twitter has some simple setup instructions here for using the key on your computer. Once you register your YubiKey with Twitter, you will be required to present the key each time you log in to your account in the future. It will ask for your username and password, and then it will ask for your YubiKey. Just insert the YubiKey into your computer’s USB port and, after it starts blinking, tap it.

The YubiKey NEO is our mobile-friendly device that is equipped with near field communication (NFC). This works by just tapping the YubiKey NEO to the back of your phone. However, Twitter does not yet have support for the YubiKey in their mobile app, but we hope that this will be a feature they add in the near future.

The YubiKey is great for protecting against remote hackers trying to access your account, but you may be thinking, “What if I forget my key?” Twitter has it set up for you to have a backup form of two-factor authentication on your account as well. For example, you could use Google Authenticator or our Yubico Authenticator app to set up your backup on a second YubiKey. These forms of authentication will also be useful for mobile users. That way, you can use a YubiKey on your computer and an authenticator app for your phone.

Best practice is to have multiple YubiKeys set up for your accounts. One on your keychain, or one in your wallet, or one in a safe place at home will help to make sure you’ve always got a backup YubiKey nearby. Many services let users set up multiple YubiKeys with their account for this very reason. Twitter only allows one key at the moment. If you want more than one YubiKey on your Twitter account, or would like to have YubiKey support on mobile, help us out by sending a tweet to tell them what you’d like to see.

One of the best features of the YubiKey is that you can use just one key for any number of services and accounts. Here are the instructions on how to quickly get your other accounts secured with a YubiKey:

Google: Fun fact. Google was the first web service to support the use of U2F and YubiKeys. See how to get started with Google and the YubiKey here.

Facebook: Don’t make the mistake of overlooking the need to protect this social media account. Facebook contains a lot of personally identifiable information that can be used to advance a hacker’s efforts. See how to get started with Facebook and the YubiKey here.

Dropbox: Whether you’re sharing vacation photos or business documents, make sure your files stay safe from prying eyes. See how to get started with Dropbox and YubiKey here.

Password Managers: Did you know that the YubiKey works with 17 password managers? See how to get started with your favorite password manager and the YubiKey here.

Don’t see one of your favorites? Don’t worry. We have plenty of other services — for individual users and businesses — that support the YubiKey. You can see the full list here.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best!

Ronnie Manning

Stina Ehrensvard Wins 2018 Female Executive of the Year

Today, we are excited to announce that Yubico’s CEO and Founder, Stina Ehrensvard, was named Female Executive of the Year by the Women World Awards for the second year in a row!

This news comes on the heels of several major announcements that we’ve shared over the past few weeks — YubiKey for iOS, FIPS 140-2 YubiKey Series, Andreessen Horowitz investment, FIDO2 passwordless logins — and we couldn’t be happier to keep the momentum going by celebrating Yubico’s founder and the milestones we’ve achieved together.

The Women World Awards are an annual industry and peers recognition program honoring women in business and the professions and organizations of all types and sizes from around the world. The program encompasses the world’s best in leadership, innovation, organizational performance, and new products and services from every major industry in the world.

The Female Executive of the Year category highlights individual women whose accomplishments in the last year set an impressive standard for the company as well as industry norms. Stina was selected as the Gold Winner in this category due to her significant contributions and innovations to advance the current state of internet security. Most notably, Yubico’s work in developing FIDO2 and driving new paths for the next generation of online security: passwordless logins.

“It’s an honor to be named a winner by Women World Awards,” said Stina. “These awards are an encouraging reminder that each year, Yubico is one step closer to seeing our vision of a safer internet for all become a reality. I’m proud of everything the Yubico team has done to get us there, and has been able to accomplish over the last year.”

To read more about Stina’s entrepreneurial journey and Yubico’s mission, check out her recent interview with Compelo magazine.

Jerrod Chong

Now available! FIPS 140-2 validated YubiKey series

Today, we’re excited to announce the certification and availability of our YubiKey FIPS series, the first multi-protocol FIPS 140-2 validated security keys.

FIPS 140-2 is a US government computer security standard, published by the National Institute of Standards and Technology (NIST), that covers the use of cryptographic functionality such as encryption, authentication, and digital signatures. The FIPS 140-2 validated YubiKeys meet the most stringent security requirements of US federal agencies.

The YubiKey FIPS Series includes keychain and nano form-factors for USB-A and USB-C interfaces.

The YubiKey FIPS series uses the YubiKey 4 Cryptographic Module, which received FIPS 140-2 validation at Overall Level 2, Physical Security Level 3, with certificate number 3204. At this level, the YubiKey FIPS series meets Authenticator Assurance Level 3 (AAL3) as defined in NIST SP800-63B, which enables compliance with Federal Risk and Authorization Management Program (FedRAMP) and Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

FIPS certification is essential for many branches of the US government and contractors, in addition to those in the private sector that collect and transmit sensitive but unclassified (SBU) information.

The YubiKey FIPS Series hardware authentication devices include keychain and nano form-factors for USB-A and USB-C interfaces. The YubiKey FIPS Series is the only FIPS validated multi-protocol security key in the market supporting five authentication protocols: FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP. Now, federal entities and federal-compliant enterprises can comply with the high assurance security requirements for on-premise or cloud deployments using the YubiKey FIPS Series.

Companies including Google, Facebook, Salesforce and thousands more trust the YubiKey to protect account access to computers, networks and online services. Now, we are able to deliver the same simple, trusted protection as a FIPS validated solution.

For more information and technical details on the new product line, visit the YubiKey FIPS page. Starting at $46, YubiKey FIPS Series security keys are available now for purchase online at the Yubico store or by contacting Yubico Sales.

WebUSB in Google Chrome and Responsible Disclosure

Authored by Venkat Venkataraju & Jesper Johansson

Yubico Blog Update and Statement – 6/18/18

On June 13, 2018 we published this blog post and security advisory regarding WebUSB issues in Chrome. In hindsight we realize that we did not give enough credit in our blog post and security advisory to the foundational work done by Markus Vervier and Michele Orrù, who highlighted and demonstrated the first security vulnerability in WebUSB at OffensiveCon, and which was subsequently written up in a WIRED article. After posting, we communicated with them, apologized for this, and made updates to the blog post and security advisory to make sure proper credit was given.

Building on the publicly available information about work by Markus and Michele described in the article, Yubico investigated the issue and developed our own proof of concept (PoC) test tools. In the process we discovered additional issues with WebUSB and began outreach with Google on March 1st. Yubico first spoke with the researchers on March 2nd. The formal bug report which Yubico submitted to Google on March 5th, referenced the OffensiveCon talk by Markus and Michele and their original public announcement of the CCID issue in the first sentence. We submitted this privately to protect our customers and the broader U2F ecosystem.

Markus and Michele’s research provided a critical foundation, and we made a mistake by not clearly acknowledging them for their original research in our security advisory. We learned only on June 13, after we published our advisory, that Markus and Michele also discovered and reported HID issues to Google. We understand that better communication after the issue was fixed would have ensured that all parties were in sync, and will use this as an opportunity for improvement.

Yubico has always strived to be transparent and we regret the missed opportunity to work more collaboratively with Markus and Michele. Historically, Yubico has worked closely with security researchers across the globe and we are committed to continue to do so.

----- end update -----

To improve the entire security ecosystem, Yubico is a strong believer in responsible disclosure practices. We believe that the best outcome happens when security researchers confidentially provide research and reporting to an impacted company, so a fix can be in place before any public disclosure to help protect users from the exploitation of the vulnerability.

This year, Yubico worked with Google under responsible disclosure to address WebUSB vulnerabilities in Google Chrome that affected the entire ecosystem of FIDO U2F authenticators, manufactured by Yubico as well as other vendors.

The original issue first surfaced in a news article in March 2018 describing how security researchers Markus Vervier and Michele Orrù had demonstrated how to circumvent the FIDO U2F origin check using WebUSB functionality in Google Chrome and the YubiKey NEO’s USB CCID U2F interface.

Once Yubico was informed of the CCID issue, our own researchers quickly discovered there was a broader set of security concerns within WebUSB that affected the entire ecosystem of FIDO U2F authenticators. To help protect the U2F ecosystem, we disclosed these issues to Google in early March and worked closely with their engineering teams on a mitigation plan to address this issue and secure all U2F customers.

With the May 29, 2018 release of Chrome 67, Google fixed the WebUSB vulnerability and the issue could no longer affect any (Yubico or other) U2F authenticators. To read the detailed report of the WebUSB issue in Chrome, please visit our Security Advisories page for full analysis.

For this research and disclosure, Google awarded Yubico a bug bounty in the amount of $5,000, which Yubico has opted to donate to charity. Yubico chose Girls Who Code, a non-profit that aims to support and increase the number of women in computer science. Additionally, Google has matched the donation with another $5,000, resulting in a $10,000 donation to Girls Who Code, to further support efforts at increasing diversity in our field.

The security ecosystem is only as strong as the weakest link, and if we, as a community of vendors and security researchers, effectively and respectfully work together, we can secure not only end users, but the entire ecosystem from continually evolving threats.

For the protection of everyone, we encourage all researchers to responsibly disclose any discovered security concerns to the affected company so they may implement a fix before any public disclosure. To contact the security team at Yubico please email security@yubico.com.


June 13th Update:
We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google. We were not aware of this at the time; we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem.


Alex Yakubov

Yubico showcases FIDO2 at InfoSecurity Europe 2018

We’re gearing up for Europe’s biggest information security event of the year: InfoSecurity Europe 2018. Following our announcement with Microsoft at RSA 2018, we’re excited to showcase in Europe the new use cases made possible by the FIDO2 standard, including passwordless single factor, second factor and multi-factor authentication. Come see the new Security Key by Yubico in action at booth J120 at Olympia London from June 5 to 7. Yubico will be demonstrating passwordless login on Windows 10 and the latest iOS mobile offering with LastPass.

Along with the recent announcement of our new FIDO2-enabled security key, we introduced a new Yubico Developer Program with a FIDO2 track. InfoSecurity Europe attendees (and those who are reading this blog) can sign up for early access to resources to support implementation of FIDO2, including the first How-to FIDO2 webinar scheduled for June 14.

Also, joining us in the exhibit hall are five Yubico Technology Partners. Stop by the Yubico booth to learn about these valuable partnerships. We also encourage you to visit their booths, see what they have to offer, and the integration of the YubiKey with their services!


Not attending the event? Learn more about these partnerships by clicking the logos.