Yubico is committed to enabling YubiKey integrations for all of our technology partners and enterprise customers with as little friction and time-to-market as possible. With this goal in mind, we are very excited to announce the public general availability of our Yubico Authenticator for iOS app, which now supports YubiKey-based smartcard login alongside OATH credentials. For both smartcards and OATH, a YubiKey is required with the app because the credentials reside on the YubiKey. This unlocks more use cases, and enhances security, by allowing users to securely access smartcard-protected resources like certificate-based VPN and email from their iOS mobile devices using hardware security keys. US government agencies requiring the highest authenticator assurance level, AAL3, will need an authenticator like a PIV-compliant smart card or FIDO/WebAuthn security key that is validated to FIPS 140 Level 2 overall and Level 3 physical security. YubiKeys are validated at these levels under Certificate #3914 and can be used as both a PIV smart card and a FIDO/WebAuthn security key for logging into mobile devices, laptops and desktops.
The Growing Customer Need
With remote work exploding and a continually expanding attack surface in both public and private sectors, we saw the need for our customers to provide secure mobile authentication without compromising on user experience or compliance.
According to the latest U.S. Office of Management and Budget (OMB) draft release on Federal Zero Trust Strategy in support of Executive Order 14028, “Improving the Nation’s Cybersecurity”, “Agency systems must require internal users to use a phishing-resistant method to access their accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.”
Furthermore, the guidance states, “This requirement for phishing-resistant protocols is necessitated by the reality that enterprise users are among the most valuable targets for phishing, but can be given phishing-resistant tokens, such as PIV cards, and be trained in their use. For many agency systems, PIV or derived PIV will be the simplest way to support this requirement. However, agencies’ highest priority should be to rapidly implement a requirement for phishing-resistant verifiers, whether this is PIV or an alternative method, such as WebAuthn.”
Our federal customers want to ensure that authenticators with the highest authenticator assurance level (AAL3) can be used on iOS devices, including access to smartcard-protected resources such as email, and secure signing of documents.
Last year, Apple opened up CryptoTokenKit, which allows access to security tokens and cryptographic resources from the iOS keychain. This lets the certificate, the public part of the smartcard credential on a YubiKey, be securely copied into the iOS keychain, while the private key never leaves the YubiKey. With this capability our customers can now use the new Yubico Authenticator for iOS app to securely onboard the certificate from the YubiKey to the iOS keychain and then use that credential across any native app like Safari, or any app that has an embedded Safari browser.
How does the Smartcard Capability in the Authenticator for iOS App Work?
Three easy steps for one-time registration:
- Have a PIV-enabled YubiKey with a smartcard certificate provisioned on it
- Download the Yubico Authenticator for iOS app on an iPhone running iOS 14.2 or later
- Open the app, insert the YubiKey or tap it over NFC, and follow the prompts to upload the certificate to the iOS keychain
That’s it! Now you can use this certificate across multiple apps like the Safari browser, certificate-based VPN, and document signing.
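As an added illustration of what the onboarding described above gives a consuming app (this is example code written for this page, not code from the Yubico Authenticator app or Yubico's SDKs), the Swift below looks up the token-backed identity in the iOS keychain, signs with it, and verifies with the certificate's public key. It assumes that exactly one PIV identity has already been onboarded through a CryptoTokenKit extension and that the calling app is entitled to read the shared token access group; the error enum and function names are the example's own.

```swift
import Foundation
import Security

enum PIVSignError: Error { case noIdentity, noPrivateKey, noCertificate, unsupportedKey }

/// Looks up an identity whose private key is held by a token. Items published by a
/// CryptoTokenKit extension live in the shared token access group, not the app's own.
func findTokenBackedIdentity() throws -> SecIdentity {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecAttrAccessGroup: kSecAttrAccessGroupToken,
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,  // assumption: one onboarded identity
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess, let found = item
    else { throw PIVSignError.noIdentity }
    return found as! SecIdentity
}

/// Signs `message`. The SecKey is only a handle: the private key never leaves the
/// YubiKey, and the signature is computed on the card once the PIV PIN is entered.
func sign(_ message: Data, with identity: SecIdentity) throws -> Data {
    var keyRef: SecKey?
    guard SecIdentityCopyPrivateKey(identity, &keyRef) == errSecSuccess, let key = keyRef
    else { throw PIVSignError.noPrivateKey }
    // PIV slots hold either RSA 2048 or ECC P-256 keys; choose the matching algorithm.
    let algorithm: SecKeyAlgorithm
    if SecKeyIsAlgorithmSupported(key, .sign, .rsaSignatureMessagePKCS1v15SHA256) {
        algorithm = .rsaSignatureMessagePKCS1v15SHA256
    } else if SecKeyIsAlgorithmSupported(key, .sign, .ecdsaSignatureMessageX962SHA256) {
        algorithm = .ecdsaSignatureMessageX962SHA256
    } else {
        throw PIVSignError.unsupportedKey
    }
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, algorithm, message as CFData, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return sig as Data
}

/// Verifies with the public key from the onboarded certificate, the only part of the
/// credential that was actually copied into the iOS keychain.
func verify(_ message: Data, signature: Data, identity: SecIdentity) throws -> Bool {
    var certRef: SecCertificate?
    guard SecIdentityCopyCertificate(identity, &certRef) == errSecSuccess, let cert = certRef,
          let publicKey = SecCertificateCopyKey(cert) else { throw PIVSignError.noCertificate }
    let rsa = SecKeyIsAlgorithmSupported(publicKey, .verify, .rsaSignatureMessagePKCS1v15SHA256)
    let algorithm: SecKeyAlgorithm = rsa ? .rsaSignatureMessagePKCS1v15SHA256 : .ecdsaSignatureMessageX962SHA256
    return SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature as CFData, nil)
}
```

A useful check when validating a deployment is that `SecKeyCopyExternalRepresentation` on the private-key handle fails for a token-backed key, confirming that only the certificate, never the private key, left the YubiKey.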
How to Get Started?
After an extensive private beta across the US and Europe with our public sector and enterprise customers, we are excited to announce the general availability of this app on the iOS App Store. All you need is a PIV-enabled YubiKey! Any key from the YubiKey 5 Series or the YubiKey 5 FIPS Series offers multi-protocol capabilities, including smart card/PIV functionality.
Yubico is the pioneering company behind modern, mobile, user-friendly and phishing-resistant hardware-based authentication solutions, proven to stop account takeovers at scale. We are excited to have worked with Apple in bringing this new PIV smart card functionality first to the iOS market for our customers and partners, offering accountability and reporting for all routes to market:
- Smartcard usage across apps: a turnkey solution to onboard smartcard certificates to the keychain, launching today
- Smartcard usage within an app: iOS and Android SDKs with smartcard support
Apple has been a pioneer in building highly secure and user-friendly mobile devices. With the CryptoTokenKit enhancements, Apple opens up the ecosystem to build easy-to-use, secure apps on its platform for public sector and enterprises alike. It also incentivizes the iOS developer ecosystem and technology partners like MDM vendors and VPN solutions to invest heavily in iOS apps in order to better enable their use cases.