Showing results for: Yubico Developer Program

Intuit Developer Hangout Blog Crown
Alex Yakubov

Accountants Protecting Sensitive Data and Yubico Developer Program Updates

We just received some stats from our friends over at QuickBooks—the number of apps used by the Small Business Market is projected to grow threefold in the next few years. The QuickBooks Online Community is comprised of more than 3.2 million small businesses, 200 thousand accountants/bookkeepers, and thousands of 3rd party app developers. That’s a lot of apps and accounts with access to sensitive data!

With similar visions and missions targeted at developers, it’s about time we joined forces to share tips and resources across communities. Join Yubico and Intuit’s David Leary, host of the Intuit Developer Friday Morning Hangout, this Friday at 9am PT for a chat about YubiKeys and why security is vital to the QuickBooks Online Ecosystem of small business owners, accountants, bookkeepers, and 3rd party app developers.

Check out this video to learn more about the QuickBooks Online Ecosystem and APIs:

Yubico Developer Program Updates

The Yubico team is continuously improving the Yubico Developer Program with input and feedback received directly from our community members. We appreciate hearing from so many of you since announcing our revamp plans earlier this year. Top requests include more instructional content, code samples in additional languages, a path to obtain early access to alpha/beta hardware, guidance on how to connect with other developers, and general clarity on the developer program. We’re actively working on each of these areas and look forward to your continued feedback and input.

In case you missed it: We recently hosted three instructional webinars on FIDO2, which you can view on demand here. Also, today, we expanded our mailing list to include the option to select the types of email communications you choose to receive from us. The different sub-categories include a Developer Program Updates newsletter, product announcements, surveys, event invitations, and alpha/beta program invitations. Fear not — this doesn't mean we're going to email you at all hours of the day. It's important to us that you only receive the types of communications you care about most.

You can join the Yubico Developer Program mailing list here. Shortly after, you'll receive a welcome email and the ability to manage your email preferences. View a copy of our July Newsletter here.

Curious about the Yubico Developer Program? Learn more here and check out our developer site, including how to connect with the Yubico developer community.

Stina Ehrensvard

What is FIDO2?

Last month, open authentication standards reached an important milestone; Microsoft launched support for FIDO2 and CTAP, and the World Wide Web Consortium (W3C) won approval for WebAuthn. Since then, Yubico has received questions on how these efforts are related, what role FIDO U2F and Yubico have in the mix, and what organizations can implement now — and in the future — to enable simple, strong authentication for employees and end-users. This blog will bring some clarity to those questions.

What is the difference between FIDO U2F and FIDO2?

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.

Essentially, FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.

What is WebAuthn & CTAP?

A new, extensible web authentication API, called Webauthn, has been developed within W3C, which supports both existing FIDO U2F and upcoming FIDO2 credentials.

The FIDO U2F client-side protocol has been renamed CTAP1, and a new, extensible client-to-authenticator protocol (CTAP2) has been developed to allow for external authenticators (tokens, phones, smart cards etc.) to interface with FIDO2-enabled browsers and Operating Systems

WebAuthn and CTAP2 are both required to deliver the FIDO2 passwordless login experience, but WebAuthn still supports FIDO U2F authenticators, since CTAP1 is also part of the WebAuthn specification.

How can organizations deploy FIDO2?

So, what can organizations do if they are aiming to provide support for FIDO2? We recommend making support for WebAuthn as it works with existing FIDO U2F authenticators and also FIDO 2 authenticators.

Mozilla Firefox 60 recently added support for WebAuthn, Chrome 67 will be shipping with WebAuthn support in the near future, and Microsoft has already announced they will support WebAuthn in Edge browsers. The U2F web API continues to work for U2F authenticators, but is limited to the Chrome and Opera browsers.

To evaluate WebAuthn with FIDO U2F and FIDO2 authenticators today, Yubico offers a test service at, and soon we will provide more complete open source FIDO2 servers on GitHub. Organizations can sign up for updates from the Yubico Developer Program to get information on FIDO2 and WebAuthn resources.

So, what’s our role in all of this?

From Yubico’s perspective, we’re proud and pleased to see our vision of one single security key to any number of services become a reality. We’ve watched this vision progress from our launch of the first YubiKey in 2008, to early U2F development in 2011, to the launch of FIDO2 in 2018.

With WebAuthn providing a seamless evolution from U2F to FIDO2, and with upcoming support for built-in authenticators and additional use-cases, WebAuthn becomes the center of a ubiquitous ecosystem for authentication.

Our mission has always been to drive standards and adoption by providing technical specifications, open source components, and developer tools; and to be the gold standard for authenticators. With the open standards ecosystem growing, we see the vision of providing strong authentication for everyone coming true.

Interested in exploring FIDO2 and passwordless login? Get started today with the Security Key by Yubico.

Ronnie Manning

Yubico at RSA 2018: Passwordless Logins, Developer Programs, and More

Heading to RSA in San Francisco next week? We’ll be there too, celebrating our 10th year at the conference!

Be sure to stop by Booth #S2241 to see all the awesome things we will be showing, and if you haven’t registered for the conference yet, use this code (X8EYUBIC) for a free expo pass on us.  

An industry first, we are showcasing passwordless login with the just released Security Key by Yubico, the first hardware authentication device to support both FIDO U2F and FIDO2. Yubico is a leading contributor to the new FIDO2 open authentication standard which shares many of the same characteristics as FIDO U2F: public key cryptography, no shared secrets, and no drivers or client software. However, with FIDO2, there’s no need for passwords as user credentials are tied directly to the Security Key. The device can also be conveniently paired with PINs, biometrics, or other human gestures as an additional factor.

At Yubico we’re constantly innovating to make simple, secure authentication a standard for the industry. Along with the announcement of our new FIDO2-enabled security key, we are also announcing our new Yubico Developer Program to provide resources for rapidly enabling strong authentication in web and mobile applications across all our supported protocols including FIDO U2F, PIV (smart card), OpenPGP, OTP (one-time password), the new FIDO2 protocol and for the YubiHSM2. Developer resources include workshops, webinars, implementation guides, reference code, APIs and SDKs. RSA attendees (and those who are reading this blog) will be able to sign up for early access to resources to support implementation of FIDO2.

We also invite you to join our CEO & Founder, Stina Ehrensvärd, and SVP of Product, Jerrod Chong, who will be speaking on the importance of strong authentication for today and tomorrow’s cyber landscape.

Stina’s speaking session at CyberScoop’s Cyber Talks

  • 10 Percent Is Too Little: Time to Pay Attention to Two-Factor Authentication
  • Monday, April 16 at 11:20am PT
  • Four Seasons Hotel San Francisco

Jerrod’s speaking session at Security B-Sides SF

  • Simple. Open. Mobile: A Look at the Future of Strong Authentication
  • Monday, April 16 at 11:00am PT
  • City View at Metreon

Yubico is extremely proud of  what we’ve accomplished over the last ten years. The YubiKey is used by millions around the globe and works with hundreds of services right out of the box, and this number is rapidly growing. That’s one key for an unlimited number of personal or business accounts.

At RSA, be on the lookout for Yubico Technology Partner booths to see how the YubiKey seamlessly integrates with their services. Participating Yubico Technology Partners include:

Yubico at Booth #S2241

If you’re attending RSA next week, please stop by our booth and say hi! We will have team members on site to answer any questions, provide product demonstrations, offer recommendations for specific use-cases and chat about the new Security Key by Yubico and Yubico Developer Program.

Also, make sure you follow us on Twitter for updates during the show. We’ll see you there!

Alex Yakubov

Yubico Launches Passwordless Login with new Security Key and FIDO2

Today, together with the FIDO Alliance, we made a big announcement that paves the way to a passwordless future. We revealed the new Security Key by Yubico as well as our new Developer Program, both of which support the new FIDO2 open standard for passwordless authentication.

Why is this important? Think of a time when you have created a new account and didn’t have to create a new password.

For all of us, the account creation process for any application or online service has always started with the pairing of a password to your username, but with today’s announcement that is going to change. With FIDO2, it’s now possible to redesign the process to remove the weak link of passwords, and we’re gearing up to support the ecosystem and developer community to make that happen. Whether you’ve followed Yubico for years, or you’re just learning about us, read ahead to find out more about the significance of the FIDO2 project.

 The FIDO2 Project

In 2011, Yubico invented the concept of a single security key to protect user accounts from phishing and unauthorized access, for any number of services with no shared secrets. We worked with Google to further develop this concept to what today is the FIDO U2F standard.

Now, Yubico has worked in collaboration with Microsoft on the evolution of the FIDO U2F authentication standard, to create FIDO2. With FIDO2, the Security Key with its strong authentication can now solve multiple use case scenarios and experiences:

  • — second factor in a two factor authentication solution
  • — strong first factor, with the possession of the device only, allowing for a passwordless experience like tap and go
  • — multi-factor with possession of the device AND PIN, to solve high assurance requirements such as financial transactions, or submitting a prescription.

Capabilities enabled by the FIDO2 project

FIDO2 has already received support from the FIDO Alliance, World Wide Web Consortium (W3C), and all major web browsers to aid in its global standardization and adoption. With this foundation, FIDO2 is positioned to help services, applications, and enterprise organizations seamlessly transition to a more secure, easy to use replacement for the static password.

Read more about FIDO2 here. If you’re interested in developing with this new standard, you’ll need a Security Key by Yubico and we encourage you to sign up for FIDO2 updates as part of our newly announced Yubico Developer Program.

NEW  Security Key by Yubico

The Security Key by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting existing U2F two-factor authentication (2FA) as well as FIDO2 implementations.

The new Security Key by Yubico supports both the Web Authentication (WebAuthn) API, and Client to Authenticator Protocol (CTAP) which are required for FIDO2-based authentication.

FIDO2 and the Security Key are delivering on trusted, touch-and-go authentication for the modern, flexible and mobile workforce that is meeting the needs of our on-demand society. Together, these technologies will be integrated into many verticals including: retail, healthcare, transportation, finance, manufacturing, and more.

We will be demonstrating the new Security Key by Yubico and new FIDO2 functionality at the RSA South Expo hall at Booth #2241. You can purchase one up from our webstore today ($20 USD). Read more about the Security Key by Yubico here.

 NEW  Yubico Developer Program

This year marks the 10 year anniversary of the launch of the first YubiKey, that millions of users in more than 160 countries around the world love for its ease of use, security, and affordability. We made our YubiKeys available with free open source servers that encouraged adoption and growth of a thriving ecosystem of services supporting our technology. We’ve learned a lot from our partnerships, which is why we today announced a formalized Developer Program. This provides developers with the resources to rapidly integrate the YubiKey with mobile and computer login, across all our supported protocols including U2F, Yubico OTP, PIV-compatible Smart Card, OpenPGP, OATH (HOTP/TOTP), and the new FIDO2 Client to Authenticator Protocol (CTAP) specification, and the YubiHSM.

We encourage developers and security architects interested in FIDO2 to sign up for updates as part of the Yubico Developer Program, to get access to resources needed to aid in early implementations of the FIDO2 open authentication standard.

Alex Yakubov

What’s guarding your domain from unauthorized access?

Domains are a frequent target for phishing attacks that pose serious privacy risks and potential losses of millions of dollars in brand damage, lost revenue, stolen data, and recovery efforts. The threat of phishing greatly underscores the need to protect the front door to your domain.

We are excited to announce that Gandi is the first domain registrar to integrate support for the YubiKey and FIDO U2F authentication. With this new integration, Gandi customers benefit from greater security to safeguard domains and critical assets, such as SSL certificates, contained within.

The YubiKey delivers strong defense against phishing at the time of login, complementing Gandi’s promise to provide secure access to domain names, easy third-party integration, and powerful tools for everyone. Gandi is excited to offer users a more secure and easy-to-use 2FA protocol with FIDO U2F, and strongly encourages users to get YubiKeys.

“The user-experience was a big factor in our decision to integrate support. The ability to easily manage multiple tokens for multiple users offers a real-world example,” said Andrew Richner, Head of Communication at Gandi US. “The other factor is obviously security. Time-based one-time password (TOTP) has a few weaknesses that the challenge-response of U2F corrects. The resulting difficulty to phish a U2F user makes the YubiKey very attractive as a 2FA option. We love the portability and durability of YubiKeys too.”

Since adopting YubiKey support, Gandi reports that user feedback has been positive. “Our users have come to expect Gandi to be on top of new technology, and to offer a high level of security. We’re finding that it’s these customers in particular who are excited to spread the word about using Gandi and YubiKey together,” he added.

Gandi’s service features easy-to-use domain management tools that enable users to define access rights by organization, team, and individual, as well as delegate domains and hosting to collaborators no matter the organization structure or size. A domain at Gandi comes with a number of free services, including email addresses, http forwarding, an SSL certificate, and domain name system (DNS) management.

Gandi demonstrates a strong commitment to security and trust—all important values shared by Yubico—that is evident in our joint effort to provide a secure authentication solution to domain management. Learn more about what you can do with Gandi and the YubiKey.