Alex Yakubov

Yubico and RSA team to deliver FIDO-based authentication to enterprises

As more organizations undergo digital transformation initiatives, identity and access management (IAM) is becoming more critical than ever before. IAM sits at the heart of every business, which is why Yubico is excited to announce a new partnership this week at Gartner IAM Summit with one of the longest standing IAM vendors on the market: RSA. 

YubiKey for RSA SecurID® Access

Today, we expand our partnership with RSA with the upcoming availability of YubiKey for RSA SecurID® Access, a joint solution that offers enterprises a new path to modern FIDO-based authentication. 

This partnership will enable current and future RSA customers to purchase an enterprise-grade identity assurance platform and a range of authentication solutions — including YubiKey for RSA SecurID® Access — all from the same vendor, RSA. RSA customers will enjoy a consistent user experience without having to engage multiple vendors to solve their identity management and authentication challenges. 

RSA has more than 25 years of experience in securing and managing complex enterprise IT environments and applications, and Yubico is the pioneer of secure and easy-to-use YubiKey hardware-based authentication. Together, our combined technologies solve the need to secure enterprises and their customers in a scalable way, all while delivering a frictionless user experience. 

“The benefits of bringing RSA and Yubico together are so apparent that customers were engaging both companies prior to the partnership,” said Jim Ducharme, VP Products, RSA Identity and Fraud & Risk Intelligence. “Together, we will combine the secure, robust identity assurance of RSA SecurID® Access with the convenient access and FIDO2 features of the YubiKey. The strategic partnership helps enterprises address the evolving threats and challenges faced by today’s dynamic workforce, from ground to cloud.” 

The initial YubiKey for RSA SecurID® Access offering will have the same form factor as the YubiKey 5 NFC, and is expected to be available for RSA customers in March 2020. Additional form factors are also expected to become available later in the year. 

“Our partnership with RSA demonstrates a shared commitment to protect millions of users from security breaches,” said Jerrod Chong, Chief Solutions Officer, Yubico. “This collaborative effort combines RSA’s long-standing expertise in identity and access management, with Yubico’s proven leadership in standards and innovation, to bring forward a unified FIDO-based hardware authentication solution for enterprises, their partners and their customers.” 

As we approach a new year, Yubico looks forward to engaging our strong ecosystem of partners to continue driving value for our users in innovative ways. The better the customer experiences that we can deliver together, the closer we get to securing millions worldwide. 

For enterprises interested in receiving more information on the YubiKey for RSA SecurID® Access, please visit: rsa.com/start

Gartner IAM Summit attendees can stop by the Yubico (#233) or RSA (#104) booths for more information on the benefits of pairing strong YubiKey authentication with RSA SecurID® Access.

Stina Ehrensvard

Native support for WebAuthn and FIDO is finally here on iPhones and iPads

Yubico was founded with the mission of making simple and secure logins ubiquitous. In 2008, we launched the first YubiKey for seamless, one-touch authentication. In 2012, in close collaboration with Google, Yubico’s inventions evolved into the FIDO Universal 2nd Factor (U2F) open authentication standard, and in 2014 it was launched in Gmail and Chrome. In collaboration with Microsoft and the FIDO Alliance, the standard evolved into FIDO2, with the W3C web standards body certifying the standard under the name WebAuthn. 

With each passing year, Google, Opera, Mozilla, Microsoft, and Brave browsers have added support. Now, with Apple adding native support for FIDO and WebAuthn in iOS and iPadOS 13.3, these standards are supported by all leading platforms and browsers. Today, developers can make easy-to-use, privacy-preserving, strong authentication available to all users across all leading platforms and devices.

Here are the highlights of native WebAuthn and FIDO support on iOS:

    • iOS and iPadOS 13.3+ natively support FIDO-compliant security keys, like the YubiKey, using the WebAuthn standard over near-field communication (NFC), USB, and/or Lightning as appropriate to the Apple hardware being used.
    • Currently, the WebAuthn second-factor use case (the FIDO U2F user experience) is the only login flow that is supported. Security key-based biometrics or PIN (without the use of username and password) are not supported yet.
    • Web apps via Safari, or mobile apps calling SFSafariViewController or ASWebAuthenticationSession, should work. If a service fails to work, it is likely that the provider is unaware that native support is now available on iOS and needs to update its web flow. Please contact your service provider to request support.
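
One way a service could build and review its WebAuthn options for the second-factor flow described in the highlights above. This is an added example, not code from Yubico or Apple: the function names, `login.example` and the sample credential ID are constructed, and mapping "PIN or biometrics not supported" onto the `userVerification` and resident-key settings is an assumption about how that limitation surfaces in the API.

```javascript
// Added example: option builder and reviewer for the WebAuthn second-factor
// flow. All names and sample values are constructed for illustration.

// Constructed sample data. In production the challenge comes from the
// server's CSPRNG and the credential IDs from the account's registrations.
const SAMPLE_CHALLENGE = new Uint8Array(32).fill(7);
const SAMPLE_IDS = ["AQIDBAUGBwgJCgsMDQ4PEA"]; // base64url of bytes 1..16

// Decode base64url (a common wire encoding for credential IDs) into bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Options for navigator.credentials.get({ publicKey }) in step two of a
// login: username and password were already checked, so the server knows
// which credential IDs belong to the account.
function buildSecondFactorRequest({ challenge, rpId, credentialIds }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be >= 16 server-generated random bytes");
  }
  if (!Array.isArray(credentialIds) || credentialIds.length === 0) {
    // Without credential IDs the browser would look for a discoverable
    // credential, which is the username-less flow, not the second-factor one.
    throw new Error("second-factor flow requires the account's credential IDs");
  }
  return {
    challenge,
    rpId,
    timeout: 60000,
    // Touch only: do not ask the key for a PIN or fingerprint.
    userVerification: "discouraged",
    // No transports hint, so NFC and wired keys are all tried.
    allowCredentials: credentialIds.map((id) => ({
      type: "public-key",
      id: b64urlToBytes(id),
    })),
  };
}

// Review request or creation options for settings that only work in a
// PIN, biometric or username-less flow. Returns a list of findings.
function findPasswordlessOnlySettings(options) {
  const issues = [];
  const sel = options.authenticatorSelection || {};
  const isRequest = !("pubKeyCredParams" in options);
  if (options.userVerification === "required" || sel.userVerification === "required") {
    issues.push("userVerification=required needs a security-key PIN or biometric");
  }
  if (sel.requireResidentKey === true || sel.residentKey === "required") {
    issues.push("discoverable credential required: username-less flow");
  }
  if (isRequest && (!options.allowCredentials || options.allowCredentials.length === 0)) {
    issues.push("no allowCredentials: username-less flow");
  }
  return issues;
}
```

Running `findPasswordlessOnlySettings` over the options a login page already sends is a quick way to see why a flow that works on desktop browsers stalls on a platform limited to the second-factor use case.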

With today’s announcement, Yubico now offers two great user experiences on iOS using a simple tap or a physical connection. Authentication via NFC is supported by the YubiKey 5 NFC or Security Key NFC by Yubico by just tapping the YubiKey at the top of an iPhone (7 and above). Authentication via physical connection is supported by the YubiKey 5Ci by plugging the YubiKey into the Lightning or USB-C port of an iPhone or iPad.

So, what can you do? 

Developers and online services can learn how to rapidly add support, including how to enable native support on iOS. If you are a developer, sign up to join the Yubico Developer Program to be informed on the latest reference documentation, testing tools, and open source servers.

Individuals and companies who want easy, secure access to their daily online accounts — including those in financial, healthcare, and government services — can accelerate adoption by requesting support for YubiKey and WebAuthn.

Today, Yubico is humbled by the many contributions our entire community has made, and would like to extend our utmost gratitude to every one of you that helped bring us one step closer to internet security ubiquity! 

Ronnie Manning

Yubico Authenticator App for iOS Now Supports NFC

Did you know that you can use a YubiKey to protect your online accounts even if a service doesn’t offer built-in support for security keys? That’s right. With the Yubico Authenticator app, individuals can use a YubiKey to secure any service or application as long as it supports other authentication apps as a two-factor authentication (2FA) option. These include Authy, Google Authenticator or Microsoft Authenticator. 

For years, Yubico Authenticator has been available for Windows, Mac, Linux and Android platforms, but not iOS. This changed in October when Yubico released the first Yubico Authenticator for iOS with Lightning support. And today, we’re happy to announce that the iOS app has support for near-field communication (NFC) as well, thanks to Apple’s recent NFC updates.

With today’s news, the Yubico Authenticator app series now works seamlessly across all major desktop and mobile platforms, with full support for Windows, Mac, Linux, Android and iOS. 

So, what’s the difference between using Yubico Authenticator or another authentication app? Instead of storing the time-based one-time passcodes on a mobile phone or computer, Yubico Authenticator generates and stores one-time codes on the YubiKey. A user must present their physical key in order to receive the code for login. This not only eliminates security vulnerabilities associated with a multi-purpose computing device, but also offers an added layer of convenience for users that work between various machines. Yubico Authenticator provides a good balance of usability, security and portability. 


To get started with Yubico Authenticator on mobile, download the app from the Apple Store or Google Play.

Additional information on Yubico Authenticator can be found at yubi.co/yubicoauthenticator

Ronnie Manning

Yubico Reveals First Biometric YubiKey at Microsoft Ignite

Today, at Microsoft Ignite, Yubico is excited to preview the long-awaited YubiKey Bio. It is the first YubiKey that will support fingerprint recognition for secure and seamless passwordless logins, which has been a top requested feature from many of our YubiKey users. 

YubiKey Bio preview device.

The YubiKey Bio delivers the convenience of biometric login with the added benefits of Yubico’s hallmark security, reliability and durability assurances. Biometric fingerprint credentials are stored in the secure element that helps protect them against physical attacks. The result? A single, trusted hardware-backed root of trust delivering a seamless login experience across different devices, operating systems, and applications. With support for both biometric- and PIN-based login, the YubiKey Bio leverages the full range of multi-factor authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications. 

Ignite attendees can see a live demo of passwordless sign-in to Microsoft Azure Active Directory accounts using the YubiKey Bio during Alex Simons’ keynote on Tuesday, November 5.

In keeping with Yubico’s design philosophy, the YubiKey Bio will not require any batteries, drivers, or associated software. The key seamlessly integrates with the native biometric enrollment and management features supported in the latest versions of Windows 10 and Azure Active Directory, making it quick and convenient for users to adopt a phishing-resistant passwordless login flow. 

“As a result of close collaboration between our engineering teams, Yubico is bringing strong hardware-backed biometric authentication to market to provide a seamless experience for our customers,” said Joy Chik, Corporate VP of Identity, Microsoft. “This new innovation will help drive adoption of safer passwordless sign-in so everyone can be more secure and productive.”

Over the past few years, Yubico has worked with Microsoft to help drive the future of passwordless authentication through the creation of the FIDO2 and WebAuthn open authentication standards. During this time, we’ve built YubiKey integrations with the full suite of FIDO2-enabled Microsoft products including Windows 10 with Azure Active Directory and Microsoft Edge with Microsoft Accounts. Today, we continue on this journey together with Microsoft’s announcement to extend support for FIDO2 security keys, like the YubiKey, to hybrid Active Directory environments. Early next year, enterprise users will be able to authenticate to on-premises Active Directory integrated applications and resources, in addition to providing seamless Single Sign-On (SSO) to cloud- and SAML-based applications.

To take advantage of strong YubiKey authentication in Azure Active Directory environments, please refer here for more information. To stay tuned on product updates and general availability, please join our YubiKey Bio mailing list. 

This blog has been updated with additional information as of November 5, 2019. 

Alex Yakubov

4 Security Tips: For Developers, By Developers

As National Cybersecurity Awareness Month comes to an end, our focus turns to what the developer community can do to stay cyber smart all year long. We’ve already talked about access management, and shared tips on how to protect your personal accounts. Today, we offer tips from the Yubico Developer Team to developers looking to up their security game. 

The best way to get started is by securing yourself, then helping others. Get a password manager and enable strong two-factor or multi-factor authentication across all your personal and work accounts (read last week’s blog for 10 Steps from Yubico to Protect Your Personal Accounts).

Now, let’s get into some more technical things you can do.

1. Secure your operating and development environments with encryption. You can do this with tools like EgoSecure Data Protection FDE, which provides easy and effective protection for your laptop. The encryption and decryption of data is completely transparent to authorized and authenticated users, which makes the solution simple to use. To enhance security, EgoSecure’s full disk encryption application supports two-factor authentication during pre-boot authentication using the YubiKey.


“We believe hardware-backed multi-factor authentication plays a very important role in cybersecurity because it protects privacy without compromising ease of use.”– Sergej Schlotthauer, Vice President of Security Strategic Alliances, Egosecure (Egosecure is a Matrix42 company)

2. Keep your code signing certificates and data safe by using developer tools that support multi-factor authentication. You can even sign code with the YubiKey by securely storing your code signing certificate on the YubiKey itself. We talk a lot about FIDO, but the YubiKey also supports OpenPGP. Our latest firmware update included a number of enhancements to the OpenPGP implementation including ECC support, attestation, and multiple operations per touch. Read about it here.

3. Extend your security discipline to all of your devices, not just those that touch your corporate network. Attacks are often successful because of a weak point made available through a personal account.


“With the rise of bring-your-own-device programs and remote work, the attack surface has shifted from corporate networks to endpoints. Thus, a modern security strategy must consider all endpoints, including mobile devices”– Dr. Dominik Schürmann, CEO, Cotech

Here’s a hot tip if you’re building YubiKey support into your product. Cotech provides ready-to-use animations to assist end-users on how to use security keys, and shows the smartphone-specific sweet-spot where NFC works best. With the Hardware Security SDK, Android developers enable strong, hardware-backed YubiKey security leveraging modern authentication protocols, such as Universal 2nd Factor (U2F).

4. Strong authentication doesn’t have to be hard to implement for yourself or your users. Be sure to leverage modern protocols such as FIDO2 or WebAuthn along with a YubiKey. We are constantly impressed by the different use cases brought to us by companies from all over the world. Take, for instance, Gandi. Because domain names are used for websites, email addresses, SSL certificates, and more, they are valuable assets for individuals, organizations, and businesses. Gandi offers two-factor authentication with the YubiKey to make sure only authorized users can access an account.


“Whether they’re working for profit, the common good, or fun, our customers’ projects are tied to their domains. Our job as service providers is to keep them safe. Staying on the cutting edge of security technology is essential to that mission.”– Andrew Richner, Head of Communication, Gandi US

If you’re also serious about integrating security into the products, services, and applications that you’re building, check out Yubico’s Developer website. Sign up for the Yubico Developer Program mailing list to be notified of new documentation and resources, as well as get early access to SDKs and new products. 

Already have a YubiKey? Discover all of the places you can enable it now by visiting our  Works with YubiKey catalog. If you don’t have a YubiKey, you can pick one up from our web store or even on Amazon.

Alex Yakubov

Staying Safe Online Beyond National Cybersecurity Awareness Month

Last week, we talked about access management and its role in securing businesses from cyber threats as part of our National Cybersecurity Awareness Month (NCSAM) campaign. Today, we will take you through what’s putting your personal accounts at risk, and share tips from our partners on how to stay better protected.

Let’s start by identifying some of the biggest threats to personal accounts —  phishing, SIM swapping, and database leaks. 

Phishing

By using fake websites and emails that look genuine, attackers lure you into providing your login credentials, personally identifiable information (PII), and other private data, such as banking and credit card numbers. This is called phishing. These stolen credentials are used to take over your account. From there, an attacker can lock you out and even compromise your other accounts through password reset flows. 

Last year, 51% of respondents in our 2019 State of Password and Authentication Security Behaviors Report said they have experienced a phishing attack on their personal accounts, while 44% experienced one at work.  

SIM Swapping

SIM swap attacks are becoming increasingly more common, particularly for individuals with a lot to lose financially. In these scenarios, the attacker poses as the account holder (usually through various pieces of PII they’ve gathered elsewhere) and convinces your mobile service provider that you are switching from your current phone to another phone. Once complete, the attacker can intercept one-time passcodes (OTP) sent to your mobile phone number now associated with the phone in their possession.

Once this is achieved, the attacker can essentially perform password resets on any of your accounts that leverage text-based (SMS) 2FA. In most cases, if you’re using the same email address for all your accounts, then the attacker really only needs access to your email account after the SIM swap. Here’s a real-life example that cost one individual $100,000.

Database Leaks

A database leak occurs when a service provider is breached and the attacker accesses the database of stored user credentials. The information from those databases often ends up on the black market for other attackers to use. There are countless examples of database leaks we could reference (hackers stole one billion Yahoo! login credentials in 2016, the Equifax breach affecting 143 million American consumers in 2017). There’s really nothing you can do as the account holder to ensure the service provider is properly storing your password. 

You’ve probably been told that the longer and more complex you make your password, the stronger it will be. Sure, long passwords with numbers and symbols are hard to guess, but even the most complex and unique passwords won’t stop attackers when they’ve stolen the account password itself from a poorly protected database. That’s why it’s a good idea to use a different password for each and every account you have. Doing so can limit your risk and exposure in the event a password database of a service you use is breached.

Our Advice

You don’t have to feel defeated or helpless against these attacks, and you can still protect your accounts by simply enabling strong two-factor authentication (2FA) or multi-factor authentication (MFA) across the services you use. There are multiple types of 2FA and MFA — avoid SMS (we explain why here). We believe hardware is not only easy to use, but also stronger given that these attacks are all remote-based. Using hardware security keys, like YubiKeys, requires physical possession. Since you’re here reading our blog, we recommend you check out the YubiKey and explore all the services that work with YubiKeys.

Most of us have friends or family members in need of basic account security advice. The trick is figuring out how to help without losing them in the details as you watch their eyes glaze over with boredom or confusion. Below, you’ll find 10 steps that any person can take to protect their personal accounts from the attacks we talked about today. If you feel your personal threat model isn’t addressed by this blog, hang tight! More tips are coming!

10 Steps from Yubico to Protect Your Personal Accounts 

1. Get a YubiKey (Hot Tip: We recommend a 2-pack so you have a backup!)

2. Register your YubiKeys with your personal email account(s) (e.g. gmail, Fastmail, Outlook.com or other supported email services)

3. Remove SMS 2FA from your email account(s)

4. Call your mobile service provider, and request a security PIN 

5. Get a Password manager (Hot Tip: You can use your new password manager to store your security PIN from your mobile service provider!)

6. Register your YubiKeys as a second factor for your password manager

7. Store all of your account passwords in your password manager

8. Make sure you reset each account’s password to be unique (Hot Tip: Most password managers have a password generator feature!)

9. Download Yubico Authenticator to all of your devices to use with accounts that support authenticator apps (Hot Tip: Find registration instructions for your favorite services in our Works with YubiKey Catalog!)

10. Enable 2FA/MFA and enroll your YubiKeys on all of your accounts 

Through the years, we’ve developed software and hardware 2FA solutions to better protect users online. We’ve been fortunate enough to forge partnerships with global leaders in password management, browsers and platforms, cloud services, and many more, as part of our Works with YubiKey Program. Check out some awesome tips from our partners below.

 

“2FA, plus a password manager, is the best way to protect your data. If someone were to learn your password for an account, they’d need that second factor to access it, making account takeover much less likely.” – Jeff Shiner, CEO, 1Password


“Sensitive accounts like banking, email, and social media warrant an additional layer of protection. Having strong, unique passwords for every account is a necessary first step in securing our digital lives.” – Emmanuel Schalit, Co-Founder & CEO, Dashlane


“Cryptocurrency is built on the fundamental promises of security and freedom. To deliver on these promises, people need to be in control of their security, and have the opportunity to choose the measures that suit their needs.” – Mike Rymanov, CEO, DSX


“Don’t give attackers a single target. Use a different password everywhere, a different email address or alias with subscriptions, and protect your accounts with a hardware authenticator. Your other accounts won’t be at risk in the event one account is compromised.” – Ricardo Signes, CTO, Fastmail


“It’s a great time to get cyber-checked. With data breaches becoming more frequent, one of the most basic precautions is to use strong, unique passwords for every account along with 2FA. That is the first step towards protecting yourself against account takeover.” – Craig Lurey, CTO, Keeper
 

If you don’t see the service you use on our catalog, ask them to implement strong authentication with the YubiKey by tweeting at them to add support.

Guido Appenzeller

Yubico Login for Windows Application Now Generally Available

Today, the Yubico Login for Windows application (formerly Windows Logon Tool) is now generally available, providing a simple and secure way for YubiKey users to securely access their local accounts on Windows computers. Over the past six months, we’ve received valuable feedback from many of our public preview users, and have a clear path forward for ongoing improvements to the application. 

The primary benefits of Yubico Login for Windows include: 

    • Highly secure and easy-to-use multi-factor authentication (MFA) for login using local accounts to Windows workstations 
    • Simple configuration for up to 10 individual users 
    • Fast enrollment for backup YubiKeys
    • Easy recovery mechanisms for lost YubiKeys

Yubico Login for Windows is designed to provide strong MFA for logging into local accounts on Windows 7, Windows 8.1 or Windows 10 computers. It is not suited for logging into any of the following accounts: Azure Active Directory (AAD), Active Directory (AD), Microsoft accounts (e.g. username@outlook.com, username@hotmail.com, username@live.com).

While Yubico Login for Windows is now only applicable for securing local accounts, there are other solutions to secure AD and AAD accounts with MFA. Thanks to an ongoing partnership and collaboration between Yubico and Microsoft, YubiKey MFA is also an option for organizations with AAD or AD environments. For computers joined to cloud-based AAD, passwordless authentication with the YubiKey is currently supported in Azure AD preview. For accounts managed by AD, the YubiKey enables authentication as a PIV-compliant smart card (Windows 7+, Microsoft Windows Server 2008 R2+). 

For more information on the Windows login options available with the YubiKey, and to download the current version of Yubico Login for Windows, please visit our computer login tools page. The multi-protocol YubiKey 5 Series or YubiKey 4 Series keys are required for compatibility with Yubico Login for Windows.

Alex Yakubov

National Cybersecurity Awareness Month: Shining a Spotlight on Secure Access

October is National Cybersecurity Awareness Month (NCSAM), and here at Yubico, we’re doing our part to raise awareness on the importance of cybersecurity and staying safe online. 

Billions of login credentials and user records are routinely leaked — sometimes in the course of a single year — and can cause significant damage to those who fall victim. By enforcing two-factor (2FA) or multi-factor authentication (MFA), you make it harder for hackers to crack the account. 

We recommend investing in access management platforms, such as Identity Access Management (IAM) and Privileged Access Management (PAM), which enable you to proactively take steps to enhance cybersecurity for your users. In recent years, leaders in IAM and PAM have innovated to deliver high security, without compromising ease of use, to address the challenges of an increasingly online workforce. In doing so, these services implemented support for stronger, more modern forms of user authentication.

In honor of NCSAM, we’ve asked some of our IAM and PAM partners to provide tips for enterprises looking to tackle these challenges. 


Yves Audebert, President and Co-CEO, Axiad IDS

“Validating identities and ensuring trust across every entity that interacts with the enterprise network is vital to business operations. IT leaders will need an agile identity platform that balances risks, compliance, and user experience.”


Robert Freudenreich, CTO, Boxcryptor

“In a time when data is the new instrument of power, citizens need to start defending themselves against the excessive collection of data. Protecting your cloud with zero knowledge encryption is a good starting point.”


Mike Nelson, VP of IoT Security, DigiCert

“With our growing list of connected devices, protecting consumer privacy starts with implementing security fundamentals to ensure that data is encrypted, devices only trust properly authenticated connections, and that code running on each device is secure.”


Sam Srinivas, Director of Product Management, Google Cloud

“Other security controls are virtually irrelevant if an attacker can get through the front door by phishing your credentials. Google was an early adopter of FIDO security keys to provide a defense against the dangers of targeted phishing attacks.”


James Litton, CEO and Co-Founder, Identity Automation

“IAM does more than just help IT staff create user accounts; it enables productivity and provides a solid security foundation by addressing authentication and rights management. IAM must be the core of your security program to effectively secure your data and systems.”


Allen Storey, Chief Product Officer, Intercede

“Cyberattacks affect enterprises and individuals alike. Now is the time for cybersecurity best practices to become standard practices as more step up to deploy strong multi-factor authentication with a credential management system and hardware security keys.”


Greg Keller, Chief Strategy Officer, JumpCloud

“We fundamentally believe that the system is the gateway to securing IT. Focusing on where the work happens—the computer in front of you—allows you to protect not only the security of individuals but also their customers.”


Todd Peterson, Director of Product Marketing, One Identity

“With the steep rise in security breaches caused by threat actors using credential theft, it’s become clear that adding additional factors to the authentication process—across all types of users—can dramatically reduce your risk.”


Matt Hurley, VP Global Channels and Strategic Alliances, OneLogin

“Organizations are looking at ways to better secure their environment and reduce password dependency. Integrating identity management with a strong authentication method makes it convenient for end users to adopt advanced login sequences while enhancing privacy.”


Anirban Banerjee, CEO and Founder, Onion ID

“Securing privileges in a fast paced, changing landscape of applications, servers, containers, and endpoints can be very challenging. We believe that easy yet strong authentication is the cornerstone of an effective PAM strategy.” 


Joakim Thorén, CEO, Versasec

“Breaches are a reality both from outside and within the enterprise. Securing a company’s most vital assets with strong, easily managed two-factor authentication solutions is more than critical – it’s a moral imperative.”

Since 2007, Yubico has driven the development of open standards, and collaborated with hundreds of companies worldwide through our Works with YubiKey Program to bring secure, hardware-backed authentication methods to light.

Discover all the Identity Access Management and Privileged Access Management platforms that enable strong authentication with the YubiKey on the Works with YubiKey catalog. Contact our partners to learn more about their solution.

Wendy Spies - SVP of New Businesses
Stina Ehrensvard

Wendy Spies Joins Yubico as SVP of New Business to Drive YubiHSM Growth

Today, I am excited to share that we have added yet another stellar member to the Yubico leadership team: Wendy Spies. Wendy comes from Microsoft where she most recently directed engineering strategy and business development for cloud and AI to build new products and markets. She will be focusing on similar things here at Yubico in the role of SVP of New Business with an initial focus on YubiHSM. 

Wendy has more than 23 years of experience building everything from payment and hardware solutions to games and software. She has taken seven notable companies from conception to financial exit and has a long and proven track record of driving exponential growth for companies, teams, and products. Her secret? “Working with and hiring folks that are a lot smarter than me, focusing on customer needs, and measuring our success by delivering extraordinary products efficiently.”

It’s safe to say that we are lucky to have Wendy on board, and I am personally excited about the expansion of strong female leadership here at Yubico. Please join me in welcoming Wendy into the YubiFamily. To learn a little more about her background, expertise, and vision for Yubico, here is an excerpt from a recent interview between Ronnie Manning, our SVP of Communications, and Wendy.

What led you to join Yubico? 

Yubico was the right choice for me because each person I met with was clearly in the learning zone. Collaboration is high, and the customer focus is turned up to eleven. 

I believe that every day, one step at a time, Yubico can make the world better through product development, new standards, growing partnerships, and excellent teamwork. In the end, it wasn’t about joining a big or small company, consumer or enterprise — it was about relentless customer focus and knowing that I was joining a team that would always have my back. This is the recipe for making profound, positive change in the world, creating a lot of value, and having a really fabulous time doing it. I hope everyone finds their Yubico. 

In your opinion, what makes a team successful?  

Throughout my career, I’ve found that there are two simple criteria that seem to bring the magic at work.

Build a team that 1) you would want to fight the zombie apocalypse with — this takes talent, passion, and opportunity and 2) is relentlessly focused on driving customer value. 

When you bring together talent, passion, and opportunity, you are in the zone nearly every day at work, but that doesn’t always guarantee success. You must also ensure that the team is relentlessly focused on driving customer value. Are these individuals in a learning mode? Do they come from a humble point of inquiry and are they prepared to truly listen when you answer? And are they actively talking about customers and partners?  

When I focus on the customer with a team of folks who have a listening and iterative mindset, we build unique customer experiences, solve wicked hard problems, and create so much value for users. Everyone wins: employees, customers, and investors.

What do you look forward to most during your time here at Yubico? 

I am proud to be part of a team at Yubico that’s securing the net for everyone and everything. We know that the only way we can do that is to make security truly easy to use. 

I look forward to the passwordless future we are building. I look forward to working across boundaries to solve some of the hardest problems of the internet. I look forward to no longer hearing stories about good folks getting their accounts hacked because passwords stink, and because hackers continue to have more resources than we do. I look forward to no longer hearing stories about devices and data being compromised because solutions are so complex that it is almost impossible to think of all of the threats, and even more impossible to remove them. And lastly, I look forward to the day when everyone can believe and see that security and usability can live together hand-in-hand. Strong vision. Clear plan. Sustained effort.

What do you see as the biggest market opportunity for the YubiHSM product line and how do you envision driving its growth?  

I see the YubiHSM as a natural extension of our YubiKey product line for devices and data. As a lot of folks know, anywhere a key is stored and even remotely available for others, it is at risk of being stolen — either by people on the inside of an organization, or sometimes even on the outside. The YubiHSM is a portable, low-cost solution. It can help with everything from code signing and protecting API calls to securing root of trust for something as complex as industrial IoT environments, something as legacy-bound as physical infrastructure (e.g. reactors and dams), and something as simple as cold wallets. While a few other solutions like secure enclaves and SGX could be used to solve this problem, YubiHSM provides protection for your keys in hardware that is physically isolated from operations on the server, creating yet another layer of security. This layer of security, combined with a simple, small attack surface form factor, can make it easier to adopt this technology without breaking the bank. 

When you’re not busy changing the world and driving businesses and teams toward success, what do you do for fun? 

I love to engage in activities that require such deep concentration that I cannot possibly worry about the problems of the world or what to make for dinner. This ranges from the beautiful shared moments with my family playing board games to spending time early in the morning in my tiny garage throwing heavy weights into the air.  

The Yubico team will continue to grow! If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Jerrod Chong

Yubico iOS Authentication Expands to Include NFC

This week, at the annual September iPhone event, Apple introduced new functionality that allows the full range of YubiKey authentication on iOS via near field communication (NFC). This has been many years in the making; back in October 2017 we even wrote about when this day would come.

Previously, NFC on iOS was read-only, which meant that it couldn’t support modern authentication protocols like FIDO U2F and FIDO2/WebAuthn that require both read and write capabilities – but now that has changed. With these recent updates, iPhone users (running iOS 13+) can experience mobile NFC authentication with a YubiKey 5 NFC or Security Key NFC by Yubico on apps and browsers that have added support.

Coming right on the heels of our new YubiKey 5Ci, iOS users now have a broad and complete choice of secure authentication options, based on their preference and use cases. NFC-enabled YubiKeys will work with compatible apps and browsers on iPhone 7 or later running iOS 13. Older iPhone models, most iPads, and some iPods will work with the YubiKey 5Ci through its Lightning connector on select apps and browsers.

The YubiKey 5C NFC is coming soon!

That’s not all. Based on feedback and suggestions from our customers (we hear you!), we are happy to announce a sneak preview of YubiKey 5C NFC, our upcoming USB-C security key enabled with NFC. This key will provide yet another authentication option for all environments supporting iOS, Android, Windows, MacOS, and more, all on one key. Arriving this coming Winter, this new device will deliver the same multi-protocol functionality and user experience of the YubiKey 5 Series. Sign up here to receive updates on product availability. 

This announcement supports Yubico’s long-standing YubiKey vision: to deliver secure hardware-based authentication across any operating system and platform. Our goal is to support all authentication use cases across any computing device, as we recognize that individuals use multiple phones, operating systems, laptops, tablets, or desktops each day to access work and personal accounts. 

To coincide with this new NFC functionality, Yubico will also be rolling out updated software for end users and developers on iOS. On iOS devices, users will soon be able to use the Yubico Authenticator application to communicate with a YubiKey over NFC, USB, or a Lightning connection and generate the 6-digit, time-based codes commonly used by many services for two-factor authentication. This is similar to Google Authenticator; the main difference is that the user credential is stored on the external YubiKey rather than on the mobile device, which makes it extremely portable for getting one-time codes on mobile devices, desktop computers, or both. We expect to introduce the new Yubico Authenticator for iOS in the coming months.

Developers who are interested in adding YubiKey support for desktop or mobile users can access Yubico’s wide range of libraries on the Yubico developer site, including SDKs for Android and iOS app developers. We are also in the process of updating our Yubico Mobile SDK for iOS to support the new iOS NFC authentication capabilities. This will allow applications to implement modern authentication protocols such as FIDO2 and support the YubiKey over both Lightning and NFC connections.

Please visit the Yubico developer website to sign up for updates and to get access to the current Yubico Mobile SDK for iOS.

Stina Ehrensvard

Yubico Adds New Round of Investment and Grows Board of Directors

Today, Yubico is excited to announce it has received a new round of investment led by Meritech Capital Partners, a top tier venture capital firm based in Palo Alto, CA.   

Existing investors include the Silicon Valley-based leading VCs Andreessen Horowitz (a16z) and NEA, Swedish growth equity firm Bure, and renowned Silicon Valley entrepreneurs Marc Benioff, CEO & Founder of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member. 

“Yubico has built an amazing company. We love the technology, the respect they have earned in the open standards community, and the enthusiasm from their customers. Beyond the efficient business and big market opportunity, Yubico presents a very special culture, unique in the security market. We are looking forward to working with Yubico to make their technology truly ubiquitous,” says Paul Madera, Managing Director, Meritech.

Yubico has been profitable the last seven years, attracting nine of the top 10 internet brands and millions of users in 160 countries. With this investment, we have more fuel to continue accelerated growth, and we welcome Meritech and the new funds to scale operations across our entire organization.

In conjunction with the company backing by Meritech, Paul Madera, Managing Director, will be joining the Yubico board of directors.

Meritech is making an investment into the company of $25M for a company valuation of $600M. In addition, existing major investors are increasing their holdings, investing $15M in secondary shares, in connection with this round.

Guido Appenzeller

What’s New in YubiKey Firmware 5.2.3

When we launched the YubiKey 5Ci on August 20, we also introduced a new firmware to the YubiKey 5 Series: version 5.2.3. Currently, this firmware is only being shipped in the YubiKey 5Ci; however, we expect to roll out this version to all YubiKey 5 Series devices over the next month. While it is a minor update, the 5.2.3 firmware has a number of features and improvements relating to the FIDO and OpenPGP protocol stacks.

FIDO

For FIDO2, the new firmware adds an enhanced privacy mode. This enables sites to require a PIN when a YubiKey is registered with their service. The FIDO PIN of the YubiKey must then be used in order to reveal which sites the authenticator was registered to. This feature is intended for services that want to protect the privacy of which sites their users have visited, for a variety of reasons. For example, assume a user registers the YubiKey with “some-website.com” and at a later point, they travel to a country where the content on “some-website.com” is discriminated against. From this person’s YubiKey, it would not be possible to tell that the key was registered to “some-website.com” without using the PIN.

The FIDO protocol has also seen a number of technical improvements, which are supported in YubiKey firmware 5.2.3:

  • Removal of RSA, as we didn’t see any use of it in practice
  • Addition of Ed25519 signature support, a modern ECC curve
  • Addition of credential management to allow the deletion of FIDO resident keys
  • Addition of PIN and no PIN support to the FIDO HMAC-secret extension for offline operations
  • Implementation of signature counters with even more privacy features, including keeping per-credential offsets and randomly increasing counter values
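Per-credential offsets and random increments mean a relying party can only require that a credential's counter moves forward, never that it advances by exactly one or that it is shared across credentials on the same key. The following is an added example, not Yubico code: it reads the counter from WebAuthn authenticator data and applies the "strictly greater than the stored value" comparison from the WebAuthn specification. The `StoredCredential` schema, the function names and the sample counter values are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # user-present bit in the authenticator data flags byte


@dataclass
class StoredCredential:
    """Relying-party record for one credential (hypothetical schema)."""
    credential_id: bytes
    sign_count: int = 0  # last counter value accepted for THIS credential


class PossibleCloneError(Exception):
    """The counter did not move forward: a cloned-authenticator signal."""


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample data: rpIdHash (32) | flags (1) | signCount (4)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_sign_count(auth_data: bytes) -> int:
    """Read the 32-bit big-endian counter at bytes 33..36 of authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    return struct.unpack(">I", auth_data[33:37])[0]


def check_sign_count(cred: StoredCredential, received: int) -> str:
    """Accept any forward movement; flag a counter that stalls or goes back."""
    if received == 0 and cred.sign_count == 0:
        return "no-counter"  # authenticator does not implement a counter
    if received > cred.sign_count:
        cred.sign_count = received  # persist the new high-water mark
        return "ok"
    raise PossibleCloneError(
        f"counter {received} is not greater than stored {cred.sign_count}"
    )


def strict_plus_one(stored: int, received: int) -> bool:
    """Anti-pattern kept for contrast: assumes the counter advances by exactly 1."""
    return received == stored + 1


def replay_sample_logins() -> list:
    """Run constructed logins for two credentials that live on the same key."""
    cred_a = StoredCredential(b"cred-A")
    cred_b = StoredCredential(b"cred-B")
    # Constructed values: different offsets per credential, irregular increments.
    logins = [(cred_a, 1041), (cred_b, 17), (cred_a, 1049), (cred_b, 22), (cred_a, 1049)]
    results = []
    for cred, value in logins:
        auth_data = make_auth_data("example.com", FLAG_UP, value)
        try:
            results.append(check_sign_count(cred, parse_sign_count(auth_data)))
        except PossibleCloneError:
            results.append("possible-clone")
    return results


if __name__ == "__main__":
    print(replay_sample_logins())
    print("strict +1 check would accept 1041 -> 1049:", strict_plus_one(1041, 1049))
```

The final login replays an already-seen counter value for `cred-A`, which is the case the comparison exists to surface; how a service reacts to that signal is a policy decision for the relying party.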

OpenPGP 

YubiKey Firmware 5.2.3 also has a number of enhancements to the OpenPGP implementation on the YubiKey. Most of them are related to a number of the features from the OpenPGP Smart Card Specification version 3.0 and above.

ECC Support

OpenPGP 3.0 introduced support for Elliptic Curve Cryptography in addition to RSA. Many now consider ECC a better choice for many applications; its advantages include faster cryptographic operations and smaller key sizes.

YubiKey Firmware version 5.2.3 and above specifically supports signatures (ECDSA) and key exchange (ECDH) from the OpenPGP 3.4 spec for the following curves:

From ANSI X9.62/FIPS-186-3:

  • ansix9p256r1
  • ansix9p384r1
  • ansix9p521r1

From RFC5639:

  • brainpoolP256r1
  • brainpoolP384r1
  • brainpoolP512r1

In addition to the PGP 3.X spec, the YubiKey now also supports:

Attestation

Firmware 5.2.3 also adds attestation for keys generated on device (this capability has already been available in our PIV application stack since we launched the YubiKey 5 Series). Specifically, a YubiKey can attest that an asymmetric key was generated on, and never left, the YubiKey. For example, a company could require that all developers sign their commits with a company-provided YubiKey that had the private key generated on device. Using the attestation keys, the system will reject any keys that were generated outside of the YubiKey and imported. Attestation was added as a Yubico-specific extension in version 3.4 of the OpenPGP Smart Card Specification. Documentation for how this feature can be used is found here on the Yubico developer site.

Multiple Operations per Touch

YubiKeys can now be configured to allow multiple operations over a short period of time with a single touch to the key, a capability that was previously available in the PIV application of the YubiKey 5 Series. This can be helpful for batch signing/encryption or operations that are composed out of multiple cryptographic primitives. The behavior can be enabled or disabled by the user.

Yubico is always working to advance the functionality and security of our YubiKeys, and we thank our users for their product feedback and support to drive technical improvements like the ones listed above. 

To determine which firmware your YubiKey 5 Series device has, please use the YubiKey Manager.

Ronnie Manning

Say Hello to Simple, Secure Login on iOS with the YubiKey 5Ci

Today marks an exciting milestone, not only in the history of Yubico, but in the history of security keys and mobile devices. Yubico celebrates more than a decade of cutting edge contributions to the authentication market with its latest innovation, the YubiKey 5Ci, now available for purchase at our Yubico store.  

The YubiKey 5Ci is the world’s first iPhone- and iPad-friendly* security key designed to deliver strong hardware-backed authentication over a Lightning connection. But that’s not all. This key is also equipped with a USB-C connector for securely accessing hundreds of Works with YubiKey applications and services on Mac, Windows, and Android devices as well. 

The unique dual-connector functionality of the YubiKey 5Ci, along with the signature multi-protocol features of the YubiKey 5 Series, make this key the perfect solution for consumers and enterprises alike. With support for FIDO2, WebAuthn, FIDO U2F, OTP (one-time password), PIV (Smart Card), and OpenPGP in a single device, the YubiKey 5Ci delivers strong multi-factor (MFA), second-factor (2FA), and single-factor passwordless authentication across a wide range of devices and use cases.

Featured Works with YubiKey iOS partner integrations.

For all our iOS users out there, we know that you’re eager to get started with the YubiKey 5Ci. Thanks to our strong ecosystem of partners, we are proud to launch the YubiKey 5Ci with native iOS app support from 1Password, Bitwarden, Dashlane, Idaptive, Keeper Security, LastPass, and Okta. Monkton Rebar and XTN also support the YubiKey 5Ci in their latest software development kits.

You can also access some of your favorite services with the YubiKey 5Ci through the Brave iOS browser, which is the first and only iOS browser to support WebAuthn over the Lightning connector at this time. These services include: Bitbucket.org, GitHub.com, Login.gov, Twitter.com, and 1Password.com.

Yubico continues to collaborate with services and applications on their support of the YubiKey 5Ci, with the goal of our users’ favorite, day-to-day apps being added soon. Partners with anticipated YubiKey 5Ci app support include: Dropbox, Keeper Security, SecMaker, and more. 

If you see some services or browsers that aren’t listed above, please help us by expressing your desire to secure your accounts on iOS with the YubiKey. 

Developers, if you’d like to step up the security of your iOS apps or browsers, we’ve made it easy for you. Visit developers.yubico.com/yubikey5ci to get access to the Yubico Mobile SDK for iOS, along with other helpful resources such as implementation guides, webinars, or reference code.

Get started with simple and secure authentication today. The YubiKey 5Ci is available for purchase on yubico.com at a retail price of $70 USD. 

*The YubiKey 5Ci works on iPad models with a Lightning connector, however, some capabilities are not compatible via USB-C with the iPad Pro 3rd generation. 

Ashton Tupper

Find Yubico at Black Hat

If you happen to be in Las Vegas this week and you find yourself strolling past the intersection of Las Vegas Boulevard and Harmon Avenue, look up. You might just recognize the friendly green color plastered all over the world’s highest resolution LED screen. 

You guessed it. Yubico is taking Vegas by storm for the annual Black Hat conference. 

Find the Yubico billboard at the corner of Las Vegas Blvd. and Harmon Ave.

Custom Black Hat YubiStyle covers.

 

If you don’t catch our cheeky message on the iconic Las Vegas billboard, stop by the Yubico booth (#465) to get the latest YubiKey updates along with some cool swag. See a demo of secure iOS login over a lightning connection with our upcoming YubiKey 5Ci, or grab a few of our custom YubiStyle covers designed just for Black Hat attendees. These are only available for a limited time, so get them while you can. 

You may even spot a few YubiKeys elsewhere on the show floor. Our impressive partner network will feature ‘Works with YubiKey’ stands at each of their booths. If you see one of these, stop by to say hello and learn more about how the YubiKey works with OneLogin, Duo, Microsoft, 1Password, and more.

Our full list of partners at Black Hat includes:

Works with YubiKey stand.

  • OneLogin (#2030)
  • Duo (#675)
  • Thycotic (#1410)
  • 1Password (#2323)
  • Microsoft (#654)
  • ManageEngine (#1365)
  • Okta (#2518)
  • Cmd (Cmd Beach Bungalow at the Mandalay Bay Pool Deck)
  • PingID (#2129)

 

To stay up to date on Yubico events, or to receive year-round updates on Yubico news, sign up for our newsletter and other mailing lists here.

 

 

Paula Skokowski

The Journey to Passwordless in the Enterprise

Today, Microsoft announced that the passwordless capabilities for Azure Active Directory (Azure AD) are in public preview, reaching a major milestone in enabling passwordless authentication in the Enterprise.

Azure AD provides an identity platform with access management, scalability, and reliability for connecting users with all the apps they need. With FIDO2 and WebAuthn passwordless authentication support now in public preview for Azure AD, users can register a YubiKey 5 Series security key with Azure AD, to enhance account security and enable passwordless login.

YubiKey Passwordless Starter Kit

Yubico is happy to have partnered with Microsoft in today’s announcement. For a limited time, we are offering complimentary YubiKey Passwordless Starter Kits to eligible organizations, who are Microsoft 365 customers interested in beginning their passwordless journey. 

The starter kit includes two multi-protocol YubiKeys, the YubiKey 5 NFC and YubiKey 5C. The YubiKey 5 NFC is compatible with USB-A ports and near field communication (NFC). The YubiKey 5C is compatible with USB-C ports. 

With the multi-protocol YubiKey 5, organizations can begin the journey to passwordless in the cloud, securing existing applications with Azure MFA or smart card login, and be ready for newer applications supporting FIDO2 and WebAuthn authentication.

The YubiKey 5 Series multi-protocol support includes FIDO2, WebAuthn, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response functionality on a single device, to deliver passwordless, single-factor, second-factor, or multi-factor secure login. 

To verify eligibility and request a YubiKey Passwordless Starter Kit (while supplies last), please visit https://www.yubico.com/passwordless-offer. 

Want to learn more? Register for our upcoming webinar, Go Passwordless with Yubico & Microsoft: WebAuthn, FIDO2 & Azure Active Directory, taking place on July 30, 2019 at 9:00 AM PDT. You’ll hear from Yubico and Microsoft experts on the passwordless journey, key benefits, and how to enable passwordless login with Azure AD.

 

Ronnie Manning

WebAuthn sees rapid growth and adoption: Visit us at Identiverse to see WebAuthn in action

The new web authentication standard, known as WebAuthn, was recently approved by the World Wide Web Consortium (W3C) in March, and is rapidly gaining momentum. Since 2007, Yubico has been driving the development of open standards, and collaborating with partners to bring more secure authentication methods to users.  Through these combined efforts, we co-created WebAuthn.

What makes WebAuthn so noteworthy is that it is supported by all major platforms and browsers, providing users with greater choice of simple authentication methods that protect against phishing attacks. With WebAuthn, users can choose to use any combination of external authenticators, such as a security key, and internal authenticators, such as a biometric keypad on a computer, to secure access to web services and applications. That’s huge.

Microsoft, Google, and Mozilla already support WebAuthn in their web platforms and browsers. Support is currently on the developer preview version of Apple Safari. Upcoming support on Brave browser has been announced by Brave Software. Along with the platform and browser support, a growing number of web services have also rolled out WebAuthn support to their users, including Login.gov, Singular Key, Daon, Isosec, Twitter, and Ping Identity, with more services committed to launching support in the near future.

WebAuthn is quickly gaining momentum, so we asked some of our Works with YubiKey partners to share why they decided to implement support. Here’s what they said:

Jasper Patterson, Web Developer, 1Password

“Our goal at 1Password is to make it easy for people to stay safe online, and adopting modern standards like WebAuthn helps us achieve that. Integrating WebAuthn into our existing two-factor implementation took about a week. The API is well designed and easy to work with for developers.”

WebAuthn offers significant security gains over traditional time-based one-time password (TOTP) or SMS-based two-factor authentication (2FA), all thanks to its secure design based on public key cryptography.

Yves Audebert, CEO, Axiad IDS

“Extending Axiad ID Cloud to support WebAuthn/FIDO2 is a step forward in providing a passwordless and frictionless authentication experience to our customers. Axiad ID Cloud leverages all the features offered by YubiKeys to further our commitment to meeting our customers’ authentication needs.”

Axiad ID Cloud is a standards-based higher-trust identity assurance platform that provides multi-factor authentication (MFA) and dedicated PKI services to secure digital interactions. Axiad IDS expects to roll out support in the back half of this year.

Ben Goodman, SVP, Global Business and Corporate Development, ForgeRock

“ForgeRock is excited to offer WebAuthn as a native authentication option for our identity platform. Hardware authentication enabled by WebAuthn provides a more secure user authentication option, while simultaneously making for an easier, more frictionless experience. This is a “Win-Win” for end-users and application owners.”

ForgeRock’s Intelligent Authentication technology has the capability to orchestrate a multitude of authentication options. WebAuthn support enables ForgeRock to seamlessly extend that functionality to a whole new breed of devices and authenticators.

Jeff Broberg, Sr. Director, Product Management, OneLogin

“WebAuthn simplifies the rollout and adoption of MFA by enabling users to leverage authenticators across mobile and desktop platforms in a more integrated fashion. Combining external authenticators, like the YubiKey, with desktop and mobile biometric sensors benefits both enterprise admins and end users.”

Adopting strong and simple authentication is critical to secure corporate resources from advanced cyber identity threats. With WebAuthn support, OneLogin expands their portfolio of strong authenticator options and makes it simpler for users to choose an authenticator that works best with their primary device.

Arshad Noor, CTO, StrongKey

“We recognize that behavior change is no easy task. Our implementation of FIDO2 and the certification of our FIDO2 server enable us to provide the ease and convenience of WebAuthn to our customers and their users through a safer and more user-friendly alternative to passwords.”

StrongKey has been committed to providing the strongest possible level of encryption and authentication technology to keep data safe for almost two decades. With WebAuthn support, StrongKey delivers phishing-resistant authentication to their users.

Jai Dargan, VP Product Management, Thycotic

“We’re excited to be a part of the Works with YubiKey program, and work together to educate customers about the benefits of strong, hardware-backed MFA.”

Thycotic and Yubico share the same vision that security should be easy to use, even for large organizations with dispersed teams and hundreds of thousands of assets to protect.

Yubico offers free resources and tools for rapidly implementing WebAuthn into an app or service. Visit the Yubico For Developers page to get started. To experience WebAuthn first-hand, visit our WebAuthn demo site.

Learn more about WebAuthn by downloading the WebAuthn Solution Brief, or chatting with us at the Yubico booth (#417) at Identiverse on June 25-27, 2019.

Alex Yakubov

Yubico Announces YubiKey for Lightning Partner Preview Program

Today, Yubico is happy to announce the launch of our YubiKey for Lightning Partner Preview Program, the next phase of the YubiKey for Lightning Private Preview Program announced earlier this year.

This is an exciting step forward for both Yubico and the Works with YubiKey ecosystem. With the launch of the Partner Preview Program, our goal is to enable more web services and applications (relying parties) to improve the protection of customer accounts and the entire account lifecycle with cross-platform support.

The YubiKey for Lightning Partner Preview Program includes access to iOS and Android SDKs to allow organizations to unify the user experience across all mobile platforms. Partners will also receive access to a YubiKey 5Ci preview device (formerly the YubiKey for Lightning), for development and testing. The YubiKey 5Ci has both a USB-C and Lightning connector on one device and will be generally available later this year. As part of the multi-protocol YubiKey 5 Series, the YubiKey 5Ci gives developers the option of securing their iOS apps using the FIDO2, WebAuthn, U2F, OTP, PIV (smartcard) or OpenPGP protocols for passwordless or two-factor authentication.

YubiKey for Lightning participating partners

Since launching the initial YubiKey for Lightning Private Preview Program, several notable partners have been working with us to provide feedback on our iOS developer resources. We would like to extend a special thank you to those partners, including: 1Password, Brave Software, Dashlane, DoD PKI Purebred, Keeper Security, LastPass, Secmaker, XTN, and more.

We look forward to enabling a growing list of compatible services, providing out-of-the-box uses with everyone’s favorite iOS applications when the YubiKey 5Ci becomes generally available later this year.

As Yubico extends hardware authentication capabilities to iOS, the YubiKey will be supported across all major platforms, allowing it to be the trust anchor for the rightful owner and serve as a portable root of trust across any computer or mobile device.

For developers interested in adding YubiKey support into their iOS mobile apps, we welcome you to apply for the YubiKey for Lightning Partner Preview Program here.

New YubiKey 5Ci demonstrations and previews of partner supported applications can also be seen at Identiverse this week, at the Yubico booth #417.

Alex Yakubov

1Password rolls out WebAuthn, and enhanced YubiKey support

Yubico has been a major contributor to the development of open standards for authentication from the initial development of the U2F specification to the latest W3C approved WebAuthn. As we see more services upgrade to modern authentication standards, we can’t help but share in the excitement.

We are thrilled to share that 1Password, a password manager used by millions of individuals and 47,000 business customers worldwide, today announced support for WebAuthn, the new global standard for secure authentication on the web.

A popular request by users, 1Password has enabled the option to use WebAuthn compatible Security Keys, like the YubiKey, for two-factor authentication (2FA). This provides the highest level of hardware-based security and a great user experience for those who want to use the same security key across services, browsers, and applications.

“1Password and Yubico share a common mission—to make it simpler for people to stay safe online,” said Jeff Shiner, 1Password CEO. “Yubico’s focus on security and user-friendly design aligns with our goals here at 1Password, making YubiKey 2FA a great extra layer of protection for 1Password customers.”

Previously, 1Password users were able to leverage YubiKeys as a second factor using the Yubico Authenticator app over Time-based One-Time Password (TOTP). With the upgrade to WebAuthn support, 1Password takes a leap forward by enabling easier-to-use, faster, and the most secure 2FA for their users. WebAuthn uses asymmetric (public-key) cryptography and phishing-resistant, origin-bound key validation for registering and authenticating with websites.

Register your YubiKey with your 1Password account today by logging in to your app and following these setup instructions, or viewing 1Password’s how-to video.

Want to know more about WebAuthn? Visit our “What is WebAuthn?” resource to get an overview of what it is and how users can benefit. Interested in implementing support for WebAuthn? We have developer resources for the rapid integration of WebAuthn on our developer website.

Special Offer for Yubico customers

1Password helps businesses and families increase their online security and cut down on digital clutter by combining industry-leading security and award-winning design to make secure password management easy for everyone.

To celebrate this announcement, 1Password is offering Yubico customers three (3) months free on a 1Password Families account. The promotion is valid only for new customers, and is active for a limited time. Go to 1Password’s site to learn more.

Jerrod Chong

5 Reasons to Upgrade Your Web Authentication to WebAuthn

Authentication has made significant progress over the past five years. It has matured beyond passwords with the introduction of a variety of two-factor authentication methods, and most recently, we have the advent of passwordless logins with WebAuthn, the new global standard for web authentication.

WebAuthn now sets a new bar for user authentication and is considered best in class for protecting user accounts. With support in all major browsers and platforms, WebAuthn offers the opportunity for services to easily offer a wide choice of strong authentication methods to users, including a passwordless experience. This consists of using security keys or built-in authenticators such as biometric readers.

To experience the WebAuthn login experience, please take a look at our demo site where you can try out registering different authentication methods using WebAuthn.

For those curious about the additional benefits of passwordless login, we put together a list of five reasons to upgrade to WebAuthn authentication.

Widespread Accessibility

One of the key differentiators of WebAuthn is the widespread acceptance and adoption of the technology across major browsers, operating systems and devices. To date, Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple most recently announced WebAuthn support by default in Safari Technology Preview Release 83.

Additionally, the growing availability of built-in authenticators on computers and phones is providing users new options for authentication. As a service provider, this enables you to offer fast, convenient, and secure authentication options for all kinds of users, regardless of what kind of device or operating system they are using.

Improved Security for Customers & the Business

WebAuthn replaces weak password-based login and knowledge-based answer recovery with strong public key cryptography, combined with origin checking to prevent phishing. By making strong authentication the baseline for using built-in and external hardware authenticators, users are protected from account takeovers. A recent study by Google reviewed more than 350,000 wide-scale and targeted attacks, and showed that security keys were the most effective at stopping account takeovers. Not only does the elimination of password-based login protect customers from the threats of credential theft and phishing, but it also relieves your organization from the vulnerabilities associated with storing and protecting millions of user credentials.
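The origin checking described here, and the origin-bound validation mentioned in the 1Password post above, comes down to a few comparisons on the relying-party server. The following is an added example, not code from Yubico or any WebAuthn library: the expected origin, RP ID, function names and sample assertions are constructed, and verification of the signature over the authenticator data and the hash of `clientDataJSON` is assumed to happen in a separate step.

```python
import base64
import hashlib
import hmac
import json

EXPECTED_ORIGIN = "https://login.example.com"  # assumption: this service's origin
EXPECTED_RP_ID = "example.com"                 # assumption: this service's RP ID


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator would return."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    client_data_json = json.dumps(client_data).encode()
    # rpIdHash (32 bytes) | flags (user present) | signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client_data_json, auth_data


def verify_origin_binding(client_data_json: bytes, auth_data: bytes,
                          expected_challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means all passed."""
    try:
        client = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ["clientDataJSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON"]

    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("type")
    # The challenge ties the response to this login attempt (no replay).
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        problems.append("challenge")
    # The browser, not the page, fills in the origin, so a lookalike site
    # cannot claim to be the real one.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin")
    # The authenticator signs over the hash of the RP ID the key was scoped to.
    expected_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], expected_hash):
        problems.append("rpIdHash")
    return problems


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    genuine = sample_assertion("https://login.example.com", "example.com", challenge)
    lookalike = sample_assertion("https://login.examp1e.test", "examp1e.test", challenge)
    print("genuine:  ", verify_origin_binding(*genuine, challenge))
    print("lookalike:", verify_origin_binding(*lookalike, challenge))
```

A response produced on a lookalike domain fails both the origin and the RP ID hash comparison, which is why a credential registered to one site cannot be exercised from another.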

Improved Customer Experience & Brand Loyalty

The average US consumer tries to keep track of over 14 different passwords across all their websites and services. Business users are estimated to be responsible for memorizing and using an even greater number of passwords, reaching up to as many as 191. The sheer number of passwords required for daily digital activities inevitably results in forgotten passwords, password resets, or, at worst, account takeovers due to weak or reused passwords. As a result, passwords degrade customer experiences, reduce brand loyalty, and contribute to lost revenue.

Passwordless login with WebAuthn provides an experience that is faster and more secure than usernames and passwords, transforming the online user experience into the familiar split-second convenience of using an ATM card. WebAuthn also lets users without cellular access authenticate in situations where methods such as one-time codes sent to mobile devices via text message typically would not work.

Lower Operational Costs

When users forget their passwords, they often end up calling help desks or support centers, consuming valuable time from support staff. In fact, Gartner estimates that password reset inquiries account for 20 to 50 percent of all help desk calls, which can cost large companies between $5 million and $20 million annually.

WebAuthn frees support and IT departments, including service desks and call centers, from the operational overhead of creating, storing, cycling, and resetting passwords. It can simplify user onboarding, and given that password resets currently represent the number one IT support cost, passwordless login promises to significantly reduce workloads in IT call centers, where agents today spend considerable time setting and resetting user passwords.

Simple & Flexible Integration Options

WebAuthn introduces the option for strong single-factor, two-factor, or multi-factor authentication. With this expanded choice of authentication flows, developers choosing to add WebAuthn support will have the option to select the authentication model that best suits their use cases and customers. This is especially useful for organizations that require a higher level of authentication security or that may prefer a layered approach (e.g., a PIN, biometric or gesture for additional protection) for certain in-app actions like changing personal information or transferring a large sum of money.

WebAuthn is also backwards-compatible with FIDO U2F authenticators for a second factor use case. This means that all previously certified FIDO U2F security keys, such as the YubiKey 4 or YubiKey NEO, will continue to work as a form of second-factor authentication login with WebAuthn-enabled authentication flows.

 

To learn more about the WebAuthn open standard and how it can benefit your organization, read our ‘Going Passwordless’ whitepaper. We also offer full development resources on our developer site to enable rapid WebAuthn implementations.

Stina Ehrensvard

WebAuthn wins support in Safari, Twitter, Coinbase and hundreds of more services

“And the winner is… WebAuthn!”

A few weeks ago at the European Identity Conference (EIC) in Munich, WebAuthn won the award for Best Future Technology and Standard Project. As a co-chair of the W3C WebAuthn working group and lead authors of FIDO U2F/FIDO2, Yubico was invited to receive the award on behalf of all who collaborated on the standard.

John Fontana, co-chair of W3C WebAuthn WG and member of the Yubico open standards team, at EIC award ceremony

There is no doubt that the winning authentication standard is gaining momentum. Last week, Apple enabled default WebAuthn support on macOS in its Safari Technology Preview, while Twitter and Coinbase announced their upgrade from FIDO U2F to WebAuthn. At Yubico, our team is busier than ever supporting hundreds of services across the globe that are in the process of adding support for the YubiKey, Security Keys and WebAuthn.

WebAuthn was initially deployed by all the leading internet companies, and we are excited to see its adoption expanding across a wider range of industries, regions, and use cases, including the protection of electronic identities for European citizens, blockchain technology services and financial institutions. One of the leading banks was encouraged to add support for WebAuthn after one of their customers approached them with the question, “How come authenticating to my Google and Facebook account is more secure than the service that holds my money?”

The FIDO U2F, FIDO2 and WebAuthn names can be confusing, but they are all part of the same standards initiative. The varying naming conventions are a result of the further development and expansion from the industry consortium FIDO Alliance (FIDO U2F and FIDO2) to the W3C web standards organization (WebAuthn). In March 2019, W3C approved the WebAuthn standard, which is built on, and backward compatible with, U2F.

We encourage all services to implement or migrate to WebAuthn so their end users have more choices from an ever-expanding list of browsers and authentication options including one-factor, two-factor and passwordless login. With free open source servers and development resources available from Yubico and others, service providers are rapidly adding support for WebAuthn to stop phishing and radically cut support costs. Users enjoy safer and easier login with the growing options of built-in and external FIDO/WebAuthn authenticators, also known as security keys. This award-winning web authentication standard lets everyone win — except the fraudsters!

Ronnie Manning

YubiKey Summer Showcase: InfoSecurity, Gartner Security & Risk, Identiverse

We’re gearing up for a busy and exciting month here at Yubico. We have a full event schedule, a handful of speaking sessions on trending security topics, and we will be showcasing many of our Works with YubiKey partners. In other words, you won’t want to miss this.  

YubiStyle Covers

If you are looking to integrate the YubiKey into your application or service, please check out our Works with YubiKey program for all the details and how you can get involved.  

So, where will we be during the month of June? Here are all the places you can find us and our partners in the coming weeks — and don’t forget to pick up a YubiStyle cover when you see us.

 

InfoSecurity Europe, London — June 4-6, Booth #J120

Stop by Yubico booth #J120 at InfoSecurity Europe and catch our latest passwordless login demos. We will be demonstrating the multi-protocol authentication capabilities of the YubiKey and also an early look at our YubiKey for Lightning Private Preview device for iOS.

Several Works with YubiKey partners will also be at InfoSecurity Europe showcasing the benefits of YubiKey authentication. Curious how the YubiKey works with Duo (booth #F140), ManageEngine (booth #D80), OneLogin (booth #C225), Microsoft (booth #D220), Thycotic (booth #C230), and StrongKey (booth #M147)? Be sure to stop by their booths to find out.

“Yubico is a key player in the FIDO community and it’s exciting to partner with them to help promote a world without passwords.” — Jake Kiser, COO, StrongKey

“In an age where identity theft is on the rise and almost every data breach involves a compromised user account, strong authentication should be an organization’s first line of defense.” — ManageEngine

Gartner Security & Risk, National Harbor, MD — June 17-20, Booth #450

Visit us at booth #450 to talk all things cybersecurity and privacy. Once again, we’ll be demo-ing passwordless account logins using WebAuthn and the YubiKey.

Don’t miss Works with YubiKey integrations at our partner booths as well. Drop by and say hello: ForgeRock (booth #625), Thycotic (booth #651), Microsoft, and Okta (booth #629).

“Yubico provides a standardized way to balance usability and security. When using YubiKeys with ForgeRock’s out-of-the-box FIDO2 support, our joint customers get secure multi-factor authentication paired with an outstanding user experience.” Ben Goodman, Senior Vice President, ForgeRock

Identiverse, Washington, D.C. — June 25-28, Booth #417

Stop by Yubico booth #417 for Yubico’s latest announcements and YubiKey demos during Identiverse. Several Yubico experts are also taking the stage at Identiverse to discuss everything from passwordless authentication to open standards and identity anchors.

  • Wednesday, June 26 | 2:00 – 2:15pm | Portable Root of Trust Explained
    In the Solutions Theater in the expo hall, Nick Charpentier, Solutions Engineer at Yubico, will discuss the concept of hardware authenticators as a portable root of trust to achieve a secure, ubiquitous experience across all devices.
  • Wednesday, June 26 | 5:35 – 6:00pm | Netflix’s Journey with WebAuthn
    Jerrod Chong, Chief Solutions Officer at Yubico, and Tejas Dharamshi, Senior Security Software Engineer at Netflix, will discuss Yubico and Netflix’s collaboration on a move to modern strong authentication with WebAuthn while maintaining a frictionless user experience.
  • Wednesday, June 26 | 4:25 – 4:50pm | Is Your 2FA Broken?
    John Bradley, Senior Solutions Architect at Yubico, will discuss various second-factor authentication techniques and how effective they are against advanced phishing threats.
  • Thursday, June 27 | 9:00 – 9:30am | Standards: The Bedrock of Identity
    John Bradley, Senior Solutions Architect at Yubico, will join a panel of standards experts on the keynote stage to discuss, debate, and provide insight into the world of open standards and how they may change our world in the next five years.
  • Thursday, June 27 | 4:25 – 4:50pm | Understanding Identity Trust Anchors
    Derek Hanson, Vice President of Solutions Architecture and Standards at Yubico, will discuss how identity attributes are managed, validated, secured and updated so that the systems and processes that are reliant on identity proofing have a solid foundation.

That’s not all. See what’s new with current and future Works with YubiKey integrations by stopping by any of our partner booths: Axiad IDS (booth #419), Microsoft (booth #303), Ping Identity (booth #601), ForgeRock (booth #411), Okta (booth #516), and OneLogin (booth #416).

“In today’s digital world, trusted identity requires that all the entities that interact with an organization be authenticated. Mobile and cloud identity solutions eliminate the need for organizations to choose between security, ease-of-use and ease-of-management.” — Yves Audebert, Chairman, President and Co-CEO, Axiad IDS

To stay up to date on these events, or to receive year-round updates on Yubico news, sign up for our newsletter and other mailing lists here.

Stina Ehrensvard

Yubico Expands Executive Team and Advisory Board

Today, I’m happy to announce the addition of two new members to Yubico’s Executive Team and one new board advisor. Jeff Kukowski joins us as Chief Revenue Officer, Bill Rule joins us as SVP of Global Supply Chain, and Chad Kinzelberg joins our advisory board. All three individuals bring years of expertise and proven track records in their respective fields to support Yubico’s growth.

The authentication industry is in a period of hypergrowth and Yubico is positioned at the forefront. With nearly 81% of breaches resulting from phished or stolen credentials, and password resets costing companies upwards of $12M a month, the need for strong, hardware-backed authentication is growing globally.

The new members of our leadership team are critical to the continued success of the company, delivering high-quality products for customers of all sizes and industries around the world, and doing it at scale. I am personally excited to see the YubiTeam growing with the addition of such great people and talent.

Jeff Kukowski, Chief Revenue Officer

Jeff joins Yubico from SecureAuth, where he served as CEO and Board Director. He has 30 years of experience building companies and category-leading solutions across all stages, industry verticals, geographies, technologies and cultures. He has helped scale companies from every stage, including start up, venture-funded to exit, private equity-backed, and public company turnarounds.

“Yubico solves one of the most critical problems in keeping people and companies safe from attackers in one of the most secure and easiest ways for users to do so. I am excited to contribute to our growth by helping our customers safely, easily and quickly accelerate their digital transformations.”

 

Bill Rule, SVP of Global Supply Chain

Bill has more than 20 years of experience in global supply chain and manufacturing at companies including HP, Aruba Networks, and Juniper. He also brings several years of running a manufacturing engineering consulting business working extensively with fast-paced companies, new product releases, and technical operations processes.

“I am very excited about the opportunity presented to me to be part of the Yubico Supply Chain team. I look forward to further enabling an already incredible team and contributing to the rapid growth environment at Yubico.”

 

Chad Kinzelberg, Board Advisor

Chad Kinzelberg joins us as a board advisor with invaluable business insights from his previous roles as CEO, CMO, and VC where he led a variety of companies in go-to-market strategies including IPOs and acquisitions.

Most notably, Chad directed the strategy and led business and corporate development efforts at Palo Alto Networks from pre-IPO to its status as the most valuable cybersecurity company in the world with a $24 billion market cap.

“I am genuinely excited to join the world class team at Yubico. An overwhelming majority of attacks rely on credential theft. Yubico addresses this problem better than any other vendor with a robust, easy to use solution. Every business and individual will be safer when they are using YubiKeys.”

The Yubico team will continue to grow in 2019. If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Stina Ehrensvard

The YubiKey as the WebAuthn Root of Trust

The new web authentication standard, WebAuthn, that was recently announced by W3C, is rapidly gaining adoption by leading platforms and services. WebAuthn is an evolution of the FIDO U2F standard, spearheaded by Yubico and Google, and successfully deployed since 2014 by millions of users with YubiKey security keys. Yubico helped to create WebAuthn to extend the standard beyond external security keys to include new internal built-in fingerprint readers and facial recognition technologies. Having these choices is important to drive widespread support for simple, strong and passwordless authentication methods.  

In this new authentication landscape, an external security key, such as the YubiKey, takes on the important role of a root of trust. As users move between different platforms and computing devices, having this portable root of trust is essential for enabling rapid bootstrapping on new devices and for recovering when devices are lost, stolen or replaced.

Below is a roundup of some of the best use cases for an external hardware-based authenticator:

  • Device Loss, Theft, or Compromise — In the case that a phone or computer is lost, stolen or replaced, the YubiKey can be used as an easy method to re-establish trust with online accounts and re-register the internal authenticator on a new device. An external root of trust like the YubiKey, where the user’s credential cannot be tampered with, allows a high degree of trust to be transferred from device to device and establishes each of them as a trusted entity, thereby protecting the account.
  • Multi-Device Access — In today’s digital age, users rarely work from a single device or platform. It’s common to move from a mobile device to desktop, laptop, or tablet, and even between personal and work devices. Having a portable external authenticator that can work across computing devices makes these transitions seamless. With options to connect via NFC, USB-A, USB-C, and soon Lightning, the YubiKey meets the needs of every internet user.
  • Mobile-Restricted Environments — Not all work environments allow employees or contractors to have a mobile phone. Call centers, manufacturing floors, and remote locations are some of the environments where a hardware authenticator is a preferred solution.
  • High Security Applications — Without ties to the internet or a multi-purpose chip or computing device, the attack vector naturally becomes much smaller on an external hardware authenticator. There are certain scenarios where services may choose to require step-up authentication to complete a high-risk action, such as transferring a large sum of money between bank accounts, or updating an address. The YubiKey can be used as an additional form of validation and quickly re-verify the user before the action is taken.  
  • Uninterrupted Access – We designed the YubiKey to provide optimal levels of durability. It is crush and water resistant and does not require batteries, so it eliminates the chance of the device being uncharged.
  • Integration with Legacy Systems — Most enterprises use a variety of systems, platforms, and devices, and not all of these support newer authentication standards such as FIDO and WebAuthn. Also, for use cases that require a corporate credential for computer login and remote access, digital signatures for code signing, key escrow for email encryption, or privilege access for older operating environments, the YubiKey’s multi-protocol functionality helps address a wider range of enterprise security needs.  
  • Authentication Backup — Regardless of how users are securing their accounts, it is always a best practice to have a backup method in case the primary method of authentication is lost, stolen, broken, or inaccessible. The YubiKey is an affordable, simple option that users can carry on their keychain, tuck into a wallet, or store in a safe place for convenient access at any time.

With a growing list of strong authentication options supported by WebAuthn, and the ability to solve use cases across device type, operating system and service, now is the time for companies to add WebAuthn to their services. Developers can take advantage of Yubico’s developer resources to extend user authentication options. To try out the WebAuthn authentication experience, please visit the Yubico WebAuthn demo site.

There are more than 3 billion people in the world connected to the internet who need — and deserve — a better, more secure experience. Let’s work together toward making the internet a safer place for everyone!

Alex Yakubov

YubiHSM 2 Now Compatible with EJBCA from PrimeKey

The YubiHSM 2, the world’s smallest hardware security module from Yubico, is now compatible with EJBCA software for a range of public key infrastructure (PKI) use cases. Available for all YubiHSM 2.1 and newer devices, Yubico’s updated Setup Tool, which adds support for PrimeKey EJBCA, is accessible in our latest YubiHSM 2 open source software development kit (SDK).

When it comes to maintaining your customers’ trust, it’s imperative to protect against data theft and compromise, and hardware security modules (HSMs) are table stakes. Traditionally, this has meant dedicating an entire rack—or more—in the server room.

Enter the YubiHSM 2. These thumbnail-sized hardware devices deliver enhanced protection for cryptographic keys, are more affordable than traditional HSMs ($650 MSRP), require very low power, are ultra-portable, and plug into any USB-A port—minimizing space requirements for deployment. The sheer size and cost alone open up incredible new use cases. Imagine an autonomous vehicle with its own YubiHSM 2—no need to compromise on trunk space.

“The priorities for us in developing PrimeKey’s EJBCA have always been flexibility and the ability to support different use cases. With the YubiHSM 2, we enable a cost efficient and portable HSM alternative that simplifies the process to secure your CA keys,” said Chris Job, Team Leader, PrimeKey Professional Services.

With our latest YubiHSM 2 open source SDK, and support for PrimeKey EJBCA, YubiHSM 2 users can leverage PrimeKey and Yubico open source software and tools for implementing PKI. Collaborating with PrimeKey, and adding support for PrimeKey EJBCA on the YubiHSM 2 further delivers Yubico technology to organizations where open source is preferred or even required. The YubiHSM 2 now supports two certificate authorities—Microsoft Windows CA and PrimeKey EJBCA—offering greater flexibility to those looking to secure an organization’s most important data with an HSM.

Licensing Information

The YubiHSM 2 SDK is intended for use in development and production environments in conjunction with YubiHSM 2, pursuant to Yubico’s terms and conditions of sale and license. By downloading and installing the SDK you agree to the terms of this license. The released SDK source code is licensed under the Apache 2.0 license. Third party software included in the YubiHSM 2 SDK, and their respective licenses, are listed in the licenses directory inside the SDK package.

Derek Hanson

Yubico Login for Windows Application Now Available in Public Preview

Every day, YubiKey users are protecting access to their data in cloud services like Gmail, Dropbox, and password managers, but these very same people also need to protect access to desktop and laptop computers. Thanks to the multi-protocol capabilities of the YubiKey, they can. The YubiKey can be used to log in to Linux, Mac, or Windows machines.

One of the more popular use cases we hear about is logging into Windows machines, which is why we designed the Yubico Login for Windows Application. The tool provides a simple and secure method for YubiKey users to secure access to their Windows computers. Today, we are opening the public preview program for the application.

Yubico Login for Windows Application

The Yubico Login for Windows Application will deliver a simplified configuration experience, enabling users to help protect their computers with a YubiKey. In addition, this application will enable new core features such as enrollment for backup YubiKeys and lost YubiKey recovery mechanisms.

These features make this application the most robust authentication tool that Yubico has provided for standalone Windows computers.

The preview program gives participants the ability to download the new Yubico Login for Windows Application, test the application, and provide feedback on the experience. This is your chance to influence the features prior to the upcoming official release.

The Yubico Login for Windows Application is best suited for:

  • Individuals that have local accounts on Windows 7, Windows 8.1 or Windows 10 computers.
  • Individuals or organizations that prefer local accounts created on their computers in order to keep sensitive information localized as opposed to taking advantage of a more connected Windows 10 experience (such as using Outlook.com, OneDrive, Live.com, Hotmail.com etc.).
  • Organizations that have a mix of Windows 7 and Windows 10 computers and do not use Azure Active Directory or Active Directory.

The Yubico Login for Windows Application is not ideally suited for:

  • Users who typically log into Windows computers with a Microsoft Account (e.g. username@outlook.com, username@hotmail.com, username@live.com, etc.).
  • Users who utilize the following sign-in options for their local account: Windows Hello (face, fingerprint, or iris), PIN, or picture password.

If you are interested in joining the public preview program for Yubico Login for Windows Application please sign up here. The preview offering and a configuration guide will be made available after sign-up.

Stina Ehrensvard

A Big Day for the Internet: W3C Standardizes WebAuthn

Today’s standardization of WebAuthn by the World Wide Web Consortium (W3C) marks a milestone in the history of open authentication standards and internet security, and Yubico is excited to be a part of it. Through close collaboration with the global internet standards community and the internet giants, Google and Microsoft, we achieved the near-impossible: the creation of a global standard for web authentication that is on track to be supported by all platforms and browsers.

With much of our personal and business lives now online, the need for stronger security has never been more important to protect our digital identities. With WebAuthn, we are addressing the problem behind the vast majority of security breaches — account takeovers due to stolen online credentials.

We have invested considerable time from our engineering staff in the development of this new standard, including being one of nine Specification Editors, being one of two co-chairs for the W3C WebAuthn group, and having six working group members. When I asked one of our engineers from this group how he liked his job, he responded, “It’s one of the most interesting and scary projects I’ve ever had. We are writing code that will impact the internet security of billions of people, so we feel the responsibility to get this right!”

From start to finish, the WebAuthn spec development has been more than a three-year process, but for Yubico, this is a culmination of more than a decade of innovation and seven years of standards work. Starting first with FIDO U2F, then FIDO2 and now WebAuthn, these standards are a natural evolution built upon each other to bring together new important security capabilities for the modern web:

  • Driverless, one-touch authentication with a single authenticator that can be used across any number of services with no shared secrets.
  • Public key cryptography to defend against phishing and man-in-the-middle attacks at scale.
  • Single-factor, multi-factor and passwordless authentication for web and mobile applications.

WebAuthn recognizes the importance of security keys as well as platform authenticators, such as built-in biometric sensors, by embracing broad support for a choice of authentication devices and modalities. Yubico supports this approach because it fosters widespread adoption of stronger authentication. We contributed to this standard to help as many people as possible stay safe online. Moving forward, the YubiKey will be valued as a high-privacy, high-security authentication choice. In addition, it will take on the important role of the Root of Trust, enabling seamless bootstrapping to new devices and rapid recovery from lost and stolen devices when built-in authenticators are not enabled or no longer accessible.

Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple Safari is actively testing the API. Additionally, Microsoft Accounts and Dropbox have WebAuthn support. Many more online services will soon follow.

Since FIDO U2F was first launched in Gmail in 2014, Yubico has provided free open source code, and guided the vast majority of online services integrating the standard. We continue this work with WebAuthn. Developers and online services can rapidly add support, including “upgrading” from an existing U2F deployment, by signing up to join the Yubico Developer Program to be informed on the latest reference documentation, testing tools and open source servers.

Individuals and companies who want easy, secure access to their daily online accounts — including those in financial, healthcare, and government services — can accelerate adoption by requesting support for YubiKey and WebAuthn. WebAuthn works with all existing U2F and FIDO2 YubiKeys.

WebAuthn standardization is the foundation for the first-ever web authentication standard designed with scalable public key cryptography and phishing protections, and we can now all help to make the internet safer for everyone.

Want to see WebAuthn in action? Stop by the Yubico booth this week at RSA (#S2162), Scale17x (#519), or Gartner IAM Summit Europe (#S12).

Ronnie Manning

Yubico Releases the 2019 State of Password and Authentication Security Behaviors Report

In conjunction with Data Privacy Day, Yubico is today releasing new research in a report entitled The 2019 State of Password and Authentication Security Behaviors Report, conducted by Ponemon Institute. The findings reveal that despite a growing understanding of security best practices, user behavior is still falling short. The problem? Passwords continue to trip up users and compromise security, and many users are not taking advantage of the stronger two-factor authentication solutions that are available.

The annual Data Privacy Day initiative, led by the National Cyber Security Alliance (NCSA), has grown in popularity each year — and with good reason. Massive data breaches like the recent Collection #1 continue to happen. With nearly 773 million records exposed, including email addresses and passwords, Collection #1 is one of the largest breaches to date; and yet, are individuals taking the actions needed to protect their online accounts? According to the report findings, it appears not.

Are we becoming more security-minded, and better yet, are we following best practices? Some of the most interesting stats revealed that:

  • 2 out of 3 (69%) respondents share passwords with colleagues to access accounts
  • 51 percent of respondents reuse passwords across business and personal accounts
  • 57 percent of respondents who have experienced a phishing attack have not changed their password behaviors
  • 67 percent of respondents do not use any form of two-factor authentication in their personal life and 55 percent of respondents do not use it at work
  • 57 percent of respondents expressed a preference for a login method that does not involve the use of passwords

Beyond the above listed highlights, the full 2019 State of Password and Authentication Security Behaviors Report delivers further data on the following topics:

  • How privacy and security concerns affect personal password practices
  • Risky password practices in the workplace
  • Authentication and account security in organizations
  • Differences in password practices and authentication security behaviors by age
  • Differences in password practices and authentication security behaviors by country (Germany, France, UK, USA)

To read more of the research highlights, please check out our infographic below or download our full research report here.

Stina Ehrensvard

Yubico Expands Executive Team with Addition of Guido Appenzeller, Chief Product Officer

Happy New Year from Yubico! We are very excited for the upcoming year, and 2019 has already kicked off with two new product announcements at CES. Now we’re expanding the Yubico family.

As of two weeks ago, we added another member to our executive team: Guido Appenzeller. Guido joins us as the Chief Product Officer of Yubico to focus on product development and strategy, a critical role to the company’s continued innovation and success in making strong authentication truly ubiquitous. Previously, he served as CTO of VMware, Consulting Professor at Stanford, and the founder of two start-ups.

Please join me in welcoming Guido into the YubiFamily. To learn a little more about Guido, here is an excerpt from a recent interview between Ronnie Manning, our VP of Communications, and Guido.

From founding two different start-ups to working as CTO for VMware, you have had experience with both large and small companies. While each phase of company growth presents its own set of challenges, which growth phase would you say you enjoy the most and why?
Both have been incredible experiences. I love small companies because of their agility and speed. You spot a new opportunity and with a good team you can have a product in the market months later. On the other hand, being an executive in a large company puts huge resources at your disposal. At VMware, we entered new markets by buying the market leader and then accelerating it with an enterprise sales team of several thousand people. In the end for me, it boils down to where I can have more overall impact and usually that is in a smaller company.

What’s the single biggest lesson you’ve learned in your career about successfully growing a company, and how do you plan to bring that to your role at Yubico? 
The two most important things about growing a company are the market and the team. Yubico is in a great market and solving a key problem: how to make the internet secure. Stina, Jakob and the team have done a great job creating a culture that focuses on security while at the same time emphasizing a fun user experience. That’s actually pretty rare for a security company. My goal is to keep this culture while building the lightweight process that’s needed to take Yubico through the next phases of its growth.

You have a long history of leading companies through successful growth periods. In an ideal world, how do you envision Yubico’s growth to unfold over the next 1-5 years?
The short-term opportunity for Yubico is to replace passwords as the main authentication method on the internet. This is a huge shift. It would all but eliminate phishing while actually improving usability. But this is just scratching the surface. Having inexpensive hardware with advanced cryptographic functionality opens up new applications for payments, messaging security, IoT security and secure infrastructure. Long term, these are the areas that excite me most.

What are the most exciting and daunting aspects of working in the cybersecurity industry?
Security is often an afterthought. We have a rich history in the technology industry of first building systems where we ignore security, then recognizing our error and eventually bolting on a security solution that is awkward to use and difficult to understand. I think what initially got me excited about the YubiKey is that it is one of the very few security products that is easy to understand and that end users actually love to use.

When you’re not busy tackling the roles and responsibilities of a Chief Product Officer, what are you most likely to be doing?
I love the outdoors and like exploring the world on foot, scuba diving or behind the controls of a small airplane that I have flown all the way from California to the Caribbean. I am an avid gamer with my kids or alone, and recently have been spending more and more time in Virtual Reality.

The Yubico team will continue to grow in 2019. If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Ronnie Manning

Yubico Launches the Security Key NFC and a Private Preview of the YubiKey for Lightning at CES 2019

Hello from Las Vegas. Today, we have some exciting news for you that’s coming straight from the CES show floor. We are introducing two new device form factors: our latest next-generation security key, Security Key NFC by Yubico, and a private preview of our YubiKey for Lightning. We are giving live demos of both of these keys at the CES Yubico booth (#312).

The Security Key NFC

The Security Key NFC is our newest addition to our distinctive blue Security Key Series, offering USB-A and NFC (near-field communication) for tap-and-go authentication over the FIDO U2F and FIDO2/WebAuthn protocols on computers and supported mobile devices (like an Android phone or an NFC reader attached to a Windows 10 computer). With the option of multiple communication methods, this one key is able to deliver a simple and seamless user experience across multiple devices for strong multi-factor, two-factor (2FA), and single-factor passwordless authentication.

Today, the Security Key NFC works out of the box with hundreds of services already supporting the FIDO U2F and FIDO2 authentication protocols, including Microsoft (for passwordless login), Google, Facebook, Twitter, Dropbox, a growing list of password managers, and many more FIDO2 and U2F compatible websites. And as the latest hardware authenticator from Yubico, it’s built to last. It’s made in the USA and Sweden with reinforced fiberglass that is hermetically sealed and injection molded into a monolithic block, delivering exceptional physical durability.

The Security Key NFC by Yubico is available beginning today for $27 at the Yubico online store.

YubiKey for Lightning — Private Preview

If you are a Yubico follower, you’ve probably heard that Yubico’s goal is to make strong, simple authentication truly ubiquitous, across all services, devices, and operating systems. Historically iOS has presented some challenges to achieving that mission, which is why we’re extremely excited to announce a private preview of our newest YubiKey for Lightning.

The YubiKey for Lightning is a multi-protocol hardware authenticator designed with both USB-C and Lightning connectors. By supporting the two most common connectors for Macs and iPhones, the new YubiKey for Lightning is designed to provide seamless authentication across compatible desktop and mobile devices.

We are also formally launching the YubiKey for Lightning Program as an extension of our Lightning Project announced in August 2018. If you are a developer or service that would like to support strong hardware authentication on iOS, we invite you to work with us by applying to participate in the YubiKey for Lightning Program. Selected participants will have access to the private preview of YubiKey for Lightning and also the Yubico Mobile iOS SDK for Lightning.

Today the YubiKey for Lightning is in private preview to selected participants in the YubiKey for Lightning Program, with general availability still to be announced.

Stina Ehrensvard

2018: A Year in Review for Yubico

2018 was an awesome year for Yubico. It was full of new product launches, business milestones, a growing team of super stars, and industry-leading innovations. It’s hard to believe that all of that happened in just one year, but it’s amazing to see how much can be accomplished together when we focus on our mission of making security available for all.  

Over the years, I’ve also learned that it’s necessary to reflect on all of these accomplishments as an entrepreneur, a CEO, or an employee. This time of pause allows us to evaluate the lessons learned, set new goals, and carefully build upon the work we’ve already done. So, as we cross into 2019, here’s a quick look back at some of Yubico’s finest moments of 2018.

We invested a significant amount of time and resources into product innovation and released several major new products, all of them being the first of their kind on the market.

The Security Key by Yubico is the first-ever security key to support FIDO2 and WebAuthn, the new global authentication standards for passwordless logins, to which Yubico is also the leading contributor.

The YubiKey 5 Series is the first-ever multi-protocol security key series to support FIDO2 and WebAuthn.

The YubiKey FIPS Series is the first-ever multi-protocol FIPS 140-2 validated security key series.

A major part of the Yubico mission is spent on working with the larger internet ecosystem, providing them with the insight and resources they need to be successful in protecting their users’ data and privacy. As a result, several major services and leading platforms and browsers have added support for FIDO2, WebAuthn, and YubiKey strong authentication.

Twitter adds support for FIDO U2F authentication with a YubiKey.

AWS Identity and Access Management adds support for FIDO U2F authentication with a YubiKey.

LastPass is the first iOS app to add support for strong YubiKey authentication via NFC.

Microsoft Accounts adds support for YubiKey and FIDO2 to allow users to log in to their accounts without a username and password.

Additional browser support continues for WebAuthn from Chrome, Firefox, Edge, and Safari.

The developer community is core to what we do here at Yubico, and while we’ve offered free and open source code since our launch in 2008, this year we created dedicated resources to expand our offerings.

The Yubico Developer Program is the first source for developers to gain access to YubiKey integration resources such as webinars, SDKs, implementation guides, and more.

Yubico launches the official Works with YubiKey Program to further guide and promote service providers’ YubiKey integrations.

The Mobile SDK for iOS was released to allow any iOS mobile app to rapidly add support for hardware-based two-factor authentication using YubiKey OTP over NFC.

The Yubico Lightning Project was announced, extending the capabilities of the Yubico Mobile SDK for iOS to support FIDO U2F/2 authentication over a Lightning connection.

The YubiHSM open source SDK was released to allow developers to integrate with the YubiHSM 2 and enable its security capabilities for greater protection of cryptographic key material.

Last but not least, we continued to grow Yubico as a trusted leader in strong authentication with new financial investments and the addition of new talent across the globe.

The Yubico team reached 160 people, representing 25 different nationalities, and based in eight countries: Sweden, USA, Germany, UK, Chile, Singapore, Australia and Japan.

Yubico received investment from top-tier investor Andreessen Horowitz (a16z) in support of our mission to create a safer internet at scale. Martin Casado, general partner for a16z, also joined the Yubico board of directors.

2018 was incredible, and we plan to top it with what’s to come in 2019! Be the first to know about new products and more by signing up for our mailing list.

Alex Yakubov

YubiHSM 2 Now Qualified for AWS IoT Greengrass Hardware Security Integration

We are excited to announce that Amazon Web Services (AWS) Internet of Things (IoT) Greengrass users can now use the YubiHSM 2, Yubico’s ultra-portable hardware security module, for secure key storage. AWS IoT Greengrass software provides local compute, messaging, and data caching for IoT devices, enabling users to run IoT applications across the AWS cloud and local devices.

The Internet of Things (2018) research report from Business Insider Intelligence predicts that there will be more than 55 billion IoT devices by 2025, up from about 9 billion in 2017. While reaping many advantages like increased efficiency and productivity, this rapid growth in adoption provides a new playground for malicious actors, creating real challenges for security and privacy.

Connecting everything to the cloud creates the potential for a single point of failure, which is why protecting access to servers is of paramount importance. A prime threat to access is storing root keys for servers in software. Root keys stored in software can be stolen, accidentally distributed, or misused, and can potentially lead to catastrophic security breaches.

AWS IoT Greengrass enables customers to leverage a hardware root of trust, such as the YubiHSM 2, for private key storage, and end-to-end encryption for messages sent between AWS IoT Greengrass Core and the AWS cloud, as well as between the AWS IoT Greengrass Core and compatible local devices. This provides AWS IoT Greengrass customers with the option to configure their AWS IoT Greengrass Core to use the private keys generated and stored on the YubiHSM 2.

“Security and compliance are primary considerations for customers as they begin their respective cloud journeys. Organizations need true cloud visibility, which is the foundation of security and controls. The integration of YubiHSM 2 with AWS IoT Greengrass is a great example of a way for customers to have greater visibility into local compute, messaging, and data caching for the Internet of Things (IoT),” said Troy Bertram, General Manager, Worldwide Public Sector Business Development, AWS. “The integration of YubiHSM 2 with AWS IoT Greengrass provides AWS customers with another avenue to maintain the strong hardware-backed security for cryptographic digital key generation, storage, and management.”

Since our initial launch of the YubiHSM 2 last year, many of our customers have approached us looking for a way to protect keys on servers. Complaints of traditional rack-mounted and card-based HSMs offering limited applicability at a significantly higher cost have led customers to our innovative alternative hardware security module. The YubiHSM 2 provides strong hardware-backed security for cryptographic digital key generation, storage, and management. The nano-sized YubiHSM 2 fits inside a server’s USB port and does not require additional hardware, significantly bringing down costs and simplifying the deployment process.

We’re excited for the collaboration with AWS IoT Greengrass. This announcement follows our recent release of our open source software development kit (SDK) for the YubiHSM 2. Now, more developers can rapidly integrate the YubiHSM 2’s capabilities into apps across a wider array of architectures and platforms. The YubiHSM 2 SDK enables developers to build products that communicate seamlessly with the YubiHSM 2 through the industry standard PKCS#11, and extend a range of high security functions and use cases for the greater protection of cryptographic keys.

The open source YubiHSM 2 SDK highlights Yubico’s commitment to transparency and trust. We continue to encourage the developer and security communities to join us in our mission to make strong hardware-backed security more accessible to organizations of all sizes.

Learn more about this new feature, and how AWS IoT Greengrass works with the YubiHSM 2. Want to integrate Yubico technology into your solution? Start here.

Ronnie Manning

Password-less Login with the YubiKey 5 Comes to Microsoft Accounts

We’ve done it! Together, with Microsoft, we’ve officially made it possible for hundreds of millions of Microsoft users around the world to log in without a password on their personal Microsoft accounts (MSA), with a YubiKey 5 or Security Key by Yubico.

With the latest update to Windows 10 (version 1809) and existing native support in Edge, all consumer Microsoft accounts now support password-less login via FIDO2/WebAuthn. Yes, no passwords.

With a Microsoft account and the YubiKey, you can quickly and securely log in (and automatically single-sign-on) to all of these Microsoft services on Edge:


That’s one login, zero passwords, and effortless access to your most loved Microsoft services.
Let’s just take a moment for that to sink in.

Today’s announcement from Microsoft is a landmark in the history of authentication. The first driverless, one-touch authentication USB device was launched in 2008, in the form of the original one-time password (OTP) YubiKey. To improve protection against phishing and advanced attacks, and make it work with any number of services with no shared secrets, Yubico co-created U2F with Google, which was later contributed to the FIDO Alliance.

To remove the need for a username and long complicated passwords, we worked with Microsoft and the FIDO Alliance to evolve U2F into FIDO2 for password-less login. We say thank you to everyone who has been part of making this a reality.

“Password-less sign-in is a transformational change to how business users and consumers access devices and applications. It combines industry-best ease of use and security to create an experience people are going to love and hackers are going to hate,” said Alex Simons, Corporate Vice President, Microsoft Identity Division. “FIDO2 is a key part of Microsoft’s push to eliminate passwords and devices like the YubiKey 5 are a great example of how we’re working with partners to make this transformation a reality.”

How To Register A YubiKey with Your Microsoft Account

To take advantage of this new, advanced security feature, you simply need to register your FIDO2-enabled YubiKey 5 Series or Security Key by Yubico with your Microsoft account. This feature is available on any Windows PC with the Windows 10 version 1809 update and Microsoft Edge installed.

You have the option to do so either by USB-A or USB-C port (YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, YubiKey 5C Nano, Security Key by Yubico) or by NFC (near-field communication) wireless connection (YubiKey 5 NFC).  

  1. To begin, launch Microsoft Edge on the latest Windows 10 update (version 1809), visit the Microsoft account page, and sign in as you normally would. Click on Security > More security options, then select Set up a security key.
  2. Identify what type of YubiKey you have (USB or NFC) and select Next.
  3. You will be redirected to the setup experience where you will insert or tap your YubiKey 5 or Security Key. This action generates a unique public-private key pair between your YubiKey and your Microsoft account, and only the YubiKey stores the private key. It never leaves your device. The public key is stored with the Microsoft service to allow for verification of your authentication.
  4. You will then be prompted to set a unique PIN to protect your key. This PIN is stored locally on the YubiKey—not with Microsoft accounts.
  5. Take the follow-up action by touching the YubiKey’s gold sensor.
  6. Name your security key so that you can distinguish it from other keys (we always recommend setting up an additional YubiKey for backup).
  7. Sign out and open Microsoft Edge, select use security key instead, and sign in by inserting or tapping your key and entering your PIN.

That’s it! You have successfully replaced your Microsoft account password with strong, hardware-based authentication using public key cryptography to protect against phishing and man-in-the-middle attacks. For more details, visit yubico.com/go-password-less/microsoft and if you want to see more, check out our fun promo videos here and here!!!

Authenticating Beyond Your Microsoft Account

In addition to FIDO2, the YubiKey 5 series supports: FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response. This means the same device that you use to protect your Microsoft account can be used to protect your password manager, social media accounts, and your logins to hundreds of services. Check out the Works with YubiKey catalog to discover other services that support the YubiKey.

Alex Yakubov

The Modern Workplace Journey: Experience MFA Everywhere with PingID and the YubiKey

One of the most frequent questions I’m asked to talk about is what sets the YubiKey apart from other security keys. At Yubico, we pride ourselves on making the highest quality, most durable and innovative authentication devices on the market, including the first-ever multi-protocol security keys which combine FIDO2, U2F, one-time password (OATH-HOTP and OATH-TOTP), PIV-compatible smart card, and OpenPGP in one authenticator. This multi-protocol support is a critical feature for organizations in the process of modernizing strong authentication for everything that employees, vendors, and users access on a daily basis, as one single YubiKey can meet varying authentication needs.

The journey to modernizing authentication also often starts with finding the right Identity Access Management (IAM) solution, which is why Ping Identity, the leader in Identity Defined Security solutions, is a critical member of the Yubico Ecosystem. Yubico is excited to work with Ping Identity to strengthen the authentication choices for PingID customers.

Starting today, current and prospective PingID customers considering a YubiKey implementation are invited to learn more about our joint solution through Ping Identity’s YubiKey Experience Pack initiative. A co-branded experience pack will be available to PingID customers as a special complimentary offer designed for admins to experience the many benefits of our joint solution. Each pack features two (2) of our latest YubiKey 5 Series devices and a PingID Quick Start Guide. The YubiKey 5 Series supports two-factor, multi-factor and passwordless authentication, so as the future of authentication progresses toward passwordless logins, PingID customers will be equipped with an authentication device that can do it all.

Setting up YubiKey authentication with PingID is easy. Users can self-register the YubiKey with their PingID account without needing additional software or drivers.

“Ping Identity is committed to providing the most secure multi-factor authentication experience and emerging authentication standards for its customers,” stated Monica Hamilton, Head of Technology Alliances and Business Development at Ping Identity. “By working with Yubico, we are able to provide secure login options with a hardware device for added user convenience, especially in scenarios where a mobile phone cannot be utilized or is not preferred.”

Yubico is also thrilled to be one of Ping Identity’s Global Sponsors for IDENTIFY 2018. Today, we’re kicking off IDENTIFY San Francisco, and November 7 marks the third and final event in the series, IDENTIFY New York. Stop by our kiosk and chat with us about your journey to modernizing the workplace. Still need a ticket to IDENTIFY 2018? Use code YUB524 in the online registration portal for a complimentary pass courtesy of Yubico. Qualifying customers can request the YubiKey Experience Pack for PingID customers by contacting sales@pingidentity.com while supplies last! Learn more about how Yubico and Ping Identity work together.

Jerrod Chong

Introducing the YubiKey 5 Series with New NFC and FIDO2 Passwordless Features

Today, we are announcing some exciting news that we know you’ve all been waiting for. The 5th generation YubiKey has arrived!

Our new YubiKey 5 Series is comprised of four multi-protocol security keys, including two much anticipated new features: FIDO2 / WebAuthn and NFC (near field communication).

The YubiKey 5 Series is the industry’s first set of multi-protocol security keys to support FIDO2 / WebAuthn, the open authentication standard that Yubico helped to pioneer, along with Microsoft and others. All leading platforms and browsers have either added support or are engaged in this standards work, expanding authentication choices using authentication devices, such as a YubiKey, with or without a username and password. Each key in the YubiKey 5 series supports: FIDO2 / WebAuthn, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response.

With the new YubiKey 5 series, Yubico provides a solution that works not only for today’s authentication scenarios but also for tomorrow’s, helping to bridge the gap from existing solutions to a future of passwordless login. Users will receive the same trusted security, ease of use, and durability expected from a YubiKey, but will now have the added option of passwordless logins using FIDO2:

Authentication options with the YubiKey 5 Series.

Single-Factor Authentication (Passwordless) with the YubiKey 5 Series – The YubiKey 5 security keys can be used alone for strong single-factor authentication, requiring no username or password to login — just tap or touch to authenticate.

Second-Factor Authentication with the YubiKey 5 Series – Used alongside a username and password, the YubiKey 5 series offers a strong second factor of authentication. This is the YubiKey integration that exists today with services like Google, Twitter, and Facebook, and it is most familiar to our users.

Multi-Factor Authentication (Passwordless + PIN + Touch) with the YubiKey 5 Series – The YubiKey 5 series can be used in conjunction with a PIN for user verification. In this case, the PIN unlocks the device locally and touch is still required for the YubiKey to perform the authentication.

With this expanded choice of authentication modes, developers choosing to add support for the YubiKey will have the option to choose the authentication model that best suits their use cases and customers. Implementation resources for all of the YubiKey-supported protocols can be found on the Yubico Developer website or through the Yubico Developer Program mailing list.

Another much anticipated feature of the YubiKey 5 series is the addition of NFC to the YubiKey 5 NFC device, allowing for a seamless and secure tap-and-go experience with mobile devices or external NFC readers.

YubiKey 5 NFC

Combining the security and usability features of FIDO2 passwordless authentication and tap-and-go NFC provides an optimal user experience, and drastically improves security and productivity. This is especially beneficial in fast-paced, dispersed working environments within sectors such as financial services, healthcare, and retail point-of-sale (POS). FIDO2 is the first open standard authentication protocol that can take tap-and-go authentication to the masses.

The YubiKey 5 Series includes: YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, and YubiKey 5C Nano. To determine the key that is best for you, please reference the online comparison chart, or take our YubiKey quiz!

Beginning today, YubiKey 5 Series security keys are available for purchase exclusively at Yubico.com. Shop our store, and be one of the first to own a YubiKey 5!

Alex Yakubov

Taking strong, hardware-backed MFA where mobile phones can’t go

With security breaches becoming a growing and expensive problem, organizations are embracing identity and access management (IAM) platforms with multi-factor authentication (MFA). This technology enables organizations to address expanding security concerns and regulatory requirements within and beyond their employee base, while also reducing complexity for the end user by having as few as one identity to access all the different tools, systems, and programs required to do their jobs.

Our work with the IAM vendor community has proven there are many scenarios where mobile phone use is restricted or even prohibited for varying reasons. Call centers and hospitals, as well as high-security environments like government agencies and financial institutions, require strong authentication to protect sensitive data and assets.

For instance, call centers are tightly controlled environments from a time/work perspective. Performance control is another important aspect: the fewer distractions, the higher the throughput from staff. Arguably more important is privacy. Call centers do not allow mobile phones in an effort to protect customer data from misuse and abuse, which means another form factor becomes essential to enabling MFA.

Yubico Partner, Ping Identity, offers an Identity as a Service (IDaaS) platform called PingID. With the YubiKey and PingID together, customers receive a comprehensive hardware-backed MFA solution for both high-security and phone-free environments. The joint enterprise-wide solution offers tailored authentication policies for administrators, and at the same time, provides simple, secure access for users.

“Ping Identity’s partnership with Yubico gives an enterprise the convenience and flexibility of mobile app-based or hardware-based MFA to deliver the right level of assurance to match risk across an ever-increasing number of access points. With MFA everywhere these days, admins are looking for a way to centrally manage all MFA use cases. Native support for YubiKey helps an organization get much closer to that goal,” said Edward Killeen, Partner Marketing Manager, Ping Identity.

With PingID, admins easily define advanced authentication policies and layer strong YubiKey MFA when and where needed. This affords users the flexibility to harness hardware-backed protection at any time and from anywhere. PingID’s native support for certified YubiKey hardware and YubiOTP (One Time Password) also enables enterprises to eliminate the need to manually type codes, not only saving on time, but also improving employee productivity. A strong testament to durability and reliability, the YubiKey does not require batteries or network connectivity, so it is always on and accessible.

Using PingID and the YubiKey together helps enterprises safeguard their most sensitive data, and effectively mitigates the risk of security breaches. For more information on how PingID and the YubiKey work together, download our joint solution brief here or visit yubico.com/works-with/ping-identity/.

Jerrod Chong

Yubico Extends Mobile SDK for iOS to Lightning

Earlier this year, Yubico announced a Mobile SDK for iOS to enable Yubico OTP authentication over NFC on iPhones. Today, we are pleased to announce that we are extending the Yubico Mobile SDK to enable rapid implementation of FIDO U2F over a Lightning connection for iOS apps. We invite developers to join the Yubico Lightning Project to work with us to broaden authentication options for iOS applications.

The reality is, overall usage of mobile devices is on the rise. In fact, 79% of internet use is predicted to be on mobile by the end of 2018. Yubico’s goal has always been to make strong, simple online security truly ubiquitous, regardless of service, device, and/or operating system. However, making a hardware authenticator, such as the YubiKey, work in a secure and seamless way with iOS has been a challenge for us and the rest of the industry over the past few years.

We have researched and prototyped various iOS solutions and believe that NFC (near field communication) and USB are optimal communications transports for external authenticators because of security and usability. While it’s always possible that Apple may further open up support for NFC or USB interfaces in the future, this is currently limited or not accessible on today’s iOS devices.

The Yubico Lightning Project is designed to address these issues, with rollout in several phases. Phase one introduces our extended Mobile SDK for iOS, which enables developers to add U2F authentication to iOS apps via a lightning connection. This approach enables apps and services to have out-of-the-box U2F support. Following phases will be communicated in the future.

“Our customers love the security and ease of use of U2F Yubico security keys on their Keeper desktop and web app. Providing this ability to all users on their iPhone and Android devices is an amazing and exciting capability we’ll be ready to deploy as soon as it becomes available,” said Craig Lurey, CTO and Co-Founder of Keeper Security.

“Multi-factor authentication is a must for all organizations, helping to mitigate credential-based attacks and ensuring only the right people have access to the information they need to do their work. By working with companies like Yubico alongside our own MFA offering, we’re able to continue to provide organizations with options for simple, seamless ways to layer security on all of the devices the modern workforce is using today,” said Joe Diamond, Sr. Director of Security Product Marketing, at Okta.

Developers who are interested in taking advantage of strong U2F authentication for iOS apps are invited to sign up here to receive more information about the Lightning Project. We also encourage you to sign up for the Yubico Developer Program mailing list to stay updated on new developer resources as they become available.

Ronnie Manning

Let’s Meet! Catch YubiKey Demos, Developer Resources & More at Black Hat

This week, we’re headed to Las Vegas for none other than the Black Hat Expo, and we’ll be showcasing all kinds of YubiKey goodness. We’ll be at booth #463, so if you’re there stop by to say hello.

Here’s a taste of what you can expect:

Passwordless Login Demos

If you’ve been keeping up with us and the authentication space, you’ll know that a passwordless future is here thanks to the introduction of the new FIDO2 open standard.

Yubico is a core contributor to this standard, and we’ve got a device that can deliver on the passwordless login experience — the Security Key by Yubico. And you guessed it, we’ll be demoing a tap-and-go login flow (no passwords needed) at Black Hat on an Azure Active Directory environment with the Security Key by Yubico. Catch a sneak peek!

New Developer Resources

We’ve been hard at work on our recently launched Yubico Developer Program, and we’re happy to share some of our latest resources with you at BlackHat.

One of our hottest new offerings is our Mobile SDK for iOS. In case you missed it, LastPass leveraged our Mobile SDK for iOS to enable the YubiKey NEO to authenticate to the LastPass iOS app via NFC (we’ll have demos at the booth). The Mobile SDK for iOS is hosted on our developer site and open for all developers to use.

If you haven’t heard about our Developer Program, sign up for our mailing list and we’ll keep you in the loop on what’s new.


Featured YubiKey Integrations

Here at Yubico, we like to say, “The YubiKey works with many, many locks.” We’ve built so much power, security, and usability into one little device, and those features are built upon by all of the services and applications that support the YubiKey.

That’s why we love our technology partners so much. Keep your eyes peeled and see if you can spot the “Works with YubiKey” standees when you’re walking the show floor.

Several of our partners will have these featured at their booths and will be giving demos of their own YubiKey integrations.

 

If any of this sounds interesting, or even if you’d just like to meet the people behind the key, please come say hi. We’re at booth #463, and we’d love to meet you and talk all things YubiKey.

Jerrod Chong

One Step Closer to Passwordless Login with Microsoft Edge Support for FIDO2 & WebAuthn

The industry moved one step closer to passwordless login with this week’s Microsoft announcement that starting with Microsoft Edge build 17723, the browser will support FIDO2 strong first-factor and multifactor passwordless login, and second-factor authentication.

Now, with Chrome, Firefox, and Edge all engaged to support WebAuthn, we have two-thirds of all major web browsers backing this next-generation protocol. In March this year, W3C Web Authentication Working Group announced that WebAuthn reached Candidate Recommendation (CR) status, meaning with high interoperability, any browser could add support.

This is exciting news for developers, application creators, and those who want to secure their services with WebAuthn and FIDO2 to enable a passwordless login experience.

As a leading contributor and driver of the FIDO2 and WebAuthn open authentication standards, Yubico is committed to helping the larger developer community navigate implementation. Earlier this year we launched a new Developer Program to help developers rapidly integrate with these new standards. Over 1000 companies have registered to date with the program to find resources to help them become successful in integrating FIDO2. Most recently Yubico hosted an expert FIDO2/WebAuthn webinar series focused specifically on FIDO2 and WebAuthn education and deployment:

  • FIDO2 Authentication Demystified
  • FIDO2 WebAuthn Data Flows, Attestation, and Passwordless Technical Overview
  • FIDO2 WebAuthn Server Validation Technical Overview

With new WebAuthn browser support available in Edge, Chrome, and Firefox, a FIDO2 compatible hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single-factor authentication. WebAuthn still allows for second-factor authentication and also supports the use of a PIN or biometrics with both external and platform authenticators for a multi-factor passwordless login experience.

The FIDO2 momentum is strong and we encourage developers and security architects interested in the new standard to sign up for our Yubico Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. New content is being added on an ongoing basis with the next FIDO2 resources becoming available later this month.

For those that are still unfamiliar with FIDO2 and WebAuthn, visit our latest blog that answers some of the most common questions we’ve received about the standard so far.

(Browser market share percentage via statcounter)

Jerrod Chong

10 Things You’ve Been Wondering About FIDO2, WebAuthn, and a Passwordless World

Armed with a mission to deliver a more secure internet, Yubico has been working closely with Microsoft, Google, the FIDO Alliance and W3C to create and drive open standards that pave the way for the future of passwordless login. The FIDO2 standard is the new standard enabling the replacement of weak password-based authentication with strong hardware-based authentication using public key (asymmetric) cryptography.

FIDO2 has created quite a buzz in the security community, and as with any new technology, there’s always a bit of a learning curve. Earlier this year, we introduced our updated Yubico Developer Program to help developers get up to speed quickly with FIDO2 and WebAuthn.  

In the past few weeks, we have run a FIDO2 webinar series for developers to provide background on the FIDO2 specification and how to implement it. During the course of this webinar series, we have answered many questions about the specifics of the FIDO2 standard and WebAuthn, including how it relates to our new Security Key by Yubico, and the evolution of a passwordless world. We wanted to share the most commonly asked questions and answers, which you may also have wondered about.

Are FIDO2 and WebAuthn the same thing? If not, how are they different?

FIDO2 is comprised of two standardized components, a web API (WebAuthn) and a Client to Authenticator Protocol (CTAP). The two work together and are required to achieve a passwordless experience for login. The earlier FIDO U2F protocol working with external authenticators is now renamed to CTAP1 in the WebAuthn specifications.

With Chrome and Firefox announcing WebAuthn API and CTAP1 support as the client, and Dropbox now integrating with the WebAuthn API, this has kicked off a flurry of integration activities by other services. Most recently, Microsoft Edge released support for WebAuthn API, CTAP1 and CTAP2, making it the browser with the widest authentication support.

Is FIDO2 backwards-compatible with current YubiKey models?

The WebAuthn component of FIDO2 is backwards-compatible with FIDO U2F authenticators via the CTAP1 protocol in the WebAuthn specifications. This means that all previously certified FIDO U2F Security Keys and YubiKeys will continue to work as a second-factor authentication login experience with web browsers and online services supporting WebAuthn.

The new FIDO2 passwordless experience will require the additional functionality of CTAP2, which is currently only offered in the new Security Key by Yubico. CTAP2 is not supported in previous FIDO U2F Security Keys, the current YubiKey 4 series, or the YubiKey NEO.

Is FIDO2 considered single factor, two-factor or multi-factor authentication?

Login with a FIDO2-enabled hardware device, such as the Security Key by Yubico, offers a greater choice for strong authentication including:

  • single factor passwordless
  • two-factor (2FA)
  • multi-factor authentication (MFA)

With FIDO2, a hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single factor authentication. Users can also continue to use the Security Key by Yubico as a second factor. Finally, for added security, a FIDO2 hardware authenticator can be combined with an additional factor, such as a PIN or biometric gesture, to enable strong multi-factor authentication.

How secure is FIDO2 compared to FIDO U2F and other 2FA solutions?

Single factor login with FIDO2 offers strong authentication as a single factor. In many cases, this single factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely when using FIDO2. FIDO2 single factor uses the same strong public key cryptography with origin checking to prevent phishing just like FIDO U2F, but with the additional convenience of not needing usernames and passwords as the first factor to identify the user.

Will FIDO U2F become obsolete with the expansion of FIDO2?

FIDO2 WebAuthn is backwards compatible with FIDO U2F authenticators, so over time, we expect FIDO2 will subsume FIDO U2F.

Is there an option to use FIDO2 in conjunction with an additional factor such as a PIN or biometrics? Is this recommended?

Hardware authenticators supporting CTAP2 can add user verification by requiring users to use a PIN or biometric to unlock the hardware authenticator so it can perform its role. This preference is primarily dependent on the implementor’s threat vectors as well as use cases. For example, a large banking institution may want to consider the use of a PIN in conjunction with a security key for a higher level of assurance, while a warehouse-based shared kiosk environment may not.

The Security Key by Yubico is enabled with the full CTAP2 specs, and is fully enabled to support several passwordless experiences including single factor touch-and-go using the hardware authenticator (no need for a username) as well as use of a PIN with touch of the hardware authenticator.

What’s the difference between a PIN and password?

As stated above, one of the allowances with FIDO2 is the option to combine hardware-based authentication with an additional factor such as a PIN. This has many of you wondering, “Well, isn’t that the same as needing to remember a password?”

A PIN is actually different than a password. The purpose of the PIN is to unlock the Security Key so it can perform its role. A PIN is stored locally on the device, and is never sent across the network. In contrast, a password is sent across a network to the service for validation, and that can be phished. In addition, since the PIN is not part of the security context for remotely authenticating the user, the PIN does not need the same security requirements as passwords that are sent across the network for verification. This means that a PIN can be much simpler, shorter and does not need to change often, which reduces concerns and IT support loads for reset and recovery. Therefore, the hardware authenticator with a PIN provides a passwordless, phishing-resistant solution for authentication.
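The relying-party side of the origin check and the PIN-backed user verification described in the answers above, as an added example that is not Yubico's code or part of the original FAQ. The RP ID, origin, function names and the simulated browser and authenticator are assumptions constructed for illustration; the field layout follows a WebAuthn assertion (clientDataJSON, authenticatorData, signature).

```javascript
// Added example (not Yubico code): server-side checks on a WebAuthn assertion.
// RP_ID, ORIGIN and every function name here are assumptions for this sketch.
const crypto = require('crypto');

const RP_ID = 'login.example.com';
const ORIGIN = 'https://login.example.com';
const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric checked on the device)

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed stand-in for browser + authenticator. The browser writes the
// origin it is really on into clientDataJSON; the authenticator hashes the
// RP ID and signs authenticatorData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, { origin, rpId, challenge, userVerified }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: b64url(challenge),
    origin,
  }));
  const flags = FLAG_UP | (userVerified ? FLAG_UV : 0);
  const signCount = Buffer.from([0, 0, 0, 1]);
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags]), signCount]);
  const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signedBytes, privateKey); // DER ECDSA
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party verification. Returns { ok, reason } with the first failure.
function verifyAssertion(assertion, { publicKey, expectedChallenge, requireUserVerification }) {
  const fail = (reason) => ({ ok: false, reason });
  const { clientDataJSON, authenticatorData, signature } = assertion;

  let clientData;
  try {
    clientData = JSON.parse(clientDataJSON.toString('utf8'));
  } catch {
    return fail('malformed clientDataJSON');
  }
  if (clientData.type !== 'webauthn.get') return fail('wrong ceremony type');
  if (clientData.challenge !== b64url(expectedChallenge)) return fail('challenge mismatch');
  if (clientData.origin !== ORIGIN) return fail('origin mismatch');

  // authenticatorData: 32-byte rpIdHash, 1 flag byte, 4-byte signature counter.
  if (authenticatorData.length < 37) return fail('authenticatorData too short');
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return fail('rpIdHash mismatch');
  const flags = authenticatorData[32];
  if (!(flags & FLAG_UP)) return fail('user presence required');
  if (requireUserVerification && !(flags & FLAG_UV)) return fail('user verification required');

  // The signature covers the flags and the origin-bearing client data, so
  // neither can be changed in transit without failing here.
  const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  let valid = false;
  try {
    valid = crypto.verify('sha256', signedBytes, publicKey, signature);
  } catch {
    valid = false;
  }
  return valid ? { ok: true, reason: null } : fail('bad signature');
}

// Runs the constructed scenarios and returns each verification result.
function runDemo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = crypto.randomBytes(32);
  const staleChallenge = crypto.randomBytes(32);
  const policy = { publicKey, expectedChallenge: challenge, requireUserVerification: true };
  const real = { origin: ORIGIN, rpId: RP_ID, challenge, userVerified: true };

  const genuine = makeAssertion(privateKey, real);
  // Look-alike site relaying the real challenge: the browser records its origin.
  const phished = makeAssertion(privateKey, {
    ...real,
    origin: 'https://login.example.com.evil.test',
    rpId: 'login.example.com.evil.test',
  });
  const replayed = makeAssertion(privateKey, { ...real, challenge: staleChallenge });
  const touchOnly = makeAssertion(privateKey, { ...real, userVerified: false });
  // Same touch-only assertion with the UV bit flipped after signing.
  const forgedData = Buffer.from(touchOnly.authenticatorData);
  forgedData[32] |= FLAG_UV;
  const flagForged = { ...touchOnly, authenticatorData: forgedData };

  return {
    genuine: verifyAssertion(genuine, policy),
    phished: verifyAssertion(phished, policy),
    replayed: verifyAssertion(replayed, policy),
    touchOnly: verifyAssertion(touchOnly, policy),
    flagForged: verifyAssertion(flagForged, policy),
  };
}

console.log(runDemo());
```

The PIN appears in none of these fields: the server sees only the signed UV bit, which is why flipping that bit after signing fails the signature check.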

How does FIDO2 affect a company’s password policy of replacing passwords every 90 days?

With FIDO2, there’s no need to replace passwords, as there are no passwords required.

For those combining a hardware authenticator with a PIN, it’s important to note that PINs do not demand the same security requirement as a password. A PIN and a password are different. Since a PIN is not part of the security context for remotely authenticating the user (the PIN is not sent over the network for verification), it can be much simpler and less complex than a password, and does not need to be changed with the same frequency (or at all), which eases enterprise concerns about PIN reset and recovery.

What services provide support for FIDO2? When can we expect additional services to roll out support?

Chrome, Firefox, and Dropbox have implemented support for WebAuthn second-factor login flow. Beginning with build 17723, Microsoft Edge now supports the candidate release version of WebAuthn. This latest version of Edge is able to support FIDO2 strong single factor and multi-factor authentication, in addition to the second factor. The Yubico Developer Program offers comprehensive resources for those interested in adding support for FIDO2.

What if I lose my Security Key by Yubico? Without a password, am I locked out of my account?

Best practice is always to ensure that you have a backup Security Key in place, should you misplace your primary device. The Security Key by Yubico contains no identifiable information, so if it were to be found, it could not immediately be used to log in without knowing the identity of the owner and to which accounts it is registered. The reality is that the primary attack vector for consumers and enterprises is remote account takeover — whether by credential theft, phishing scams, or man-in-the-middle attacks. FIDO2 and the Security Key by Yubico are specifically designed to protect against these types of threats.

For those who are concerned with physical threats, the option is there to require multi-factor authentication using a PIN for additional protection. That way, if someone obtains a stolen Security Key, they will still need to know which accounts it is registered with, and also have access to your additional factor (PIN) to be able to log in.

A significant benefit of an open authentication standard is that the number of implementations is limitless. With Microsoft Edge, Google Chrome and Mozilla Firefox working as the client and Dropbox working as the service, all have announced WebAuthn support with many more in the works. We’re well on our way to the future of passwordless login!

Do you want to be a part of the future of passwordless login?

If you are a developer who is interested in adding support for FIDO2, sign up for our Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. Also, our series of FIDO2 virtual events is now available for on-demand viewing.

If you’d like to read more about FIDO2, check out our recent blog post, “What is FIDO2?”

Alex Yakubov

Accountants Protecting Sensitive Data and Yubico Developer Program Updates

We just received some stats from our friends over at QuickBooks—the number of apps used by the Small Business Market is projected to grow threefold in the next few years. The QuickBooks Online Community is comprised of more than 3.2 million small businesses, 200 thousand accountants/bookkeepers, and thousands of 3rd party app developers. That’s a lot of apps and accounts with access to sensitive data!

With similar visions and missions targeted at developers, it’s about time we joined forces to share tips and resources across communities. Join Yubico and Intuit’s David Leary, host of the Intuit Developer Friday Morning Hangout, this Friday at 9am PT for a chat about YubiKeys and why security is vital to the QuickBooks Online Ecosystem of small business owners, accountants, bookkeepers, and 3rd party app developers.

Check out this video to learn more about the QuickBooks Online Ecosystem and APIs:

Yubico Developer Program Updates

The Yubico team is continuously improving the Yubico Developer Program with input and feedback received directly from our community members. We appreciate hearing from so many of you since announcing our revamp plans earlier this year. Top requests include more instructional content, code samples in additional languages, a path to obtain early access to alpha/beta hardware, guidance on how to connect with other developers, and general clarity on the developer program. We’re actively working on each of these areas and look forward to your continued feedback and input.

In case you missed it: We recently hosted three instructional webinars on FIDO2, which you can view on demand here.

Also, today, we expanded our mailing list to include the option to select the types of email communications you choose to receive from us. The different sub-categories include a Developer Program Updates newsletter, product announcements, surveys, event invitations, and alpha/beta program invitations. Fear not — this doesn't mean we're going to email you at all hours of the day. It's important to us that you only receive the types of communications you care about most.

You can join the Yubico Developer Program mailing list here. Shortly after, you'll receive a welcome email and the ability to manage your email preferences. View a copy of our July Newsletter here.

Curious about the Yubico Developer Program? Learn more here and check out our developer site, including how to connect with the Yubico developer community.

Stina Ehrensvard

The Key to Trust

As the principal inventor behind both the Security Key and U2F protocol, we are true supporters of open standards. To realize our mission of making secure login ubiquitous, we designed the original Security Key, and provided the majority of the open source code and test tools for FIDO U2F and the latest version of the standard, FIDO2, which offers a passwordless experience.

Innovation is core to all we do, and as the ecosystem continues to mature, U2F and FIDO2 functionality will come in many different form factors, communications methods (USB/BLE/NFC) and features, from Yubico and others.

Over the past several years, Google has deployed hundreds of thousands of FIDO U2F-enabled Yubico devices internally with amazing results. Today, Google released their own version of a security key, and while we have received the question if we were part of this production, these devices are not manufactured by Yubico.

Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.

Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Yubico is a believer in NFC, and the YubiKey NEO design has proven at scale to deliver a superior contactless user experience for U2F.  Also, Yubico will soon announce another secure and user friendly solution for iOS.


The FIDO U2F and FIDO2 standards work has been a long, challenging and inspiring journey convincing and engaging all leading platforms and browsers to subscribe to the Yubico mission: to make secure login easy and available for everyone.  

U2F is just one tool in the YubiKey toolbox. Today, the majority of our customers use our multi-function YubiKeys across multiple applications, services, and operating systems. In addition to FIDO U2F, we offer smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP, in a single device, over both USB and NFC, as well as in USB-C form factors. 

Yubico continues to work closely with Microsoft, Google and the global open standards community on FIDO2, the passwordless evolution of U2F. This next-generation standard enables the option to use a security key as a single factor, with an optional PIN or biometrics on the user device, removing the need for service providers to store and manage passwords.

We will continue to create market defining authentication products, which we are currently demonstrating at Google Cloud Next, booth #S1426. We welcome you to join us.

Ronnie Manning

5 Simple Ways to Get Started with Your YubiKey

What are your go-to apps? There are several applications and services that many of us use weekly, and in most cases, daily — Gmail, Facebook, Dropbox, a password manager — and the good news is that all of these support the YubiKey for strong authentication. And now, there is one more to add to the list!   

As of last month, Twitter users can now protect their accounts with FIDO U2F two-factor authentication using a YubiKey or Security Key by Yubico. This new feature is now available to all 328 million of Twitter’s monthly active users for both personal and business accounts.

Twitter has some simple set up instructions here for using on your computer. Once you register your YubiKey with Twitter, you will be required to present the key each time you login to your account in the future. It will ask for your username and password, and then it will ask for your YubiKey. Just insert the YubiKey into your computer’s USB port and after it starts blinking, tap it.

The YubiKey NEO is our mobile-friendly device that is equipped with near field communication (NFC). This works by just tapping the YubiKey NEO to the back of your phone. However, Twitter does not yet have support for the YubiKey in their mobile app, but we hope that this will be a feature they add in the near future.

The YubiKey is great for protecting against remote hackers trying to access your account, but you may be thinking, “What if I forget my key?” Twitter has it set up for you to have a backup form of two-factor authentication on your account as well. For example, you could use Google Authenticator or our Yubico Authenticator app to set up your backup on a second YubiKey. These forms of authentication will also be useful for mobile users. That way, you can use a YubiKey on your computer and an authenticator app for your phone.

Best practice is to have multiple YubiKeys set up for your accounts. One on your keychain, or one in your wallet, or one in a safe place at home will help to make sure you’ve always got a backup YubiKey nearby. Many services let users set up multiple YubiKeys with their account for this very reason. Twitter only allows one key at the moment. If you want more than one YubiKey on your Twitter account, or would like to have YubiKey support on mobile, help us out by sending a tweet to tell them what you’d like to see.

One of the best features of the YubiKey is that you can use just one key for any number of services and accounts. Here are the instructions on how to quickly get your other accounts secured with a YubiKey:

Google: Fun fact. Google was the first web service to support the use of U2F and YubiKeys. See how to get started with Google and the YubiKey here.

Facebook: Don’t make the mistake of overlooking the need to protect this social media account. Facebook contains a lot of personally identifiable information that can be used to advance a hacker’s efforts. See how to get started with Facebook and the YubiKey here.

Dropbox: Whether you’re sharing vacation photos or business documents, make sure your files stay safe from prying eyes. See how to get started with Dropbox and YubiKey here.

Password Managers: Did you know that the YubiKey works with 17 password managers? See how to get started with your favorite password manager and the YubiKey here.

Don’t see one of your favorites? Don’t worry. We have plenty of other services — for individual users and businesses — that support the YubiKey. You can see the full list here.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best!

Ronnie Manning

Stina Ehrensvard Wins 2018 Female Executive of the Year

Today, we are excited to announce that Yubico’s CEO and Founder, Stina Ehrensvard, was named Female Executive of the Year by the Women World Awards for the second year in a row!

This news comes on the heels of several major announcements that we’ve shared over the past few weeks — YubiKey for iOS, FIPS 140-2 YubiKey Series, Andreessen Horowitz investment, FIDO2 passwordless logins — and we couldn’t be happier to keep the momentum going by celebrating Yubico’s founder and the milestones we’ve achieved together.

The Women World Awards are an annual industry and peers recognition program honoring women in business and the professions and organizations of all types and sizes from around the world. The program encompasses the world’s best in leadership, innovation, organizational performance, and new products and services from every major industry in the world.

The Female Executive of the Year category highlights individual women whose accomplishments in the last year set an impressive standard for the company as well as industry norms. Stina was selected as the Gold Winner in this category due to her significant contributions and innovations to advance the current state of internet security. Most notably, Yubico’s work in developing FIDO2 and driving new paths for the next generation of online security: passwordless logins.

“It’s an honor to be named a winner by Women World Awards,” said Stina. “These awards are an encouraging reminder that each year, Yubico is one step closer to seeing our vision of a safer internet for all become a reality. I’m proud of everything the Yubico team has done to get us there, and has been able to accomplish over the last year.”

To read more about Stina’s entrepreneurial journey and Yubico’s mission, check out her recent interview with Compelo magazine.

Jerrod Chong

Now Available! FIPS 140-2 Validated YubiKey Series

Today, we’re excited to announce the certification and availability of our YubiKey FIPS series, the first multi-protocol FIPS 140-2 validated security keys.

FIPS 140-2 is a US government computer security standard, published by the National Institute of Standards and Technology (NIST), that covers the use of cryptographic functionality such as encryption, authentication, and digital signatures. The FIPS 140-2 validated YubiKeys meet the most stringent security requirements of US federal agencies.

The YubiKey FIPS Series includes keychain and nano form-factors for USB-A and USB-C interfaces.

The YubiKey FIPS series uses the YubiKey 4 Cryptographic Module, which received FIPS 140-2 validation at Overall Level 2, Physical Security Level 3, with certificate number 3204. At this level, the YubiKey FIPS series meets Authenticator Assurance Level 3 (AAL3) as defined in NIST SP800-63B, which enables compliance with Federal Risk and Authorization Management Program (FedRAMP) and Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

FIPS certification is essential for many branches of the US government and contractors, in addition to those in the private sector that collect and transmit sensitive but unclassified (SBU) information.

The YubiKey FIPS Series hardware authentication devices include keychain and nano form-factors for USB-A and USB-C interfaces. The YubiKey FIPS Series is the only FIPS validated multi-protocol security key in the market supporting five authentication protocols: FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP. Now, federal entities and federal-compliant enterprises can comply with the high assurance security requirements for on-premise or cloud deployments using the YubiKey FIPS Series.

Companies including Google, Facebook, Salesforce and thousands more trust the YubiKey to protect account access to computers, networks and online services. Now, we are able to deliver the same simple, trusted protection as a FIPS validated solution.

For more information and technical details on the new product line, visit the YubiKey FIPS page. Starting at $46, YubiKey FIPS Series security keys are available now for purchase online at the  Yubico store or by contacting Yubico Sales.

Jesper Johansson

WebUSB in Google Chrome and Responsible Disclosure

Authored by Venkat Venkataraju & Jesper Johansson

Yubico Blog Update and Statement – 6/18/18

On June 13, 2018 we published this blog post and security advisory regarding WebUSB issues in Chrome. In hindsight we realize that we did not give enough credit in our blog post and security advisory to the foundational work done by Markus Vervier and Michele Orrù, who highlighted and demonstrated the first security vulnerability in WebUSB at OffensiveCon, and which was subsequently written up in a WIRED article. After posting, we communicated with them, apologized for this, and made updates to the blog post and security advisory to make sure proper credit was given.

Building on the publicly available information about work by Markus and Michele described in the article, Yubico investigated the issue and developed our own proof of concept (PoC) test tools. In the process we discovered additional issues with WebUSB and began outreach with Google on March 1st. Yubico first spoke with the researchers on March 2nd. The formal bug report, which Yubico submitted to Google on March 5th, referenced the OffensiveCon talk by Markus and Michele and their original public announcement of the CCID issue in the first sentence. We submitted this privately to protect our customers and the broader U2F ecosystem.

Markus and Michele’s research provided a critical foundation, and we made a mistake by not clearly acknowledging them for their original research in our security advisory. We learned only on June 13, after we published our advisory, that Markus and Michele also discovered and reported HID issues to Google. We understand that better communication after the issue was fixed would have ensured that all parties were in sync, and will use this as an opportunity for improvement.

Yubico has always strived to be transparent and we regret the missed opportunity to work more collaboratively with Markus and Michele. Historically, Yubico has worked closely with security researchers across the globe and we are committed to continue to do so.

————-end update—————–

To improve the entire security ecosystem, Yubico is a strong believer in responsible disclosure practices. We believe that the best outcome happens when security researchers confidentially provide research and reporting to an impacted company, so a fix can be in place before any public disclosure to help protect users from the exploitation of the vulnerability.

This year, Yubico worked with Google under responsible disclosure to address WebUSB vulnerabilities in Google Chrome that affected the entire ecosystem of FIDO U2F authenticators, manufactured by Yubico as well as other vendors.

The original issue first surfaced in a news article in March 2018 describing how security researchers Markus Vervier and Michele Orrù had demonstrated how to circumvent the FIDO U2F origin check using WebUSB functionality in Google Chrome and the YubiKey NEO’s USB CCID U2F interface.

Once Yubico was informed of the CCID issue, our own researchers quickly discovered there was a broader set of security concerns within WebUSB that affected the entire ecosystem of FIDO U2F authenticators. To help protect the U2F ecosystem, we disclosed these issues to Google in early March and worked closely with their engineering teams on a mitigation plan to address this issue and secure all U2F customers.

With the May 29, 2018 release of Chrome 67, Google fixed the WebUSB vulnerability and the issue could no longer affect any (Yubico or other) U2F authenticators. To read the detailed report of the WebUSB issue in Chrome, please visit our Security Advisories page for full analysis.  

For this research and disclosure, Google awarded Yubico a bug bounty in the amount of $5,000, which Yubico has opted to donate to charity. Yubico chose Girls Who Code, a non-profit that aims to support and increase the number of women in computer science. Additionally, Google has matched the donation with another $5,000, resulting in a $10,000 donation to Girls Who Code, to further support efforts at increasing diversity in our field.

The security ecosystem is only as strong as the weakest link, and if we, as a community of vendors and security researchers, effectively and respectfully work together, we can secure not only end users, but the entire ecosystem from continually evolving threats.

For the protection of everyone, we encourage all researchers to responsibly disclose any discovered security concerns to the affected company so they may implement a fix before any public disclosure. To contact the security team at Yubico please email security@yubico.com.


June 13th Update:
We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google. We were not aware of this at the time; we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem.

 

Alex Yakubov

Yubico showcases FIDO2 at InfoSecurity Europe 2018

We’re gearing up for Europe’s biggest information security event of the year: InfoSecurity Europe 2018. Following our announcement with Microsoft at RSA 2018, we’re excited to showcase in Europe the new use cases made possible by the FIDO2 standard, including passwordless single factor, second factor and multi-factor authentication. Come see the new Security Key by Yubico in action at booth J120 at Olympia London from June 5 to 7. Yubico will be demonstrating passwordless login on Windows 10 and the latest iOS mobile offering with LastPass.

Along with the recent announcement of our new FIDO2-enabled security key, we introduced a new Yubico Developer Program with a FIDO2 track. InfoSecurity Europe attendees (and those who are reading this blog) can sign up for early access to resources to support implementation of FIDO2, including the first How-to FIDO2 webinar scheduled for June 14.

Also joining us in the exhibit hall are five Yubico Technology Partners. Stop by the Yubico booth to learn about these valuable partnerships. We also encourage you to visit their booths to see what they have to offer and how the YubiKey integrates with their services!

        


Ronnie Manning

Yubico Lands a16z Investment and Grows Board of Directors

Today, Yubico is proud to announce its latest round of investment from Andreessen Horowitz (a16z). a16z is supporting Yubico’s mission to create a safer internet for everyone by providing ubiquitous secure access to computers, networks and servers. The company has been growing with profits over the last six years, and funds from the new investment will be used for scaling engineering, product and development teams.

In addition to company backing, Martin Casado, general partner for a16z, will be joining the Yubico board of directors. With an extensive background in computer science, software-defined networking, and security, Martin will support the company in a rapid growth phase, helping Yubico scale as the hardware root of trust for users and servers as we move toward the passwordless future.

“Internet security is an area I’m personally very passionate about and I’m a true believer in the Yubico vision and approach. I’m thrilled to be joining the board and working with the team on this journey forward,” said Casado.

The YubiKey is the authenticator of choice for thousands of business customers and millions of users in more than 160 countries, including a16z, who currently deploy YubiKeys to every employee. This decision was made prior to the investment in Yubico, as a16z determined that the YubiKey was the most secure approach for protecting accounts and sensitive company data.  

Yubico CEO and Founder Stina Ehrensvard worked with Martin Casado on the a16z Podcast episode ‘The State of Security’ from earlier this year to provide insight into the crossroads of software and hardware in the security space. Specifically, Stina spoke about the increasingly important role of authentication in a world where we hear of new data breaches and stolen user credentials on a daily basis.

Previous Yubico investors include NEA and renowned Silicon Valley entrepreneurs Marc Benioff, CEO of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member.

Stina Ehrensvard

What is FIDO2?

Last month, open authentication standards reached an important milestone: Microsoft launched support for FIDO2 and CTAP, and the World Wide Web Consortium (W3C) won approval for WebAuthn. Since then, Yubico has received questions on how these efforts are related, what role FIDO U2F and Yubico have in the mix, and what organizations can implement now — and in the future — to enable simple, strong authentication for employees and end-users. This blog will bring some clarity to those questions.

What is the difference between FIDO U2F and FIDO2?

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.

Essentially, FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.

What is WebAuthn & CTAP?

A new, extensible web authentication API, called WebAuthn, has been developed within W3C, which supports both existing FIDO U2F and upcoming FIDO2 credentials.

The FIDO U2F client-side protocol has been renamed CTAP1, and a new, extensible client-to-authenticator protocol (CTAP2) has been developed to allow for external authenticators (tokens, phones, smart cards etc.) to interface with FIDO2-enabled browsers and operating systems.

WebAuthn and CTAP2 are both required to deliver the FIDO2 passwordless login experience, but WebAuthn still supports FIDO U2F authenticators, since CTAP1 is also part of the WebAuthn specification.

How can organizations deploy FIDO2?

So, what can organizations do if they are aiming to provide support for FIDO2? We recommend adding support for WebAuthn, as it works with both existing FIDO U2F authenticators and FIDO2 authenticators.

Mozilla Firefox 60 recently added support for WebAuthn, Chrome 67 will be shipping with WebAuthn support in the near future, and Microsoft has already announced they will support WebAuthn in Edge browsers. The U2F web API continues to work for U2F authenticators, but is limited to the Chrome and Opera browsers.

To evaluate WebAuthn with FIDO U2F and FIDO2 authenticators today, Yubico offers a test service at demo.yubico.com/webauthn, and soon we will provide more complete open source FIDO2 servers on GitHub. Organizations can sign up for updates from the Yubico Developer Program to get information on FIDO2 and WebAuthn resources.

So, what’s our role in all of this?

From Yubico’s perspective, we’re proud and pleased to see our vision of one single security key to any number of services become a reality. We’ve watched this vision progress from our launch of the first YubiKey in 2008, to early U2F development in 2011, to the launch of FIDO2 in 2018.

With WebAuthn providing a seamless evolution from U2F to FIDO2, and with upcoming support for built-in authenticators and additional use-cases, WebAuthn becomes the center of a ubiquitous ecosystem for authentication.

Our mission has always been to drive standards and adoption by providing technical specifications, open source components, and developer tools; and to be the gold standard for authenticators. With the open standards ecosystem growing, we see the vision of providing strong authentication for everyone coming true.

Interested in exploring FIDO2 and passwordless login? Get started today with the Security Key by Yubico.

Ronnie Manning

YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support

It’s a question that we receive often: ‘So how does the YubiKey work with iPhone?’ Until now, the answer to that question has been a bit unclear because of limited support for NFC in iOS. But today, we have a clear answer: YubiKey iOS support is here, now, with two exciting pieces of news.

For application developers, we are introducing a new Mobile SDK for iOS that allows any iOS mobile app to rapidly add support for hardware-based two-factor authentication (2FA) using YubiKey OTP over NFC. Second, LastPass, one of our longest and most prominent integrations, has released the latest version of its password management app with fully integrated support for the YubiKey NEO over NFC on iOS. This was completed using our Mobile SDK for iOS, but we’ll share more on this milestone a little later.

A user authenticates to their LastPass app on iPhone using a YubiKey NEO over near field communication (NFC).

The launch of iOS 11 last year saw Apple provide support for NFC tag reading, which allowed developers to build apps with one-time passcode (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, it became possible to authenticate with Yubico one-time password (Yubico OTP) with a YubiKey NEO — a feature requested by many YubiKey users. However, documentation and reference code for developers to add this support to applications was lacking and unnecessarily complicated.

To help mobile application developers simplify rollouts and deliver on this functionality, Yubico created the Mobile SDK for iOS. It’s available now for download and is also part of the Yubico Developer Program mobile track, and provides developers all the necessary tools to rapidly up-level their iOS mobile app security with Yubico OTP.

By introducing YubiKey hardware-based authentication via NFC to iPhone applications, users no longer need to toggle between apps and temporarily memorize a throwaway code before it expires. Now users can just tap the YubiKey to authenticate, which is four times faster than typing in an OTP! Not to mention, users and app developers no longer have to run the risk of potential security and reliability issues by relying on SMS or mobile authentication.

LastPass iOS App Supports Yubico OTP via NFC
The LastPass password manager remains one of the most popular YubiKey integrations for Yubico OTP, and the application has supported NFC on Android devices for many years.

Today, LastPass is the very first password manager application on iOS to enhance its security with Yubico OTP authentication through NFC. This means that LastPass users with iPhone 7 or above, running iOS 11 and above, can now authenticate to their LastPass Premium, Families, Teams, or Enterprise accounts on their mobile device with the same YubiKey NEO that they use for their desktop or laptop. Users will touch the YubiKey NEO to the iPhone to wirelessly transfer a Yubico OTP and securely authenticate to the application.

“LastPass has long supported YubiKey as a multi-factor authentication option for adding an extra layer of security to LastPass accounts and values the partnership we have with the Yubico team,” said Akos Putz, Principal Product Manager for LastPass at LogMeIn. “With the new mobile SDK for iOS, our customers now benefit from the strength and security of hardware-backed YubiKey 2FA with the support for our iOS app.”

For current LastPass users, the iOS application will receive an automatic update (version 4.2.7) via the App Store and you can set up YubiKey in your account settings. If you’re an iPhone user, you can download the latest version of LastPass here and for further instructions on setup, visit here.

We applaud LastPass for supporting this milestone leap in YubiKey mobile app authentication for iPhones and iOS. With this announcement, the YubiKey now provides simple and secure authentication for all leading mobile platforms including Android, Windows mobile, and iOS. Find out more about our new Mobile SDK for iOS here.

UPDATE (09/25/18): LastPass also supports the YubiKey 5 NFC over NFC for iOS. Read their announcement here.

John Bradley

New NIST Authentication Guidelines for Public Safety and First Responders

Over the past few months, Yubico has been working closely with the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to improve mobile authentication methods for public safety professionals and first responders. Today, we’re happy to share that this guidance is now available in the form of a three-volume draft practice guide: NIST Special Publication 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety and First Responders.

This has been an important project for Yubico and the NCCoE as simple, secure access to critical data can often be a matter of life or death in an emergency response scenario. In high-alert situations, first responder and public safety personnel are often dispatched in the field and are heavily reliant on mobile platforms to access data in real-time that’s needed to deliver proper care. This data may include personally identifiable information (PII), law enforcement sensitive information, or protected health information (PHI), and it is imperative that access to this type of information is highly protected. However, complex and cumbersome authentication requirements that cause even the slightest of delays in the emergency response process can potentially risk the life of an individual.

To mitigate the security and access challenges for public safety and first responder personnel, the NCCoE collaborated with several technology vendors, including Yubico, to develop mobile authentication requirements and implement a reference design that assembles commercially available technologies that support the following open standards:

Yubico was a core contributor to this process. The reference implementation, which is documented in the practice guide, uses the NFC-enabled YubiKey (YubiKey NEO) in combination with the federation technology OpenID Connect to strongly secure user access to sensitive applications, improve usability and efficiency of user account management, and share identities across organizational boundaries.

It was recognized early on in the project that reliance on passwords alone can expand the scope of a single data compromise from one service to multiple services due to password reuse. The use of FIDO U2F for authentication provides protection beyond the password, and eliminates problems with social engineering, man-in-the-middle attacks, replay attacks, and phishing, which all present real threats to password-based and OTP-based (SMS, mobile push) authentication systems.

The following diagram from the NCCoE practice guide illustrates the recommended authentication flow for a native app on an Android device using standards-based technologies such as OAuth 2.0, OpenID Connect / SAML, and FIDO U2F with the YubiKey as the trusted second factor.

The OAuth 2.0 for native apps specification requires that applications use a system browser for making authorization requests. This allows a Software-as-a-Service (SaaS) provider, such as Motorola Solutions or GIS, to redirect authentication back to the user’s agency or enterprise via a standard authentication protocol such as OpenID Connect or SAML.

Using the system browser also enables the built-in operating system (OS) support for FIDO U2F authentication to be used without requiring special support in the native apps. This allows a generic SaaS application to support thousands of different identity providers, and different types of external FIDO U2F multi-factor authenticators (like the YubiKey) within a single native application. This avoids having to customize native apps for each organization and instead, allows the reuse of generic components that can make these systems available to even the smallest of organizations.

The combination of FIDO, OAuth, and SAML/OpenID Connect has been shown to be a robust and flexible solution for public safety use cases. In fact, one of the collaborators in the practice guide, Motorola Solutions, has incorporated this model into their commercial product PSX Cockpit, which is currently being deployed in a number of verticals.

From an end user perspective, these standards-based technologies are delivering a simple touch-and-go experience while maintaining the highest levels of security. To access sensitive data within a mobile application, first responder personnel will only require an NFC- and FIDO U2F-enabled hardware authentication device such as the YubiKey NEO. By simply touching the device to their phone, they will be securely authenticated to the app within seconds.

This particular project with NCCoE targets a first-responders use case; however, the practice guide is equally applicable to many enterprise mobile scenarios. For more information on the project and to download the Mobile Application Single Sign-On practice guide, please visit the National Cybersecurity Center of Excellence (NCCoE) website. The NCCoE is also accepting public comments on the guide until June 18, 2018.

Stina Ehrensvard

Yubico and Microsoft Introduce Passwordless Login

Ten years ago, at the 2008 RSA Conference, Yubico launched the first YubiKey with the goal of making secure login easy and accessible for everyone. The vision was one single security key to work across any number of services, with great user experience, security, and privacy.

On this anniversary, Yubico has taken another major leap forward toward this vision with the announcement that the recently-launched Security Key by Yubico, with FIDO2, will be supported in Windows 10 devices and Microsoft Azure Active Directory (Azure AD). The feature is currently in limited preview for Microsoft Technology Adoption Program (TAP) customers.

FIDO2 is the passwordless evolution of the FIDO Universal 2nd Factor (U2F) standard, created by Yubico and Google. While U2F included a username and password, FIDO2 supports more use cases, including passwordless authentication. Yubico has worked in close collaboration with Microsoft on developing the FIDO2 technical specifications, and the Security Key by Yubico is the first FIDO2 authentication device on the market.

What Does This Mean?

Organizations will soon have the option to enable employees and customers to sign in to an Azure AD joined device with no password, by simply using a Security Key to get single sign-on to all Azure AD based applications and services. This is just the beginning; Google and Mozilla also announced Chrome and Firefox support for the Web Authentication API (WebAuthn) developed by Yubico and members of the World Wide Web Consortium (W3C) and included in the FIDO2 specification.

Why Is This Important?

Nearly every digital experience today requires passwords, an increasingly frustrating fact of life for businesses and users. For any one person there can be hundreds of sites and devices — both personal and business related — that require memorized passwords. This leads to poor password hygiene: shared and reused passwords. And it is a real cost for businesses managing, storing and resetting passwords for employees and end-users.

Working in conjunction with Windows and Microsoft cloud services, the new Security Key by Yubico offers a secure, seamless and passwordless login experience with one of the world’s largest computer operating systems. Use cases include retail, healthcare, transportation, finance, manufacturing, and more.

How Does It Work?

FIDO2 is built on the same security and privacy features of FIDO U2F: strong public key cryptography, no drivers or client software and one key for unlimited account access with no shared secrets. With FIDO U2F, the user entered a username and password, inserted a security key in the USB-port, and touched the gold area. FIDO2 adds more options to the login process:

  • Single Factor: This only requires possession of the Security Key to log in, allowing for a passwordless tap-and-go experience.
  • Second-Factor: In a two-factor authentication scenario, such as the current Google and Facebook FIDO U2F implementations, the Security Key by Yubico is used as a strong second factor along with a username and password.
  • Multi-Factor: This allows the use of the Security Key by Yubico with an additional factor such as a PIN (instead of a password), to meet the high-assurance requirements of operations like financial transactions, or submitting a prescription.

Who Can Get Involved?

Everyone is encouraged to get involved, and accelerate progress to a secure and passwordless world. As with any open standard, advancement will be a collective industry effort and a process of global adoption. Yubico helped the majority of services add support for FIDO U2F by providing open source code and support. Together with W3C and FIDO Alliance we have made the FIDO2 open authentication standard available, and we are helping support its rapid integration into services and applications through our new Yubico Developer Program.

Enterprises → Learn about using FIDO2 with Windows 10 devices and Microsoft Azure Active Directory in your enterprise environment. Explore the benefits of FIDO2.

Developers → Implement early support for FIDO2 by signing up for updates from Yubico’s Developer Program. Members will have first access to resources to implement FIDO2 within their applications and services.

Individuals → Are you tired of passwords? If you had a choice to securely and easily login to any device or online service without them, would you? Ask for it! Visit your favorite service or businesses on Twitter and tell them you want to securely login to your account without a password by using FIDO2 and the Security Key by @Yubico!

Are you interested in learning more about going passwordless? Learn more about the Security Key by Yubico and benefits of FIDO2.

Ronnie Manning

Yubico at RSA 2018: Passwordless Logins, Developer Programs, and More

Heading to RSA in San Francisco next week? We’ll be there too, celebrating our 10th year at the conference!

Be sure to stop by Booth #S2241 to see all the awesome things we will be showing, and if you haven’t registered for the conference yet, use this code (X8EYUBIC) for a free expo pass on us.  

An industry first, we are showcasing passwordless login with the just released Security Key by Yubico, the first hardware authentication device to support both FIDO U2F and FIDO2. Yubico is a leading contributor to the new FIDO2 open authentication standard which shares many of the same characteristics as FIDO U2F: public key cryptography, no shared secrets, and no drivers or client software. However, with FIDO2, there’s no need for passwords as user credentials are tied directly to the Security Key. The device can also be conveniently paired with PINs, biometrics, or other human gestures as an additional factor.

At Yubico we’re constantly innovating to make simple, secure authentication a standard for the industry. Along with the announcement of our new FIDO2-enabled security key, we are also announcing our new Yubico Developer Program to provide resources for rapidly enabling strong authentication in web and mobile applications across all our supported protocols including FIDO U2F, PIV (smart card), OpenPGP, OTP (one-time password), the new FIDO2 protocol and for the YubiHSM2. Developer resources include workshops, webinars, implementation guides, reference code, APIs and SDKs. RSA attendees (and those who are reading this blog) will be able to sign up for early access to resources to support implementation of FIDO2.

We also invite you to join our CEO & Founder, Stina Ehrensvärd, and SVP of Product, Jerrod Chong, who will be speaking on the importance of strong authentication for today and tomorrow’s cyber landscape.

Stina’s speaking session at CyberScoop’s Cyber Talks

  • 10 Percent Is Too Little: Time to Pay Attention to Two-Factor Authentication
  • Monday, April 16 at 11:20am PT
  • Four Seasons Hotel San Francisco

Jerrod’s speaking session at Security B-Sides SF

  • Simple. Open. Mobile: A Look at the Future of Strong Authentication
  • Monday, April 16 at 11:00am PT
  • City View at Metreon

Yubico is extremely proud of what we’ve accomplished over the last ten years. The YubiKey is used by millions around the globe and works with hundreds of services right out of the box, and this number is rapidly growing. That’s one key for an unlimited number of personal or business accounts.

At RSA, be on the lookout for Yubico Technology Partner booths to see how the YubiKey seamlessly integrates with their services. Participating Yubico Technology Partners include:

Yubico at Booth #S2241

If you’re attending RSA next week, please stop by our booth and say hi! We will have team members on site to answer any questions, provide product demonstrations, offer recommendations for specific use-cases and chat about the new Security Key by Yubico and Yubico Developer Program.

Also, make sure you follow us on Twitter for updates during the show. We’ll see you there!

Stina Ehrensvard

The Diver and the YubiKey

If you are driving on highway 101 between Palo Alto and San Francisco in the coming couple of weeks, you may come across a billboard with a diver holding up a YubiKey. The same diver also appears on our website homepage. The photo was shot by Alessio, principal engineer at Yubico, from his adventure under 20 meters of water in the Philippines.

The same image inspired Josh, web developer at Yubico, to try logging into his email underwater with a waterproof phone and YubiKey. And yes, it worked! Please check out the short video below that Josh and other members of our team just created.

At Yubico, we highly regard our adventurous and multi-talented engineers. Last year, we doubled our engineering team in Stockholm, Palo Alto and Seattle. This year we are doubling again. If you are a software or hardware engineer who wants to make the internet safer for everyone – on land or underwater – we welcome you to apply for our open job positions!

Alex Yakubov

Yubico Launches Passwordless Login with new Security Key and FIDO2

Today, together with the FIDO Alliance, we made a big announcement that paves the way to a passwordless future. We revealed the new Security Key by Yubico as well as our new Developer Program, both of which support the new FIDO2 open standard for passwordless authentication.

Why is this important? Think of a time when you have created a new account and didn’t have to create a new password.

For all of us, the account creation process for any application or online service has always started with the pairing of a password to your username, but with today’s announcement that is going to change. With FIDO2, it’s now possible to redesign the process to remove the weak link of passwords, and we’re gearing up to support the ecosystem and developer community to make that happen. Whether you’ve followed Yubico for years, or you’re just learning about us, read ahead to find out more about the significance of the FIDO2 project.

The FIDO2 Project

In 2011, Yubico invented the concept of a single security key to protect user accounts from phishing and unauthorized access, for any number of services with no shared secrets. We worked with Google to further develop this concept to what today is the FIDO U2F standard.

Now, Yubico has worked in collaboration with Microsoft on the evolution of the FIDO U2F authentication standard, to create FIDO2. With FIDO2, the Security Key with its strong authentication can now solve multiple use case scenarios and experiences:

  • second factor in a two factor authentication solution
  • strong first factor, with the possession of the device only, allowing for a passwordless experience like tap and go
  • multi-factor with possession of the device AND PIN, to solve high assurance requirements such as financial transactions, or submitting a prescription.

Capabilities enabled by the FIDO2 project

FIDO2 has already received support from the FIDO Alliance, World Wide Web Consortium (W3C), and all major web browsers to aid in its global standardization and adoption. With this foundation, FIDO2 is positioned to help services, applications, and enterprise organizations seamlessly transition to a more secure, easy to use replacement for the static password.

Read more about FIDO2 here. If you’re interested in developing with this new standard, you’ll need a Security Key by Yubico and we encourage you to sign up for FIDO2 updates as part of our newly announced Yubico Developer Program.

NEW Security Key by Yubico

The Security Key by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting existing U2F two-factor authentication (2FA) as well as FIDO2 implementations.

The new Security Key by Yubico supports both the Web Authentication (WebAuthn) API, and Client to Authenticator Protocol (CTAP) which are required for FIDO2-based authentication.

FIDO2 and the Security Key are delivering on trusted, touch-and-go authentication for the modern, flexible and mobile workforce that is meeting the needs of our on-demand society. Together, these technologies will be integrated into many verticals including: retail, healthcare, transportation, finance, manufacturing, and more.

We will be demonstrating the new Security Key by Yubico and new FIDO2 functionality at the RSA South Expo hall at Booth #2241. You can purchase one from our webstore today ($20 USD). Read more about the Security Key by Yubico here.

NEW Yubico Developer Program

This year marks the 10 year anniversary of the launch of the first YubiKey, which millions of users in more than 160 countries around the world love for its ease of use, security, and affordability. We made our YubiKeys available with free open source servers that encouraged adoption and growth of a thriving ecosystem of services supporting our technology. We’ve learned a lot from our partnerships, which is why today we announced a formalized Developer Program. This provides developers with the resources to rapidly integrate the YubiKey with mobile and computer login, across all our supported protocols including U2F, Yubico OTP, PIV-compatible Smart Card, OpenPGP, OATH (HOTP/TOTP), and the new FIDO2 Client to Authenticator Protocol (CTAP) specification, as well as the YubiHSM.

We encourage developers and security architects interested in FIDO2 to sign up for updates as part of the Yubico Developer Program, to get access to resources needed to aid in early implementations of the FIDO2 open authentication standard.

Alex Yakubov

Modernizing authentication for US federal government agencies

For years, both the public and private sector have faced similar challenges when securing the confidentiality, integrity, and availability (CIA triad) of their information systems. Older technologies and policies have historically conflicted with business/organizational objectives when striving for high security. Today, advancements in cryptography and the adoption of newer, improved open standards are eliminating usability issues, and reducing help desk costs through fewer forgotten passwords. We like to call that modernization.

More than a year ago, the National Institute of Standards and Technology (NIST) began the process of updating their SP 800-63 Digital Identity Guidelines. These much-needed changes enable federal agencies and contractors to leverage more convenient and secure authentication methods while still maintaining the highest security. As a result, the cybersecurity team’s efforts to comply with federal guidelines can now more easily align with the evolving technologies already embraced in the private sector.

At Yubico, our mission is to make secure online identities ubiquitous by making account security easy to use, secure, and affordable. The YubiKey combines three of NIST’s permitted authentication types—multi-factor crypto device (PIV-compatible/smart card), single-factor crypto device (FIDO U2F), and single-factor OTP device (Yubico OTP and OATH HOTP/TOTP). In addition, the YubiKey is currently on track to become the first multi-protocol hardware authenticator certified at FIPS 140-2 Overall Level 2 and Physical Level 3.

The modernization of policy by the US federal government presents an opportunity for Yubico and Duo Security—both trusted leaders in easy to use, reliable security products—to deliver a unified security platform for government agencies and contractors that meets NIST Authenticator Assurance Levels 2 through 3 (AAL2 – AAL3).

We recently sat down with Sean Frazier, Duo Advisory Chief Information Security Officer, Federal, during discussions on our joint solution. He shared, “The new authentication and authorization guidance from NIST is giving public sector agencies lots of flexibility to meet their most stringent security needs while providing previously elusive ease of use. In a sector that has been pushing to catch up to other industries in terms of cloud and mobile, the new guidelines are a welcome change for every federal CISO who’s looking to modernize their IT environment. Duo and Yubico combine an easy to use and extremely effective way to achieve the highest levels of assurance for trusted access.”

Duo’s platform enables federal agencies to leverage YubiKey hardware to securely access data and applications on the network or in the cloud. “This federal partnership with Duo underscores our joint commitment to data protection, as well as our responsibility as industry leaders to help federal agencies protect the individuals they serve,” said Jerrod Chong, Yubico SVP of Product. “We’ve made it our shared mission to advocate easy to use security, and encourage the adoption of new open standards like FIDO U2F to meet AAL 3.”

Learn more about what you can do with Duo and the YubiKey. Read Duo’s press release on our partnership.


Alex Yakubov

What’s guarding your domain from unauthorized access?

Domains are a frequent target for phishing attacks that pose serious privacy risks and potential losses of millions of dollars in brand damage, lost revenue, stolen data, and recovery efforts. The threat of phishing greatly underscores the need to protect the front door to your domain.

We are excited to announce that Gandi is the first domain registrar to integrate support for the YubiKey and FIDO U2F authentication. With this new integration, Gandi customers benefit from greater security to safeguard domains and critical assets, such as SSL certificates, contained within.

The YubiKey delivers strong defense against phishing at the time of login, complementing Gandi’s promise to provide secure access to domain names, easy third-party integration, and powerful tools for everyone. Gandi is excited to offer users a more secure and easy-to-use 2FA protocol with FIDO U2F, and strongly encourages users to get YubiKeys.

“The user-experience was a big factor in our decision to integrate support. The ability to easily manage multiple tokens for multiple users offers a real-world example,” said Andrew Richner, Head of Communication at Gandi US. “The other factor is obviously security. Time-based one-time password (TOTP) has a few weaknesses that the challenge-response of U2F corrects. The resulting difficulty to phish a U2F user makes the YubiKey very attractive as a 2FA option. We love the portability and durability of YubiKeys too.”

Since adopting YubiKey support, Gandi reports that user feedback has been positive. “Our users have come to expect Gandi to be on top of new technology, and to offer a high level of security. We’re finding that it’s these customers in particular who are excited to spread the word about using Gandi and YubiKey together,” he added.

Gandi’s service features easy-to-use domain management tools that enable users to define access rights by organization, team, and individual, as well as delegate domains and hosting to collaborators no matter the organization structure or size. A domain at Gandi comes with a number of free services, including email addresses, http forwarding, an SSL certificate, and domain name system (DNS) management.

Gandi demonstrates a strong commitment to security and trust—all important values shared by Yubico—that is evident in our joint effort to provide a secure authentication solution to domain management. Learn more about what you can do with Gandi and the YubiKey.

Special Promotions

For a limited time, Gandi users enjoy 20% off up to three (3) single YubiKeys, including the YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, and the Security Key by Yubico. Sign in with your Gandi account here to be eligible for the promo.

Yubico customers also receive a special discount from Gandi. Save 20% off transfers and new domains through July 16, 2018 with code YUBICO. To get started, go to Gandi’s site.

Jesper Johansson

The Anatomy of a Phishing Email: 5 Things to Look For Before You Click

Phishing attacks are now considered the main source of data breaches.

91% of cyber attacks start with a phishing email *

Ten years ago, if you asked someone what ‘phishing’ was, they probably would have had no idea. Since then, times have changed considerably; phishing attacks are now responsible for a significant number of major data breaches.

Phishing may have made its way into the mainstream vernacular, but there is still confusion about the subject—and rightfully so. Here’s a more in-depth look at “what is phishing?”.

Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy people can find themselves a victim. So, how do you make sure you don’t fall victim as well? Use this five-point checklist to closely examine the validity of incoming email. When in doubt, don’t click!

The Sender

This is your first clue that an email may not be legitimate. Do you know the sender? If not, treat the mail with suspicion, and don’t open any attachments until you verify with the purported sender that they meant to send them. If you believe you do know the sender, double check the actual email address. Often, a phishing email will be designed to look like it comes from a person you know, but there will be a slight variation in the address or they will spoof the envelope to show you a name you recognize.

The Subject

Pay attention to subject lines! While something like, ‘Claim your ultimate deal now!,’ can be an obvious sign of a phishing email, the far more successful subject lines are the ones that don’t raise that much suspicion. ‘Account action required’, ‘Delivery status update’, or ‘Billing statement confirmation’ can all be ploys to weaken the email recipient’s defenses through seemingly ordinary alerts.

Remember, if something legitimate is that important, your bank, employer, doctor’s office, retailer, or credit card company will find an alternate way to contact you when you’re not responding over email. When in doubt, call to ask if they’ve sent you an email, but do not make that call to a number that was in the email message you are calling about!

Most clicked email phishing subject lines.*

A delivery attempt was made (18%)

A UPS label delivery (16%)

Change of password required immediately (15%)

Unusual sign-in activity (9%)

The Body

The body of the email can hold a whole new set of clues, including misspelled words and confusing context. For example, are you asked to verify a banking account or login to a financial institution that you don’t have an account with? Did you get an email from someone you may know that has nothing in it other than a short URL? Does the content apply to you or make sense based on recent conversations or events? Similarly, if it is a known contact, is there a reason they would be sending you this email?

Hackers can also use current or popular events to their advantage. For example, holiday shopping, tax season, and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets. Did you know that the IRS reported a 400 percent increase in phishing scams for the 2016 tax season alone?

How will you know if an email is valid or not? This is where other email clues will come in handy!

The Attachments

The golden rule — do NOT open an attachment if any other aspect of the email seems suspicious. Attachments often carry malware and can infect your entire machine.

7.3% of successful phishing attacks used a link or an attachment**

The URLs

Similar to attachments, do NOT click on a link if anything else about the email seems suspicious. This is usually the attacker’s ultimate goal in a phishing scam — lure users to a malicious site and trick them into entering login credentials or personal information, allowing the attacker full account access.

If you do click on a link, be sure to also verify the actual URL. Are you on Google.com or Go0gle.com? The variations can be slight, but they make all the difference! That said, be aware that a malicious site will not always be visibly reflected in the URL, and therefore you will not be able to tell the difference. If this is the case, most browsers have built-in phishing protection to alert you that something is wrong.  

15% of individuals who fall for an initial phishing attack admit to falling for a phishing attack a second time.**

 

By using these five email checkpoints, you will be better equipped to spot a phishing email. However, some phishing attacks are so sophisticated that they can even fool the savviest of users. The good news is that there are technology solutions, such as two-factor authentication, that can help, and we strongly recommend 2FA with the YubiKey.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best! 

Looking for more information on phishing? “What is phishing?” reveals the common features of a phishing scheme, how phishing schemes work to obtain your personal information, and the simple solution to protect yourself.

— Co-Authored with Ashton Tupper

* KnowBe4 Q4 2017 Top-Clicked Phishing Email Subjects

** Verizon Data Breach Report, 2017

Ronnie Manning

Yubico CEO recognized as the Most Powerful Swedish Woman Entrepreneur 2018

On Thursday, March 8, Yubico CEO & Founder Stina Ehrensvard was named “The Most Powerful Woman Entrepreneur, 2018” by Veckans Affärer, the leading weekly business magazine in Sweden.

“With a product that is becoming a world leading standard, she is today one of Sweden’s most powerful, as well as most successful entrepreneurs,” shared the jury for the award.

Following the award, Veckans Affärer published a feature on Stina and her story. In the article, Stina thanked her parents for never stopping her from climbing trees as a young girl, and for instead asking how the view was from the top. She also emphasized that the most important foundation in a company is the team and that every award she gets represents Yubico as a whole.

The Most Powerful Woman Award is celebrating its 20th year anniversary, having started in 1998 to honor and highlight successful, influential women business leaders and entrepreneurs. At the time, there were only 2 women board members for Swedish companies listed on the stock exchange.  Today, the number of women has grown tenfold.

The award was handed out at the gala dinner and award ceremony in central Stockholm, attended by leading Swedish business executives.

Stina Ehrensvard

Buckle Up for a Safer Internet

Some cynics say that the problem of internet security will only continue to get worse, and that there is nothing we can do but manage and minimize damages and losses. As an optimist, I completely disagree. Throughout our existence, people have faced and resolved extremely complex and evolving challenges—a great example of which is automobile safety.

A few years back, I wrote a blog post entitled Internet Identity and the Safety Belt. It focused on the introduction of the three-point seatbelt and its significant contribution to the automobile industry by making cars safer for drivers and passengers. Today, there are 10 times more cars on the road, but a lower total number of fatal car accidents. While driving will never be completely safe, millions of lives have been saved through the realization of the problem, innovation, education, market demand, open standards, and government regulations. I am confident that we will make the information superhighway safer for everyone through the same efforts.

For the automobile industry, the seatbelt is an innovation that has had the greatest positive impact on passenger safety. Further advancements in car safety designs and driver’s education programs have similarly equipped new drivers with the tools they need to safely navigate any unforeseen turns.

What if there was a driver’s education program to help internet users move safely across the internet? Perhaps this should become a staple in a school curriculum just like Math and History?

Education, innovation, and collaboration are key to helping us all solve this complex challenge together. With that in mind, I am sharing a security quiz that we developed for basic IT security training of new Yubico employees. I invite you to test your security knowledge, and please feel free to share the quiz with family, friends, and coworkers.

Safe driving on the internet!

Yubico Team

Find Your Perfect YubiKey Match

At Yubico, we love security. As we approach Valentine’s Day, we’re reminded of this, and we want to share the love!

From February 12 to 18, we are offering a 25% discount on the purchase of two single YubiKeys (Hint: keep reading). Share the second key with a loved one or use it as a backup.

To help you find your perfect YubiKey match, we’ve created a product quiz that provides YubiKey recommendations based on your work style, computer type, and security needs. The YubiKey comes with a wide range of features in different form factors and designs, so after completing the quiz you’ll have found your perfect YubiKey match.

Ready to meet these YubiKey sweethearts?

 

Take the YubiKey product quiz. Once you’ve made your decision, head over to the Yubico store, add two YubiKeys of your choice to the cart, and use the coupon code YK18-143 at check out to receive 25% off. The Valentine’s Day promotional offer is valid from 12:01 a.m. PT on Monday, February 12 to Sunday, February 18 at 11:59 p.m. PT.

Looking to share the love with your friends? Spread the word with a tweet!

David Treece

Yubico Simplifies Smart Card Deployment in the Enterprise

In the enterprise, smart cards are used to simplify logging into computers, VPNs, and online applications. Smart cards can also be used for digitally signing emails and documents. While smart cards are known for delivering strong authentication, they have not always been known for being the simplest to deploy. For example, to use a smart card in an enterprise setting, an admin needs to install client / driver software on every computer, and an external smart card reader is typically required.

Since 2015, the YubiKey has supported smart card PIV functionality with the ability for the YubiKey to act as both a smart card reader and a smart card, meaning that no extra hardware is required. Most recently, we have simplified smart card deployment with the introduction of a YubiKey smart card minidriver. The new YubiKey minidriver enables users to simply self-enroll using the native Windows GUI, and even manage their smart card PIN from Windows Ctrl+Alt+Del. Administrators also benefit from the YubiKey minidriver by being able to do user provisioning using the Microsoft built-in MMC.

Smart card functionality is one of the five authentication protocols supported by the YubiKey, including Yubico and OATH one-time password, FIDO U2F, and OpenPGP smart card. With this multi-protocol support, the YubiKey is suitable for deployment across the enterprise to secure access to computers, networks, and services.

Learn more about YubiKey smart card in the enterprise.

Alex Yakubov

PetitionThat with the YubiKey

Today, the World’s Largest Developer Expo + Conference, DeveloperWeek 2018, opens at the Oakland Convention Center with thousands of developers participating from all over the globe. As a warm up for the conference, hundreds of developers participated in the DevWeek 2018’s hackathon and pulled an all-nighter on Saturday. Over 160 teams coded and collaborated for 24 hours. Our challenge was simple – incorporate YubiKey two-factor authentication (2FA) support into a standalone project for the chance to win a YubiCrown.

And the winning project is… PetitionThat

PetitionThat is a proof of concept that enables petition organizers to collect personal contact information about supporters for the purpose of continued outreach via text, phone, and email after the petition is signed. The platform’s inventors are siblings Solaman and Jameela, and their longtime friend Neil. The three Software Engineers joined forces to tackle an idea they’d been kicking around for a while. They said, “It’s hard to find time to start a new project. When we saw the tools and technologies that were being promoted for the hackathon and how well they could service our idea, we knew that this was finally the time to build it.”

We were blown away by the progress the team made in just 24 hours. They successfully demonstrated secure login to the PetitionThat organizer platform using the YubiKey, real-time signing of a petition by a verified citizen, and re-engagement with the petition-signer over SMS. What really stood out, however, was this team’s fundamental understanding of the importance of privacy and security of the data they aim to collect.

Here’s what they have to say

“In the current political climate, too many people feel like they don’t have a voice. They wish they could improve some aspect of society, but they don’t really feel empowered to inspire change. People have traditionally proven support for an idea by gathering signatures, and today, there are petition websites that go further by leveraging the reach and connectedness of the internet. However, the problem with these sites is that there’s no verification of supporters. It’s too easy for petition organizers and supporters alike to game the system, creating a lack of confidence in the actual support for an idea,” shared the PetitionThat team.

PetitionThat solves this problem by filtering submissions that appear to be fraudulent and requiring a verified electronic signature for an individual to be counted among the supporters of a cause.

“Our service requires two-factor authentication from petition organizers before they can access the contact information of their supporters. We can associate a YubiKey with their account to make two-factor authentication as easy as pressing a button,” they said.

“The YubiKey gives us confidence that a petition organizer’s account isn’t being accessed by a malicious third party to collect personal contact information about supporters for a cause. And for organizers, it’s easier to use than other two-factor authentication methods, such as taking out a phone, waiting for a text message, and manually typing in a code. We get the security of two-factor authentication in a way that doesn’t slow down our users when they’re logging in.”

When asked about the experience of developing with and using the YubiKey and our developer tools, they said, “We explored a lot of new technologies when working on this project, including the YubiKey. The service advertises integration in less than an hour; it took us 15 minutes! It was so easy! There were some APIs from other hackathon sponsors that were so complicated or poorly documented that we had to re-architect our service to avoid using them. The YubiKey and YubiCloud just integrated seamlessly.”

Yubico applauds PetitionThat for their vision, hard work, and excellent performance at the DevWeek hackathon. To learn more about the YubiKey and how to deploy 2FA into your software or service, please visit https://developers.yubico.com/. If you are at Developer Week 2018, stop by and meet the Yubico team at booth #513.

Stina Ehrensvard

Why 2018 will be the year for authentication hardware

A journalist recently asked me why the world is seeing the return of hardware authentication. My response is that hardware actually never went away. Today, there is no more prevalent form of user verification than hardware. If there had been an easier and more secure way to deploy and revoke user credentials for billions of people, we would not have hardware SIM cards in our phones or chip credit cards in our wallets.

Security is all about minimizing attack surface and achieving separation. The recent Spectre and Meltdown attacks illustrated that it’s hard to achieve watertight separation between processes as systems become increasingly complex. General purpose computing devices that are connected to the internet have big attack surfaces, making them vulnerable to attacks from many fronts, including malware, phishing, malicious apps, Wifi exploits, VPN masking, and social engineering.

However, hardware security devices by themselves do not automatically make things more secure. Modern threats require stronger cryptography with a tighter integration to the applications they’re designed to protect. As a result, we will see increased awareness and adoption of hardware-based authentication and encryption devices using public key cryptography throughout 2018. These devices keep cryptographic information physically separated from the computing device they are connected to, dramatically minimizing the attack surface.

The benefits of using hardware authenticators go beyond just security. Users wanting to ensure privacy do not want to leave footprints that tie their identity to a particular device. Most mobile devices are controlled or monitored by the telecom or platform providers, collecting data about user activities. Furthermore, tying user identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts, or being anonymous. Hardware authenticators, such as the YubiKey, do not require you to share any personal details of yourself to authenticate.

Additionally, there are enterprises who do not allow their employees to bring their phones to work, which makes mobile device based authentication inaccessible. In some geographic locations, there are regulations in place that prohibit companies from forcing employees to download business applications on personal computing devices.

Mobility is another important benefit of hardware-based authenticators. With your credentials tied to an integrated device, it can be difficult to move your login credentials between devices, as there is no seamless communication standard between all computers and mobile platforms. Using a hardware authenticator with multiple communication methods solves this problem.

Finally, hardware authenticators offer significant benefits related to backups. Regardless of the type of authentication technology selected, users will sooner or later lose, break, or reset their login devices. When organizations allow the use of multiple affordable hardware authenticators, one as a primary and others as backups, productive work will increase and support calls will decrease. A hardware authenticator, such as the YubiKey, can cost less than a support call, and a fraction of the expense of using a mobile phone.

Today, in 2018, Yubico and all leading browsers and platform providers are engaged in open standards work based on hardware and public key crypto across leading standards organizations, including the FIDO Alliance, W3C, IETF, and OpenID. We work together not as competitors, but as true leaders collaboratively driving the open standards that will stop the number one problem of IT security breaches for login, payments, IoT, and beyond: stolen user credentials.

Ronnie Manning

WIRED and Ars Technica Experts Choose the YubiKey 4 for New Subscribers

Credibility is defined as the quality of being trusted and believed in. As Yubico continues to grow the trust from our users, partners, and peers, it is truly valued. It’s with this trust that we continue to drive forward in creating strong, open authentication standards and delivering on our vision and belief of a secure internet for all.

Today, we are honored to announce we are partnering with Ars Technica, as part of celebrating its 20 year anniversary, by offering the YubiKey 4 to new Ars Pro++ subscribers. Ars Technica is a highly respected online publication within the technology community and combines technical savvy content with wide-ranging coverage of human arts and sciences, while specializing in bringing readers the right answer, the first time.

Eric Bangeman, Managing Editor, Ars Technica says, “Keeping your online accounts and personal data safe can be a challenge, but YubiKey’s flexibility and best-in-class two-factor authentication capabilities offer a deeper level of security for its users. Ars Technica is proud to offer the YubiKey 4 as a gift for its Ars++ subscribers.”

Limited Edition WIRED and Ars Technica YubiKeys

Also today, we are equally excited to say we are partnering with WIRED magazine to deliver YubiKeys to their new subscribers as well. WIRED is the ultimate authority on the people and ideas changing our world. With a particular focus on emerging technologies, they don’t just write about the future, they ignite it.

As Nicholas Thompson, Editor-in-Chief, WIRED states, “We’re thrilled to be able to offer our subscribers free YubiKeys. Our readers are sophisticated technology users who value their security, which is why we picked YubiKey as a natural gift for them.”  

With both of these powerful and forward-thinking audiences, we are extremely honored that experts from WIRED and Ars Technica chose the YubiKey as the gift of security for their readers. The best part is, subscribers are not receiving a regular YubiKey — they are receiving a limited edition YubiKey 4 with a laser-etched WIRED or Ars Technica logo. The cool factor is upped considerably here. 

Now, new WIRED and Ars Technica subscribers will be able to add the most secure, easy-to-use multi-factor authentication to their business and personal accounts. YubiKey support is available with services such as Google, Facebook, and Dropbox, plus popular password managers, and hundreds of other services — all with a simple touch.  

Looking to read about some of the best in tech? Are you an avid WIRED or Ars reader?  Want to get your hands on one of these limited edition YubiKeys? Check out the subscription information for WIRED and Ars Technica!

Ronnie Manning

Yubico CEO Wins Ernst & Young Entrepreneur of the Year Award

Today, we are proud to announce that Yubico CEO & Founder, Stina Ehrensvard, won the national finals for Ernst & Young’s Entrepreneur of the Year, earning her the title of Female Shooting Star, Sweden. This follows her acceptance of the regional Female Shooting Star award for Stockholm, which was awarded in November 2017.

Stina shares, “Few entrepreneurs succeed alone, and this award would not be possible without a fantastic team. As American anthropologist Margaret Mead once said, ‘Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it’s the only thing that ever has’.”

The annual Entrepreneur of the Year awards recognize exceptional business leaders who create products and services that drive a healthier worldwide economy. Specifically, the Female Shooting Star award is reserved for the woman who leads significant company growth in a short period of time. Ernst & Young organizes and distributes the awards regionally, nationally, and internationally with a mission to encourage entrepreneurial interest and inspiration among future generations.

The judging committee concludes, “Stina Ehrensvard has developed the solution for a growing problem and created an international company. The path from idea to success was not a straight line, but thanks to drive and dedicated work she found the key to success. Her product may be small, but it makes the difference for internet security across the globe.”

To learn more about Stina’s entrepreneurial journey and the passion, technology and teamwork that contributed to Yubico’s success, read more about her story in Entreprenör Magazine and Marie Claire. Additional information on the Entrepreneur of the Year awards can be found here.

Jesper Johansson

5 Best Practices for Companies Serious About Data Privacy

If you caught this month’s earlier blog, you’ll know that Yubico is partnering with the National Cybersecurity Alliance to support Data Privacy Day, which takes place on January 28. Protecting privacy is one of the main end goals of a security program. It’s incredibly important to us at Yubico to empower and educate individuals and businesses on the best ways to stay safe online.

Our first Data Privacy Day blog focused on the individual user by outlining some of the most common ways internet credentials are stolen, and a surprisingly easy solution to protect against them. In the second blog of our two-part Data Privacy Day series, we take a closer look at how a security program supports your data privacy initiatives.

Companies who take data privacy seriously all have five things in common. If you are advocating for better data privacy in your organization, you want to start with a security program that supports these efforts. Such a program has a few common characteristics.

Leadership buy-in

Prioritizing the protection of data and systems starts at the top. The entire executive team, including the CEO and the Board, must know that security is a key priority for your organization. Otherwise, when it comes to allocating finances and resources, security will take a back seat.

This can seem daunting, but it’s actually becoming less difficult to receive this sort of leadership buy-in. For those who ever need a good selling point, just look at the volume and tone of press coverage after some of the most recent data breaches.

A person responsible for security and privacy

Explicitly identify and designate one individual who is responsible for overall security and privacy at the company. This means building out a C-level position to own all aspects of security and privacy, as well as legal and compliance risks. Not only will this ensure that there is a holistic, comprehensive approach to the security and privacy strategy, but it will also help further leadership buy-in by giving security a seat at the executive table and decision-making process. By having security and privacy at the company leadership level, the group can better work with the business by planning for organizational initiatives rather than being surprised by them.

A culture of security and privacy

It’s no surprise that a lot of security and privacy incidents within an enterprise are related to human errors. With tight deadlines and busy schedules, it can be attractive for ambitious, well-intentioned employees to cut corners, and security is usually one of the first areas to take a hit. Reusing passwords, using easily-guessed passwords, sharing credentials, leaving work devices unattended or unlocked, and mistakenly clicking on malicious links are just a few common employee practices that result in breaches. Employees have a job to do, and if security hinders them rather than helps them, they will work around controls they don’t understand.

Companies that take security and privacy seriously run programs that are designed to ensure every employee knows, understands, and follows company security and privacy protocols. These programs also have clear expectations and consequences for failure to abide by the policies. To be clear, this doesn’t—and shouldn’t—mean leading with fear. It means taking the time to educate different groups of people about the negative impact a data breach could have on revenue, safety, and overall company health and reputation. The best security and privacy teams focus on enabling employees to do their best work by enabling them to do security right.

Clear processes and policies

Having a good governance framework won’t matter if users aren’t familiar with the processes and policies involved. After all, it’s important to ensure that the plan can actually be implemented.

It’s also critical to know how to measure the success of the program. The ability to demonstrate the return on investment (ROI) for security products and services is invaluable to CEOs and the Board. Return on mitigation (ROM) is another valuable metric. It reframes the potential losses from risk as business gains by calculating how much would not be lost through effective mitigation.

An incident response plan

While no company wants to deal with a data breach, companies that prepare for one before it happens weather the storm better. The aftermath of a compromise is a terrible time to draft the notification to the board and your customers, and just as bad a time to figure out how to determine what happened and stop it. A clear and tested response plan helps all parties involved know what to do, what their role is, and how to communicate internally and externally.

At Yubico, we are experts at authentication—trusted by millions all around the globe to guide them through securing access to devices, networks, and web applications. That’s because we drive innovation and have modernized strong authentication, making strong two factor authentication (2FA) easy to use, all while reducing IT costs.

Don’t forget, Data Privacy Day is happening on January 28, and we welcome you to join in the movement! Start now by helping to educate and empower individuals and businesses on becoming #PrivacyAware. For additional tips on how to improve online safety, read more here.

Yubico Team

5 Surprisingly Easy Ways Your Online Account Credentials Can Be Stolen

This month, Yubico is partnering with the National Cybersecurity Alliance (NCSA) to support and promote Data Privacy Day, an initiative to empower individuals and encourage businesses to respect privacy, safeguard data, and enable trust. While Data Privacy Day is a one-day event taking place on January 28, security is our focus at Yubico every day, and we are starting the conversation about online security and privacy early!

When it comes to compromised internet security, it can be difficult to know what you’re defending against, because attacker objectives, victims, and techniques vary significantly. That said, we do know that internet credential theft and misuse is involved in nearly 81% of hacker-related breaches. Since stealing someone’s password or other authentication data is relatively easy to do from afar, and there’s little risk of or danger in getting caught, it’s become one of the most common attacks in the world.

In this two-part blog series, we will uncover some of the most common techniques for stealing internet credentials, popular and proven methods of defending against these attacks, and best practices to keep your data safe. Before we can effectively protect ourselves online, we must first understand the threats that we’re facing.

Weak Password Guessing

Attackers try common passwords with specific or common usernames across many sites, and this can be surprisingly successful. Unfortunately, most people struggle with creating or remembering strong passwords. As a result, people often choose weak passwords for convenience, or because they don’t think it matters, and rarely change them if circumstances change.

Password Reuse Abuse – Credential Stuffing

Attackers regularly take credentials stolen from one site and try them on another, as it’s very common for people to use the same password, or a variant, across multiple sites. This problem is exacerbated by the large volume of stolen credentials available for sale on the dark web with hundreds of millions of credentials available to attackers. Attackers have also reportedly targeted weaker sites to gain an individual’s credentials. If they’re successful, they’ll use those same credentials on other sites that they’re actually interested in.

Man in the Middle (MitM) Attacks

Sometimes, attackers have access to the network path between their victim’s computer and the site they are accessing. This can enable the attacker to view what sites someone is accessing and steal their data if the connection is not encrypted or if the victim believes the attacker’s system is legitimate.

This privileged position can be used to wait for users to access the site of interest, or it can be used in combination with other techniques, such as phishing, to entice someone to visit the site of interest.

Phishing

Phishing carries serious risks for internet users. Credential phishing typically uses some pretext to convince a person to reveal their credentials directly, or to visit some site that does the same. Attackers do this via SMS verification, email, telephone, instant message, social networks, dating sites, physical mail, or by any other means available.

Account Recovery Exploitation

Due to the large scale of users for many services and the general desire to keep support costs low everywhere, account recovery flows can be much weaker than the primary authentication channel. For example, it’s common for companies deploying strong two-factor authentication (2FA) solutions as their primary method to leave SMS as a backup. Alternatively, companies may simply allow help desk personnel to reset credentials or set temporary bypass codes with just a phone call and little to no identity verification requirements.

Services implementing 2FA need to strengthen both the primary and the recovery login flow so that users aren’t compromised by the weaker path.

The Silver Lining

There is an equally surprisingly easy and affordable way to protect online accounts from all of these attacks. It’s called FIDO Universal 2nd Factor (U2F), a modern security protocol invented by Yubico and Google that is specifically designed to help online services and users tackle these common attacker techniques. Since its inception in 2012, U2F has become widely adopted by many services, including Gmail, Dropbox, Facebook, GitHub, Salesforce.com, and more.

The protocol works by registering a physical hardware device, like the YubiKey, with your service. Once paired, the service will challenge you to provide your account password (something you know) and to present your YubiKey (something you have) by inserting it into the USB port and touching the gold contact (called test of user presence). There are no codes to type or apps to load. The YubiKey does the work for you.

A single U2F device, like the YubiKey, can be used with nearly unlimited services and accounts all while providing data privacy. That’s because the YubiKey generates a new pair of keys for every service, and only that service stores that specific public key. With this approach, no secrets are shared between service providers.

So how does the YubiKey stop hackers even when they’ve stolen your account password? Without also stealing your YubiKey (a physical device), an attacker can’t get access to your account. Once you’ve turned on U2F, you can also help secure your accounts against account recovery exploitations by turning off less secure forms of 2FA like SMS, wherever possible.
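The per-service key pairs and origin binding described above can be seen in a simplified model. This is an added example, not Yubico's code and not the real U2F wire format: the `ToyAuthenticator`, `ToyService` and `browserSign` names and the `.example` origins are all hypothetical, and the browser is assumed to use the page origin as the appId.

```javascript
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Bytes covered by the signature: appId hash, user-presence flag, counter, client data hash.
function signedBytes(appId, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(clientData)]);
}

// Toy authenticator (hypothetical model, not YubiKey firmware): a fresh P-256
// key pair per registration, each bound to the appId it was created for.
class ToyAuthenticator {
  constructor() {
    this.keys = new Map(); // keyHandle -> { privateKey, appIdHash }
    this.counter = 0;
  }
  register(appId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    const keyHandle = crypto.randomBytes(16).toString("hex");
    this.keys.set(keyHandle, { privateKey, appIdHash: sha256(appId) });
    return { keyHandle, publicKey }; // only the public half leaves the device
  }
  sign(keyHandle, appId, clientData) {
    const entry = this.keys.get(keyHandle);
    // Refuse key handles that were not created for this appId.
    if (!entry || !entry.appIdHash.equals(sha256(appId))) return null;
    this.counter += 1;
    const data = signedBytes(appId, this.counter, clientData);
    return { counter: this.counter, signature: crypto.sign("sha256", data, entry.privateKey) };
  }
}

// Toy service: stores one key handle and public key per user, never a shared secret.
class ToyService {
  constructor(origin) {
    this.origin = origin;
    this.users = new Map();
  }
  enroll(user, authenticator) {
    const { keyHandle, publicKey } = authenticator.register(this.origin);
    this.users.set(user, { keyHandle, publicKey, lastCounter: 0, challenge: null });
  }
  startLogin(user) {
    const record = this.users.get(user);
    record.challenge = crypto.randomBytes(32).toString("hex");
    return { keyHandle: record.keyHandle, challenge: record.challenge };
  }
  finishLogin(user, clientData, assertion) {
    const record = this.users.get(user);
    if (!assertion || !record.challenge) return false;
    const expected = record.challenge;
    record.challenge = null; // each challenge is single use
    const { origin, challenge } = JSON.parse(clientData);
    if (origin !== this.origin || challenge !== expected) return false;
    if (assertion.counter <= record.lastCounter) return false; // stale or replayed
    const data = signedBytes(this.origin, assertion.counter, clientData);
    const ok = crypto.verify("sha256", data, record.publicKey, assertion.signature);
    if (ok) record.lastCounter = assertion.counter;
    return ok;
  }
}

// Browser step: client data records the origin the browser is actually on,
// whatever the page claims to be.
function browserSign(authenticator, pageOrigin, request) {
  const clientData = JSON.stringify({ origin: pageOrigin, challenge: request.challenge });
  return { clientData, assertion: authenticator.sign(request.keyHandle, pageOrigin, clientData) };
}

function demo() {
  const key = new ToyAuthenticator();
  const bank = new ToyService("https://bank.example"); // constructed origins
  const mail = new ToyService("https://mail.example");
  bank.enroll("alice", key);
  mail.enroll("alice", key);

  // Genuine login on the real origin.
  const genuine = browserSign(key, "https://bank.example", bank.startLogin("alice"));
  const genuineOk = bank.finishLogin("alice", genuine.clientData, genuine.assertion);

  // A look-alike page relays the bank's challenge; the origin no longer matches.
  const relayed = browserSign(key, "https://lookalike.example", bank.startLogin("alice"));
  const relayedOk = bank.finishLogin("alice", relayed.clientData, relayed.assertion);

  // Re-submitting the earlier, already accepted assertion.
  const replayOk = bank.finishLogin("alice", genuine.clientData, genuine.assertion);

  const pem = (svc) => svc.users.get("alice").publicKey.export({ type: "spki", format: "pem" });
  return {
    genuineOk,
    relayedOk,
    authenticatorRefused: relayed.assertion === null,
    replayOk,
    keysDiffer: pem(bank) !== pem(mail), // nothing links alice across services
  };
}
```

Calling `demo()` shows the genuine login accepted, the relayed and replayed attempts rejected, and two unrelated public keys stored by the two services.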

For more information on internet credential theft and misuse, read our whitepaper. Also stay tuned for part two of our blog series!

Alex Yakubov

Is there a good way to share passwords in an enterprise?

One of the most important facets of enterprise security is ensuring protection for all employee accounts. Password sharing methods play a critical role. When pressed for time, many users resort to sending unencrypted plain-text passwords via high risk channels like chat or email.

There are other ways to securely share passwords across teams throughout an organization—and writing it on a post-it note and leaving it on your co-worker’s desk is not one of them. Two recommended practices include:

Creating an audit trail.

With an audit trail, organizations are able to track the users who request passwords and the purpose for which they intend to use them, offering a way for organizations to discover potential password misuse. Additionally, being able to provide evidence of who has seen what in an organization is a compliance measure in known laws and frameworks.

Enforcing a strict need-to-know policy.

Giving users access to assets that are neither relevant nor useful to them on a daily basis only raises the risks for unauthorized access in the future. Limiting access to accounts and assets can help mitigate the probability of exposed sensitive data.

Ecosystem Showcase: StoredSafe

With an in-depth understanding of enterprise password challenges, Yubico ecosystem partner StoredSafe launched their own password manager, Password StoredSafe. It safely stores and shares enterprise passwords, as well as the critical information related to passwords, on a need-to-know basis and with a full audit trail.

All of StoredSafe’s solutions enforce two-factor authentication (2FA)—a testament to their commitment to password security. StoredSafe highly recommends the YubiKey and the YubiHSM for the strong hardware-backed 2FA protection they offer. With YubiKey 2FA enabled, unauthorized users cannot gain access to passwords and the enterprise secrets they protect.

“The YubiKey is the only hardware token StoredSafe supports since we integrated 2FA back in 2010. To further improve security, we have also incorporated the YubiHSM into our platform as a safe storage for all cryptographic keys. Both are easy to implement and empower our users to work independently from the internet and other networking services,” said Fredrik Soderblom, StoredSafe CEO.

StoredSafe continues to expand their product portfolio to help organizations meet and implement internal security policies around critical and sensitive information. Beyond their password manager, StoredSafe also offers 2FA StoredSafe for implementing two-factor authentication to existing IT infrastructures, Certificate StoredSafe for monitoring and holding certificate information, and File StoredSafe for securely storing confidential data.

To learn more, visit the StoredSafe website or contact sales@storedsafe.com.

Yubico is proud to highlight StoredSafe as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support the YubiKey.

Alex Yakubov

2FA – not just for employees

Protecting your organization from a potential data breach starts with providing secure two-factor authentication (2FA) for all employees. Once employees are protected, you need to think about vendors and third parties that have access to your network, customer files, and other sensitive data. Do they have the appropriate protections put in place?

According to a recent Google study, 3.3 billion user credentials were exposed by third-party breaches from March 2016 to March 2017. For example, Target was the victim of a big data breach in 2013 that started when their HVAC vendor’s credentials were compromised. Breaches through third-parties can be greatly reduced or completely avoided by mandating use of 2FA in order to access your systems.

The use of 2FA is one of the most powerful and well-established techniques for strengthening credentials. It’s been around since the 1970s with the introduction of smart card technology, although deploying and managing 2FA with smart cards has historically been cumbersome. Since then, smart card 2FA has advanced with new, easy-to-use technologies such as the YubiKey and Versasec.

Ecosystem Showcase: Versasec

Together, these technologies allow organizations to quickly increase security. Not only can enterprises mandate 2FA for employees and third parties, but they can also manage each user’s level of access and revoke it as needed by utilizing Versasec’s secure identity & access management solution. Versasec eases the deployment of 2FA with smart cards for organizations of any size by enabling admins to issue and manage user credentials. Users are then able to easily and securely authenticate to enterprise systems from across the cloud to SaaS and on-premise applications.

With Versasec’s vSEC:CMS, enterprises can provision a YubiKey for each user, letting them quickly authenticate for login, secure email, or code signing and more with a simple touch using their YubiKey as a PIV-compatible smart card and reader. vSEC:CMS also allows the user to securely unblock their PIN or load new certificates on their YubiKeys. Administrators can manage, revoke or renew all registered YubiKeys using the vSEC:CMS. The ability to centrally manage user identity and access to critical data across all the different services with Versasec is a huge win for organizations and admins.

Whether an organization has 20 or 200,000 employees, the YubiKey offers fast and simple deployment. We provide a hosted validation service, open source software and servers. Partners can easily work within the multiple security protocols supported by YubiKeys: OpenPGP, PIV, FIDO U2F, and more.

Special Offer for Yubico Customers: Start a free product trial at https://versasec.com/registration.php.

Yubico is proud to highlight Versasec as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support the YubiKey.

Alex Yakubov

Ecosystem Showcase: How ID proofing, identity federation, and strong authentication protect digital identities

According to the NIST SP 800-63-3, digital identity is “the online persona of a subject”. Unlike personal identity, an individual can convey multiple digital identities across various networks and communities, so one person can have a digital identity for their work email and another for a social media account. Given the possibility of multiple digital identities, correctly proving an individual is who they say they are on an online service or network is not as easy as glancing at a face and a name tag.

Ensuring that only the authentic user is given access may require identity proofing. The identity proofing process relies upon various factors, such as the presentation of identity documents issued by another provider, biographic information, biometric information, and knowledge of personally relevant information or events.

As the process for identity proofing is done both online and remotely, it is used in conjunction with identity federation and strong authentication to protect an individual’s digital identity. Identity federation is the process of securely exchanging identity and security information between an identity provider (IdP) and an online service or network. Identity federation relies on strong authentication like FIDO Universal 2nd Factor (FIDO U2F) to protect against phishing, man-in-the-middle attacks, and session hijacking.

Ecosystem Showcase: Digidentity

Using a centralized digital identity through a FIDO U2F-enabled IdP like Digidentity is an economical and effective alternative to securing multiple digital identities independently. An effective example of this is GOV.UK Verify, a secure online verification service Yubico piloted with Digidentity and the UK’s Government Digital Service (GDS) in 2016. This is the first government service in the world to support FIDO U2F.

The GOV.UK Verify project was later lauded and awarded “Best Innovation in eGovernment/eCitizen” at the European Identity and Cloud Conference 2016 Awards. The success of GOV.UK Verify marked an important milestone both for individual users and governments looking to leverage identity data as a way of securing online government services while safeguarding privacy.

Today, using Digidentity federated authentication services and FIDO U2F with the YubiKey, UK citizens can conveniently access a number of government services online with the utmost security and privacy. Beyond government services, Digidentity also provides IdP services to insurers, financial institutions, and organizations.

By creating a robust identity ecosystem combining identity proofing, identity federation, and strong authentication with FIDO U2F, Yubico and Digidentity keep our commitment to protecting and preserving the digital identities of millions of individuals across the globe.

Watch this webinar to learn more about identity proofing, federation, and FIDO U2F. To learn more about our ecosystem partner Digidentity, visit their website.

Yubico is proud to highlight Digidentity as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support the YubiKey.

Alex Yakubov

Security and compliance—a top priority for Sentry

Organizations that outsource certain business functions to Software-as-a-Service (SaaS) providers enjoy many benefits, including cost efficiency and increased productivity. However, alongside these advantages come potential risks of privacy and data compromise.

Due to the nature of cloud computing, SaaS providers are required to take necessary steps and precautions to prove the security, reliability, and integrity of their data processing operations in order to do business with government agencies, financial institutions, healthcare organizations, and others. These compliance directives are designed to protect customers and provide assurance to them that their privacy is kept intact. Before making the switch, organizations evaluating SaaS services need to ensure that their SaaS provider of choice meets these compliance requirements.

Ecosystem Showcase: Sentry

As both a SaaS provider and open source error tracking platform, Sentry—a Yubico ecosystem partner—understands the gravity of security and compliance. Sentry adheres to certification and compliance standards including HIPAA / HITECH, PCI DSS, and Privacy Shield, among others. Sentry is committed to securing both users and applications by eliminating systems vulnerability and using industry-standard technologies to protect data from unauthorized access, disclosure, use, and loss.

Sentry encourages two-factor authentication (2FA) as an important step towards securing data access from unauthorized users, and integrates the strongest level of 2FA with the YubiKey and FIDO Universal 2nd Factor (U2F). The YubiKey meets NIST 800-63-3 Authenticator Assurance Level 2/3, and certification for FIPS 140-2 Overall Level 2 is in progress.

“I feel a lot safer accessing and managing our company’s cloud databases with Sentry and the YubiKey,” said Mike, a Sentry enterprise customer admin. “Without 2FA, we risk access to our company’s cloud service and internal systems, which—if a malicious user gets through—can take down our production fleet. Enforcing YubiKey 2FA with Sentry is the right thing to do. It’s easy, and it works.”

With trust at the core of their business, Sentry takes security very seriously. That is evident in their compliance and certification efforts. By offering strong 2FA with the YubiKey, Sentry demonstrates an unrelenting commitment not only to their users’ privacy, but also to their duty as a SaaS provider to ensure the integrity of their platform.

For more information on Sentry’s YubiKey integration, go to their website. You can also try it free today. Sign up here.

Yubico is proud to highlight Sentry as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support the YubiKey.

Alex Yakubov

IBM and Yubico Simplify Strong Security for Enterprises

Raise your hand if you’re a fan of security products that live up to their name and also deliver a delightful user experience! You know we are, and that’s why we’re happy to announce a joint effort with IBM to deliver FIDO Universal 2nd Factor (U2F) protection with the YubiKey through the IBM Security Access Manager (ISAM). The FIDO U2F open authentication standard provides the highest level of security assurance and protects against phishing and man-in-the-middle attacks aimed at stealing credentials and gaining access to enterprise systems and services.

If you’re an ISAM customer, and are currently evaluating two-factor authentication (2FA) or multi-factor authentication (MFA) options, then look no further. IBM has integrated the strongest level of 2FA to ISAM with YubiKey and FIDO U2F support. The YubiKey FIDO U2F Settings Configurator for ISAM is available in the IBM Security App Exchange, a marketplace where developers across the industry can share applications based on IBM Security technologies.

The new app enables ISAM Administrators to quickly and easily reconfigure the ISAM appliance to enforce FIDO U2F with YubiKey attestation in a matter of minutes. From there, end users are able to register their own YubiKeys for easy, secure access to any systems you have connected for Single Sign-On (SSO). The YubiKey offers a frictionless authentication experience for ISAM admins, users throughout the organization, and external customers.

For a limited time, we’re offering ISAM Admins the YubiKey Experience Pack for $100* ($268 value), which includes one of all six YubiKey form factors. Use them to test out the integration in your environment, and let us know how we can help when you’re ready to roll out the YubiKey to your organization.

*Offer valid through 11:59pm PT December 15, 2017, while supplies last.

Alex Yakubov

Okta and Yubico partner to offer strong adaptive authentication

With the increasing frequency and scale of identity threats including phishing and man-in-the-middle (MitM) attacks, the best way to prevent a breach is to provide strong multi-factor authentication (MFA). MFA is designed to protect against the range of attacks that rely on stealing user credentials. Organizations can use a variety of techniques, but all work by requiring the user to provide something in addition to their primary password (something the user is, has, or knows) before they can be authenticated.

Deploying strong MFA that is easy-to-use for employees and easy-to-manage for admins can be quickly accomplished with Okta’s Adaptive MFA and the unphishable YubiKey. Adding the YubiKey as a hard token to the Okta Adaptive MFA solution strengthens the MFA by requiring the user to have a physical token verifying their identity. This is also a great option for global organizations that need to provide strong authentication to comply with regulations such as the European Union’s General Data Protection Regulation (GDPR).

Ecosystem Showcase: Okta

Adaptive authentication means the level of authentication required is flexible depending on how much risk a user presents. Every time a user logs in using Okta Adaptive MFA, the system analyzes the request to determine how much access to grant.

With strong MFA in place, even if a user’s password is stolen, user accounts are safe from unauthorized access. Enabling Okta’s MFA and pairing it with the YubiKey will protect business-critical data from the most prevalent attacks on the Internet today.

Special Offer for Yubico Customers: Try Okta free for 30 days to increase security, improve user productivity and make your IT team more efficient.

Yubico is proud to highlight Okta as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support the YubiKey.

Jerrod Chong

How to Navigate FIDO U2F in Firefox Quantum

Firefox Quantum is the latest internet browser to natively support FIDO Universal 2nd Factor (U2F) devices, and we couldn’t be more thrilled to see this advancement! With Mozilla jumping on board, millions of Firefox users can now begin to experience the ease-of-use and security of the YubiKey and U2F authentication...with one small caveat. FIDO U2F is not turned on by default in the Firefox browser.

If you’re among the individuals testing the FIDO U2F YubiKey with Firefox Quantum, you’ve likely already experienced a few common challenges. First, FIDO U2F is not a default setting with the latest Firefox browser. It requires configuration in advanced settings. Second, even after enabling FIDO U2F, some services may not recognize it. We understand that this can be frustrating or inconvenient for users, and as a principal inventor of the FIDO U2F open authentication standard, we’d like to provide additional clarity and guidance.

Why isn’t FIDO U2F a default setting in Firefox Quantum?

Mozilla plans to only support the out-of-the-box experience with FIDO U2F devices using Web Authentication APIs (as part of FIDO 2) versus FIDO U2F APIs. Per the company’s Security/Crypto Engineering wiki page, they intend to “...permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57 (Done in Firefox 57), and Web Authentication (on by default) in Firefox 59 or 60.”

In many ways, FIDO 2 is the next-generation of FIDO U2F, as it will pave the way for things like multi-factor and passwordless login, while still supporting two-factor authentication (2FA) functionalities of the original FIDO U2F standard. As Web Authentication specifications will likely not be complete until early 2018, users will need to wait for the seamless experience with U2F devices in Firefox until the Web Authentication API integration is done.

How do I enable FIDO U2F in Firefox Quantum?

While the FIDO U2F experience in Firefox is limited at the moment, turning it on is very simple. It only takes three steps.

1. Type about:config into the Firefox browser.

2. Search for “u2f”.

3. Double click on security.webauth.u2f to enable U2F support.

Even after enabling FIDO U2F in Firefox Quantum, why won’t YubiKeys work for some U2F-enabled sites?

Integrating with FIDO U2F v1.1 JS API will allow a developer’s web app to support U2F on Firefox. That said, it’s important to understand that every FIDO U2F implementation can vary from the official specifications. For example, Mozilla did not fully implement the FIDO AppID and Facet Specification. Some sites supporting FIDO U2F have made accommodations for the incompleteness of Firefox’s implementation, but some have not. In other situations, some services may not work with Firefox Quantum because of a service-specific implementation. For this reason, Firefox Quantum users are currently having trouble authenticating with their FIDO U2F devices for some sites that typically support FIDO U2F devices. Our recommendation? Make a request to both Mozilla and that particular service to refine their FIDO U2F support, allowing for Firefox compatibility.

Ultimately, Mozilla’s FIDO U2F support is a huge progression toward strong, unphishable authentication. We can only hope to see the platform’s FIDO U2F authentication experience grow to become seamless and simple as the FIDO standard intends.

5.9.18 Update - Firefox 60 is the first browser to support the new security standard, FIDO2, Web Authentication (WebAuthn) and U2F.

Alex Yakubov

Privileged credentials—a privilege and a responsibility

When it comes to security, organizations have a lot of moving parts to consider. From mobile and desktop devices to servers, line-of-business applications, cloud storage, social media accounts, and more—these are all resources that can contain sensitive company information. Naturally, it's important to minimize the security risk associated with these channels to help protect enterprise assets.

For many years, privileged user credentials have offered a solution: only specific individuals have the greatest levels of access to the most sensitive company infrastructure and data. While this is a crucial component in the context of the overall security architecture, the trust, authority, and access granted to privileged users also marks these accounts as 'highly desirable' for malicious hackers.

Ecosystem Showcase: Lieberman Software

The Forrester Wave: Privileged Identity Management, Q3 2016 Report estimates that 80% of security breaches involve privileged credentials, and states that privileged credentials provide greater scope for stealing data en masse compared to individual accounts. The report also recognizes that privileged identity management demands an integrated approach that includes multi-factor authentication (MFA) and security assertion markup language (SAML) compatibility.

To ensure that sensitive data is not compromised via privileged credentials, it is absolutely necessary for organizations to deploy proper security precautions, and to be mindful of which users and assets to grant privileges to. Implementing two-factor authentication (2FA) or MFA for administrative access to web applications and other devices that store vital information is an effective way to mitigate these threats. Extending the use of strong authentication to your entire end-user base can also reduce the threat and effectiveness of stolen credentials.

Yubico and Lieberman Software are working together to protect organizations from credential threats like keylogging, social engineering, and other cyber attacks. With its support for the YubiKey, Lieberman Software enables its customers to implement flexible and cost-effective MFA using the YubiKey One Time Password (OTP) and smart card authentication protocols. For large and complex environments, the integration between Lieberman RED - Rapid Enterprise Defense Identity Management and the YubiKey significantly strengthens security for automated privileged identity and access management.

RED Identity Management secures administrative credentials throughout your IT infrastructure, including super-user login accounts on systems and devices, service accounts, SSH keys, application credentials, database admin accounts, and cloud identities. Unlike competing, closed solutions, the YubiKey is flexible enough to be re-seeded by authorized IT administrators through the RED Identity Management interface, eliminating the need to rely on third-party vendors to replace compromised tokens.

Protecting privileged credentials is an essential step in protecting your organization’s data. For more information on using Lieberman RED Identity Management with the YubiKey, please visit https://liebsoft.com/partners/technology-integrations/yubico/ or contact sales@liebsoft.com.

Yubico is proud to highlight Lieberman Software as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support the YubiKey.

Alex Yakubov

Embracing the future of strong authentication with FIDO U2F

Centrify is a longtime Yubico partner, and together we bring two-factor authentication (2FA) and security to organizations and their global workforces. Today, we are excited to further enhance our joint partnership with Centrify’s commitment to support FIDO Universal 2nd Factor (FIDO U2F) within the Centrify platform. The platform’s upgraded security will be available on December 16, 2017, expanding upon the PIV-compatible smart card and one-time passcode (OTP) features of the YubiKey that have been available to Centrify customers since February of 2016.

FIDO U2F is a two-factor authentication (2FA) security protocol created by Yubico and Google that defends against phishing and man-in-the-middle (MitM) attacks. Centrify’s support for FIDO U2F will give their customers the ability to meet the highest Authenticator Assurance Level (AAL3) of the National Institute of Standards and Technology (NIST), as an alternative option to smart cards, outlined in the NIST Special Publication 800-63 Revision 3. To achieve AAL3, this new option now allows a single factor cryptographic device like the YubiKey with FIDO U2F protocol enabled, combined with the user’s password, to authenticate with Centrify’s platform.

Ecosystem Showcase: Centrify

“As principal inventor behind the FIDO Universal 2nd Factor (U2F) open authentication standard, Yubico believes that secure, easy-to-use and scalable authentication should be available to everyone,” said Jerrod Chong, VP of Product at Yubico. “Centrify shares our mission to bring greater security and convenience to the enterprise. By adding FIDO U2F support, Centrify has the most complete set of YubiKey integrations available from a technology partner.”

“The old days of the guarded castle with a moat, where all interactions inside the castle were trusted and all interactions outside the castle were suspect, no longer applies,” said Bill Mann, Chief Product Officer at Centrify. “Remote employees on BYOD devices accessing SaaS applications are as much a reality today as someone sitting at their workstation inside the office. At Centrify, we are committed to helping our customers embrace this new reality and where all access must be authenticated, authorized and encrypted.”

When available from Centrify, enabling FIDO U2F for your organization is simple. Users will love how easy it is to log in with the YubiKey.

Together, Centrify and Yubico provide a frictionless security solution that moves beyond passwords, bolsters security, and provides secure access to apps, devices, and IT resources. If you’re interested to learn more about the new FIDO U2F integration, and the unphishable YubiKey, you can catch a demo at Yubico booth #222 at the Gartner IAM Summit this week.

Sign up to attend a webinar hosted by Yubico and Centrify. Stronger Authentication through FIDO U2F takes place on December 12, and features Jerrod Chong, VP of Product at Yubico, and David McNeely, VP of Product Strategy at Centrify.

Yubico Team

Yubico Closes 2017 with Four Major Events

Typically, the Winter holiday season can make for a more quiet year-end for businesses, but things are still in full swing here at Yubico! Over the course of the next two weeks, you’ll find us at four major tech events across the United States and Europe: AWS Re:invent, Gartner IAM Summit, Trustech, and BlackHat Europe.

Whether you attend a speaking session, or stop by our booth, visit us to talk all things YubiKey. Let’s chat about identity and access management (IAM) integrations, next-gen payment and identity ecosystems, IT trends and research, and the future of authentication. We can also catch you up on Yubico’s latest and greatest, including the recently launched YubiHSM 2. To get you up to speed, here are a few of the things we’ve been working on over the last few months:

  • YubiHSM 2 is now available. Launched October 31, it’s the world’s smallest and most cost-effective hardware security module (HSM) for server protection, costing only $650.
  • We launched our latest YubiKey form factor, the YubiKey 4C Nano, in September. It’s the only multi-protocol USB-C authenticator of its kind, and is a true design and engineering triumph.
  • A recent integration with identity proofing provider ID.me marks the first roll out of FIDO U2F and YubiKey two-factor authentication for government agencies in the US.
  • The reality of passwordless login is closer with joint efforts from Yubico and Microsoft on the FIDO 2 open authentication standard. The first public demonstration of this was given at the 2017 Cloud Identity Summit (CIS) using a Microsoft Windows 10 computer through Azure Active Directory (AAD) and a YubiKey.

We’d love to fill you in on all of the exciting things we’re working on and how it all plays into the greater security and identity ecosystem, so be sure to pay us a visit! Wondering where you can find us at each show? You can get all the details on our events page.

Alex Yakubov

Layer up with Onion ID and the YubiKey

According to the 2017 Thales Data Threat Report, nearly two thirds (63%) of senior security executives polled indicated that their organizations deploy new technologies such as cloud, big data, IoT, and containers before having the security in place to protect them. With 88% feeling vulnerable to a cyberattack, organizations are now starting to shift their focus to securing all these new technologies with multi-factor authentication (MFA). In fact, the report shows that US and global retail organizations rank MFA in the top 3 data security tools they plan to implement this year.

Ecosystem Showcase: Onion ID

Yubico ecosystem partner Onion ID offers organizations the opportunity to use various methods of authentication—ranging from biometrics to location to security keys—to protect any web application or server in their IT infrastructure. Onion ID secures privileges for accounts on any server, container, and SaaS applications, and acts as a single pane of glass to provide security, visibility, and auditing to organizations of all sizes.

“Before we integrated YubiKey support, our customers used MFA methods that required their employees to use their mobile phones to verify their identity. To complete the mobile authentication process, data has to be trafficked to and from the internet, which is not ideal or secure for customers handling sensitive data, such as medical and financial information. If an organization doesn’t want to pass their employees’ information through the internet or have their employees install an app on their phones, what we recommend is a hardware-based security key like the YubiKey,” said Onion ID founder Anirban Banerjee.

While still common in enterprise security, mobile authentication methods like SMS and phone calls are essentially unencrypted and vulnerable to phishing. Phone and SMS networks have been exploited by governments, criminal gangs, and even penetration testing firms. Phone companies can also provide access to personal records if required to by legal order or if they are hacked or tricked.

“Organizations need an MFA solution they can fully control without needing to download and use third-party apps like Google Authenticator. Our customers find that the YubiKey offers them just that — an MFA option that is easy, affordable, and can help control exactly what an employee can do on a server or a SaaS application,” said Anirban.

With support for Yubico OTP, Onion ID successfully combines versatility with ease of use and security to protect privileged accounts on AWS, Rackspace, and more. Yubico OTP works with no client software needed, allows for self-provisioning, as well as authenticating without a username, and is easy to implement.

“Integrating Yubico OTP was simple and did not take a lot of effort from our side. The API documentation is clear, and there was excellent communication between our teams. It took us about 2 weeks for the initial integration, and 1 week for fine tuning. We also use the YubiKey internally and are happy with our experience,” he added.

Onion ID offers a cloud-based Software as a Service (SaaS) security solution that enables organizations to control access across all their properties in 60 seconds. From server privilege access management (Server PAM) for secrets storage to SaaS privilege access management (SaaS PAM), Onion ID and the YubiKey provide the secure sharing of API keys and credentials between your employees and automated scripts.

By giving organizations the ability to choose and easily enable MFA on apps and servers of their choosing with zero change, Onion ID provides security, visibility, and flexibility for organizations of all sizes.

Learn more about protecting your privileged accounts with Onion ID.

Yubico is proud to highlight Onion ID as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support the YubiKey.

Alex Yakubov

Duo Security & Yubico partner to protect Facebook employees

Protecting your organization does not need to be complicated, frustrating or costly. The simple addition of strong authentication paired with seamless identity access management can significantly reduce security risks across an entire organization by making it simple to deploy and easy for employees to use.

The focus on a strong, simple authentication experience is something Duo Security and Yubico have offered together since 2013, when a security need from Facebook sparked the partnership. Facebook needed to provide secure, simple, and seamless authentication to all their employees. They also needed support for frequent logins and quick deployment to 30,000+ employees with minimal overhead and support costs. After careful consideration, the company looked to the advanced authentication solutions provided by both Duo Security and Yubico. Together, our joint solution addressed Facebook’s authentication priorities—placing equal emphasis on usability and security.  

“Organizations are looking for flexible options that can meet the needs of a diverse and mobile workforce, and more often than not, they are looking to several solutions to do so,” said Jerrod Chong, VP of Product at Yubico. “That is why Yubico’s integration with Duo Security is one that we, and our customers, value. Together, through the use of the YubiKey and cloud-based authentication on the backend, we’re able to provide a seamless, flexible, and highly-secure authentication experience.”

Both Yubico and Duo Security support the FIDO Universal 2nd Factor (U2F), a two-factor authentication (2FA) security protocol developed by Yubico and Google that effectively defends against phishing and man-in-the-middle (MitM) attacks. In June 2017, the National Institute of Standards and Technology (NIST) recognized FIDO U2F at the highest Authenticator Assurance Level (AAL3) in their NIST Special Publication 800-63 Revision 3.

“At Duo, we place a heavy focus on end user experience. From frictionless user experiences to quick and seamless deployments, we aim to make authentication with Duo Security exceptionally easy,” said Ash Devata, VP of Product at Duo Security. “At the same time, we take security seriously and constantly improve authentication effectiveness. This is exactly why we added support for the YubiKey and FIDO U2F. As a globally recognized leading authentication standard, U2F is something we absolutely want our customers having access to.”

Ecosystem Showcase: Duo Security

In addition to FIDO U2F, the YubiKey and Duo Security support other authentication protocols including Yubico OTP (one time password), PIV (smart card), OpenPGP, and more. This functionality is loved by joint customers for the flexibility to choose 2FA methods that fit the needs of a diverse user base. The YubiKey provides an easy-to-use and secure way to protect applications that support FIDO U2F standards, as well as additional applications such as VPNs, SSH, RDP, and more, using the same physical form factor.

Learn more about utilizing the YubiKey and FIDO U2F with Duo Security; instructions are provided during the initial Duo self-enrollment process. If you are already enrolled in Duo Security using a different device for two-factor authentication, such as your mobile phone, you can add a YubiKey (security token) as an additional authentication device from the device management portal.

New to Duo Security? Learn more about their 2FA and trusted access options for the enterprise. You can get a free trial.

Don’t have a YubiKey? Learn more about securing digital identities, computers, servers, mobile devices, and online services with the YubiKey. Check out the full YubiKey product lineup to find the right key for you.

Alex Yakubov

Why email security is mission critical to FastMail

According to the Verizon 2017 Data Breach Investigations Report, gaining access to a user’s personal or professional data through a malicious email is a cyber criminal’s weapon of choice. While many users might consider that there is nothing worth taking inside their inbox, they are most likely overlooking how connected their email is to other digital accounts. Stolen email credentials can unlock other accounts, and reusing passwords across multiple logins makes that risk even greater.

Phishing attacks are amongst the most prevalent of threats to email, and typically use some pretext to convince you to reveal your credentials directly or to visit a fake login page that prompts you to do the same. Phishing alone is responsible for huge monetary losses each year, and sadly still affects around 1 in 14 users. There are a number of precautions you could take to avoid being phished, starting with using an email platform that enables two-factor authentication and an unphishable YubiKey.

Our trusted tech partner FastMail has made security a core feature of their email platform. FastMail provides an extensive range of encryption practices to keep your data safe from prying eyes, including full support for two-factor authentication. With FIDO U2F and YubiKey One Time Password (OTP) integrated into their services, FastMail recommends setting up YubiKey 2FA for the peace of mind that comes with additional security.

Ecosystem Showcase: FastMail

“FastMail has built its reputation by offering highly secure login mechanisms. The YubiKey provides a simple yet robust solution, ensuring that people can log in and access their email on any machine without the worry of their authentication details being stolen,” says FastMail co-founder Rob Mueller.

FastMail has been hosting email for companies and discerning individuals around the world since 1999, making it one of the longest operating email services on the web. Trusted by over 150,000 users in 150 countries today, FastMail is an employee-owned, independent company headquartered in Melbourne, Australia, and runs a portfolio of communication and collaboration services.

Topicbox, FastMail’s latest group email offering, is also now YubiKey-enabled. Topicbox increases productivity by providing unlimited groups to keep conversations organized, customized email delivery options to minimize distractions, and searchable team history for better onboarding.

“Protecting your information is critical for every organization, so YubiKey support was natural to build into Topicbox from the start,” says FastMail's COO Helen Horstmann-Allen. “Topicbox makes communicating with your teams faster and easier, and Yubico does the same for your team’s security.”

Special Offer for Yubico Customers: Sign up to FastMail, and get 20% off your first year by visiting FastMail here.

You can also try Topicbox free for one month by visiting topicbox.com.

Yubico is proud to highlight FastMail as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support YubiKeys.

Yubico Team

Yubico CEO Awarded 2017 Shooting Star by Ernst & Young

Today, we are proud to announce that Yubico CEO & Founder Stina Ehrensvard was awarded the 2017 Female Shooting Star by Ernst & Young’s Entrepreneur of the Year awards in Stockholm.

The annual Entrepreneur of the Year awards recognize exceptional business leaders who create products and services that drive a healthier worldwide economy. Specifically, the Female Shooting Star award is reserved for the woman who leads significant company growth in a short period of time. Ernst & Young organizes and distributes the awards regionally, nationally, and internationally with a mission to encourage entrepreneurial interest and inspiration among future generations.

All award finalists are evaluated by a jury based on entrepreneurial spirit, innovation, personal integrity, financial performance, strategic direction, market impact, and social responsibility. The jury for Stockholm’s regional finalists included previous Swedish award winners and local business representatives with solid knowledge and experience of entrepreneurship. Upon the jury’s delivery of the award to Stina, it was noted:

“With an impressive and inspiring forward-looking mindset and goal-consciousness, Stina is building a new world standard in one of the most competitive sectors in the IT world. A future-defining entrepreneur can create something that the world has not seen before. This entrepreneur demonstrates that she is about to do this. Backed by an impressive customer list and explosive growth, she is aiming for gold.”

To learn more about Yubico’s corporate growth and industry leadership, read our press release. Additional information on the Entrepreneur of the Year awards can be found here.

Alex Yakubov

Ecosystem Showcase: Fast, flexible, and free open source identity management with Gluu

Ecosystem Showcase: Gluu

Gluu was founded in 2009 to address challenges posed by an increasingly complex and proprietary web single sign-on (SSO) market.

The Gluu Server was envisioned as a utility, open source platform that would enable more organizations to deliver a secure authentication service.

Today, the Gluu Server is used by universities, government agencies, and large enterprises around the world to securely identify people and manage access to resources.

Why Gluu?

According to the 2017 Data Breach Investigations Report by Verizon, more than 80% of hacking-related breaches leveraged stolen and/or weak passwords.

One of the best ways to protect your organization is to use a central authentication platform like the Gluu Server--the fewer places you store passwords and authenticate users, the easier it is to enforce strong security.

The Gluu Server will empower your organization to improve security, reduce user friction, and more quickly roll out value added products and services to your communities.

Gluu & YubiKey

Once web and mobile applications are leveraging your Gluu Server for user login, you can significantly improve security by enforcing strong authentication.

With the Gluu Server and the YubiKey, your people will be protected from phishing, malware, and man-in-the-middle attacks while maintaining secure and seamless single sign-on (SSO) access to resources across your digital kingdom.

Get started today by following these 3 easy steps:

1. Deploy the free open source Gluu Server

2. Configure web and mobile applications for SSO

3. Enable YubiKey for easy-to-use and high security authentication!

Yubico is proud to highlight Gluu as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about all the products and services that support YubiKeys.

Alex Yakubov

The key to DFARS/NIST Compliance

There are only 8 weeks left before the Defense Federal Acquisition Regulation Supplement (DFARS) deadline, and now is the right time for US government contractors to secure Active Directory users. DFARS was structured to protect unclassified US Department of Defense (DoD) information on a contractor’s internal information system from cyber incidents, and to minimize the loss of information via cyber incident reporting and damage assessment processes.

Government contractors are required to implement the mandatory controls for Controlled Unclassified Information (CUI) detailed in NIST SP 800-171, a key component of which is to implement multi-factor authentication (MFA) for accounts that access privileged data.

Ecosystem Showcase: AuthLite 

“Whether you're implementing DFARS/NIST, PCI, HIPAA compliance, or just moving to strong authentication, securing your user accounts with static passwords isn't enough anymore. The AuthLite two-factor system for Active Directory is inspired by the simple model of YubiKeys, and designed to solve this issue,” said Greg Bell, CEO and Founder of AuthLite.

Together, Yubico and AuthLite offer a joint solution for government contractors and organizations seeking DFARS compliance. AuthLite systems natively support YubiKeys so organizations can meet the multi-factor authentication requirements for local and network access outlined in the DFARS clause.

AuthLite enables your organization to natively process MFA in your Domain Controllers and connected systems, giving you the flexibility to implement YubiKey MFA to servers, computers, and users of your choice. AuthLite also gives your organization the opportunity to add YubiKeys for users at any time, and can quickly provision new YubiKeys as your organization grows.

The multi-protocol YubiKey is built to address privacy, validation, and compliance requirements across various standards and directives, including FIPS and NIST. The YubiKey combines three of the permitted authenticator types from the latest NIST digital identity guidelines in one physical device: OTP, FIDO U2F, and smart card / PIV-compatible / OpenPGP. In the same guidelines, NIST recognizes FIDO U2F at the highest authenticator assurance level, AAL3.

The YubiKey is loved by millions across the globe for its simplicity, security, and affordability. Your users will love the ease of use of the combined YubiKey and AuthLite solution.

How it works:

Logging In

  1. Simply press the YubiKey contact to enter a One-Time-Passcode (OTP)
  2. Type the Active Directory password as usual

Behind the Scenes

On the Domain Controller, AuthLite validates the OTP, and changes the user's Kerberos ticket to contain an extra "two-factor tag" group. That way, your domain services can check whether a user logged in with one or two-factors, and decide whether to grant or deny access to sensitive resources.

“AuthLite's unique power and flexibility comes from working with your Domain Controllers to improve the authentication in the core of your domain instead of just around the perimeter. Even in simple networks, each customer's configuration might be different. We even provide Interactive Documentation, walkthrough videos, and include remote engineering assistance to make sure your multi-factor deployment is secure,” said Bell.

Fun fact! AuthLite became Yubico’s first enterprise partner in 2009. With this joint solution, AuthLite and Yubico are ready and excited to help organizations and government contractors achieve DFARS compliance by the December 31 deadline.

Learn more about using AuthLite for DFARS compliance here.
Talk to Yubico about using the YubiKey for DFARS compliance here.

Yubico is proud to highlight AuthLite as part of an ongoing YubiKey ecosystem awareness program. Visit our Featured Solutions page to learn more about other products and services that support YubiKeys.

Yubico Team

YubiHSM 2 is here: Providing root of trust for servers and computing devices

If you were to ask someone who Yubico is or what we do, you’ll likely get the answer, ‘YubiKeys’, and rightfully so. YubiKeys are our foundation, and at the core of our mission to provide tried and true multi-factor authentication since 2008. They are used and loved by some of the world’s largest companies and by millions of individuals in more than 160 countries. But what a lot of people don’t know is that our product portfolio is more extensive. We’re also in the business of protecting servers and the keys stored on those servers, and today, we are thrilled to launch the YubiHSM 2.

True to Yubico form, the YubiHSM 2 defies a conventional design approach to hardware security modules (HSM) with the company’s signature traits of simplicity and affordability. The ultra-slim nano form factor YubiHSM 2 device is affordable at $650, offering advanced capabilities and benefits at a price within reach for all organizations. This is far from the traditional $10,000 HSM box that might typically come to mind.

Many customers will use the YubiHSM 2 to secure their certificate authorities’ (CAs) root keys and to verify signatures. The YubiHSM 2 also offers advanced signing with EdDSA curve 25519.

So, how does the new YubiHSM 2 fit into your organization? Our VP of Product Jerrod Chong gives us a real-world snapshot of the YubiHSM 2 in action:

Q: Why would an enterprise or SMB have a need for an HSM?

Every organization needs to protect their server environments and the cryptographic keys stored on those servers. Approximately 95% of all IT breaches happen when a user credential or server gets hacked. HSM hardware delivers advanced protection to prevent the theft of keys while at rest or in use. This protects against both logical attacks against the server, such as zero-day exploits or malware, and physical theft of a server or its hard drive. However, most companies have taken a software-based approach, as hardware-based protection has always been cost prohibitive with traditional HSM solutions. That is not the case with the YubiHSM 2.

Q: What would a typical YubiHSM 2 enterprise deployment look like?

A typical YubiHSM 2 deployment for enterprise would include the use of hardware-backed keys for a Microsoft-based PKI implementation. Deploying the YubiHSM 2 for Microsoft Active Directory Certificate services not only protects the CA root keys, but also protects all signing and verification services using the root key. For this particular type of YubiHSM 2 deployment, implementation is fairly plug-and-play.

Q: What were some of the more unique or creative ways people were using YubiHSM 2 during the beta program?

While protection of root keys for Microsoft AD Certificate services is a common use case, participants in our beta program also explored the use of the YubiHSM 2 for improving security on manufacturing lines, increasing security for IoT gateways and network appliances, and augmenting security on legacy SCADA.

Q: Can the YubiHSM 2 be used on virtual systems?

Yes, the YubiHSM 2 is network-sharable. While it plugs into a USB port on a host machine, communication is handled via a connector that can speak HTTPS. This means it can speak with any application connected to the network using HTTPS, a feature not previously available on the original YubiHSM model and not frequently supported by lower-priced HSMs. This can be especially advantageous on a physical server that is hosting multiple virtual machines (particularly for cloud applications), so organizations are not bound to the host machine USB ports.

Q: The size of the YubiHSM 2 is rare for an HSM. What was the impetus behind selecting the “nano” form factor?

One of the drawbacks with traditional HSM solutions is that they are large in size, making it difficult to deploy on servers that use rack-based installations. The Yubico nano form factor allows the HSM to be inserted completely inside a USB-A port with minimal protrusion. This allows for optimized placement in tightly constrained server racks.

For more information on additional YubiHSM 2 capabilities and technical specifications, visit https://www.yubico.com/products/yubihsm. Alternatively, if you are ready to purchase the YubiHSM 2 for your organization, units are available on our store.

Yubico Team

Growing our security and open standards team

In celebration of this week’s National Cybersecurity Awareness Month theme, The Internet Wants YOU: Consider a Career in Cybersecurity, we asked three of our security and open standards rockstars — Jesper Johansson, Torbjörn Granlund, and John Bradley — to share their career background, and the journey that led them to Yubico.

Jesper Johansson, Chief Security Architect, Yubico

Jesper joins Yubico’s Seattle office to grow and lead the Yubico Security Team. He leaves his post at Google, where he worked in the Security & Privacy team. Prior to that, he spent a decade at Amazon, rising to Chief Security Architect for Amazon's Worldwide Consumer business, and was a security strategist and founding team member of the Trustworthy Computing Team at Microsoft.

When asked to impart some advice to those pursuing a career in cybersecurity, he shared:

“Two things -- first, learn another field as well. You can't be an expert in security without being an expert in some related field. Security is all about protecting something, and you have to have a good understanding of that something else. Second, be pragmatic. The biggest mistake security folks make is trying to secure things to a level that far exceeds the value of the asset you are protecting, or the risk to that asset. We need to focus on security solutions that support the business rather than those that hinder it.”

Jesper is the author of three books, many articles, and blog posts, and has delivered more presentations on security than anyone could remember.

Torbjörn Granlund, Senior Software Engineer, Yubico

Torbjörn recently joined our Stockholm office as an expert in efficient and side channel resilient asymmetric cryptography. He has contributed fundamental functionality to the GNU project, which is used by Linux for file copying, string and memory operations, as well as the GNU compiler.

Torbjörn proves that following your passion and honing your skills can lead to a fulfilling career and significant breakthroughs. “I’ve always been into maths, and in my teens turned into programming. I took a Masters in Science in CS. Far into my career, I realized that my maths skills were lacking, and decided to take a PhD with more maths and more theoretical CS,” said Torbjörn.

Torbjörn developed and authored the GMP arithmetic library, the de facto standard library for arithmetic within the areas of computational number theory — truly a great achievement in the field of mathematics. It is used for asymmetric cryptography in libgcrypt, nettle, GnuTLS, and optionally in OpenSSL.

John Bradley, Senior Technical Architect, Yubico

With more than 15 years of experience, John is an Identity Management subject matter expert and IT professional, whose primary focus at Yubico is on open identity standards. John is treasurer of the OpenID Foundation and the Open Identity Exchange (OIX), and an active contributor to SAML, OAuth, and other IETF standards. He is also one of the leaders of OSIS and the OpenID Certification, forums that vendors use for industry interoperability testing.

In a previous role, John was asked for a solution that offered the same level of security used for the US Government Service Agency (GSA), but was simple enough for the average user. Meeting the challenge, John co-authored the ICAM protocol profiles at Protiviti Government Services on behalf of GSA, and is currently co-authoring the next version of the OpenID specification and related standards.

“The standards are all coming together for 2018, as observed by Microsoft at CIS. We also made progress this year by updating NIST SP-800-63 to a third revision to accommodate the new techniques beyond the original smart card model,” he continued. “The goal is to make possible end-to-end proof of possession security from the first authentication through to the last access token.”

With an impressive list of achievements between the three, we are thrilled and proud to welcome them into the Yubico team.

Interested in a career in cybersecurity at Yubico? Check out our open job opportunities here.

Jerrod Chong

iPhone support for YubiKey OTP via NFC

Will my YubiKey NEO work on iPhones now that iOS 11 added some NFC support? It’s a fair question – one that we’ve been getting a lot of. This blog explains some of the details about iPhone support for YubiKey OTP to help bring some clarity to YubiKey users.

First, it’s important to understand the limited scope of Apple’s NFC support. Apple’s NFC APIs for iOS (Core NFC) allow iPhone apps to read the NFC Data Exchange Format (NDEF) records from certain NDEF tags (only supported on iPhone 7, 7 Plus, and up). However, there are a few limitations. Besides the fact that the NFC Reader interface can only be fired up from an app, Core NFC does not allow for write operations that are required for authentication protocols like FIDO U2F. As a result, NFC on the iOS platform does not support Google’s recently announced Advanced Protection Program.

However, because NFC tag reading is supported, it allows developers to build apps, including consumer facing or purpose-built enterprise applications, with one-time passcode (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, we finally have some good news for iPhone lovers: the YubiKey NEO will support OTP over NFC for applications that run on iOS 11 and iPhone versions 7+. While Yubico acknowledges this progress, ubiquitous Apple support for strong authentication, namely FIDO protocols, remains out of reach at the moment.

For YubiKey users, this improves OTP two-factor authentication on the iPhone. Now they can authenticate with just a tap of their YubiKey NEO against the phone. Additionally, developers have a better authentication option to integrate with their mobile applications. One caveat remains: developers will have to build NFC support into each individual application to retrieve the OTP from the NDEF tag. Edit (28 May, 2018): See our new Mobile SDK for iOS.

In contrast, Android supports NFC natively in the platform. For example, Android developers can open the NDEF record for a URL with the default browser instead of opening up the specific app to read the NDEF tag. Furthermore, Android developers can also add FIDO U2F support using the Android FIDO U2F APIs.

While this is encouraging news, we realize it is not yet the complete desired solution. With Apple finally opening up parts of its NFC technology (just like with Touch ID a few years ago), we are hopeful that this standards-based approach will evolve. We know security is only as strong as its weakest link; it is high on our bucket list of things to solve for the ecosystem!

What can you do? As Yubico continues to advocate for ubiquitous, strong authentication for all, we invite you to join us in voicing or tweeting your concerns and desires to Apple to expand their NFC on iOS. As a customer-centric company, Apple will greatly value your input. To send developer feedback to Apple, visit their contact page or send a tweet to @AppleSupport.

Yubico Team

Catch today’s webinar: Next-gen Identity Management

Are your users really who they claim to be? What is the impact to your business if your end-users are registering as fake individuals, or impersonating others? If the identity of your users matters to your business, then you’ll want to join today’s webinar hosted by SC Magazine.

Identity, the internet, and your business—architecting your online product/service once was as simple as enabling someone to create a user name and a password. It’s not that easy or simple anymore. User names are easily guessed and passwords are easily breached. The answer, of course, is that identity and access management software needs to be absolutely certain that the identity is correct and not an attacker pretending to be the authorized user. NIST 800-63-3 recommends combining identity proofing with multi-factor authentication.

Tune in to today’s webinar on next-gen identity management. Yubico’s foremost Identity expert, John Bradley, will chat with SC Media’s Editor, Stephen Lawton, about identity proofing in the real world, and how companies can ensure a user’s identity is accurate and not an imposter.

About John Bradley

John has over 15 years of experience in the information technology and identity management field. He advises Government Agencies and commercial organizations on the policy and technical requirements of Identity Management, Federated Identity, PKI and smart card solutions. He is often consulted and brought in to brief clients, vendors, staff, and standards organizations on complex state-of-the-art identity management concepts, best practices, and technical requirements because of his amazing ability to make complex topics simple.

Alex Yakubov

Yubico Partners with Google’s Advanced Protection Program

Today, Google formally announced their Advanced Protection Program designed to safeguard the personal Google Accounts of those most at risk of targeted online attacks, including journalists, business leaders, and political campaign teams. Yubico has partnered with Google on this initiative as part of our ongoing commitment to working with people at risk including human rights organizations, such as Freedom of the Press, EFF, and The ISC Project, as well as journalists at the NY Times and other news publications.

Modern phishing and man-in-the-middle (MiTM) attacks are creating new threats for users, and Google’s Advanced Protection Program is an important initiative to protect those most at risk. An extensive Google research study found that traditional 2-step verification and other authentication methods such as codes sent via SMS, one-time password tokens, and mobile apps are now phishable and susceptible to these attacks.

Personal Google Account Advanced Protection Program Login Flow

This is why Yubico and Google co-created the FIDO Universal 2nd Factor (U2F) standard, and why Yubico created the unphishable Security Key, supported by Google since 2014. Both the FIDO U2F standard and the Security Key form the foundation for Google’s new Advanced Protection Program.

Google’s Advanced Protection Program extends the benefits of using YubiKey security keys with important security enhancements.

  • The strongest defense against phishing - Advanced Protection makes it a requirement to use both a password and a physical security key when signing in. Other authentication methods that can be more easily phished by attackers, including codes sent via SMS or the Google Authenticator app, are not permitted and will no longer work.
  • Limit data access to trusted apps - Advanced Protection automatically prevents non-Google apps from accessing your most sensitive data, like your emails or documents.
  • Block fraudulent account access - Advanced Protection adds extra steps to verify your identity during the account recovery process to safeguard against fraudulent account access.

In partnership with Google, Yubico is proud and honored to announce our participation and support of those signing up for Google’s Advanced Protection Program. Get a recommended YubiKey Advanced Protection bundle here.

You can read more about how to sign up to the program at Google’s Advanced Protection Program information page.

Yubico Team

Infineon RSA Key Generation Issue

Infineon Technologies, one of Yubico’s secure element vendors, has informed us of a security issue in their cryptographic firmware library. The issue affects TPMs in millions of computers, and multiple smart card and security token vendors.

For Yubico, the issue weakens the strength of on-chip RSA key generation, and affects some use cases for the PIV smart card and OpenPGP functionality of the YubiKey 4 platform. We’ve issued a security advisory on this issue.

FIDO U2F, OTP, and OATH functions of the YubiKey 4 platform are not affected. The YubiKey NEO, FIDO U2F Security Key and YubiHSM are not impacted, nor are the deprecated products YubiKey Standard and YubiKey Edge. Externally generated RSA keys are not affected.

Yubico estimates that approximately 2% of YubiKey customers utilize the functionality affected by this issue. We have addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017.

At this time, we are not aware of any security breaches due to this issue. We are committed to always improving how we protect our customers and continuously invest in making our products even more secure.

We offer customers who are affected mitigation recommendations and optional YubiKey replacement. For more information please refer to our dedicated customer portal.

Stina Ehrensvard

The key to GDPR compliance and online privacy protection

The EU General Data Protection Regulation (GDPR) is a new set of mandates aimed to protect the privacy of internet users. From May, 2018, any organization operating, storing or processing data of EU citizens will be subject to the requirements. With the threat of hefty fines of €20M or 4% of worldwide turnover for non-compliance, whichever is greater, GDPR has got everyone’s attention.

One of the key components for GDPR compliance is the need for strong authentication. With billions of stolen credentials now in circulation, the use of usernames and passwords is no longer sufficient for protecting personal data. The European Union Agency for Network and Information Security – ENISA – describes authentication as ‘key to securing computer systems’ and as the first step ‘in using a remote service or facility, and performing access control’. Referenced as GDPR-compliant authentication solutions are one time password solutions, smart cards, and FIDO Universal 2nd Factor (U2F).

At Yubico, it’s been our mission to make strong two factor authentication easy to use and deploy, and available for everyone. We disrupted One Time Password (OTP) technology introducing the simple touch and no client software install solution of the YubiKey. We co-created the FIDO U2F open standard and developed a next generation, simplified, and more secure PIV smart card technology. All these protocols and acronyms – OTP, PIV, FIDO U2F – enable one YubiKey to provide strong authentication for secure access to the majority of IT systems, ranging from computers and phones to networks and online services.

But of all the three protocols, FIDO U2F is the most powerful.

FIDO U2F has today proven at scale that it is the strongest defense against modern phishing attacks that hijack the session, the so-called man-in-the-middle attacks. As well as being easy and affordable to use and support, FIDO U2F preserves the privacy of internet citizens.

Many online authentication and identity technologies store user data and cryptographic secrets in centralized servers. An essential feature of FIDO U2F is that it does not store any personally identifiable information (PII), and while it works across any number of services, it does this without sharing any information between the services. And it is these game changing privacy measures that make the YubiKey and FIDO U2F optimal for GDPR compliance.

Government regulations supporting public safety are not new. Several times before we have seen government step up and re-write laws when the health and security of citizens are at risk. We may like it or not, but some of these laws have been effective. For example, today, significantly fewer people are killed by cars and cigarettes compared to the 1950s.

With the May 28, 2018 deadline for GDPR rapidly approaching, the days of usernames and passwords as an acceptable authentication technique are numbered. The hefty fines that can be imposed for GDPR non-compliance may be the necessary means for organizations to become responsible when operating, storing or processing data of EU citizens. Learn more about the security, usability, cost and privacy benefits of FIDO U2F.

Please contact us if we can help you with GDPR compliant authentication.

Stina Ehrensvard

Creating the Unphishable Security Key

How the FIDO U2F security key and YubiKey stop phishing and man-in-the-middle attacks

Security is never stronger than its weakest link, and that weakest link is often the user. Not surprisingly, phishing attacks that target users are increasing not only in volume, but also in sophistication. Google knows that. Recently, the search giant updated their login security policy to enable users to set up security keys as their preferred and only authentication method, no longer requiring the use of SMS or a mobile authenticator app.

SMS and mobile authenticator apps are no longer effective at protecting against the modern man-in-the-middle phishing attacks that are able to hijack the session.

To prevent state-of-the-art and old school phishing attacks, Yubico and Google combined a number of advanced security features, listed below, when co-creating the FIDO Universal 2nd Factor (U2F) protocol, to deliver the unphishable key.

Origin bound keys
One of the most common phishing attacks is to trick users into visiting and logging in to a fake website, where the user gives away sensitive login data and performs a fraudulent transaction. With the increasing sophistication of hackers, it is becoming difficult for most users to see the difference between a fake and a real site. Some fake sites may even include the green light indicating a secure connection and an SSL certificate.

The latest sophisticated phishing attacks, so-called man-in-the-middle attacks, are even more aggressive: hijacking the communication between the user and service, and automatically redirecting the user to the fake website.

With the YubiKey and FIDO U2F Security Key, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication will fail on the fake site even if the user was fooled into thinking it was real.

Verification of user presence
By requiring a simple human touch to trigger the key to authenticate, the YubiKey and FIDO U2F Security Key verify that the person logging in is a real live human behind the computer, and not a remote hacker, bot, or trojan.

No shared secrets
U2F relies on the concept of minting a cryptographic key pair for each service. This means that the authentication secrets for each service are not shared. By using public-key cryptography, the server only has to store the public key for the user. Furthermore, this enhances user privacy as different sites cannot learn for which sites the user has registered.

Token binding
Token binding is an additional protection supported by FIDO U2F that secures the connection between the browser and the service to prevent man-in-the-middle attacks.

Token binding allows servers to cryptographically bind tokens (such as cookies and OAuth tokens) to the TLS layer, preventing attacks in which an attacker exports a bearer token from the user’s machine and presents it to a web service to impersonate the user. FIDO U2F keys use token binding to bind the FIDO authentication token to the user agent’s TLS connection with the service.

Native platform/OS support
The YubiKey and FIDO U2F Security Key were intentionally designed so that no additional client software is required. With all the authentication software built into the key, this design brings zero friction for the user. Additionally, this eliminates the vulnerability and risk of compromise that comes from any extra client software that needs to be downloaded to a phone or computer.

Secure backup
Any authentication technology and device can be lost. The affordable hardware-based design of the security key makes it easy for users to set up multiple keys for their accounts. This approach enables secure backups for users at considerably lower support cost compared to using mobile phone authentication technology.

Ease of use
Last, but not least, the unphishable YubiKey and FIDO U2F Security Key were designed to be easy to use and deploy.

All these security features work seamlessly. For the user, it is just a simple touch to authenticate. To further simplify, services and users can choose their own policies on how often they need to authenticate with a security key. With the way Facebook has implemented FIDO U2F, users only need to register and authenticate once per trusted laptop or phone.  

Any online service can easily add support for FIDO U2F using Yubico’s free and open source server code, and integration can be done within a few days. Alternatively, U2F can be implemented via Google and Facebook social login. Through this federation model, millions of websites and billions of users globally have access to online identity protection through unphishable security keys.
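The origin binding, user presence and per-service key pair features described above can be seen in a small simulation of a U2F authentication, added here as an illustration; it is not Yubico's server code or the YubiKey's firmware. The `Key`, `RelyingParty`, `Enroll` and `BrowserSign` names, the in-memory key store, the origins and challenges are constructed for the example, the AppID is assumed to equal the site's origin, and token binding, key handles and attestation are not modeled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

var (
	ErrNoKey     = errors.New("authenticator: no key pair for this application")
	ErrNoTouch   = errors.New("user presence not confirmed")
	ErrOrigin    = errors.New("relying party: client data type, challenge or origin mismatch")
	ErrSignature = errors.New("relying party: signature does not verify")
)

type ClientData struct { // filled in by the browser, not by the page's script
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Key struct { // models the authenticator: one key pair per application, nothing shared
	perApp  map[[32]byte]*ecdsa.PrivateKey
	counter uint32
}

func NewKey() *Key { return &Key{perApp: map[[32]byte]*ecdsa.PrivateKey{}} }

type RelyingParty struct { // the server stores only the user's public key
	AppID string // assumption: the AppID equals the site's origin
	pub   *ecdsa.PublicKey
}

// signedDigest hashes appParam(32) || flags(1) || counter(4) || challengeParam(32).
func signedDigest(app [32]byte, flagsAndCounter []byte, chal [32]byte) []byte {
	msg := append(append(app[:], flagsAndCounter...), chal[:]...)
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Enroll mints a key pair for appID and hands the site the public half only.
func Enroll(k *Key, appID string) (*RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.perApp[sha256.Sum256([]byte(appID))] = priv
	return &RelyingParty{AppID: appID, pub: &priv.PublicKey}, nil
}

// Sign is the authenticator side: it needs a key for this application and a touch.
func (k *Key) Sign(app, chal [32]byte, touched bool) ([]byte, error) {
	priv, ok := k.perApp[app]
	if !ok {
		return nil, ErrNoKey
	}
	if !touched {
		return nil, ErrNoTouch
	}
	k.counter++
	hdr := []byte{0x01, byte(k.counter >> 24), byte(k.counter >> 16), byte(k.counter >> 8), byte(k.counter)}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(app, hdr, chal))
	return append(hdr, sig...), err // flags || counter || DER signature
}

// BrowserSign models the browser, which records the origin the page was really loaded from.
func BrowserSign(k *Key, pageOrigin, challenge string, touched bool) ([]byte, []byte, error) {
	cd, _ := json.Marshal(ClientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: pageOrigin})
	resp, err := k.Sign(sha256.Sum256([]byte(pageOrigin)), sha256.Sum256(cd), touched)
	return cd, resp, err
}

// Verify runs the relying party's checks on a response to the challenge it issued.
func (rp *RelyingParty) Verify(challenge string, clientData, resp []byte) error {
	var cd ClientData
	if json.Unmarshal(clientData, &cd) != nil || cd.Typ != "navigator.id.getAssertion" ||
		cd.Challenge != challenge || cd.Origin != rp.AppID {
		return ErrOrigin
	}
	if len(resp) < 6 || resp[0]&0x01 == 0 {
		return ErrNoTouch
	}
	digest := signedDigest(sha256.Sum256([]byte(rp.AppID)), resp[:5], sha256.Sum256(clientData))
	if !ecdsa.VerifyASN1(rp.pub, digest, resp[5:]) {
		return ErrSignature
	}
	return nil
}

func main() {
	key := NewKey()
	rp, _ := Enroll(key, "https://login.example.com") // constructed origin
	cd, resp, err := BrowserSign(key, "https://login.example-com.test", "constructed-challenge", true)
	fmt.Println("look-alike origin:", err, "|", rp.Verify("constructed-challenge", cd, resp))
}
```

A response produced on the look-alike origin fails twice: the key has no key pair for that application, and even if one existed, the real site rejects the client data origin and the signature made with the other key pair.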

Learn more about FIDO U2F and social login.

Yubico Team

Our Family is Growing! YubiKey 4C Nano Unveiled at Microsoft Ignite

Today, at Microsoft Ignite (Booth #2063), we proudly announced the first-ever — and the world’s smallest — USB-C authentication device of its kind: the YubiKey 4C Nano.

The YubiKey 4C Nano form factor shares unique features with two of its siblings — the YubiKey 4C and YubiKey 4 Nano. Similar to the 4C, the YubiKey 4C Nano is designed for use with the latest USB-C devices, such as the newly designed Mac and PC laptops. Akin to the 4 Nano, the YubiKey 4C Nano’s miniature design and ultra-low profile allow the device to be left in a USB-C port without any disturbance to a user’s work environment or device mobility.

With the YubiKey 4C Nano’s patent-pending micro-design, the device is built with the same robust, multi-protocol authentication support of the YubiKey 4 product suite. This enables flexible and secure access to a variety of applications: computer login, remote server access, identity access managers, password managers, and an ever-growing number of online web accounts, including Google, Facebook, Dropbox, and more.

Delivering enterprise-grade authentication within a micro-sized hardware device is quite frankly an engineering and product design triumph! That said, we talked to Yubico CTO Jakob Ehrensvard for a closer look at some of the behind-the-scenes effort it took to make this happen. Here’s what he had to say:

Q: Many users, enterprises, and consumers alike are excited about the YubiKey 4C Nano. How did you know this was the best next step in terms of product development?

Jakob: The YubiKey nano design has become popular for users who want their YubiKey to almost be an integral part of their laptop. Particularly, when the user needs to authenticate often, this setup becomes very convenient. So, immediately after we launched the YubiKey 4C earlier this year, customers began asking us for a nano design.

Q: As discussed, the YubiKey 4C Nano size and design is incredibly impressive. What is some of the unseen work that went into this?

Jakob: At first glance, we thought it could not be done. There was simply not enough space to fit both a connector and electronics. The first couple of prototypes simply did not match the elegance of the YubiKey Nano, so we had to go back to the drawing board, and actually design a USB-C connector from the ground up. Fitting the electronics into the small form-factor, and being able to mass-produce them has been a design challenge, but I believe the final result is in keeping with the promise of a YubiKey Nano. It “is just there”, without interfering with everyday use, and without blocking any other ports.

Q: How do you see this product addition strengthening Yubico’s position to better serve enterprises and consumers?

Jakob: With the increasing adoption of USB-C on mobile devices and Apple’s “all in” approach, where they removed all other ports, we believe devices designed specifically for USB-C make the everyday use of the YubiKey simpler and smoother. Going forward, we anticipate a migration to USB-C, where it becomes the ubiquitous standard for peripheral connectivity, from desktop to phones.

Q: Moving forward, what will be the next new thing we see from Yubico?

Jakob: Broadening the hardware options is one part of the equation. In parallel, we’re working on broadening the protocol and platform support to keep the promise of the YubiKey being the ultimate authentication solution. The upcoming FIDO2 and WebAuthn standards will expand the capabilities and platform support, and we’re excited to be driving this effort. In addition to that, we’re finalizing our second-generation YubiHSM product, which extends the reach of the YubiKey to the backend of the authentication and encryption ecosystem, bringing cryptography for servers to the masses.

For more information regarding the full suite of YubiKey 4 products, visit https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/. The YubiKey 4C Nano is available today at www.yubico.com/store for $60 US. The product is also being demonstrated at Yubico Booth #2063 at Microsoft Ignite.

Stina Ehrensvard

Firefox Nightly enables support for FIDO U2F Security Keys

This week, Mozilla enabled support for FIDO U2F (Universal 2nd Factor) security keys in the pre-beta release of Firefox, Firefox Nightly. Firefox is the second largest internet browser by user base. In the near future, 80% of the world’s desktop users, including Chrome and Opera users, will benefit from the open authentication standard and YubiKey support out of the box.

When GitHub added support for U2F in 2015, the open source community voted U2F as the most wanted feature in Firefox. We are delighted to now see it happening. Yubico has helped with U2F integration for Firefox and for other platforms and browsers that have added or are in the process of adding support, as it is critical for taking the YubiKey and U2F unphishable authentication to the global masses.

In today’s world, software installation brings with it not only added complexity for the user, but also the potential risk of malware. Chrome has already enabled millions of websites and services to deploy FIDO U2F seamlessly, mainly through Google and Facebook social login, to help mitigate that. Now with native support for FIDO U2F security keys in Firefox, millions more will benefit from strong, hardware-based two-factor authentication without the need to download or install client software.

Thanks Mozilla for working on increasing security and usability for internet users!

Stina Ehrensvard

First US e-Government Services Protected with FIDO U2F Unphishable Security Keys

Today, at the 2017 Federal Identity Forum (FedID), we are taking an important step towards a more secure internet for everyone by introducing the first US federal services to offer identity proofing protection with an unphishable FIDO U2F security key. This solution is enabled through identity proofing provider ID.me, and marks the first rollout of FIDO U2F two-factor authentication for government agencies in the US. We will be demonstrating this integration at the Yubico FedID booth #636.

As the co-author of U2F and the leading maker of FIDO U2F security keys, Yubico is thrilled to see ID.me become the first in helping protect US government services using FIDO U2F security keys. Today, US citizens can use the same YubiKey to log in securely to leading internet services, including Google and Facebook, and now on federal sites where ID.me is used for identity proofing. This is a great milestone for all the contributors of the FIDO U2F standards.

Register your security key

“Thieves can guess or steal passwords from a database, and they can spoof biometrics,” said Blake Hall, CEO of ID.me.

“A physical FIDO U2F security key is ‘unphishable’ – to provide more robust and easy to use security to all customers, it’s essential to support FIDO U2F based standards and the adoption of security keys.”

This week’s announcement of US e-Government support for FIDO U2F follows last year’s launch by the UK government. Similar to the US government initiatives, the GOV.UK Verify service for UK citizens offers a combination of identity proofing, single sign-on, and secure authentication with FIDO U2F security keys. GOV.UK Verify used with FIDO U2F was enabled through identity provider Digidentity. Yubico is in dialogue with many other countries around the world that are considering offering U2F authentication for citizen-facing government services.

Yubico and ID.me will discuss the new capabilities at FedID during their “Unphishable” Authentication by the VA Panel session on Thursday, September 14th, 2017, at 2:15pm-3:15pm.

Yubico will also be participating in the discussions below at FedID.

Wednesday, September 13 | 11:00am – 12:00pm
Panel: Proving (or Hiding) Your Identity Online

Wednesday, September 13 | 3:16pm – 4:14pm
Panel: A Survey of Identity Standards

For more information on FIDO U2F security keys, go to www.yubico.com.

Yubico Team

Yubico on the Road: 5 Tech Events You Wouldn’t Want To Miss

Two countries. Five cities. One month. The coming weeks will be busy and exciting for the Yubico team, so we’ve compiled our full travel itinerary for those of you keeping tabs. If you are attending any of the events below, please come by and say hello — you’ll know where to find us.

True to Yubico form, we will showcase the seamless power of our multi-protocol YubiKeys with in-booth demos for Okta, Google, GitHub, and more. Got something you want to see? Let us know! If you’re looking for more behind-the-scenes details on leading identity and authentication open standards, you can attend some of our speaking sessions.

Oktane: August 28-30 | Las Vegas, NV

Visit us at Booth #E1, or attend our speaking session.

Panel: The Future of Identity and Security
Tuesday, August 29 at 3:45 – 4:30pm
John Bradley, Senior Architect at Yubico, joins Google, Okta, and OATH to discuss the future of identity, security, and access.

AFCEA: September 12 – 14 | Washington D.C.

Visit us at Booth #636, or attend our speaking sessions.

Panel: Proving (or Hiding) Your Identity Online
Wednesday, September 13 at 11:00am – 12:00pm
Stina Ehrensvard, CEO and Founder of Yubico, joins Venable, Experian, and FIDO Alliance to discuss best approaches to achieving balanced and privacy-preserving web authentication.

Panel: A Survey of Identity Standards
Wednesday, September 13 at 3:16 – 4:14pm
John Bradley, Senior Architect at Yubico, joins Axiomatics, SailPoint, and MorphoTrust to dive into the realm of open identity standards.

“Un-Phishable” Authentication by the VA Panel
Thursday, September 14 at 2:16 – 3:14pm
Stina Ehrensvard, CEO and Founder of Yubico, joins members from ID.me and FIDO Alliance to discuss strong authentication that can withstand sophisticated modern attacks.

Microsoft Ignite: September 25-29 | Orlando, FL

Visit us at Booth #2063.

ASIS: September 25-28 | Dallas, TX

Attend our speaking session.

Stop Sweating the Password and Learn to Love Public Key Cryptography
Tuesday, September 26 at 11:00am – 12:15pm
Chris Streeks, Solutions Engineer at Yubico, explores the benefits and authentication advantages of the emerging FIDO Universal 2nd Factor (U2F) open standard.

Wired UK: September 28 | London, UK

Attend our speaking session.

A Safer Internet for Everyone
Thursday, September 28 at 3:20 – 4:30pm
Stina Ehrensvard, CEO and Founder at Yubico, shares her vision for a secure, privacy-preserving internet that is accessible for everyone worldwide.

 

We’ve got a busy month ahead, and we hope to catch up with you while we’re on the road. Be sure to stop by our booth or join us for one of our speaking sessions. To get the scoop on where we’re heading to next, follow us on Twitter, Facebook, Instagram, and LinkedIn.

Yubico Team

Yubico CEO and Founder wins SC Media Reboot Leadership Award

Yubico is proud to announce that our CEO and Founder, Stina Ehrensvard, won in the Thought Leaders category of the inaugural SC Media Reboot Leadership Awards. Honorees across a range of professional categories were revealed in today’s special editorial section at SCMagazine.com, and recognized for their outstanding service, qualifications, and advancements in cybersecurity.

“Businesses today are increasingly under threat by a range of cybercriminals,” said Teri Robinson, Executive Editor, SC Media. “The cybersecurity leaders we’re celebrating with these leadership awards are on the frontlines every day to help defend and protect our critical systems, data, and privacy from their attacks. To showcase their advances is SC’s honor.”

The awards program is designed to showcase and acknowledge industry luminaries who positively impact the cybersecurity arena. As an extension of SC Media’s annual Reboot edition, the announcement will also be published in print at the end of the year, when the editorial team identifies the best and brightest cybersecurity professionals and their many achievements.

“Winning the SC Media Reboot Leadership Award, in its very first year, is truly an honor and one that represents our company as a whole,” said Ehrensvard. “Our core product, the YubiKey, has become the gold-standard for easy-to-use authentication and encryption. In close collaboration with our customers and top internet companies, we will continue to drive innovation, enabling a safer internet for everyone.”

Contenders in various categories faced a thorough judging process conducted by SC Media’s editorial team. The process included a review of their professional background, references, efforts to benefit the wider industry, and any other research deemed necessary by editorial leaders.

“Stina Ehrensvard exemplifies leadership in one of the most vibrant and fast-evolving industries today,” continued Robinson. “That’s what this awards program is all about – highlighting some of the strongest leaders of the cybersecurity arena whose efforts more often than not underpin every business and leisure activity we all undertake online nowadays. The advances made in this marketplace to protect data, privacy and people are vital to all that we do.”

After this inaugural year, the SC Media Reboot Leadership Awards program will continue to be an annual celebration of the notable contributions, thought leadership, and unique improvements made by a wide range of IT and information security players. To see the profiles of this year’s SC Media Reboot Leadership Awards honorees, go to SCMagazine.com.

Yubico Team

Listen in and learn: Upcoming webcasts featuring Yubico experts

Webcasts galore! Yubico is taking over the airwaves this month with 4 exciting and thought-provoking webcasts. We are collaborating with IT security leaders Microsoft and the FIDO Alliance, plus other industry professionals, to give updates on the future of FIDO and enterprise authentication. Tune in, and learn from the experts.

On August 3, Jerrod Chong, Yubico’s VP of Solutions, will partner with Andrew Shikiar, FIDO Alliance’s Senior Director of Marketing, to deliver a case study on how FIDO, Federation, and Identity Proofing can work together to create a robust identity ecosystem.

Following Microsoft’s game-changing demo at CIS, Derek Hanson, Yubico’s Director of Solutions Architecture and Standards, will join forces with Microsoft’s Alex Simons, Partner Director of Program Management for Microsoft’s Identity Division, on August 9 to discuss modern authentication with FIDO 2.0-based passwordless logins.

On August 15, Jerrod Chong will be back online to share valuable insights on various enterprise authentication techniques, including one-time password, mobile push, smart card, and FIDO U2F, and going beyond the security / simplicity trade-off with Yubico’s enterprise-wide authentication solutions.

Finally, on August 17, Tommaso De Orchi, Yubico’s EMEA Solutions Manager, will speak on the global impact of the General Data Protection Regulation (GDPR), and how organizations can leverage open standards like FIDO U2F and security keys to achieve GDPR compliance.

Join the conversation, and sign up to attend all of our webcasts below:

Aug 3 – Case Study: FIDO, Federation, ID Proofing
10:00AM PDT
Jerrod Chong, VP of Solutions, Yubico
Andrew Shikiar, Senior Director of Marketing, FIDO Alliance
Register to attend

Aug 9 – The Future of Authentication with FIDO
11:00AM PDT
Derek Hanson, Director of Solutions Architecture and Standards, Yubico
Alex Simons, Partner Director of Program Management for Microsoft’s Identity Division, Microsoft
Register to attend

Aug 15 – Enterprise Authentication: Understanding the security / simplicity trade-off
12:00PM PDT
Jerrod Chong, VP of Solutions, Yubico
Register to attend

Aug 17 – Using Open Standards to Comply with GDPR
1:00AM PDT
Tommaso De Orchi, EMEA Solutions Manager, Yubico
Register to attend

Subscribe here to receive Yubico news and updates. Check out our previous webcasts and video content. Follow Yubico on Twitter, Facebook, Instagram, and LinkedIn to get real-time updates and social posts.

Yubico at BlackHat 2017 blog crown
Yubico Team

Don’t Roll The Dice on Security! Meet Yubico at Black Hat

This week, information security enthusiasts and experts across the country will make their way to Las Vegas, NV to attend the annual Black Hat cybersecurity conference. Find us during the expo (July 26 – 27) at Booth #572, where we will double down on our award-winning YubiKeys, demonstrate the simplicity of hardware-backed authentication, and speak on the advantages of physical, one-touch YubiKey authentication over other authentication methods, such as push or SMS.

Simplicity and flexibility are not often associated with strong authentication. That is not the case here at Yubico. We believe in making easy-to-use yet exceptional internet security accessible to everyone, and our YubiKeys deliver on that promise. With built-in support for multiple authentication protocols, a single YubiKey can secure an unlimited number of applications with just one touch. No shared secrets, drivers, or client software needed — it’s not part of a Vegas magic show, we swear!

Black Hat attendees can experience innovative authentication in action at the Yubico booth. We will demonstrate the ease, speed, and flexibility of multi-protocol YubiKeys in different scenarios — from U2F authentication across cloud platforms like Google and Dropbox, to leading IAM integrations, to smart card (PIV) authentication for computer login.

On Wednesday afternoon, Jerrod Chong, VP of Solutions, will take the stage to deliver his presentation, “Think All MFA is the Same? Think Again.”

Wednesday, July 26 | 12:30pm – 1:20pm
Think All MFA is the Same? Think Again
Location: Oceanside F, Level 2

Authentication’s evolution is unfolding as newer protocols and multi-function hardware-backed keys offer fortified security compared to today’s weak and vulnerable credentials. These enhanced capabilities are designed to defend enterprises and individuals against advanced phishing techniques, and protect privacy by delivering public key crypto in the form of FIDO’s Universal 2nd Factor (U2F) protocol and next-gen smart card functionalities. Jerrod Chong, Yubico’s VP of Solutions, will discuss the advantages of hardware-backed keys using several MFA capabilities on a single device to address today’s advanced credential thefts.

If you are attending Black Hat, we’d love to meet you. Stop by Booth #572 and grab a seat during Jerrod’s presentation! To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, click here.

David Maples

Flexible Modern Authentication with the Multi-Protocol YubiKey

Most organizations work with multiple services and applications, and thus different authentication protocols, to meet all their security needs. Oftentimes, the protocol is predetermined by the application or service provider. However, in other cases, a business or systems integrator has some flexibility on which integration approach or third party to use. When it comes to authentication choices, there is typically no such thing as a silver bullet. The YubiKey was designed with this in mind to support multiple methods for authentication, enabling users and integrators to utilize the best method for each solution.

YubiKeys have multiple authentication protocols, spanning One-Time Passwords (OTP), CCID (smart card), and Universal 2nd Factor (U2F). Each protocol has support for different services and apps, much like a toolbox, allowing the user to select the correct tool for the task at hand.

OTP supports protocols where a single-use code is entered to provide authentication. These protocols tend to be older and more widely supported in legacy applications. The YubiKey communicates via the HID keyboard interface, sending output as a series of keystrokes. This means OTP protocols can work across all OS/Environments that support USB keyboards, as well as with any app that can accept keyboard input. Some common services that use OTPs are network devices like VPNs and local authentication services with user login, as support for OTPs tends to be the most straightforward to integrate.

CCID, or smart cards as their interface is more commonly called, is another supported protocol on the YubiKey. The YubiKey identifies itself as a smart card reader with a smart card plugged in, so it will work with most common smart card drivers. Windows has native support, Linux has the OpenSC project, and macOS has support for smart cards natively on Sierra (10.12) and higher. The YubiKey allows 3 different CCID protocols to be used simultaneously: PIV, as defined by the NIST standard for authentication; OpenPGP for encryption, decryption, and signing; and OATH, for client apps like Yubico Authenticator and Windows Hello. The open source nature of the supported smart card protocols makes them ideal for integrating with existing environments, such as Windows Authentication, Active Directory Federation Services, SSH or OpenPGP, and derived services.

FIDO U2F is the newest protocol supported by the YubiKey. Developed by Yubico and Google, the U2F protocol provides strong authentication without requiring a complex backend or framework to support it. Turning traditional authentication on its head, FIDO U2F makes the authentication device (like the YubiKey) the authentication provider. It issues unique keys to the services it is authenticating against, ensures each service does not have any information about the others, and removes the need for a central authentication service. With FIDO 2.0, the specification is growing to meet evolving industry needs, while ensuring that the previous generation is not rendered obsolete. The security built into the U2F protocol makes it ideal for web applications or customer-facing apps, which may be exposed to attacks on the information in transit between the user client and server.
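To make the per-service key idea concrete, here is an added Node.js model; it is not Yubico's code and not the real U2F message format. The class names, origins, and user name are constructed for the example, and the in-memory key store is an assumption made only for the model.

```javascript
// Toy model of U2F's per-service keys and origin binding (not the real wire format).
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

class ToyAuthenticator {
  constructor() { this.keys = new Map(); }      // appId -> private key, stays on the device
  register(appId) {                             // fresh key pair for every service
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
    this.keys.set(appId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(appId, challenge) {                      // appId is reported by the browser, not the page
    const key = this.keys.get(appId);
    if (!key) return null;                      // never registered with this origin
    return crypto.sign('sha256', Buffer.concat([sha256(appId), challenge]), key);
  }
}

class ToyService {
  constructor(appId) { this.appId = appId; this.users = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge() { return crypto.randomBytes(32); }
  verify(user, challenge, signature) {
    const pem = this.users.get(user);
    if (!pem || !signature) return false;
    const signed = Buffer.concat([sha256(this.appId), challenge]);
    return crypto.verify('sha256', signed, pem, signature);
  }
}

function runScenario() {
  const device = new ToyAuthenticator();
  const bank = new ToyService('https://bank.example');   // constructed names
  const mail = new ToyService('https://mail.example');
  const bankPub = device.register(bank.appId);
  const mailPub = device.register(mail.appId);
  bank.enroll('alice', bankPub);
  mail.enroll('alice', mailPub);
  const c = bank.newChallenge();
  return {
    distinctKeys: bankPub !== mailPub,          // services cannot correlate the user by key
    legitLogin: bank.verify('alice', c, device.sign(bank.appId, c)),
    otherOrigin: bank.verify('alice', c, device.sign('https://bank-login.example', c)),
    crossService: bank.verify('alice', c, device.sign(mail.appId, c)),
    replay: bank.verify('alice', bank.newChallenge(), device.sign(bank.appId, c)),
  };
}
console.log(runScenario());
```

Only the login that uses the key registered for the bank's own origin, over the bank's current challenge, verifies; a different origin, another service's key, and a reused signature are all rejected by the service without any central authentication server.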

Each protocol has strengths and weaknesses, restricting the situations where each one is most effective. However, the YubiKey resolves this limitation by supporting all of the different protocols on a single device, all at the same time. Like a carpenter using the right tool in his toolbox for the job at hand, users and integrators are able to secure their applications and services with the YubiKey using the appropriate protocol for each environment.

To learn more about the protocols supported by the YubiKey, please refer to our Developer site.