White paper: Bridge to Passwordless best practices
Most organizations work with multiple services and applications, and thus different authentication protocols, to meet all their security needs. Oftentimes, the protocol is predetermined by the application or service provider. However, in other cases, a business or systems integrator has some flexibility on which integration approach or third party to use. When it comes to authentication choices, there is typically no such thing as a silver bullet. The YubiKey was designed with this in mind to support multiple methods for authentication, enabling users and integrators to utilize the best method for each solution.
YubiKeys have multiple authentication protocols, spanning One-Time Passwords (OTP), CCID (smart card), and Universal 2nd Factor (U2F). Each protocol has support for different services and apps, much like a toolbox, allowing the user to select the correct tool for the task at hand.
OTP supports protocols where a single use code is entered to provide authentication. These protocols tend to be older and more widely supported in legacy applications. The YubiKey communicates via the HID keyboard interface, sending output as a series of keystrokes. This means OTP protocols can work across all OS/Environments that support USB keyboards, as well as with any app that can accept keyboard input. Some common services that use OTPs are network devices like VPNs and local authentication services with user login, as support for OTPs tend to be the most straightforward to integrate.
CCID, or smart cards as their interface is more commonly called, is another supported protocol on the YubiKey. The YubiKey identifies itself as a smart card reader with a smart card plugged in, so it will work with most common smart card drivers. Windows has native support, Linux has the OpenSC project, and macOS has support for smart cards natively on Sierra (10.12) and higher. The YubiKey allows 3 different CCID protocols to be used simultaneously – PIV, as defined by the NIST standard for authentication; OpenPGP for encryption, decryption, and signing; and OATH, for client apps like Yubico Authenticator and Windows Hello. The open source nature of the supported smart card protocols make them ideal for integrating with existing environments, such as Windows Authentication, Active Directory Federated Services, SSH or OpenPGP, and derived services.
FIDO U2F is the newest protocol supported by the YubiKey. Developed by Yubico and Google, the U2F protocol provides strong authentication without requiring a complex backend or framework to support it. Turning traditional authentication on its head, FIDO U2F makes the authentication device (like the YubiKey) the authentication provider. It issues unique keys to the services it is authenticating against, ensures each service does not have any information about the others, and removes the need for a central authentication service. With FIDO 2.0, the specification is growing to meet evolving industry needs, while ensuring that the previous generation is not rendered obsolete. The security built into the U2F protocol makes it ideal for web applications or customer-facing apps, which may be exposed to attacks on the information in transit between the user client and server.
Each protocol has strengths and weaknesses, restricting the situations where each one is most effective. However, the YubiKey resolves this limitation by supporting all of the different protocols on a single device, all at the same time. Like a carpenter using the right tool in his toolbox for the job at hand, users and integrators are able to secure their applications and services with the YubiKey using the appropriate protocol for each environment.
To learn more about the protocols supported by the YubiKey, please refer to our Developer site.