YubiKey NEO & FIDO U2F: One Key for All Apps

October 13, 2014 4 minute read

I’ve been in this business for a long time and watched a lot of promise collapse and a fair number of snake oil salesmen flourish.

Strong authentication is one of those technology conundrums that always seems to be partially solved. The drawbacks of traditional one-time passcodes are well understood and we’ve always truly known their shelf life was limited.

I have been searching for something that would be more appropriate in today’s Internet, that would move past “partially solved” and would blossom into elegant simplicity spanning the technology, the plumbing and the user.

My eyes were opened to the answer while watching a room full of engineers work with their code — checking out, checking in, deploying live —and authenticating each time as they supported a massive cloud service that counts billions of users around the globe.

To cross each virtual security boundary the engineers simply press a small flashing Yubico YubiKey tucked into their USB ports to activate strong authentication. They were taking advantage of their body’s ability to hold an electrical charge and trigger a capacitance sensor.

A few years ago when I first saw this technology, I underestimated the capacitive touch. I did not think it had the needed security properties, but what I missed was how important it was to the end-user.

Once I realized that error, I began adding in the significance of the hermetically sealed, driverless YubiKey that is impervious to viruses and malware. I thought about its improvements over second-factor mobile devices that hackers can compromise, and over single sign-on, where conventional wisdom says authentication should happen as infrequently as possible then shared across domains boundaries.

I now understand security isn’t about limiting authentications but making hundreds, even thousands of them per day as easy as pushing another key on a computer keyboard. It’s a user-experience that requires zero training, even for technology’s bellwether grandmothers.

In addition, a previously missing piece is coming into focus with the FIDO Alliance’s Universal Second Factor (U2F) protocol, adding the standards-layer to enable one key to authenticate to all applications in our ecosystems while maintaining trust and end-user privacy.

Today, Yubico is releasing its YubiKey NEO with support for U2F and delivering it in two form-factors. This key will hold the promise of a significantly more secure online consumer experience, and a dramatic increase in enterprise security and ease-of-use.

This combination of all these factors (pun intended) leads me to believe we have our device and our extended shelf life for a proper “what you have” factor from a multi-factor authentication perspective.

And it has been a powerful enough epiphany for me after 30 years promoting and advancing strong authentication that I have joined Yubico as Chief Business Officer to explore this innovation and see it through to what I believe will be its rightful place in the security landscape.

As you will see in the coming weeks, my faith in these advancements will be validated by some of the most successful and influential Internet companies with arguably the largest end-user populations on the planet.

We can now challenge conventional wisdom around authenticating once then propagating credentials. I am a firm believer in SSO technology for gluing together computing across boundaries and would argue our SSO engines should play the primary role in directing identity traffic. They are, and will remain, essential in modern web architectures.

But, I argue fresh primary credentials trump older secondary credentials every time.  Application designers have never thought of a world where it is possible or desirable to verify primary credentials not just one time but many times. That world is coming into focus and I’m exited to have a front row seat, again.

Share this article:

Recommended content

Thumbnail

Built-in FIDO authenticators and YubiKeys are making the internet safer for all

In 2007, Yubico set out to protect as many people as possible by making secure login easy and available for everyone. We are happy Apple has joined Yubico, Google, and Microsoft on this journey by implementing W3C WebAuthn/FIDO compatible platform authenticators and are pleased to say that now all major platforms have adopted the standards ...

What is DNS Spoofing?

Learn More What is phishing? And how to prevent it 5 best practices for companies serious about data privacy What is a data breach? Developer Resources What is U2F? Developer FAQ

What is a Man-in-the-Middle (MiTM) Attack?

Learn More Why the YubiKey wins Creating the unphishable security key Developer Resources Security breaches and webauthn

What is FIDO U2F?

Where did U2F come from? U2F was created by Google and Yubico, and support from NXP, with the vision to take strong public key crypto to the mass market. Today, the technical specifications are hosted by the open-authentication industry consortium known as the FIDO Alliance. U2F has been successfully deployed by large scale services, including Facebook, Gmail, Dropbox, GitHub, and many more. Click here for a ...