Flexible Modern Authentication with the Multi-Protocol YubiKey

July 5, 2017 3 minute read

Most organizations work with multiple services and applications, and thus different authentication protocols, to meet all their security needs. Oftentimes, the protocol is predetermined by the application or service provider. However, in other cases, a business or systems integrator has some flexibility on which integration approach or third party to use. When it comes to authentication choices, there is typically no such thing as a silver bullet. The YubiKey was designed with this in mind to support multiple methods for authentication, enabling users and integrators to utilize the best method for each solution.

YubiKeys have multiple authentication protocols, spanning One-Time Passwords (OTP), CCID (smart card), and Universal 2nd Factor (U2F). Each protocol has support for different services and apps, much like a toolbox, allowing the user to select the correct tool for the task at hand.

OTP supports protocols where a single use code is entered to provide authentication. These protocols tend to be older and more widely supported in legacy applications. The YubiKey communicates via the HID keyboard interface, sending output as a series of keystrokes. This means OTP protocols can work across all OS/Environments that support USB keyboards, as well as with any app that can accept keyboard input. Some common services that use OTPs are network devices like VPNs and local authentication services with user login, as support for OTPs tend to be the most straightforward to integrate.

CCID, or smart cards as their interface is more commonly called, is another supported protocol on the YubiKey. The YubiKey identifies itself as a smart card reader with a smart card plugged in, so it will work with most common smart card drivers. Windows has native support, Linux has the OpenSC project, and macOS has support for smart cards natively on Sierra (10.12) and higher. The YubiKey allows 3 different CCID protocols to be used simultaneously – PIV, as defined by the NIST standard for authentication; OpenPGP for encryption, decryption, and signing; and OATH, for client apps like Yubico Authenticator and Windows Hello. The open source nature of the supported smart card protocols make them ideal for integrating with existing environments, such as Windows Authentication, Active Directory Federated Services, SSH or OpenPGP, and derived services.

FIDO U2F is the newest protocol supported by the YubiKey. Developed by Yubico and Google, the U2F protocol provides strong authentication without requiring a complex backend or framework to support it. Turning traditional authentication on its head, FIDO U2F makes the authentication device (like the YubiKey) the authentication provider. It issues unique keys to the services it is authenticating against, ensures each service does not have any information about the others, and removes the need for a central authentication service. With FIDO 2.0, the specification is growing to meet evolving industry needs, while ensuring that the previous generation is not rendered obsolete. The security built into the U2F protocol makes it ideal for web applications or customer-facing apps, which may be exposed to attacks on the information in transit between the user client and server.

Each protocol has strengths and weaknesses, restricting the situations where each one is most effective. However, the YubiKey resolves this limitation by supporting all of the different protocols on a single device, all at the same time. Like a carpenter using the right tool in his toolbox for the job at hand, users and integrators are able to secure their applications and services with the YubiKey using the appropriate protocol for each environment.

To learn more about the protocols supported by the YubiKey, please refer to our Developer site.

Share this article:

Recommended content

Thumbnail

Future-Proofing Authentication and Compliance for Healthcare Organizations

Healthcare continues to remain one of the most highly targeted industries by cyber criminals. In fact, with the COVID-19 pandemic, the industry has seen a doubling of the number of cyber attacks – attacks which are both costly ($9.23 million, on average) and disruptive. What’s even more troubling is that these attacks are likely to ...

Thumbnail

GitHub no longer accepts passwords for Git authentication, secure your accounts with YubiKey

GitHub has been a longstanding supporter of strong security for its customers and developer communities. From its most recent support for using U2F and FIDO2 security keys for SSH, to its 2019 announcement of Web Authentication (WebAuthn) support for security keys and 2015 Universal Second Factor (U2F) support, the company has continued to give its ...

Thumbnail

Everything you need to know about the revised eIDAS regulation

In June 2021, the EU Commission announced its plans for a revised eIDAS regulation. eIDAS (electronic IDentification, Authentication and trust Services) is the EU regulation 910/2014 on electronic identification and trust services in the EU. It came into force in 2014, so the revision is a major update to eIDAS. The past two years the ...

Thumbnail

Yubico brings the YubiKey to the .NET ecosystem with its new desktop SDK

In continuation with our mission to bring strong authentication to the world, Yubico is excited to announce that integrating the YubiKey into your .NET application or workflow will now be easier than ever before. This is enabled with the introduction of the new YubiKey SDK for Desktop. With this Desktop SDK, you can now add ...