Ashton Tupper

Find Yubico at Black Hat

If you happen to be in Las Vegas this week and you find yourself strolling past the intersection of Las Vegas Boulevard and Harmon Avenue, look up. You might just recognize the friendly green color plastered all over the world’s highest resolution LED screen. 

You guessed it. Yubico is taking Vegas by storm for the annual Black Hat conference. 

Find the Yubico billboard at the corner of Las Vegas Blvd. and Harmon Ave.

Custom Black Hat YubiStyle covers.


If you don’t catch our cheeky message on the iconic Las Vegas billboard, stop by the Yubico booth (#465) to get the latest YubiKey updates along with some cool swag. See a demo of secure iOS login over a lightning connection with our upcoming YubiKey 5Ci, or grab a few of our custom YubiStyle covers designed just for Black Hat attendees. These are only available for a limited time, so get them while you can. 

You may even spot a few YubiKeys elsewhere on the show floor. Our impressive partner network will feature ‘Works with YubiKey’ stands at each of their booths. If you see one of these, stop by to say hello and learn more about how the YubiKey works with OneLogin, Duo, Microsoft, 1Password, and more.

Our full list of partners at Black Hat includes:

Works with YubiKey stand.

  • OneLogin (#2030)
  • Duo (#675)
  • Thycotic (#1410)
  • 1Password (#2323)
  • Microsoft (#654)
  • ManageEngine (#1365)
  • Okta (#2518)
  • Cmd (Cmd Beach Bungalow at the Mandalay Bay Pool Deck)
  • PingID (#2129)


To stay up to date on Yubico events, or to receive year-round updates on Yubico news, sign up for our newsletter and other mailing lists here.


Paula Skokowski

The Journey to Passwordless in the Enterprise

Today, Microsoft announced that the passwordless capabilities for Azure Active Directory (Azure AD) are in public preview, reaching a major milestone in enabling passwordless authentication in the Enterprise.

Azure AD provides an identity platform with access management, scalability, and reliability for connecting users with all the apps they need. With FIDO2 and WebAuthn passwordless authentication support now in public preview for Azure AD, users can register a YubiKey 5 Series security key with Azure AD, to enhance account security and enable passwordless login.

YubiKey Passwordless Starter Kit

Yubico is happy to have partnered with Microsoft in today’s announcement. For a limited time, we are offering complimentary YubiKey Passwordless Starter Kits to eligible organizations: Microsoft 365 customers interested in beginning their passwordless journey.

The starter kit includes two multi-protocol YubiKeys, the YubiKey 5 NFC and YubiKey 5C. The YubiKey 5 NFC is compatible with USB-A ports and near field communication (NFC). The YubiKey 5C is compatible with USB-C ports. 

With the multi-protocol YubiKey 5, organizations can begin the journey to passwordless in the cloud, securing existing applications with Azure MFA or smart card login, and be ready for newer applications supporting FIDO2 and WebAuthn authentication.

The YubiKey 5 Series multi-protocol support includes FIDO2, WebAuthn, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response functionality on a single device, to deliver passwordless, single-factor, second-factor, or multi-factor secure login. 

To verify eligibility and request a YubiKey Passwordless Starter Kit (while supplies last), please visit http://www.yubico.com/passwordless-offer. 

Want to learn more? Register for our upcoming webinar, Go Passwordless with Yubico & Microsoft: WebAuthn, FIDO2 & Azure Active Directory, taking place on July 30, 2019 at 9:00 AM PDT. You’ll hear from Yubico and Microsoft experts on the passwordless journey, key benefits, and how to enable passwordless login with Azure AD.


Ronnie Manning

WebAuthn sees rapid growth and adoption: Visit us at Identiverse to see WebAuthn in action

The new web authentication standard, known as WebAuthn, was approved by the World Wide Web Consortium (W3C) in March and is rapidly gaining momentum. Since 2007, Yubico has been driving the development of open standards and collaborating with partners to bring more secure authentication methods to users. Through these combined efforts, we co-created WebAuthn.

What makes WebAuthn so noteworthy is that it is supported by all major platforms and browsers, providing users with greater choice of simple authentication methods that protect against phishing attacks. With WebAuthn, users can choose to use any combination of external authenticators, such as a security key, and internal authenticators, such as a biometric keypad on a computer, to secure access to web services and applications. That’s huge.

Microsoft, Google, and Mozilla already support WebAuthn in their web platforms and browsers. Support is currently available in the developer preview version of Apple Safari. Upcoming support in the Brave browser has been announced by Brave Software. Along with the platform and browser support, a growing number of web services have also rolled out WebAuthn support to their users, including Login.gov, Singular Key, Daon, Isosec, Twitter, and Ping Identity, with more services committed to launching support in the near future.

WebAuthn is quickly gaining momentum, so we asked some of our Works with YubiKey partners to share why they decided to implement support. Here’s what they said:

Jasper Patterson, Web Developer, 1Password

“Our goal at 1Password is to make it easy for people to stay safe online, and adopting modern standards like WebAuthn helps us achieve that. Integrating WebAuthn into our existing two-factor implementation took about a week. The API is well designed and easy to work with for developers.”

WebAuthn offers significant security gains over traditional time-based one-time password (TOTP) or SMS-based two-factor authentication (2FA), all thanks to its secure design based on public key cryptography.

Yves Audebert, CEO, Axiad IDS

“Extending Axiad ID Cloud to support WebAuthn/FIDO2 is a step forward in providing a passwordless and frictionless authentication experience to our customers. Axiad ID Cloud leverages all the features offered by YubiKeys to further our commitment to meeting our customers’ authentication needs.”

Axiad ID Cloud is a standards-based, higher-trust identity assurance platform that provides multi-factor authentication (MFA) and dedicated PKI services to secure digital interactions. Axiad IDS expects to roll out support in the second half of this year.

Ben Goodman, SVP, Global Business and Corporate Development, ForgeRock

“ForgeRock is excited to offer WebAuthn as a native authentication option for our identity platform. Hardware authentication enabled by WebAuthn provides a more secure user authentication option, while simultaneously making for an easier, more frictionless experience. This is a ‘Win-Win’ for end-users and application owners.”

ForgeRock’s Intelligent Authentication technology has the capability to orchestrate a multitude of authentication options. WebAuthn support enables ForgeRock to seamlessly extend that functionality to a whole new breed of devices and authenticators.

Jeff Broberg, Sr. Director, Product Management, OneLogin

“WebAuthn simplifies the rollout and adoption of MFA by enabling users to leverage authenticators across mobile and desktop platforms in a more integrated fashion. Combining external authenticators, like the YubiKey, with desktop and mobile biometric sensors benefits both enterprise admins and end users.”

Adopting strong and simple authentication is critical to secure corporate resources from advanced cyber identity threats. With WebAuthn support, OneLogin expands their portfolio of strong authenticator options and makes it simpler for users to choose an authenticator that works best with their primary device.

Arshad Noor, CTO, StrongKey

“We recognize that behavior change is no easy task. Our implementation of FIDO2 and the certification of our FIDO2 server enable us to provide the ease and convenience of WebAuthn to our customers and their users through a safer and more user-friendly alternative to passwords.”

StrongKey has been committed to providing the strongest possible level of encryption and authentication technology to keep data safe for almost two decades. With WebAuthn support, StrongKey delivers phishing-resistant authentication to their users.

Jai Dargan, VP Product Management, Thycotic

“We’re excited to be a part of the Works with YubiKey program, and work together to educate customers about the benefits of strong, hardware-backed MFA.”

Thycotic and Yubico share the same vision that security should be easy to use, even for large organizations with dispersed teams and hundreds of thousands of assets to protect.

Yubico offers free resources and tools for rapidly implementing WebAuthn into an app or service. Visit the Yubico For Developers page to get started. To experience WebAuthn first-hand, visit our WebAuthn demo site.

Learn more about WebAuthn by downloading the WebAuthn Solution Brief, or chatting with us at the Yubico booth (#417) at Identiverse on June 25-27, 2019.

Alex Yakubov

Yubico Announces YubiKey for Lightning Partner Preview Program

Today, Yubico is happy to announce the launch of our YubiKey for Lightning Partner Preview Program, the next phase of the YubiKey for Lightning Private Preview Program announced earlier this year.

This is an exciting step forward for both Yubico and the Works with YubiKey ecosystem. With the launch of the Partner Preview Program, our goal is to enable more web services and applications (relying parties) to improve the protection of customer accounts and the entire account lifecycle with cross-platform support.

The YubiKey for Lightning Partner Preview Program includes access to iOS and Android SDKs to allow organizations to unify the user experience across all mobile platforms. Partners will also receive access to a YubiKey 5Ci preview device (formerly the YubiKey for Lightning), for development and testing. The YubiKey 5Ci has both a USB-C and Lightning connector on one device and will be generally available later this year. As part of the multi-protocol YubiKey 5 Series, the YubiKey 5Ci gives developers the option of securing their iOS apps using the FIDO2, WebAuthn, U2F, OTP, PIV (smartcard) or OpenPGP protocols for passwordless or two-factor authentication.

YubiKey for Lightning participating partners

Since launching the initial YubiKey for Lightning Private Preview Program, several notable partners have been working with us to provide feedback on our iOS developer resources. We would like to extend a special thank you to those partners, including: 1Password, Brave Software, Dashlane, DoD PKI Purebred, Keeper Security, LastPass, Secmaker, XTN, and more.

We look forward to enabling a growing list of compatible services, providing out-of-the-box support for everyone’s favorite iOS applications when the YubiKey 5Ci becomes generally available later this year.

As Yubico extends hardware authentication capabilities to iOS, the YubiKey will be supported across all major platforms, allowing it to be the trust anchor for the rightful owner and serve as a portable root of trust across any computer or mobile device.

For developers interested in adding YubiKey support into their iOS mobile apps, we welcome you to apply for the YubiKey for Lightning Partner Preview Program here.

New YubiKey 5Ci demonstrations and previews of partner supported applications can also be seen at Identiverse this week, at the Yubico booth #417.

Jerrod Chong

5 Reasons to Upgrade Your Web Authentication to WebAuthn

Authentication has made significant progress over the past five years. It has matured beyond passwords with the introduction of a variety of two-factor authentication methods, and most recently, we have the advent of passwordless logins with WebAuthn, the new global standard for web authentication.

WebAuthn now sets a new bar for user authentication and is considered best in class for protecting user accounts. With support in all major browsers and platforms, WebAuthn offers the opportunity for services to easily offer a wide choice of strong authentication methods to users, including a passwordless experience. This consists of using security keys or built-in authenticators such as biometric readers.

To try the WebAuthn login experience, please take a look at our demo site, where you can register different authentication methods using WebAuthn.

For those curious about the additional benefits of passwordless login, we put together a list of five reasons to upgrade to WebAuthn authentication.

Widespread Accessibility

One of the key differentiators of WebAuthn is the widespread acceptance and adoption of the technology across major browsers, operating systems and devices. To date, Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple most recently announced WebAuthn support by default in Safari Technology Preview Release 83.

Additionally, the growing availability of built-in authenticators on computers and phones is providing users new options for authentication. As a service provider, this enables you to offer fast, convenient, and secure authentication options for all kinds of users, regardless of what kind of device or operating system they are using.

Improved Security for Customers & the Business

WebAuthn replaces weak password-based login and knowledge-based answer recovery with strong public key cryptography, and its origin checking prevents phishing: the browser records the origin the user actually visited, and the authenticator signs it, so a credential registered for one site cannot be used from a look-alike site. By making strong authentication with built-in and external hardware authenticators the baseline, users are protected from account takeovers. A recent study by Google reviewed more than 350,000 wide-scale and targeted attacks, and showed that security keys were the most effective at stopping account takeovers. Not only does the elimination of password-based login protect customers from the threats of credential theft and phishing, but it also relieves your organization of the vulnerabilities associated with storing and protecting millions of user credentials.

Improved Customer Experience & Brand Loyalty

The average US consumer tries to keep track of over 14 different passwords across all their websites and services. Business users are estimated to be responsible for memorizing and using an even greater number of passwords, reaching up to as many as 191. The sheer number of passwords required for daily digital activities inevitably results in forgotten passwords, password resets, or at the worst, account takeovers due to weak or reused passwords. As a result, passwords degrade customer experiences, reduce brand loyalty, and contribute to lost revenue.

Passwordless login with WebAuthn provides an experience that is faster and more secure than usernames and passwords, transforming the online user experience into the familiar split-second convenience of using an ATM card. WebAuthn also lets users without cellular access authenticate in situations where methods such as one-time codes sent by text message would not work.

Lower Operational Costs

When users forget their passwords, they often end up calling help desks or support centers, consuming valuable time from support staff. In fact, Gartner estimates that password reset inquiries account for 20 to 50 percent of all help desk calls, which can cost large companies between $5 million and $20 million annually.

WebAuthn frees support and IT departments, including service desks and call centers, from the operational overhead of creating, storing, cycling, and resetting passwords. It can also simplify user on-boarding. Given that password resets currently represent the number one IT support cost, passwordless login promises to significantly reduce workloads in IT call centers, where agents today spend considerable time setting and resetting user passwords.

Simple & Flexible Integration Options

WebAuthn introduces the option of strong single-factor, two-factor, or multi-factor authentication. With this expanded choice of authentication flows, developers adding WebAuthn support can select the authentication model that best suits their use cases and customers. This is especially useful for organizations that require a higher level of authentication security, or that prefer a layered approach (e.g. a PIN, biometric or gesture for additional protection) for certain in-app actions such as changing personal information or transferring a large sum of money.

WebAuthn is also backwards-compatible with FIDO U2F authenticators for the second-factor use case. This means that all previously certified FIDO U2F security keys, such as the YubiKey 4 or YubiKey NEO, will continue to work as a second factor in WebAuthn-enabled authentication flows.
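As an added illustration of the origin check described under Improved Security above and of the single-, two- and multi-factor choices and U2F compatibility described in this section (example code written for this page, not Yubico’s libraries), the relying-party checks below parse a constructed assertion: the browser-supplied origin and challenge in clientDataJSON, the rpIdHash, the UP/UV flags that decide whether a response can count only as a second factor (as from a legacy U2F key) or as passwordless MFA, and the signature counter. The RP ID, origins and sample responses are constructed, and verification of the signature against the credential’s registered public key is left to the caller.

```python
import base64
import hashlib
import json
import struct

# Flag bits of the authenticator data structure (WebAuthn Level 1, section 6.1).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric checked on the authenticator


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_client_data(client_data_json, expected_challenge, allowed_origins):
    """Check collectedClientData. The browser fills in 'origin' itself and the
    authenticator signs a hash of this JSON, so a look-alike domain cannot
    produce a response that passes here: this is WebAuthn's origin check."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        raise ValueError("type mismatch: expected an assertion (webauthn.get)")
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: replayed or foreign response")
    if data.get("origin") not in allowed_origins:
        raise ValueError("origin %r not allowed: possible phishing site" % data.get("origin"))
    return data


def parse_authenticator_data(auth_data):
    """Return (rpIdHash, flags, signCount) from the fixed 37-byte prefix."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return rp_id_hash, flags, sign_count


def classify_factor(flags):
    """Map the flags to the authentication model the response can support."""
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if flags & FLAG_UV:
        return "passwordless-mfa"  # possession + PIN/biometric on the authenticator
    return "second-factor"         # possession only, e.g. a legacy FIDO U2F key


def verify_assertion(rp_id, allowed_origins, expected_challenge, stored_count,
                     auth_data, client_data_json, require_uv):
    check_client_data(client_data_json, expected_challenge, allowed_origins)
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: response was made for another RP ID")
    model = classify_factor(flags)
    if require_uv and model != "passwordless-mfa":
        raise ValueError("user verification required but not performed")
    # A counter that stops increasing (and is not permanently 0) suggests a cloned key.
    if (sign_count != 0 or stored_count != 0) and sign_count <= stored_count:
        raise ValueError("signature counter did not increase: cloned authenticator?")
    # The authenticator signed authData || SHA-256(clientDataJSON). Verify that
    # signature with the credential's registered public key before trusting this.
    signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
    return {"model": model, "sign_count": sign_count, "signed_payload": signed}


def make_auth_data(rp_id, flags, sign_count):
    # Constructed sample authenticator data (not captured from a real key).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(challenge, origin):
    # Constructed sample clientDataJSON as a browser would produce it.
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin})


def run_scenarios():
    """Exercise the checks against typical good and bad responses."""
    rp, origin, challenge = "example.com", "https://example.com", bytes(range(32))
    good = make_client_data(challenge, origin)
    cases = {
        "key_with_pin":          (make_auth_data(rp, FLAG_UP | FLAG_UV, 42), good, True),
        "legacy_u2f_key":        (make_auth_data(rp, FLAG_UP, 42), good, False),
        "u2f_key_uv_required":   (make_auth_data(rp, FLAG_UP, 42), good, True),
        "phishing_origin":       (make_auth_data(rp, FLAG_UP | FLAG_UV, 42),
                                  make_client_data(challenge, "https://examp1e.com"), True),
        "replayed_challenge":    (make_auth_data(rp, FLAG_UP | FLAG_UV, 42),
                                  make_client_data(bytes(32), origin), True),
        "counter_went_backward": (make_auth_data(rp, FLAG_UP | FLAG_UV, 3), good, True),
    }
    results = {}
    for name, (auth_data, client_data, require_uv) in cases.items():
        try:
            result = verify_assertion(rp, {origin}, challenge, 41, auth_data, client_data, require_uv)
            results[name] = "accepted as " + result["model"]
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-22s %s" % (name, outcome))
```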


To learn more about the WebAuthn open standard and how it can benefit your organization, read our ‘Going Passwordless’ whitepaper. We also offer full development resources on our developer site to enable rapid WebAuthn implementations.

Stina Ehrensvard

WebAuthn wins support in Safari, Twitter, Coinbase and hundreds of more services

“And the winner is… WebAuthn!”

A few weeks ago at the European Identity Conference (EIC) in Munich, WebAuthn won the award for Best Future Technology and Standard Project. As a co-chair of the W3C WebAuthn working group and lead author of FIDO U2F/FIDO2, Yubico was invited to receive the award on behalf of all who collaborated on the standard.

John Fontana, co-chair of W3C WebAuthn WG and member of the Yubico open standards team, at EIC award ceremony

There is no doubt that the winning authentication standard is gaining momentum. Last week, Apple enabled default WebAuthn support on macOS in its Safari Technology Preview, while Twitter and Coinbase announced their upgrade from FIDO U2F to WebAuthn. At Yubico, our team is busier than ever supporting hundreds of services across the globe as they add support for the YubiKey, Security Keys and WebAuthn.

Initially deployed by all the leading internet companies, WebAuthn is now expanding across a wider range of industries, regions, and use cases, including the protection of electronic identities for European citizens, blockchain technology services and financial institutions, and we are excited to see it. One of the leading banks was encouraged to add support for WebAuthn after one of their customers approached them with the question, “How come authenticating to my Google and Facebook account is more secure than the service that holds my money?”

The FIDO U2F, FIDO2 and WebAuthn names can be confusing, but they are all part of the same standards initiative. The varying naming conventions are a result of the further development and expansion from the industry consortium FIDO Alliance (FIDO U2F and FIDO2) to the W3C web standards organization (WebAuthn). In March 2019, W3C approved the WebAuthn standard, which is built on, and backward compatible with, U2F.

We encourage all services to implement or migrate to WebAuthn so their end users have more choices from an ever-expanding list of browsers and authentication options, including one-factor, two-factor and passwordless login. With free open source servers and development resources available from Yubico and others, service providers are rapidly adding support for WebAuthn to stop phishing and radically cut support costs. Users enjoy safer and easier login with the growing options of built-in and external FIDO/WebAuthn authenticators, also known as security keys. This award-winning web authentication standard lets everyone win — except the fraudsters!


Ronnie Manning

YubiKey Summer Showcase: InfoSecurity, Gartner Security & Risk, Identiverse

We’re gearing up for a busy and exciting month here at Yubico. We have a full event schedule, a handful of speaking sessions on trending security topics, and we will be showcasing many of our Works with YubiKey partners. In other words, you won’t want to miss this.  

YubiStyle Covers

If you are looking to integrate the YubiKey into your application or service, please check out our Works with YubiKey program for all the details and how you can get involved.  

So, where will we be during the month of June? Here are all the places you can find us and our partners in the coming weeks — and don’t forget to pick up a YubiStyle cover when you see us.


InfoSecurity Europe, London — June 4-6, Booth #J120

Stop by Yubico booth #J120 at InfoSecurity Europe and catch our latest passwordless login demos. We will be demonstrating the multi-protocol authentication capabilities of the YubiKey and also an early look at our YubiKey for Lightning Private Preview device for iOS.

Several Works with YubiKey partners will also be at InfoSecurity Europe showcasing the benefits of YubiKey authentication. Curious how the YubiKey works with Duo (booth #F140), ManageEngine (booth #D80), OneLogin (booth #C225), Microsoft (booth #D220), Thycotic (booth #C230), and StrongKey (booth #M147)? Be sure to stop by their booths to find out.

“Yubico is a key player in the FIDO community and it’s exciting to partner with them to help promote a world without passwords.” — Jake Kiser, COO, StrongKey

“In an age where identity theft is on the rise and almost every data breach involves a compromised user account, strong authentication should be an organization’s first line of defense.” — ManageEngine

Gartner Security & Risk, National Harbor, MD — June 17-20, Booth #450

Visit us at booth #450 to talk all things cybersecurity and privacy. Once again, we’ll be demo-ing passwordless account logins using WebAuthn and the YubiKey.

Don’t miss Works with YubiKey integrations at our partner booths as well. Drop by and say hello: ForgeRock (booth #625), Thycotic (booth #651), Microsoft, and Okta (booth #629).

“Yubico provides a standardized way to balance usability and security. When using YubiKeys with ForgeRock’s out-of-the-box FIDO2 support, our joint customers get secure multi-factor authentication paired with an outstanding user experience.” — Ben Goodman, Senior Vice President, ForgeRock

Identiverse, Washington, D.C. — June 25-28, Booth #417

Stop by Yubico booth #417 for Yubico’s latest announcements and YubiKey demos during Identiverse. Several Yubico experts are also taking the stage at Identiverse to discuss everything from passwordless authentication to open standards and identity anchors.

  • Wednesday, June 26 | 2:00 – 2:15pm | Portable Root of Trust Explained
    In the Solutions Theater in the expo hall, Nick Charpentier, Solutions Engineer at Yubico, will discuss the concept of hardware authenticators as a portable root of trust to achieve a secure, ubiquitous experience across all devices.
  • Wednesday, June 26 | 5:35 – 6:00pm | Netflix’s Journey with WebAuthn
    Jerrod Chong, Chief Solutions Officer at Yubico, and Tejas Dharamshi, Senior Security Software Engineer at Netflix, will discuss Yubico and Netflix’s collaboration on a move to modern strong authentication with WebAuthn while maintaining a frictionless user experience.
  • Wednesday, June 26 | 4:25 – 4:50pm | Is Your 2FA Broken?
    John Bradley, Senior Solutions Architect at Yubico, will discuss various second-factor authentication techniques and how effective they are against advanced phishing threats.
  • Thursday, June 27 | 9:00 – 9:30am | Standards: The Bedrock of Identity
    John Bradley, Senior Solutions Architect at Yubico, will join a panel of standards experts on the keynote stage to discuss, debate, and provide insight into the world of open standards and how they may change our world in the next five years.
  • Thursday, June 27 | 4:25 – 4:50pm | Understanding Identity Trust Anchors
    Derek Hanson, Vice President of Solutions Architecture and Standards at Yubico, will discuss how identity attributes are managed, validated, secured and updated so that the systems and processes that are reliant on identity proofing have a solid foundation.

That’s not all. See what’s new with current and future Works with YubiKey integrations by stopping by any of our partner booths: Axiad IDS (booth #419), Microsoft (booth #303), Ping Identity (booth #601), ForgeRock (booth #411), Okta (booth #516), and OneLogin (booth #416).

“In today’s digital world, trusted identity requires that all the entities that interact with an organization be authenticated. Mobile and cloud identity solutions eliminate the need for organizations to choose between security, ease-of-use and ease-of-management.” — Yves Audebert, Chairman, President and Co-CEO, Axiad IDS

To stay up to date on these events, or to receive year-round updates on Yubico news, sign up for our newsletter and other mailing lists here.

Stina Ehrensvard

Yubico Expands Executive Team and Advisory Board

Today, I’m happy to announce the addition of two new members to Yubico’s Executive Team and one new board advisor. Jeff Kukowski joins us as Chief Revenue Officer, Bill Rule joins us as SVP of Global Supply Chain, and Chad Kinzelberg joins our advisory board. All three individuals bring years of expertise and proven track records in their respective fields to support Yubico’s growth.

The authentication industry is in a period of hypergrowth and Yubico is positioned at the forefront. With nearly 81% of breaches resulting from phished or stolen credentials, and password resets costing companies upwards of $12M a month, the need for strong, hardware-backed authentication is growing globally.

The new members of our leadership team are critical to the continued success of the company, delivering high-quality products for customers of all sizes and industries around the world, and doing it at scale. I am personally excited to see the YubiTeam growing with the addition of such great people and talent.

Jeff Kukowski, Chief Revenue Officer

Jeff joins Yubico from SecureAuth, where he served as CEO and Board Director. He has 30 years of experience building companies and category-leading solutions across all stages, industry verticals, geographies, technologies and cultures. He has helped scale companies from every stage, including start up, venture-funded to exit, private equity-backed, and public company turnarounds.

“Yubico solves one of the most critical problems in keeping people and companies safe from attackers in one of the most secure and easiest ways for users to do so. I am excited to contribute to our growth by helping our customers safely, easily and quickly accelerate their digital transformations.”


Bill Rule, SVP of Global Supply Chain

Bill has more than 20 years of experience in global supply chain and manufacturing at companies including HP, Aruba Networks, and Juniper. He also brings several years of running a manufacturing engineering consulting business working extensively with fast-paced companies, new product releases, and technical operations processes.

“I am very excited about the opportunity presented to me to be part of the Yubico Supply Chain team. I look forward to further enabling an already incredible team and contributing to the rapid growth environment at Yubico.”


Chad Kinzelberg, Board Advisor

Chad Kinzelberg joins us as a board advisor with invaluable business insights from his previous roles as CEO, CMO, and VC where he led a variety of companies in go-to-market strategies including IPOs and acquisitions.

Most notably, Chad directed the strategy and led business and corporate development efforts at Palo Alto Networks from pre-IPO to its status as the most valuable cybersecurity company in the world with a $24 billion market cap.

“I am genuinely excited to join the world class team at Yubico. An overwhelming majority of attacks rely on credential theft. Yubico addresses this problem better than any other vendor with a robust, easy to use solution. Every business and individual will be safer when they are using YubiKeys.”

The Yubico team will continue to grow in 2019. If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Stina Ehrensvard

The YubiKey as the WebAuthn Root of Trust

The new web authentication standard, WebAuthn, which was recently announced by W3C, is rapidly gaining adoption by leading platforms and services. WebAuthn is an evolution of the FIDO U2F standard, spearheaded by Yubico and Google, and successfully deployed since 2014 by millions of users with YubiKey security keys. Yubico helped to create WebAuthn to extend the standard beyond external security keys to include new built-in fingerprint readers and facial recognition technologies. Having these choices is important to drive widespread support for simple, strong and passwordless authentication methods.

In this new authentication landscape, an external security key, such as the YubiKey, takes on the important role of a root of trust. As users move between different platforms and computing devices, having this portable root of trust is essential for enabling rapid bootstrapping on new devices and for recovering when devices are lost, stolen or replaced.

Below is a roundup of some of the best use cases for an external hardware-based authenticator:

  • Device Loss, Theft, or Compromise — In the case that a phone or computer is lost, stolen or replaced, the YubiKey can be used as an easy method to re-establish trust with online accounts and re-register the internal authenticator on a new device. Because the user’s credential on an external root of trust like the YubiKey cannot be tampered with, a high degree of trust can be transferred from device to device, establishing each of them as a trusted entity and thereby protecting the account.
  • Multi-Device Access — In today’s digital age, users rarely work from a single device or platform. It’s common to move from a mobile device to desktop, laptop, or tablet, and even between personal and work devices. Having a portable external authenticator that can work across computing devices makes these transitions seamless. With options to connect via NFC, USB-A, USB-C, and soon Lightning, the YubiKey meets the needs of every internet user.
  • Mobile-Restricted Environments — Not all work environments allow employees or contractors to have a mobile phone. Call centers, manufacturing floors, and remote locations are some of the environments where a hardware authenticator is a preferred solution.
  • High Security Applications — Without ties to the internet or a multi-purpose chip or computing device, the attack surface of an external hardware authenticator is naturally much smaller. There are certain scenarios where services may choose to require step-up authentication to complete a high-risk action, such as transferring a large sum of money between bank accounts, or updating an address. The YubiKey can be used as an additional form of validation to quickly re-verify the user before the action is taken.
  • Uninterrupted Access — We designed the YubiKey to provide optimal levels of durability. It is crush and water resistant and does not require batteries, so it eliminates the chance of the device being uncharged.
  • Integration with Legacy Systems — Most enterprises use a variety of systems, platforms, and devices, and not all of these support newer authentication standards such as FIDO and WebAuthn. Also, for use cases that require a corporate credential for computer login and remote access, digital signatures for code signing, key escrow for email encryption, or privileged access to older operating environments, the YubiKey’s multi-protocol functionality helps address a wider range of enterprise security needs.
  • Authentication Backup — Regardless of how users are securing their accounts, it is always a best practice to have a backup method in case the primary method of authentication is lost, stolen, broken, or inaccessible. The YubiKey is an affordable, simple option that users can carry on their keychain, tuck into a wallet, or store in a safe place for convenient access at any time.

With a growing list of strong authentication options supported by WebAuthn, and the ability to solve use cases across device types, operating systems and services, now is the time for companies to add WebAuthn to their services. Developers can take advantage of Yubico’s developer resources to extend user authentication options. To try out the WebAuthn authentication experience, please visit the Yubico WebAuthn demo site.

There are more than 3 billion people in the world connected to the internet who need — and deserve — a better, more secure experience. Let’s work together toward making the internet a safer place for everyone!

Alex Yakubov

YubiHSM 2 Now Compatible with EJBCA from PrimeKey

The YubiHSM 2, the world’s smallest hardware security module from Yubico, is now compatible with EJBCA software for a range of public key infrastructure (PKI) use cases. Available for all YubiHSM 2.1 and newer devices, Yubico’s updated Setup Tool, which adds support for PrimeKey EJBCA, is accessible in our latest YubiHSM 2 open source software development kit (SDK).

When it comes to maintaining your customers’ trust, it’s imperative to protect against data theft and compromise, and hardware security modules (HSMs) are table stakes. Traditionally, this has meant dedicating an entire rack—or more—in the server room.

Enter the YubiHSM 2. These thumbnail-sized hardware devices deliver enhanced protection for cryptographic keys, are more affordable than traditional HSMs ($650 MSRP), require very low power, are ultra-portable, and plug into any USB-A port—minimizing space requirements for deployment. The sheer size and cost alone open up incredible new use cases. Imagine an autonomous vehicle with its own YubiHSM 2—no need to compromise on trunk space.

“The priorities for us in developing PrimeKey’s EJBCA have always been flexibility and the ability to support different use cases. With the YubiHSM 2, we enable a cost efficient and portable HSM alternative that simplifies the process to secure your CA keys,” said Chris Job, Team Leader, PrimeKey Professional Services.

With our latest YubiHSM 2 open source SDK, and support for PrimeKey EJBCA, YubiHSM 2 users can leverage PrimeKey and Yubico open source software and tools for implementing PKI. Collaborating with PrimeKey and adding support for PrimeKey EJBCA on the YubiHSM 2 further delivers Yubico technology to organizations where open source is preferred or even required. The YubiHSM 2 now supports two certificate authorities—Microsoft Windows CA and PrimeKey EJBCA—offering greater flexibility to those looking to secure an organization’s most important data with an HSM.

Interested in learning more?

Licensing Information

The YubiHSM 2 SDK is intended for use in development and production environments in conjunction with YubiHSM 2, pursuant to Yubico’s terms and conditions of sale and license. By downloading and installing the SDK you agree to the terms of this license. The released SDK source code is licensed under the Apache 2.0 license. Third party software included in the YubiHSM 2 SDK, and their respective licenses, are listed in the licenses directory inside the SDK package.

Derek Hanson

Yubico Login for Windows Application Now Available in Public Preview

Every day, YubiKey users are protecting access to their data in cloud services like Gmail, Dropbox, and password managers, but these very same people also need to protect access to desktop and laptop computers as well. Thanks to the multi-protocol capabilities of the YubiKey, they can. The YubiKey can be used to log in to Linux, Mac, or Windows machines.

One of the more popular use cases we hear about is logging into Windows machines, which is why we designed the Yubico Login for Windows Application. The tool provides a simple and secure method for YubiKey users to secure access to their Windows computers. Today, we are opening the public preview program for the application.

Yubico Login for Windows Application

The Yubico Login for Windows Application will deliver a simplified configuration experience, enabling users to help protect their computers with a YubiKey. In addition, this application will enable new core features such as enrollment for backup YubiKeys and lost YubiKey recovery mechanisms.

These features make this application the most robust authentication tool that Yubico has provided for standalone Windows computers.

The preview program gives participants the ability to download the new Yubico Login for Windows Application, test the application, and provide feedback on the experience. This is your chance to influence the features prior to the upcoming official release.

The Yubico Login for Windows Application is best suited for:

Individuals that have local accounts on Windows 7, Windows 8.1 or Windows 10 computers.

Individuals or organizations that prefer local accounts created on their computers in order to keep sensitive information localized as opposed to taking advantage of a more connected Windows 10 experience (such as using Outlook.com, OneDrive, Live.com, Hotmail.com etc.).

Organizations that have a mix of Windows 7 and Windows 10 computers and do not use Azure Active Directory or Active Directory.

The Yubico Login for Windows Application is not ideally suited for:

Users who typically log into Windows computers with a Microsoft Account (e.g. username@outlook.com, username@hotmail.com, username@live.com, etc.).

Users who utilize the following sign-in options for their local account: Windows Hello (face, fingerprint, or iris), PIN, or picture password.

If you are interested in joining the public preview program for Yubico Login for Windows Application please sign up here. The preview offering and a configuration guide will be made available after sign-up.

Stina Ehrensvard

A Big Day for the Internet: W3C Standardizes WebAuthn

Today’s standardization of WebAuthn by the World Wide Web Consortium (W3C) marks a milestone in the history of open authentication standards and internet security, and Yubico is excited to be a part of it. Through close collaboration with the global internet standards community and the internet giants, Google and Microsoft, we achieved the near-impossible: the creation of a global standard for web authentication that is on track to be supported by all platforms and browsers.

With much of our personal and business lives now online, the need for stronger security has never been more important to protect our digital identities. With WebAuthn, we are addressing the problem behind the vast majority of security breaches — account takeovers due to stolen online credentials.

We have invested considerable time from our engineering staff in the development of this new standard, including being one of nine Specification Editors, being one of two co-chairs for the W3C WebAuthn group, and having six working group members. When I asked one of our engineers from this group how he liked his job, he responded, “It’s one of the most interesting and scary projects I’ve ever had. We are writing code that will impact the internet security of billions of people, so we feel the responsibility to get this right!”

From start to finish, the WebAuthn spec development has been more than a three-year process, but for Yubico, this is a culmination of more than a decade of innovation and seven years of standards work. Starting first with FIDO U2F, then FIDO2 and now WebAuthn, these standards are a natural evolution built upon each other to bring together new important security capabilities for the modern web:

Driverless, one-touch authentication with a single authenticator that can be used across any number of services with no shared secrets.

Public key cryptography to defend against phishing and man-in-the-middle attacks at scale.

Single-factor, multi-factor and passwordless authentication for web and mobile applications.

WebAuthn recognizes the importance of security keys as well as platform authenticators, such as built-in biometric sensors, by embracing broad support for a choice of authentication devices and modalities. Yubico supports this approach because it fosters widespread adoption of stronger authentication. We contributed to this standard to help as many people as possible stay safe online. Moving forward, the YubiKey will be valued as a high-privacy, high-security authentication choice. In addition, it will take on the important role of the Root of Trust, enabling seamless bootstrapping to new devices and rapid recovery from lost and stolen devices when built-in authenticators are not enabled or no longer accessible.

Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple Safari is actively testing the API. Additionally, Microsoft Accounts and Dropbox have WebAuthn support. Many more online services will soon follow.

Since FIDO U2F was first launched in Gmail in 2014, Yubico has provided free open source code, and guided the vast majority of online services integrating the standard. We continue this work with WebAuthn. Developers and online services can rapidly add support, including “upgrading” from an existing U2F deployment, by signing up to join the Yubico Developer Program to be informed on the latest reference documentation, testing tools and open source servers.

Individuals and companies who want easy, secure access to their daily online accounts — including those in financial, healthcare, and government services — can accelerate adoption by requesting support for YubiKey and WebAuthn. WebAuthn works with all existing U2F and FIDO2 YubiKeys.

WebAuthn standardization is the foundation for the first-ever web authentication standard designed with scalable public key cryptography and phishing protections, and we can now all help to make the internet safer for everyone.

Want to see WebAuthn in action? Stop by the Yubico booth this week at RSA (#S2162), Scale17x (#519), or Gartner IAM Summit Europe (#S12).

Ronnie Manning

Yubico Releases the 2019 State of Password and Authentication Security Behaviors Report

In conjunction with Data Privacy Day, Yubico is releasing today new research in a report entitled, The 2019 State of Password and Authentication Security Behaviors Report, conducted by Ponemon Institute. The findings reveal that despite a growing understanding of security best practices, user behavior is still falling short. The problem? Passwords continue to trip up users and compromise security and many users are not taking advantage of stronger two-factor authentication solutions that are available.

The annual Data Privacy Day initiative, led by the National Cyber Security Alliance (NCSA), has grown in popularity each year — and with good reason. Massive data breaches like the recent Collection #1 continue to happen. With nearly 773 million records exposed, including email addresses and passwords, Collection #1 is one of the largest breaches to date; and yet, are individuals taking the actions needed to protect their online accounts? According to the report findings, it appears not.

Are we becoming more security-minded, and better yet, are we following best practices? Some of the most interesting stats revealed that:

2 out of 3 (69%) respondents share passwords with colleagues to access accounts

51 percent of respondents reuse passwords across business and personal accounts

57 percent of respondents who have experienced a phishing attack have not changed their password behaviors

67 percent of respondents do not use any form of two-factor authentication in their personal life and 55 percent of respondents do not use it at work

57 percent of respondents expressed a preference for a login method that does not involve the use of passwords

Beyond the above listed highlights, the full 2019 State of Password and Authentication Security Behaviors Report delivers further data on the following topics:

How privacy and security concerns affect personal password practices

Risky password practices in the workplace

Authentication and account security in organizations

Differences in password practices and authentication security behaviors by age

Differences in password practices and authentication security behaviors by country (Germany, France, UK, USA)

To read more of the research highlights, please check out our infographic below or download our full research report here.

Stina Ehrensvard

Yubico Expands Executive Team with Addition of Guido Appenzeller, Chief Product Officer

Happy New Year from Yubico! We are very excited for the upcoming year and 2019 has already kicked off with two new product announcements at CES, and now we’re expanding the Yubico family.

As of two weeks ago, we added another member to our executive team: Guido Appenzeller. Guido joins us as the Chief Product Officer of Yubico to focus on product development and strategy, a critical role in the company’s continued innovation and success in making strong authentication truly ubiquitous. Previously, he served as CTO of VMware, Consulting Professor at Stanford, and the founder of two start-ups.

Please join me in welcoming Guido into the YubiFamily. To learn a little more about Guido here is an excerpt from a recent interview between Ronnie Manning, our VP of Communications, and Guido.

From founding two different start-ups to working as CTO for VMware, you have had experience with both large and small companies. While each phase of company growth presents its own set of challenges, which growth phase would you say you enjoy the most and why?
Both have been incredible experiences. I love small companies because of their agility and speed. You spot a new opportunity and with a good team you can have a product in the market months later. On the other hand, being an executive in a large company puts huge resources at your disposal. At VMware, we entered new markets by buying the market leader and then accelerating it with an enterprise sales team of several thousand people. In the end for me, it boils down to where I can have more overall impact and usually that is in a smaller company.

What’s the single biggest lesson you’ve learned in your career about successfully growing a company, and how do you plan to bring that to your role at Yubico? 
The two most important things about growing a company are the market and the team. Yubico is in a great market and solving a key problem: how to make the internet secure. Stina, Jakob and the team have done a great job creating a culture that focuses on security while at the same time emphasizing a fun user experience. That’s actually pretty rare for a security company. My goal is to keep this culture while building the lightweight process that’s needed to take Yubico through the next phases of its growth.

You have a long history of leading companies through successful growth periods. In an ideal world, how do you envision Yubico’s growth to unfold over the next 1-5 years?
The short-term opportunity for Yubico is to replace passwords as the main authentication method on the internet. This is a huge shift. It would all but eliminate phishing while actually improving usability. But this is just scratching the surface. Having inexpensive hardware with advanced cryptographic functionality opens up new applications for payments, messaging security, IoT security and secure infrastructure. Long term, these are the areas that excite me most.

What are the most exciting and daunting aspects of working in the cybersecurity industry?
Security is often an afterthought. We have a rich history in the technology industry of first building systems where we ignore security, then recognizing our error and eventually bolting on a security solution that is awkward to use and difficult to understand. I think what initially got me excited about the YubiKey is that it is one of the very few security products that is easy to understand and that end users actually love to use.

When you’re not busy tackling the roles and responsibilities of a Chief Product Officer, what are you most likely to be doing?
I love the outdoors and like exploring the world on foot, scuba diving or behind the controls of a small airplane that I have flown all the way from California to the Caribbean. I am an avid gamer with my kids or alone, and recently have been spending more and more time in Virtual Reality.

The Yubico team will continue to grow in 2019. If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Ronnie Manning

Yubico Launches the Security Key NFC and a Private Preview of the YubiKey for Lightning at CES 2019

Hello from Las Vegas. Today, we have some exciting news for you that’s coming straight from the CES show floor. We are introducing two new device form factors: our latest next-generation security key, Security Key NFC by Yubico, and a private preview of our YubiKey for Lightning. We are giving live demos of both of these keys at the CES Yubico booth (#312).

The Security Key NFC

The Security Key NFC is our newest addition to our distinctive blue Security Key Series, offering USB-A and NFC (near-field communication) for tap-and-go authentication over the FIDO U2F and FIDO2/WebAuthn protocols on computers and supported mobile devices (like an Android phone or an NFC reader attached to a Windows 10 computer). With the option of multiple communication methods, this one key is able to deliver a simple and seamless user experience across multiple devices for strong multi-factor, two-factor (2FA), and single-factor passwordless authentication.

Today, the Security Key NFC works out of the box with hundreds of services already supporting FIDO U2F and FIDO2 authentication protocols, including Microsoft (for passwordless login), Google, Facebook, Twitter, Dropbox, a growing list of password managers, and many more FIDO2 and U2F compatible websites. And as the latest hardware authenticator from Yubico, it’s built to last. It’s made in the USA and Sweden with reinforced fiberglass that is hermetically sealed and injection molded into a monolithic block, delivering exceptional physical durability.

The Security Key NFC by Yubico is available beginning today for $27 at the Yubico online store.

YubiKey for Lightning — Private Preview

If you are a Yubico follower, you’ve probably heard that Yubico’s goal is to make strong, simple authentication truly ubiquitous, across all services, devices, and operating systems. Historically iOS has presented some challenges to achieving that mission, which is why we’re extremely excited to announce a private preview of our newest YubiKey for Lightning.

YubiKey for Lightning

The YubiKey for Lightning is a multi-protocol hardware authenticator designed with both USB-C and Lightning connectors. By supporting the two most common connectors for Macs and iPhones, the new YubiKey for Lightning is designed to provide seamless authentication across compatible desktop and mobile devices.

We are also formally launching the YubiKey for Lightning Program as an extension of our Lightning Project announced in August 2018. If you are a developer or service that would like to support strong hardware authentication on iOS, we invite you to work with us by applying to participate in the YubiKey for Lightning Program. Selected participants will have access to the private preview of YubiKey for Lightning and also the Yubico Mobile iOS SDK for Lightning.

Today the YubiKey for Lightning is in private preview to selected participants in the YubiKey for Lightning Program, with general availability still to be announced.


Stina Ehrensvard

2018: A Year in Review for Yubico

2018 was an awesome year for Yubico. It was full of new product launches, business milestones, a growing team of super stars, and industry-leading innovations. It’s hard to believe that all of that happened in just one year, but it’s amazing to see how much can be accomplished together when we focus on our mission of making security available for all.  

Over the years, I’ve also learned that it’s necessary to reflect on all of these accomplishments as an entrepreneur, a CEO, or an employee. This time of pause allows us to evaluate the lessons learned, set new goals, and carefully build upon the work we’ve already done. So, as we cross into 2019, here’s a quick look back at some of Yubico’s finest moments of 2018.

We invested a significant amount of time and resources into product innovation and released several major new products, all of them being the first of their kind on the market.

The YubiKey 5 Series

The Security Key by Yubico is the first-ever security key to support FIDO2 and WebAuthn, the new global authentication standards for passwordless logins, to which Yubico is also the leading contributor.

The YubiKey 5 Series is the first-ever multi-protocol security key series to support FIDO2 and WebAuthn.

The YubiKey FIPS Series is the first-ever multi-protocol FIPS 140-2 validated security key series.

A major part of the Yubico mission is spent on working with the larger internet ecosystem, providing them with the insight and resources they need to be successful in protecting their users’ data and privacy. As a result, several major services and leading platforms and browsers have added support for FIDO2, WebAuthn, and YubiKey strong authentication.

Twitter adds support for FIDO U2F authentication with a YubiKey.

AWS Identity and Access Management adds support for FIDO U2F authentication with a YubiKey.

LastPass is the first iOS app to add support for strong YubiKey authentication via NFC.

Microsoft Accounts adds support for YubiKey and FIDO2 to allow users to log in to their accounts without a username and password.

Additional browser support continues for WebAuthn from Chrome, Firefox, Edge, and Safari.

The developer community is core to what we do here at Yubico, and while we’ve offered free and open source code since our launch in 2008, this year we created dedicated resources to expand our offerings.

Mobile SDK for iOS enables YubiKey authentication on the iPhone

The Yubico Developer Program is the first source for developers to gain access to YubiKey integration resources such as webinars, SDKs, implementation guides, and more.

Yubico launches the official Works with YubiKey Program to further guide and promote service providers’ YubiKey integrations.

The Mobile SDK for iOS was released to allow any iOS mobile app to rapidly add support for hardware-based two-factor authentication using YubiKey OTP over NFC.

The Yubico Lightning Project was announced, extending the capabilities of the Yubico Mobile SDK for iOS to support FIDO U2F and FIDO2 authentication over a Lightning connection.

The YubiHSM open source SDK was released to allow developers to integrate with the YubiHSM 2 and enable its security capabilities for greater protection of cryptographic key material.

Last but not least, we continued to grow Yubico as a trusted leader in strong authentication with new financial investments and the addition of new talent across the globe.

The Yubico team reached 160 people, representing 25 different nationalities, and based in eight countries: Sweden, USA, Germany, UK, Chile, Singapore, Australia and Japan.

Yubico received investment from top-tier investor Andreessen Horowitz (a16z) in support of our mission to create a safer internet at scale. Martin Casado, general partner for a16z, also joined the Yubico board of directors.

2018 was incredible, and we plan to top it with what’s to come in 2019! Be the first to know about new products and more by signing up for our mailing list.

Ronnie Manning

Password-less Login with the YubiKey 5 Comes to Microsoft Accounts

We’ve done it! Together, with Microsoft, we’ve officially made it possible for hundreds of millions of Microsoft users around the world to log in without a password on their personal Microsoft accounts (MSA), with a YubiKey 5 or Security Key by Yubico.

With the latest update to Windows 10 (version 1809) and existing native support in Edge, all consumer Microsoft accounts now support password-less login via FIDO2/WebAuthn. Yes, no passwords.

With a Microsoft account and the YubiKey, you can quickly and securely log in (and automatically single-sign-on) to all of these Microsoft services on Edge:


That’s one login, zero passwords, and effortless access to your most loved Microsoft services.
Let’s just take a moment for that to sink in.

Today’s announcement from Microsoft is a landmark in the history of authentication. The first driverless, one-touch authentication USB device was launched in 2008, in the form of the original one-time password (OTP) YubiKey. To improve protection against phishing and advanced attacks, and make it work with any number of services with no shared secrets, Yubico co-created U2F with Google, which was later contributed to the FIDO Alliance.

To remove the need for a username and long complicated passwords, we worked with Microsoft and the FIDO Alliance to evolve U2F into FIDO2 for password-less login. We say thank you to everyone who has been part of making this a reality.

“Password-less sign-in is a transformational change to how business users and consumers access devices and applications. It combines industry-best ease of use and security to create an experience people are going to love and hackers are going to hate,” said Alex Simons, Corporate Vice President, Microsoft Identity Division. “FIDO2 is a key part of Microsoft’s push to eliminate passwords and devices like the YubiKey 5 are a great example of how we’re working with partners to make this transformation a reality.”

How To Register A YubiKey with Your Microsoft Account

To take advantage of this new, advanced security feature, you will need to simply register your FIDO2-enabled YubiKey 5 Series or Security Key by Yubico with your Microsoft account. This feature is available on any Windows PC with the Windows 10 version 1809 update and Microsoft Edge installed.

You have the option to do so either by USB-A or USB-C port (YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, YubiKey 5C Nano, Security Key by Yubico) or by NFC (near-field communication) wireless connection (YubiKey 5 NFC).

  1. To begin, launch Microsoft Edge on the latest Windows 10 update (version 1809), visit the Microsoft account page, and sign in as you normally would. Click Security > More security options and select Set up a security key.
  2. Identify what type of YubiKey you have (USB or NFC) and select Next.
  3. You will be redirected to the setup experience, where you will insert or tap your YubiKey 5 or Security Key. This action generates a unique public-private key pair between your YubiKey and your Microsoft account; only the YubiKey stores the private key, and it never leaves your device. The public key is stored with the Microsoft service so that it can verify your subsequent authentications.
  4. You will then be prompted to set a unique PIN to protect your key. This PIN is stored locally on the YubiKey—not with Microsoft accounts.
  5. Complete the follow-up action by touching the YubiKey’s gold sensor.
  6. Name your security key so that you can distinguish it from other keys (we always recommend setting up an additional YubiKey as a backup).
  7. Sign out and open Microsoft Edge, select use security key instead, and sign in by inserting or tapping your key and entering your PIN.

That’s it! You have successfully replaced your Microsoft account password with strong, hardware-based authentication that uses public key cryptography to protect against phishing and man-in-the-middle attacks. For more details, visit yubico.com/go-password-less/microsoft, and if you want to see more, check out our fun promo videos here and here!

Authenticating Beyond Your Microsoft Account

In addition to FIDO2, the YubiKey 5 series supports: FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response. This means the same device that you use to protect your Microsoft account can be used to protect your password manager, social media accounts, and your logins to hundreds of services. Check out the Works with YubiKey catalog to discover other services that support the YubiKey.

Alex Yakubov

The Modern Workplace Journey: Experience MFA Everywhere with PingID and the YubiKey

One of the most frequent questions I’m asked to talk about is what sets the YubiKey apart from other security keys. At Yubico, we pride ourselves on making the highest quality, most durable and innovative authentication devices on the market, including the first-ever multi-protocol security keys which combine FIDO2, U2F, one-time password (OATH-HOTP and OATH-TOTP), PIV-compatible smart card, and OpenPGP in one authenticator. This multi-protocol support is a critical feature for organizations in the process of modernizing strong authentication for everything that employees, vendors, and users access on a daily basis, as one single YubiKey can meet varying authentication needs.

The journey to modernizing authentication also often starts with finding the right Identity Access Management (IAM) solution, which is why Ping Identity, the leader in Identity Defined Security solutions, is a critical member of the Yubico Ecosystem. Yubico is excited to work with Ping Identity to strengthen the authentication choices for PingID customers.

Starting today, current and prospective PingID customers considering a YubiKey implementation are invited to learn more about our joint solution through Ping Identity’s YubiKey Experience Pack initiative. A co-branded experience pack will be available to PingID customers as a special complimentary offer designed for admins to experience the many benefits of our joint solution. Each pack features two (2) of our latest YubiKey 5 Series devices and a PingID Quick Start Guide. The YubiKey 5 Series supports two-factor, multi-factor and passwordless authentication, so as the future of authentication progresses toward passwordless logins, PingID customers will be equipped with an authentication device that can do it all.

Setting up YubiKey authentication with PingID is easy. Users can self-register the YubiKey with their PingID account without needing additional software or drivers.

“Ping Identity is committed to providing the most secure multi-factor authentication experience and emerging authentication standards for its customers,” stated Monica Hamilton, Head of Technology Alliances and Business Development at Ping Identity. “By working with Yubico, we are able to provide secure login options with a hardware device for added user convenience, especially in scenarios where a mobile phone cannot be utilized or is not preferred.”

Yubico is also thrilled to be one of Ping Identity’s Global Sponsors for IDENTIFY 2018. Today, we’re kicking off IDENTIFY San Francisco, and November 7 marks the third and final event in the series, IDENTIFY New York. Stop by our kiosk and chat with us about your journey to modernizing the workplace. Still need a ticket to IDENTIFY 2018? Use code YUB524 in the online registration portal for a complimentary pass courtesy of Yubico. Qualifying customers can request the YubiKey Experience Pack for PingID customers by contacting sales@pingidentity.com while supplies last! Learn more about how Yubico and Ping Identity work together.

Jerrod Chong

Introducing the YubiKey 5 Series with New NFC and FIDO2 Passwordless Features

Today, we are announcing some exciting news that we know you’ve all been waiting for. The 5th generation YubiKey has arrived!

Our new YubiKey 5 Series comprises four multi-protocol security keys, including two much anticipated new features: FIDO2 / WebAuthn and NFC (near field communication).

The YubiKey 5 Series is the industry’s first set of multi-protocol security keys to support FIDO2 / WebAuthn, the open authentication standard that Yubico helped to pioneer, along with Microsoft and others. All leading platforms and browsers have either shipped support or are engaged in this standards work, expanding authentication choices using authentication devices, such as a YubiKey, with or without a username and password. Each key in the YubiKey 5 series supports: FIDO2 / WebAuthn, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response.

With the new YubiKey 5 series, Yubico provides a solution that not only works for today’s authentication scenarios, but into tomorrow’s, helping to bridge the gap from existing solutions to a future of passwordless login. Users will receive the same trusted security, ease of use, and durability expected from a YubiKey, but will now have the added option of passwordless logins using FIDO2:

Authentication options with the YubiKey 5 Series.

 

Single-Factor Authentication (Passwordless) with the YubiKey 5 Series – The YubiKey 5 security keys can be used alone for strong single-factor authentication, requiring no username or password to log in — just tap or touch to authenticate.

Second-Factor Authentication with the YubiKey 5 Series – Used alongside a username and password, the YubiKey 5 series offers a strong second factor of authentication. This is the YubiKey integration that exists today with services like Google, Twitter, and Facebook, and it is most familiar to our users.

Multi-Factor Authentication (Passwordless + PIN + Touch) with the YubiKey 5 Series – The YubiKey 5 series can be used in conjunction with a PIN for user verification. In this case, the PIN unlocks the device locally and touch is still required for the YubiKey to perform the authentication.

 

With this expanded choice of authentication modes, developers choosing to add support for the YubiKey will have the option to choose the authentication model that best suits their use cases and customers. Implementation resources for all of the YubiKey-supported protocols can be found on the Yubico Developer website or through the Yubico Developer Program mailing list.

Another much anticipated feature added with the YubiKey 5 series is NFC, available on the YubiKey 5 NFC device, allowing for a seamless and secure tap-and-go experience with mobile devices or external NFC readers.

YubiKey 5 NFC

Combining the security and usability features of FIDO2 passwordless authentication and tap-and-go NFC provides an optimal user experience, and drastically improves security and productivity. This is especially beneficial in fast-paced, dispersed working environments within sectors such as financial services, healthcare, and retail point-of-sale (POS). FIDO2 is the first open standard authentication protocol that can take tap-and-go authentication to the masses.

The YubiKey 5 Series includes: YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, and YubiKey 5C Nano. To determine the key that is best for you, please reference the online comparison chart, or take our YubiKey quiz!

Beginning today, YubiKey 5 Series security keys are available for purchase exclusively at Yubico.com. Shop our store, and be one of the first to own a YubiKey 5!

Jerrod Chong

Yubico Extends Mobile SDK for iOS to Lightning

Earlier this year, Yubico announced a Mobile SDK for iOS to enable Yubico OTP authentication over NFC on iPhones. Today, we are pleased to announce that we are extending the Yubico Mobile SDK to enable rapid implementation of FIDO U2F over a Lightning connection for iOS apps. We invite developers to join the Yubico Lightning Project to work with us to broaden authentication options for iOS applications.

The reality is, overall usage of mobile devices is on the rise. In fact, 79% of internet use is predicted to be on mobile by the end of 2018. Yubico’s goal has always been to make strong, simple online security truly ubiquitous, regardless of service, device, and/or operating system. However, making a hardware authenticator, such as the YubiKey, work in a secure and seamless way with iOS has been a challenge for us and the rest of the industry over the past few years.

We have researched and prototyped various iOS solutions and believe that NFC (near field communication) and USB are optimal communications transports for external authenticators because of security and usability. While it’s always possible that Apple may further open up support for NFC or USB interfaces in the future, this is currently limited or not accessible on today’s iOS devices.

The Yubico Lightning Project is designed to address these issues, with rollout in several phases. Phase one introduces our extended Mobile SDK for iOS, which enables developers to add U2F authentication to iOS apps via a lightning connection. This approach enables apps and services to have out-of-the-box U2F support. Following phases will be communicated in the future.

“Our customers love the security and ease of use of U2F Yubico security keys on their Keeper desktop and web app. Providing this ability to all users on their iPhone and Android devices is an amazing and exciting capability we’ll be ready to deploy as soon as it becomes available,” said Craig Lurey, CTO and Co-Founder of Keeper Security.

“Multi-factor authentication is a must for all organizations, helping to mitigate credential-based attacks and ensuring only the right people have access to the information they need to do their work. By working with companies like Yubico alongside our own MFA offering, we’re able to continue to provide organizations with options for simple, seamless ways to layer security on all of the devices the modern workforce is using today,” said Joe Diamond, Sr. Director of Security Product Marketing, at Okta.

Developers who are interested in taking advantage of strong U2F authentication for iOS apps are invited to sign up here to receive more information about the Lightning Project. We also encourage you to sign up for the Yubico Developer Program mailing list to stay updated on new developer resources as they become available.

Ronnie Manning

Let’s Meet! Catch YubiKey Demos, Developer Resources & More at Black Hat

This week, we’re headed to Las Vegas for none other than the Black Hat Expo, and we’ll be showcasing all kinds of YubiKey goodness. We’ll be at booth #463, so if you’re there stop by to say hello.

Here’s a taste of what you can expect:

Passwordless Login Demos

If you’ve been keeping up with us and the authentication space, you’ll know that a passwordless future is here thanks to the introduction of the new FIDO2 open standard.

Yubico is a core contributor to this standard, and we’ve got a device that can deliver on the passwordless login experience — the Security Key by Yubico. And you guessed it, we’ll be demoing a tap-and-go login flow (no passwords needed) at Black Hat on an Azure Active Directory environment with the Security Key by Yubico. Catch a sneak peek!

New Developer Resources

We’ve been hard at work on our recently launched Yubico Developer Program, and we’re happy to share some of our latest resources with you at BlackHat.

One of our hottest new offerings is our Mobile SDK for iOS. In case you missed it, LastPass leveraged our Mobile SDK for iOS to enable the YubiKey NEO to authenticate to the LastPass iOS app via NFC (we’ll have demos at the booth). The Mobile SDK for iOS is hosted on our developer site and open for all developers to use.

If you haven’t heard about our Developer Program, sign up for our mailing list and we’ll keep you in the loop on what’s new.


Featured YubiKey Integrations

Here at Yubico, we like to say, “The YubiKey works with many, many locks.” We’ve built so much power, security, and usability into one little device, and those features are built upon by all of the services and applications that support the YubiKey.

That’s why we love our technology partners so much. Keep your eyes peeled and see if you can spot the “Works with YubiKey” standees when you’re walking the show floor.

Several of our partners will have these featured at their booths and will be giving demos of their own YubiKey integrations.

 

If any of this sounds interesting, or even if you’d just like to meet the people behind the key, please come say hi. We’re at booth #463, and we’d love to meet you and talk all things YubiKey.

Jerrod Chong

One Step Closer to Passwordless Login with Microsoft Edge Support for FIDO2 & WebAuthn

The industry moved one step closer to passwordless login with this week’s Microsoft announcement that starting with Microsoft Edge build 17723, the browser will support FIDO2 strong first-factor and multifactor passwordless login, and second-factor authentication.

Now, with Chrome, Firefox, and Edge all engaged to support WebAuthn, we have two-thirds of all major web browsers backing this next-generation protocol. In March this year, the W3C Web Authentication Working Group announced that WebAuthn reached Candidate Recommendation (CR) status, meaning the specification is stable enough that any browser can add interoperable support.

This is exciting news for developers, application creators, and those who want to secure their services with WebAuthn and FIDO2 to enable a passwordless login experience.

As a leading contributor and driver of the FIDO2 and WebAuthn open authentication standards, Yubico is committed to helping the larger developer community navigate implementation. Earlier this year we launched a new Developer Program to help developers rapidly integrate with these new standards. Over 1000 companies have registered to date with the program to find resources to help them become successful in integrating FIDO2. Most recently Yubico hosted an expert FIDO2/WebAuthn webinar series focused specifically on FIDO2 and WebAuthn education and deployment:

  • FIDO2 Authentication Demystified
  • FIDO2 WebAuthn Data Flows, Attestation, and Passwordless Technical Overview
  • FIDO2 WebAuthn Server Validation Technical Overview

With new WebAuthn browser support available in Edge, Chrome, and Firefox, a FIDO2 compatible hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single-factor authentication. WebAuthn still allows second-factor authentication and also supports the use of a PIN or biometrics with both external and platform authenticators for a multi-factor passwordless login experience.

The FIDO2 momentum is strong and we encourage developers and security architects interested in the new standard to sign up for our Yubico Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. New content is being added on an ongoing basis with the next FIDO2 resources becoming available later this month.

For those that are still unfamiliar with FIDO2 and WebAuthn, visit our latest blog that answers some of the most common questions we’ve received about the standard so far.

(Browser market share percentage via statcounter)

Jerrod Chong

10 Things You’ve Been Wondering About FIDO2, WebAuthn, and a Passwordless World

Armed with a mission to deliver a more secure internet, Yubico has been working closely with Microsoft, Google, the FIDO Alliance and W3C to create and drive open standards that pave the way for the future of passwordless login. The FIDO2 standard is the new standard enabling the replacement of weak password-based authentication with strong hardware-based authentication using public key (asymmetric) cryptography.

FIDO2 has created quite a buzz in the security community, and as with any new technology, there’s always a bit of a learning curve. Earlier this year, we introduced our updated Yubico Developer Program to help developers get up to speed quickly with FIDO2 and WebAuthn.  

In the past few weeks, we have run a FIDO2 webinar series for developers to provide background on the FIDO2 specification and how to implement. During the course of this webinar series, we have answered many questions about the specifics of the FIDO2 standard and WebAuthn, including how it relates to our new Security Key by Yubico, and the evolution of a passwordless world. We wanted to share the most commonly asked questions and answers, that you also may have wondered about.

Are FIDO2 and WebAuthn the same thing? If not, how are they different?

FIDO2 comprises two standardized components, a web API (WebAuthn) and a Client to Authenticator Protocol (CTAP). The two work together and are required to achieve a passwordless experience for login. The earlier FIDO U2F protocol for external authenticators has been renamed CTAP1 in the WebAuthn specifications.

With Chrome and Firefox announcing WebAuthn API and CTAP1 support as the client, and Dropbox now integrating with the WebAuthn API, this has kicked off a flurry of integration activities by other services. Most recently, Microsoft Edge released support for WebAuthn API, CTAP1 and CTAP2, making it the browser with the widest authentication support.

Is FIDO2 backwards-compatible with current YubiKey models?

The WebAuthn component of FIDO2 is backwards-compatible with FIDO U2F authenticators via the CTAP1 protocol in the WebAuthn specifications. This means that all previously certified FIDO U2F Security Keys and YubiKeys will continue to work as a second-factor authentication login experience with web browsers and online services supporting WebAuthn.

The new FIDO2 passwordless experience will require the additional functionality of CTAP2, which is currently only offered in the new Security Key by Yubico. CTAP2 is not supported in previous FIDO U2F Security Keys, the current YubiKey 4 series, or the YubiKey NEO.

Is FIDO2 considered single factor, two-factor or multi-factor authentication?

Logging in with a FIDO2-enabled hardware device, such as the Security Key by Yubico, offers a greater choice of strong authentication modes, including:

  • single factor passwordless
  • two-factor (2FA)
  • multi-factor authentication (MFA)

With FIDO2, a hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single factor authentication. Users can also continue to use the Security Key by Yubico as a second factor. Finally, for added security, a FIDO2 hardware authenticator can be combined with an additional factor, such as a PIN or biometric gesture, to enable strong multi-factor authentication.

How secure is FIDO2 compared to FIDO U2F and other 2FA solutions?

Single factor login with FIDO2 offers strong authentication as a single factor. In many cases, this single factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely when using FIDO2. FIDO2 single factor uses the same strong public key cryptography with origin checking to prevent phishing just like FIDO U2F, but with the additional convenience of not needing usernames and passwords as the first factor to identify the user.

Will FIDO U2F become obsolete with the expansion of FIDO2?

FIDO2 WebAuthn is backwards compatible with FIDO U2F authenticators, so over time, we expect FIDO2 will subsume FIDO U2F.

Is there an option to use FIDO2 in conjunction with an additional factor such as a PIN or biometrics? Is this recommended?

Hardware authenticators supporting CTAP2 can add user verification by requiring users to use a PIN or biometric to unlock the hardware authenticator so it can perform its role. Whether to require this depends primarily on the implementor’s threat model and use cases. For example, a large banking institution may want to consider the use of a PIN in conjunction with a security key for a higher level of assurance, while a warehouse-based shared kiosk environment may not.

The Security Key by Yubico implements the full CTAP2 specification and supports several passwordless experiences, including single-factor touch-and-go using the hardware authenticator (no need for a username) as well as use of a PIN together with a touch of the hardware authenticator.

What’s the difference between a PIN and password?

As stated above, one of the allowances with FIDO2 is the option to combine hardware-based authentication with an additional factor such as a PIN. This has many of you wondering, “Well, isn’t that the same as needing to remember a password?”

A PIN is actually different from a password. The purpose of the PIN is to unlock the Security Key so it can perform its role. A PIN is stored locally on the device, and is never sent across the network. In contrast, a password is sent across a network to the service for validation, and that can be phished. In addition, since the PIN is not part of the security context for remotely authenticating the user, the PIN does not need the same security requirements as passwords that are sent across the network for verification. This means that a PIN can be much simpler and shorter and does not need to change often, which reduces concerns and IT support loads for reset and recovery. Therefore, the hardware authenticator with a PIN provides a passwordless, phishing-resistant solution for authentication.
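To make the two mechanisms above concrete (the origin check that gives FIDO2 its phishing resistance, and the PIN that unlocks the key locally so the service only ever sees a "user verified" flag), here is an added example that is not part of the original post or of Yubico's code: a stdlib-only Python sketch of the relying-party checks on a WebAuthn authentication response. The public-key signature check is delegated to a caller-supplied function (ECDSA P-256 for a typical security key), and the demo at the bottom uses a constructed stand-in verifier and constructed responses rather than data from a real key.

```python
import base64
import hashlib
import json
import struct
from typing import Callable, Dict

# authenticatorData layout from the WebAuthn spec:
#   rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional credential data / extensions
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: a PIN or biometric unlocked the key locally


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def signed_data(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs: authenticatorData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, auth_data: bytes, signature: bytes, *,
                     expected_origin: str, rp_id: str, expected_challenge: bytes,
                     stored_sign_count: int, require_uv: bool,
                     verify_sig: Callable[[bytes, bytes], bool]) -> Dict[str, object]:
    """Relying-party checks on a WebAuthn get() response. verify_sig(message, signature)
    is the caller's public-key check with the credential's stored public key."""
    def reject(reason: str) -> Dict[str, object]:
        return {"ok": False, "reason": reason}

    client_data = json.loads(client_data_json.decode("utf-8"))
    if client_data.get("type") != "webauthn.get":
        return reject("wrong ceremony type")
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return reject("challenge mismatch (stale or replayed response)")
    # Origin binding is the phishing defence: the browser, not the user, writes the origin
    # into clientDataJSON and the key's signature covers its hash, so a response obtained on
    # a look-alike site does not verify here.
    if client_data.get("origin") != expected_origin:
        return reject("origin mismatch: %r" % client_data.get("origin"))

    if len(auth_data) < 37:
        return reject("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode("ascii")).digest():
        return reject("rpIdHash mismatch")
    if not flags & FLAG_UP:
        return reject("user presence (touch) not asserted")
    # "Passwordless + PIN + Touch": the PIN never leaves the key; the server only sees UV.
    if require_uv and not flags & FLAG_UV:
        return reject("user verification (PIN/biometric) required but not asserted")
    # A counter that fails to increase suggests a cloned authenticator.
    if sign_count != 0 and sign_count <= stored_sign_count:
        return reject("signature counter did not increase")
    if not verify_sig(signed_data(auth_data, client_data_json), signature):
        return reject("signature invalid")
    return {"ok": True, "reason": "", "sign_count": sign_count}


# ---- Constructed sample data (not captured from a real key) ----
def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def build_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode("utf-8")


def demo_scenarios() -> Dict[str, Dict[str, object]]:
    """One genuine response and two that the relying party must reject."""
    rp_id, origin, challenge = "example.com", "https://login.example.com", b"\x01" * 32

    # Stand-in for ECDSA over the credential public key: binds a "signature" to the exact
    # signed bytes so that the structural checks above can be exercised offline.
    def fake_sign(message: bytes) -> bytes:
        return hashlib.sha256(b"constructed-demo-key" + message).digest()

    common = dict(expected_origin=origin, rp_id=rp_id, expected_challenge=challenge,
                  stored_sign_count=41, require_uv=True,
                  verify_sig=lambda message, sig: sig == fake_sign(message))
    results: Dict[str, Dict[str, object]] = {}

    # 1. Genuine login: PIN + touch, from the real origin, counter advanced 41 -> 42.
    ad, cd = build_auth_data(rp_id, FLAG_UP | FLAG_UV, 42), build_client_data(origin, challenge)
    results["genuine"] = verify_assertion(cd, ad, fake_sign(signed_data(ad, cd)), **common)

    # 2. Same key, same challenge, but the browser was on a look-alike domain: the signed
    #    origin differs (a real key would also have signed a different rpIdHash).
    cd_phish = build_client_data("https://login.examp1e.com", challenge)
    results["phishing_origin"] = verify_assertion(
        cd_phish, ad, fake_sign(signed_data(ad, cd_phish)), **common)

    # 3. Touch only, but this service's policy requires the PIN (UV flag).
    ad_no_uv = build_auth_data(rp_id, FLAG_UP, 42)
    results["touch_without_pin"] = verify_assertion(
        cd, ad_no_uv, fake_sign(signed_data(ad_no_uv, cd)), **common)
    return results
```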

How does FIDO2 affect a company’s password policy of replacing passwords every 90 days?

With FIDO2, there’s no need to replace passwords, as there are no passwords required.

For those combining a hardware authenticator with a PIN, it’s important to note that PINs do not demand the same security requirement as a password. A PIN and a password are different. Since a PIN is not part of the security context for remotely authenticating the user (the PIN is not sent over the network for verification), it can be much simpler and less complex than a password, and does not need to be changed with the same frequency (or at all), which eases enterprise concerns about PIN reset and recovery.

What services provide support for FIDO2? When can we expect additional services to roll out support?

Chrome, Firefox, and Dropbox have implemented support for WebAuthn second-factor login flow. Beginning with build 17723, Microsoft Edge now supports the candidate release version of WebAuthn. This latest version of Edge is able to support FIDO2 strong single factor and multi-factor authentication, in addition to the second factor. The Yubico Developer Program offers comprehensive resources for those interested in adding support for FIDO2.

What if I lose my Security Key by Yubico? Without a password, am I locked out of my account?

Best practice is always to ensure that you have a backup Security Key in place, should you misplace your primary device. The Security Key by Yubico contains no identifiable information, so if it were to be found, it could not immediately be used to log in without knowing the identity of the owner and to which accounts it is registered. The reality is that the primary attack vector for consumers and enterprises is remote account takeover — whether by credential theft, phishing scams, or man-in-the-middle attacks. FIDO2 and the Security Key by Yubico are specifically designed to protect against these types of threats.

For those who are concerned with physical threats, the option is there to require multi-factor authentication using a PIN for additional protection. That way, if someone obtains a stolen Security Key, they will still need to know which accounts it is registered with, and also have access to your additional factor (PIN) to be able to log in.

A significant benefit of an open authentication standard is that the number of implementations is limitless. Microsoft Edge, Google Chrome and Mozilla Firefox on the client side, and Dropbox on the service side, have all announced WebAuthn support, with many more in the works. We’re well on our way to the future of passwordless login!

Do you want to be a part of the future of passwordless login?

If you are a developer who is interested in adding support for FIDO2, sign up for our Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. Also, our series of FIDO2 virtual events is now available for on-demand viewing.

If you’d like to read more about FIDO2, check out our recent blog post, “What is FIDO2?”

Stina Ehrensvard

The Key to Trust

As the principal inventor behind both the Security Key and U2F protocol, we are true supporters of open standards. To realize our mission of making secure login ubiquitous, we designed the original Security Key, and provided the majority of the open source code and test tools for FIDO U2F and the latest version of the standard, FIDO2, which offers a passwordless experience.

Innovation is core to all we do, and as the ecosystem continues to mature, U2F and FIDO2 functionality will come in many different form factors, communications methods (USB/BLE/NFC) and features, from Yubico and others.

Over the past several years, Google has deployed hundreds of thousands of FIDO U2F-enabled Yubico devices internally with amazing results. Today, Google released their own version of a security key, and while we have received the question if we were part of this production, these devices are not manufactured by Yubico.

Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.

Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Yubico is a believer in NFC, and the YubiKey NEO design has proven at scale to deliver a superior contactless user experience for U2F.  Also, Yubico will soon announce another secure and user friendly solution for iOS.


The FIDO U2F and FIDO2 standards work has been a long, challenging and inspiring journey convincing and engaging all leading platforms and browsers to subscribe to the Yubico mission: to make secure login easy and available for everyone.  

U2F is just one tool in the YubiKey toolbox. Today, the majority of our customers use our multi-function YubiKeys across multiple applications, services, and operating systems. In addition to FIDO U2F, we offer smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP, in a single device, over both USB and NFC, as well as in USB-C form factors. 

Yubico continues to work closely with Microsoft, Google and the global open standards community on FIDO2, the passwordless evolution of U2F. This next-generation standard enables the option to use a security key as a single factor, with an optional PIN or biometrics on the user device, removing the need for service providers to store and manage passwords.

We will continue to create market defining authentication products, which we are currently demonstrating at Google Cloud Next, booth #S1426. We welcome you to join us.

Ronnie Manning

5 Simple Ways to Get Started with Your YubiKey

What are your go-to apps? There are several applications and services that many of us use weekly, and in most cases, daily — Gmail, Facebook, Dropbox, a password manager — and the good news is that all of these support the YubiKey for strong authentication. And now, there is one more to add to the list!   

As of last month, Twitter users can now protect their accounts with FIDO U2F two-factor authentication using a YubiKey or Security Key by Yubico. This new feature is now available to all 328 million of Twitter’s monthly active users for both personal and business accounts.

Twitter has some simple setup instructions here for use on your computer. Once you register your YubiKey with Twitter, you will be required to present the key each time you log in to your account in the future. It will ask for your username and password, and then it will ask for your YubiKey. Just insert the YubiKey into your computer’s USB port and, after it starts blinking, tap it.

The YubiKey NEO is our mobile-friendly device that is equipped with near field communication (NFC). This works by just tapping the YubiKey NEO to the back of your phone. However, Twitter does not yet have support for the YubiKey in their mobile app, but we hope that this will be a feature they add in the near future.

The YubiKey is great for protecting against remote hackers trying to access your account, but you may be thinking, “What if I forget my key?” Twitter lets you set up a backup form of two-factor authentication on your account as well. For example, you could use Google Authenticator or our Yubico Authenticator app to set up your backup on a second YubiKey. These forms of authentication will also be useful for mobile users. That way, you can use a YubiKey on your computer and an authenticator app on your phone.

Best practice is to have multiple YubiKeys set up for your accounts. One on your keychain, or one in your wallet, or one in a safe place at home will help to make sure you’ve always got a backup YubiKey nearby. Many services let users set up multiple YubiKeys with their account for this very reason. Twitter only allows one key at the moment. If you want more than one YubiKey on your Twitter account, or would like to have YubiKey support on mobile, help us out by sending a tweet to tell them what you’d like to see.

One of the best features of the YubiKey is that you can use just one key for any number of services and accounts. Here are the instructions on how to quickly get your other accounts secured with a YubiKey:

Google: Fun fact. Google was the first web service to support the use of U2F and YubiKeys. See how to get started with Google and the YubiKey here.

Facebook: Don’t make the mistake of overlooking the need to protect this social media account. Facebook contains a lot of personally identifiable information that can be used to advance a hacker’s efforts. See how to get started with Facebook and the YubiKey here.

Dropbox: Whether you’re sharing vacation photos or business documents, make sure your files stay safe from prying eyes. See how to get started with Dropbox and YubiKey here.

Password Managers: Did you know that the YubiKey works with 17 password managers? See how to get started with your favorite password manager and the YubiKey here.

Don’t see one of your favorites? Don’t worry. We have plenty of other services — for individual users and businesses — that support the YubiKey. You can see the full list here.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best!

Ronnie Manning

Stina Ehrensvard Wins 2018 Female Executive of the Year

Today, we are excited to announce that Yubico’s CEO and Founder, Stina Ehrensvard, was named Female Executive of the Year by the Women World Awards for the second year in a row!

This news comes on the heels of several major announcements that we’ve shared over the past few weeks — YubiKey for iOS, FIPS 140-2 YubiKey Series, Andreessen Horowitz investment, FIDO2 passwordless logins — and we couldn’t be happier to keep the momentum going by celebrating Yubico’s founder and the milestones we’ve achieved together.

The Women World Awards are an annual industry and peer recognition program honoring women in business and the professions, and organizations of all types and sizes from around the world. The program encompasses the world’s best in leadership, innovation, organizational performance, and new products and services from every major industry in the world.

The Female Executive of the Year category highlights individual women whose accomplishments in the last year set an impressive standard for the company as well as industry norms. Stina was selected as the Gold Winner in this category due to her significant contributions and innovations to advance the current state of internet security. Most notably, Yubico’s work in developing FIDO2 and driving new paths for the next generation of online security: passwordless logins.

“It’s an honor to be named a winner by Women World Awards,” said Stina. “These awards are an encouraging reminder that each year, Yubico is one step closer to seeing our vision of a safer internet for all become a reality. I’m proud of everything the Yubico team has done to get us there, and has been able to accomplish over the last year.”

To read more about Stina’s entrepreneurial journey and Yubico’s mission, check out her recent interview with Compelo magazine.

Jerrod Chong

Now Available! FIPS 140-2 Validated YubiKey Series

Today, we’re excited to announce the certification and availability of our YubiKey FIPS series, the first multi-protocol FIPS 140-2 validated security keys.

FIPS 140-2 is a US government computer security standard, published by the National Institute of Standards and Technology (NIST), that covers the use of cryptographic functionality such as encryption, authentication, and digital signatures. The FIPS 140-2 validated YubiKeys meet the most stringent security requirements of US federal agencies.

The YubiKey FIPS Series includes keychain and nano form-factors for USB-A and USB-C interfaces.

The YubiKey FIPS series uses the YubiKey 4 Cryptographic Module, which received FIPS 140-2 validation at Overall Level 2, Physical Security Level 3, with certificate number 3204. At this level, the YubiKey FIPS series meets Authenticator Assurance Level 3 (AAL3) as defined in NIST SP800-63B, which enables compliance with Federal Risk and Authorization Management Program (FedRAMP) and Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

FIPS certification is essential for many branches of the US government and contractors, in addition to those in the private sector that collect and transmit sensitive but unclassified (SBU) information.

The YubiKey FIPS Series hardware authentication devices include keychain and nano form-factors for USB-A and USB-C interfaces. The YubiKey FIPS Series is the only FIPS validated multi-protocol security key on the market supporting five authentication protocols: FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP. Now, federal entities and federal-compliant enterprises can comply with the high assurance security requirements for on-premise or cloud deployments using the YubiKey FIPS Series.

Companies including Google, Facebook, Salesforce and thousands more trust the YubiKey to protect account access to computers, networks and online services. Now, we are able to deliver the same simple, trusted protection as a FIPS validated solution.

For more information and technical details on the new product line, visit the YubiKey FIPS page. Starting at $46, YubiKey FIPS Series security keys are available now for purchase online at the Yubico store or by contacting Yubico Sales.

Jesper Johansson

WebUSB in Google Chrome and Responsible Disclosure

Authored by Venkat Venkataraju & Jesper Johansson

Yubico Blog Update and Statement – 6/18/18

On June 13, 2018 we published this blog post and security advisory regarding WebUSB issues in Chrome. In hindsight we realize that we did not give enough credit in our blog post and security advisory to the foundational work done by Markus Vervier and Michele Orrù, who highlighted and demonstrated the first security vulnerability in WebUSB at OffensiveCon, and which was subsequently written up in a WIRED article. After posting, we communicated with them, apologized for this, and made updates to the blog post and security advisory to make sure proper credit was given.

Building on the publicly available information about work by Markus and Michele described in the article, Yubico investigated the issue and developed our own proof of concept (PoC) test tools. In the process we discovered additional issues with WebUSB and began outreach with Google on March 1st. Yubico first spoke with the researchers on March 2nd. The formal bug report, which Yubico submitted to Google on March 5th, referenced the OffensiveCon talk by Markus and Michele and their original public announcement of the CCID issue in the first sentence. We submitted this privately to protect our customers and the broader U2F ecosystem.

Markus and Michele’s research provided a critical foundation, and we made a mistake by not clearly acknowledging them for their original research in our security advisory. We learned only on June 13, after we published our advisory, that Markus and Michele also discovered and reported HID issues to Google. We understand that better communication after the issue was fixed would have ensured that all parties were in sync, and will use this as an opportunity for improvement.

Yubico has always strived to be transparent and we regret the missed opportunity to work more collaboratively with Markus and Michele. Historically, Yubico has worked closely with security researchers across the globe and we are committed to continue to do so.

————-end update—————–

To improve the entire security ecosystem, Yubico is a strong believer in responsible disclosure practices. We believe that the best outcome happens when security researchers confidentially provide research and reporting to an impacted company, so a fix can be in place before any public disclosure to help protect users from the exploitation of the vulnerability.

This year, Yubico worked with Google under responsible disclosure to address WebUSB vulnerabilities in Google Chrome that affected the entire ecosystem of FIDO U2F authenticators, manufactured by Yubico as well as other vendors.

The original issue first surfaced in a news article in March 2018 describing how security researchers Markus Vervier and Michele Orrù had demonstrated how to circumvent the FIDO U2F origin check using WebUSB functionality in Google Chrome and the YubiKey NEO’s USB CCID U2F interface.

Once Yubico was informed of the CCID issue, our own researchers quickly discovered there was a broader set of security concerns within WebUSB that affected the entire ecosystem of FIDO U2F authenticators. To help protect the U2F ecosystem, we disclosed these issues to Google in early March and worked closely with their engineering teams on a mitigation plan to address this issue and secure all U2F customers.

With the May 29, 2018 release of Chrome 67, Google fixed the WebUSB vulnerability, and the issue can no longer affect any (Yubico or other) U2F authenticators. To read the detailed report of the WebUSB issue in Chrome, please visit our Security Advisories page for the full analysis.

For this research and disclosure, Google awarded Yubico a bug bounty in the amount of $5,000, which Yubico has opted to donate to charity. Yubico chose Girls Who Code, a non-profit that aims to support and increase the number of women in computer science. Additionally, Google has matched the donation with another $5,000, resulting in a $10,000 donation to Girls Who Code, to further support efforts at increasing diversity in our field.

The security ecosystem is only as strong as its weakest link, and if we, as a community of vendors and security researchers, work together effectively and respectfully, we can secure not only end users but the entire ecosystem from continually evolving threats.

For the protection of everyone, we encourage all researchers to responsibly disclose any discovered security concerns to the affected company so they may implement a fix before any public disclosure. To contact the security team at Yubico please email security@yubico.com.


June 13th Update:
We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google. We were not aware of this at the time; we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem.

 

Ronnie Manning

Yubico Lands a16z Investment and Grows Board of Directors

Today, Yubico is proud to announce its latest round of investment from Andreessen Horowitz (a16z). a16z is supporting Yubico’s mission to create a safer internet for everyone by providing ubiquitous secure access to computers, networks and servers. The company has been growing with profits over the last six years, and funds from the new investment will be used for scaling engineering, product and development teams.

In addition to company backing, Martin Casado, general partner at a16z, will be joining the Yubico board of directors. With an extensive background in computer science, software-defined networking, and security, Martin will support the company in a rapid growth phase, helping Yubico scale as the hardware root of trust for users and servers as we move toward the passwordless future.

“Internet security is an area I’m personally very passionate about and I’m a true believer in the Yubico vision and approach. I’m thrilled to be joining the board and working with the team on this journey forward,” said Casado.

The YubiKey is the authenticator of choice for thousands of business customers and millions of users in more than 160 countries, including a16z, which currently deploys YubiKeys to every employee. This decision was made prior to the investment in Yubico, as a16z determined that the YubiKey was the most secure approach for protecting accounts and sensitive company data.

Yubico CEO and Founder Stina Ehrensvard worked with Martin Casado on the a16z Podcast episode ‘The State of Security’ from earlier this year to provide insight into the crossroads of software and hardware in the security space. Specifically, Stina spoke about the increasingly important role of authentication in a world where we hear of new data breaches and stolen user credentials on a daily basis.

Previous Yubico investors include NEA and renowned Silicon Valley entrepreneurs Marc Benioff, CEO of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member.

Stina Ehrensvard

What is FIDO2?

Last month, open authentication standards reached an important milestone; Microsoft launched support for FIDO2 and CTAP, and the World Wide Web Consortium (W3C) won approval for WebAuthn. Since then, Yubico has received questions on how these efforts are related, what role FIDO U2F and Yubico have in the mix, and what organizations can implement now — and in the future — to enable simple, strong authentication for employees and end-users. This blog will bring some clarity to those questions.

What is the difference between FIDO U2F and FIDO2?

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.

Essentially, FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.

What is WebAuthn & CTAP?

A new, extensible web authentication API, called WebAuthn, has been developed within the W3C; it supports both existing FIDO U2F and upcoming FIDO2 credentials.

The FIDO U2F client-side protocol has been renamed CTAP1, and a new, extensible client-to-authenticator protocol (CTAP2) has been developed to allow external authenticators (tokens, phones, smart cards, etc.) to interface with FIDO2-enabled browsers and operating systems.

WebAuthn and CTAP2 are both required to deliver the FIDO2 passwordless login experience, but WebAuthn still supports FIDO U2F authenticators, since CTAP1 is also part of the WebAuthn specification.

How can organizations deploy FIDO2?

So, what can organizations do if they are aiming to provide support for FIDO2? We recommend adding support for WebAuthn, since it works with both existing FIDO U2F authenticators and FIDO2 authenticators.

Mozilla Firefox 60 recently added support for WebAuthn, Chrome 67 will be shipping with WebAuthn support in the near future, and Microsoft has already announced they will support WebAuthn in Edge browsers. The U2F web API continues to work for U2F authenticators, but is limited to the Chrome and Opera browsers.

To evaluate WebAuthn with FIDO U2F and FIDO2 authenticators today, Yubico offers a test service at demo.yubico.com/webauthn, and soon we will provide more complete open source FIDO2 servers on GitHub. Organizations can sign up for updates from the Yubico Developer Program to get information on FIDO2 and WebAuthn resources.

So, what’s our role in all of this?

From Yubico’s perspective, we’re proud and pleased to see our vision of one single security key to any number of services become a reality. We’ve watched this vision progress from our launch of the first YubiKey in 2008, to early U2F development in 2011, to the launch of FIDO2 in 2018.

With WebAuthn providing a seamless evolution from U2F to FIDO2, and with upcoming support for built-in authenticators and additional use-cases, WebAuthn becomes the center of a ubiquitous ecosystem for authentication.

Our mission has always been to drive standards and adoption by providing technical specifications, open source components, and developer tools; and to be the gold standard for authenticators. With the open standards ecosystem growing, we see the vision of providing strong authentication for everyone coming true.

Interested in exploring FIDO2 and passwordless login? Get started today with the Security Key by Yubico.

Ronnie Manning

YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support

It’s a question that we receive often, ‘so how does the YubiKey work with iPhone?’ Until now, the answer to that question has been a bit unclear because of limited support for NFC in iOS. But today, we have a clear answer: YubiKey iOS support is here, now, with two exciting pieces of news.

For application developers, we are introducing a new Mobile SDK for iOS that allows any iOS mobile app to rapidly add support for hardware-based two-factor authentication (2FA) using YubiKey OTP over NFC. Second, LastPass, one of our longest and most prominent integrations, has released the latest version of its password management app with fully integrated support for the YubiKey NEO over NFC on iOS. This was completed using our Mobile SDK for iOS, but we’ll share more on this milestone a little later.

A user authenticates to their LastPass app on iPhone using a YubiKey NEO over near field communication (NFC).

The launch of iOS 11 last year saw Apple provide support for NFC tag reading, which allowed developers to build apps with one-time passcode (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, it became possible to authenticate with Yubico one-time password (Yubico OTP) with a YubiKey NEO — a feature requested by many YubiKey users. However, documentation and reference code for developers to add this support to applications was lacking and unnecessarily complicated.

To help mobile application developers simplify rollouts and deliver on this functionality, Yubico created the Mobile SDK for iOS. It’s available now for download and is also part of the Yubico Developer Program mobile track, and provides developers all the necessary tools to rapidly up-level their iOS mobile app security with Yubico OTP.

By introducing YubiKey hardware-based authentication via NFC to iPhone applications, users no longer need to toggle between apps and temporarily memorize a throw away code before it expires. Now users can just tap the YubiKey to authenticate, which is four times faster than typing in an OTP! Not to mention, users and app developers no longer have to run the risk of potential security and reliability issues by relying on SMS or mobile authentication.

LastPass iOS App Supports Yubico OTP via NFC
The LastPass password manager remains one of the most popular YubiKey integrations for Yubico OTP, and the application has supported NFC on Android devices for many years.

Today, LastPass is the very first password manager application on iOS to enhance its security with Yubico OTP authentication through NFC. This means that LastPass users with iPhone 7 or above, running iOS 11 and above, can now authenticate to their LastPass Premium, Families, Teams, or Enterprise accounts on their mobile device with the same YubiKey NEO that they use for their desktop or laptop. Users will touch the YubiKey NEO to the iPhone to wirelessly transfer a Yubico OTP and securely authenticate to the application.

“LastPass has long supported YubiKey as a multi-factor authentication option for adding an extra layer of security to LastPass accounts and values the partnership we have with the Yubico team,” said Akos Putz, Principal Product Manager for LastPass at LogMeIn. “With the new mobile SDK for iOS, our customers now benefit from the strength and security of hardware-backed YubiKey 2FA with the support for our iOS app.”

For current LastPass users, the iOS application will receive an automatic update (version 4.2.7) via the App Store and you can set up YubiKey in your account settings. If you’re an iPhone user, you can download the latest version of LastPass here and for further instructions on setup, visit here.

We applaud LastPass for supporting this milestone leap in YubiKey mobile app authentication for iPhones and iOS. With this announcement, the YubiKey now provides simple and secure authentication for all leading mobile platforms including Android, Windows mobile, and iOS. Find out more about our new Mobile SDK for iOS here.

UPDATE (09/25/18): LastPass also supports the YubiKey 5 NFC over NFC for iOS. Read their announcement here.

John Bradley

New NIST Authentication Guidelines for Public Safety and First Responders

Over the past few months, Yubico has been working closely with the U.S. National Institute of Standards (NIST) National Cybersecurity Center of Excellence (NCCoE) to improve mobile authentication methods for public safety professionals and first responders. Today, we’re happy to share that this guidance is now available in the form of a three-volume draft practice guide: NIST Special Publication 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety and First Responders.

This has been an important project for Yubico and the NCCoE, as simple, secure access to critical data can often be a matter of life or death in an emergency response scenario. In high-alert situations, first responder and public safety personnel are often dispatched in the field and are heavily reliant on mobile platforms to access, in real time, the data needed to deliver proper care. This data may include personally identifiable information (PII), law enforcement sensitive information, or protected health information (PHI), and it is imperative that access to this type of information is highly protected. However, complex and cumbersome authentication requirements for accessing sensitive information, which cause even the slightest delay in the emergency response process, can potentially risk the life of an individual.

To mitigate the security and access challenges for public safety and first responder personnel, the NCCoE collaborated with several technology vendors, including Yubico, to develop mobile authentication requirements and implement a reference design that assembles commercially available technologies that support the following open standards:

Yubico was a core contributor to this process. The reference implementation, which is documented in the practice guide, uses the NFC-enabled YubiKey (YubiKey NEO) in combination with Federation technology OpenID Connect to strongly secure user access to sensitive applications, improve usability and efficiency of user account management, and share identities across organizational boundaries.

It was recognized early on in the project that reliance on passwords alone can expand the scope of a single data compromise from one service to multiple services due to password reuse. The use of FIDO U2F for authentication provides protection beyond the password, and eliminates problems with social engineering, man-in-the-middle attacks, replay attacks, and phishing, which all present real threats to password-based and OTP-based (SMS, mobile push) authentication systems.

The following diagram from the NCCoE practice guide illustrates the recommended authentication flow for a native app on an Android device using standards-based technologies such as OAuth 2.0, OpenID Connect / SAML, and FIDO U2F with the YubiKey as the trusted second factor.

The OAuth 2.0 for native apps specification requires that applications use a system browser for making authorization requests. This allows a Software-as-a-Service (SaaS) provider, such as Motorola Solutions or GIS, to redirect authentication back to the user’s agency or enterprise via a standard authentication protocol such as OpenID Connect or SAML.

Using the system browser also enables the built-in operating system (OS) support for FIDO U2F authentication to be used without requiring special support in the native apps. This allows a generic SaaS application to support thousands of different identity providers, and different types of external FIDO U2F multi-factor authenticators (like the YubiKey) within a single native application. This avoids having to customize native apps for each organization and instead, allows the reuse of generic components that can make these systems available to even the smallest of organizations.

The combination of FIDO, OAuth, and SAML/OpenID Connect has been shown to be a robust and flexible solution for public safety use cases. In fact, one of the collaborators in the practice guide, Motorola Solutions, has incorporated this model into their commercial product PSX Cockpit, which is currently being deployed in a number of verticals.

From an end user perspective, these standards-based technologies are delivering a simple touch-and-go experience while maintaining the highest levels of security. To access sensitive data within a mobile application, first responder personnel will only require an NFC- and FIDO U2F-enabled hardware authentication device such as the YubiKey NEO. By simply touching the device to their phone, they will be securely authenticated to the app within seconds.

This particular project with the NCCoE targets a first-responder use case; however, the practice guide is equally applicable to many enterprise mobile scenarios. For more information on the project and to download the Mobile Application Single Sign-On practice guide, please visit the National Cybersecurity Center of Excellence (NCCoE) website. The NCCoE is also accepting public comments on the guide until June 18, 2018.

Stina Ehrensvard

Yubico and Microsoft Introduce Passwordless Login

Ten years ago, at the 2008 RSA Conference, Yubico launched the first YubiKey with the goal of making secure login easy and accessible for everyone. The vision was one single security key to work across any number of services, with great user experience, security, and privacy.

On this anniversary, Yubico has taken another major leap forward toward this vision with the announcement that the recently-launched Security Key by Yubico, with FIDO2, will be supported in Windows 10 devices and Microsoft Azure Active Directory (Azure AD). The feature is currently in limited preview for Microsoft Technology Adoption Program (TAP) customers.

FIDO2 is the passwordless evolution of the FIDO Universal 2nd Factor (U2F) standard, created by Yubico and Google. While U2F included a username and password, FIDO2 supports more use cases, including passwordless authentication. Yubico has worked in close collaboration with Microsoft on developing the FIDO2 technical specifications, and the Security Key by Yubico is the first FIDO2 authentication device on the market.

What Does This Mean?

Organizations will soon have the option to enable employees and customers to sign in to an Azure AD joined device with no password, by simply using a Security Key to get single sign-on to all Azure AD based applications and services. This is just the beginning; Google and Mozilla also announced Chrome and Firefox support for the Web Authentication API (WebAuthn) developed by Yubico and members of the World Wide Web Consortium (W3C) and included in the FIDO2 specification.

Why Is This Important?

Nearly every digital experience today requires passwords, an increasingly frustrating fact of life for businesses and users. For any one person there can be hundreds of sites and devices — both personal and business related — that require memorized passwords. This leads to poor password hygiene: shared and reused passwords. And it is a real cost for businesses managing, storing and resetting passwords for employees and end-users.

Working in conjunction with Windows and Microsoft cloud services, the new Security Key by Yubico offers a secure, seamless and passwordless login experience with one of the world’s largest computer operating systems. Use cases include retail, healthcare, transportation, finance, manufacturing, and more.

How Does It Work?

FIDO2 is built on the same security and privacy features as FIDO U2F: strong public key cryptography, no drivers or client software, and one key for unlimited account access with no shared secrets. With FIDO U2F, the user entered a username and password, inserted a security key in the USB port, and touched the gold area. FIDO2 adds more options to the login process:

  • Single Factor: This only requires possession of the Security Key to log in, allowing for a passwordless tap-and-go experience.
  • Second-Factor: In a two-factor authentication scenario, such as the current Google and Facebook FIDO U2F implementations, the Security Key by Yubico is used as a strong second factor along with a username and password.
  • Multi-Factor: This allows the use of the Security Key by Yubico with an additional factor such as a PIN (instead of a password), to meet the high-assurance requirements of operations like financial transactions, or submitting a prescription.

Who Can Get Involved?

Everyone is encouraged to get involved, and accelerate progress to a secure and passwordless world. As with any open standard, advancement will be a collective industry effort and a process of global adoption. Yubico helped the majority of services in making support for FIDO U2F by providing open source code and support. Together with W3C and FIDO Alliance we have made the FIDO2 open authentication standard available, and we are helping support its rapid integration into services and applications through our new Yubico Developer Program.

Enterprises → Learn about using FIDO2 with Windows 10 devices and Microsoft Azure Active Directory in your enterprise environment. Explore the benefits of FIDO2.

Developers → Implement early support for FIDO2 by signing up for updates from Yubico’s Developer Program. Members will have first access to resources to implement FIDO2 within their applications and services.

Individuals → Are you tired of passwords? If you had a choice to securely and easily log in to any device or online service without them, would you? Ask for it! Visit your favorite service or businesses on Twitter and tell them you want to securely log in to your account without a password by using FIDO2 and the Security Key by @Yubico!

Are you interested in learning more about going passwordless? Learn more about the Security Key by Yubico and the benefits of FIDO2.

Ronnie Manning

Yubico at RSA 2018: Passwordless Logins, Developer Programs, and More

Heading to RSA in San Francisco next week? We’ll be there too, celebrating our 10th year at the conference!

Be sure to stop by Booth #S2241 to see all the awesome things we will be showing, and if you haven’t registered for the conference yet, use this code (X8EYUBIC) for a free expo pass on us.  

An industry first, we are showcasing passwordless login with the just released Security Key by Yubico, the first hardware authentication device to support both FIDO U2F and FIDO2. Yubico is a leading contributor to the new FIDO2 open authentication standard which shares many of the same characteristics as FIDO U2F: public key cryptography, no shared secrets, and no drivers or client software. However, with FIDO2, there’s no need for passwords as user credentials are tied directly to the Security Key. The device can also be conveniently paired with PINs, biometrics, or other human gestures as an additional factor.

At Yubico we’re constantly innovating to make simple, secure authentication a standard for the industry. Along with the announcement of our new FIDO2-enabled security key, we are also announcing our new Yubico Developer Program to provide resources for rapidly enabling strong authentication in web and mobile applications across all our supported protocols including FIDO U2F, PIV (smart card), OpenPGP, OTP (one-time password), the new FIDO2 protocol and for the YubiHSM2. Developer resources include workshops, webinars, implementation guides, reference code, APIs and SDKs. RSA attendees (and those who are reading this blog) will be able to sign up for early access to resources to support implementation of FIDO2.

We also invite you to join our CEO & Founder, Stina Ehrensvärd, and SVP of Product, Jerrod Chong, who will be speaking on the importance of strong authentication for today and tomorrow’s cyber landscape.

Stina’s speaking session at CyberScoop’s Cyber Talks

  • 10 Percent Is Too Little: Time to Pay Attention to Two-Factor Authentication
  • Monday, April 16 at 11:20am PT
  • Four Seasons Hotel San Francisco

Jerrod’s speaking session at Security B-Sides SF

  • Simple. Open. Mobile: A Look at the Future of Strong Authentication
  • Monday, April 16 at 11:00am PT
  • City View at Metreon

Yubico is extremely proud of what we’ve accomplished over the last ten years. The YubiKey is used by millions around the globe and works with hundreds of services right out of the box, and this number is rapidly growing. That’s one key for an unlimited number of personal or business accounts.

At RSA, be on the lookout for Yubico Technology Partner booths to see how the YubiKey seamlessly integrates with their services. Participating Yubico Technology Partners include:

Yubico at Booth #S2241

If you’re attending RSA next week, please stop by our booth and say hi! We will have team members on site to answer any questions, provide product demonstrations, offer recommendations for specific use-cases and chat about the new Security Key by Yubico and Yubico Developer Program.

Also, make sure you follow us on Twitter for updates during the show. We’ll see you there!

Stina Ehrensvard

The Diver and the YubiKey

If you are driving on highway 101 between Palo Alto and San Francisco in the coming couple of weeks, you may come across a billboard with a diver holding up a YubiKey. The same diver also appears on our website homepage. The photo was shot by Alessio, principal engineer at Yubico, from his adventure under 20 meters of water in the Philippines.

The same image inspired Josh, web developer at Yubico, to try logging into his email underwater with a waterproof phone and YubiKey. And yes, it worked! Please check out the short video below that Josh and other members of our team just created.

At Yubico, we highly regard our adventurous and multi-talented engineers. Last year, we doubled our engineering team in Stockholm, Palo Alto and Seattle. This year we are doubling again. If you are a software or hardware engineer who wants to make the internet safer for everyone – on land or underwater – we welcome you to apply for our open job positions!

Alex Yakubov

Yubico Launches Passwordless Login with new Security Key and FIDO2

Today, together with the FIDO Alliance, we made a big announcement that paves the way to a passwordless future. We revealed the new Security Key by Yubico as well as our new Developer Program, both of which support the new FIDO2 open standard for passwordless authentication.

Why is this important? Think of a time when you have created a new account and didn’t have to create a new password.

For all of us, the account creation process for any application or online service has always started with the pairing of a password to your username, but with today’s announcement that is going to change. With FIDO2, it’s now possible to redesign the process to remove the weak link of passwords, and we’re gearing up to support the ecosystem and developer community to make that happen. Whether you’ve followed Yubico for years, or you’re just learning about us, read ahead to find out more about the significance of the FIDO2 project.

The FIDO2 Project

In 2011, Yubico invented the concept of a single security key to protect user accounts from phishing and unauthorized access, for any number of services with no shared secrets. We worked with Google to further develop this concept to what today is the FIDO U2F standard.

Now, Yubico has worked in collaboration with Microsoft on the evolution of the FIDO U2F authentication standard, to create FIDO2. With FIDO2, the Security Key with its strong authentication can now solve multiple use case scenarios and experiences:

  • Second factor in a two-factor authentication solution
  • Strong first factor, with possession of the device only, allowing for a passwordless experience like tap and go
  • Multi-factor with possession of the device AND a PIN, to solve high assurance requirements such as financial transactions or submitting a prescription

Capabilities enabled by the FIDO2 project

FIDO2 has already received support from the FIDO Alliance, World Wide Web Consortium (W3C), and all major web browsers to aid in its global standardization and adoption. With this foundation, FIDO2 is positioned to help services, applications, and enterprise organizations seamlessly transition to a more secure, easy to use replacement for the static password.

Read more about FIDO2 here. If you’re interested in developing with this new standard, you’ll need a Security Key by Yubico and we encourage you to sign up for FIDO2 updates as part of our newly announced Yubico Developer Program.

NEW Security Key by Yubico

The Security Key by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting existing U2F two-factor authentication (2FA) as well as FIDO2 implementations.

The new Security Key by Yubico supports both the Web Authentication (WebAuthn) API, and Client to Authenticator Protocol (CTAP) which are required for FIDO2-based authentication.

FIDO2 and the Security Key are delivering on trusted, touch-and-go authentication for the modern, flexible and mobile workforce that is meeting the needs of our on-demand society. Together, these technologies will be integrated into many verticals including: retail, healthcare, transportation, finance, manufacturing, and more.

We will be demonstrating the new Security Key by Yubico and new FIDO2 functionality at the RSA South Expo hall at Booth #2241. You can purchase one from our webstore today ($20 USD). Read more about the Security Key by Yubico here.

NEW Yubico Developer Program

This year marks the 10 year anniversary of the launch of the first YubiKey, which millions of users in more than 160 countries around the world love for its ease of use, security, and affordability. We made our YubiKeys available with free open source servers that encouraged adoption and growth of a thriving ecosystem of services supporting our technology. We’ve learned a lot from our partnerships, which is why today we announced a formalized Developer Program. This provides developers with the resources to rapidly integrate the YubiKey with mobile and computer login, across all our supported protocols including U2F, Yubico OTP, PIV-compatible Smart Card, OpenPGP, OATH (HOTP/TOTP), the new FIDO2 Client to Authenticator Protocol (CTAP) specification, and the YubiHSM.

We encourage developers and security architects interested in FIDO2 to sign up for updates as part of the Yubico Developer Program, to get access to resources needed to aid in early implementations of the FIDO2 open authentication standard.

Jesper Johansson

The Anatomy of a Phishing Email: 5 Things to Look For Before You Click

Phishing attacks are now considered the main source of data breaches.

91% of cyber attacks start with a phishing email *

Ten years ago, if you asked someone what ‘phishing’ was, they probably would have had no idea. Since then, times have changed considerably; phishing attacks are now responsible for a significant number of major data breaches.

Phishing may have made its way into the mainstream vernacular, but there is still confusion about the subject—and rightfully so. Here’s a more in-depth look at “what is phishing?”.

Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy people can find themselves a victim. So, how do you make sure you don’t fall victim as well? Use this five-point checklist to closely examine the validity of incoming email. When in doubt, don’t click!

The Sender

This is your first clue that an email may not be legitimate. Do you know the sender? If not, treat the mail with suspicion, and don’t open any attachments until you verify with the purported sender that they meant to send them. If you believe you do know the sender, double check the actual email address. Often, a phishing email will be designed to look like it comes from a person you know, but there will be a slight variation in the address or they will spoof the envelope to show you a name you recognize.

The Subject

Pay attention to subject lines! While something like ‘Claim your ultimate deal now!’ can be an obvious sign of a phishing email, the far more successful subject lines are the ones that don’t raise much suspicion. ‘Account action required’, ‘Delivery status update’, or ‘Billing statement confirmation’ can all be ploys to weaken the email recipient’s defenses through seemingly ordinary alerts.

Remember, if something legitimate is that important, your bank, employer, doctor’s office, retailer, or credit card company will find an alternate way to contact you when you’re not responding over email. When in doubt, call to ask if they’ve sent you an email, but do not make that call to a number that was in the email message you are calling about!

Most clicked email phishing subject lines:*

  • A delivery attempt was made (18%)
  • A UPS label delivery (16%)
  • Change of password required immediately (15%)
  • Unusual sign-in activity (9%)

The Body

The body of the email can hold a whole new set of clues, including misspelled words and confusing context. For example, are you asked to verify a banking account or login to a financial institution that you don’t have an account with? Did you get an email from someone you may know that has nothing in it other than a short URL? Does the content apply to you or make sense based on recent conversations or events? Similarly, if it is a known contact, is there a reason they would be sending you this email?

Hackers can also use current or popular events to their advantage. For example, holiday shopping, tax season, and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets. Did you know that the IRS reported a 400 percent increase in phishing scams for the 2016 tax season alone?

How will you know if an email is valid or not? This is where other email clues will come in handy!

The Attachments

The golden rule — do NOT open an attachment if any other aspect of the email seems suspicious. Attachments often carry malware and can infect your entire machine.

7.3% of successful phishing attacks used a link or an attachment**

The URLs

Similar to attachments, do NOT click on a link if anything else about the email seems suspicious. This is usually the attacker’s ultimate goal in a phishing scam — lure users to a malicious site and trick them into entering login credentials or personal information, allowing the attacker full account access.

If you do click on a link, be sure to also verify the actual URL. Are you on Google.com or Go0gle.com? The variations can be slight, but they make all the difference! That said, be aware that a malicious site will not always be visibly reflected in the URL, and therefore you will not be able to tell the difference. If this is the case, most browsers have built-in phishing protection to alert you that something is wrong.  

15% of individuals who fall for an initial phishing attack admit to falling for a phishing attack a second time.**

 

By using these five email checkpoints, you will be better equipped to recognize a phishing email. However, some phishing attacks are so sophisticated that they can even fool the savviest of users. The good news is that there are technology solutions, such as two-factor authentication, that can help, and we strongly recommend 2FA with the YubiKey.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best! 

Looking for more information on phishing? “What is phishing?” reveals the common features of a phishing scheme, how phishing schemes work to obtain your personal information, and the simple solution to protect yourself.

 

— Co-Authored with Ashton Tupper

 

* KnowBe4 Q4 2017 Top-Clicked Phishing Email Subjects

** Verizon Data Breach Report, 2017

Ronnie Manning

Yubico CEO recognized as the Most Powerful Swedish Woman Entrepreneur 2018

On Thursday, March 8, Yubico CEO & Founder Stina Ehrensvard was named “The Most Powerful Woman Entrepreneur, 2018” by Veckans Affärer, the leading weekly business magazine in Sweden.

“With a product that is becoming a world leading standard, she is today one of Sweden’s most powerful, as well as most successful entrepreneurs,” shared the jury for the award.

Following the award, Veckans Affärer published a feature on Stina and her story. In the article, Stina thanked her parents for never stopping her from climbing trees as a young girl, and for instead asking how the view was from the top. She also emphasized that the most important foundation in a company is the team and that every award she gets represents Yubico as a whole.

The Most Powerful Woman Award is celebrating its 20th year anniversary, having started in 1998 to honor and highlight successful, influential women business leaders and entrepreneurs. At the time, there were only 2 women board members for Swedish companies listed on the stock exchange. Today, the number of women has grown tenfold.

The award was handed out at the gala dinner and award ceremony in central Stockholm, attended by leading Swedish business executives.

Stina Ehrensvard

Buckle Up for a Safer Internet

Some cynics say that the problem of internet security will only continue to get worse, and that there is nothing we can do, but manage and minimize damages and losses. As an optimist, I completely disagree. Throughout our existence, people have faced and resolved extremely complex and evolving challenges—a great example of which is automobile safety.

A few years back, I wrote a blog post entitled Internet Identity and the Safety Belt. It focused on the introduction of the three-point seatbelt and its significant contribution to the automobile industry by making cars safer for drivers and passengers. Today, there are 10 times more cars on the road, but a lower total number of fatal car accidents. While driving will never be completely safe, millions of lives have been saved through the realization of the problem, innovation, education, market demand, open standards, and government regulations. I am confident that we will make the information superhighway safer for everyone through the same efforts.

For the automobile industry, the seatbelt is an innovation that has had the greatest positive impact on passenger safety. Further advancements in car safety designs and driver’s education programs have similarly equipped new drivers with the tools they need to safely navigate any unforeseen turns.

What if there was a driver’s education program to help internet users move safely across the internet? Perhaps this should become a staple in a school curriculum just like Math and History?

Education, innovation, and collaboration are key to helping us all solve this complex challenge together. With that in mind, I am sharing a security quiz that we developed for basic IT security training of new Yubico employees. I invite you to test your security knowledge, and please feel free to share the quiz with family, friends, and coworkers.

Safe driving on the internet!

Yubico Team

Find Your Perfect YubiKey Match

At Yubico, we love security. As we approach Valentine’s Day, we’re reminded of this, and we want to share the love!

From February 12 to 18, we are offering a 25% discount on the purchase of two single YubiKeys (Hint: keep reading). Share the second key with a loved one or use it as a backup.

To help you find your perfect YubiKey match, we’ve created a product quiz that provides YubiKey recommendations based on your work style, computer type, and security needs. The YubiKey comes with a wide range of features in different form factors and designs, so after completing the quiz you’ll have found your perfect YubiKey match.

Ready to meet these YubiKey sweethearts?

 

Take the YubiKey product quiz. Once you’ve made your decision, head over to the Yubico store, add two YubiKeys of your choice to the cart, and use the coupon code YK18-143 at check out to receive 25% off. The Valentine’s Day promotional offer is valid from 12:01 a.m. PT on Monday, February 12 to Sunday, February 18 at 11:59 p.m. PT.

Looking to share the love with your friends? Spread the word with a tweet!

David Treece

Yubico Simplifies Smart Card Deployment in the Enterprise

In the enterprise, smart cards are used to simplify logging into computers, VPNs, and online applications. Smart cards can also be used for digitally signing emails and documents. While smart cards are known for delivering strong authentication, they have not always been known for being the simplest to deploy. For example, to use a smart card in an enterprise setting, an admin needs to install client / driver software on every computer, and an external smart card reader is typically required.

Since 2015, the YubiKey has supported smart card PIV functionality with the ability for the YubiKey to act as both a smart card reader and a smart card, meaning that no extra hardware is required. Most recently, we have simplified smart card deployment with the introduction of a YubiKey smart card minidriver. The new YubiKey minidriver enables users to simply self-enroll using the native Windows GUI, and even manage their smart card PIN from Windows Ctrl+Alt+Del. Administrators also benefit from the YubiKey minidriver by being able to do user provisioning using the Microsoft built-in MMC.

Smart card functionality is one of the five authentication protocols supported by the YubiKey, alongside Yubico and OATH one-time passwords, FIDO U2F, and OpenPGP smart card. With this multi-protocol support, the YubiKey is suitable for deployment across the enterprise to secure access to computers, networks, and services.

Learn more about YubiKey smart card in the enterprise.

Stina Ehrensvard

Why 2018 will be the year for authentication hardware

A journalist recently asked me why the world is seeing the return of hardware authentication. My response is that hardware actually never went away. Today, there is no more prevalent form of user verification than hardware. If there had been an easier and more secure way to deploy and revoke user credentials for billions of people, we would not have hardware SIM cards in our phones or chip credit cards in our wallets.

Security is all about minimizing attack surface and achieving separation. The recent Spectre and Meltdown attacks illustrated that it’s hard to achieve watertight separation between processes as systems become increasingly complex. General purpose computing devices that are connected to the internet have big attack surfaces, making them vulnerable to attacks from many fronts, including malware, phishing, malicious apps, Wi-Fi exploits, VPN masking, and social engineering.

However, hardware security devices by themselves do not automatically make things more secure. Modern threats require stronger cryptography with a tighter integration to the applications they’re designed to protect. As a result, we will see increased awareness and adoption of hardware-based authentication and encryption devices using public key cryptography throughout 2018. These devices keep cryptographic information physically separated from the computing device they are connected to, dramatically minimizing the attack surface.

The benefits of using hardware authenticators go beyond just security. Users wanting to ensure privacy do not want to leave footprints that tie their identity to a particular device. Most mobile devices are controlled or monitored by the telecom or platform providers, collecting data about user activities. Furthermore, tying user identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts, or being anonymous. Hardware authenticators, such as the YubiKey, do not require you to share any personal details of yourself to authenticate.

Additionally, there are enterprises who do not allow their employees to bring their phones to work, which makes mobile device based authentication inaccessible. In some geographic locations, there are regulations in place that prohibit companies from forcing employees to download business applications on personal computing devices.

Mobility is another important benefit of hardware-based authenticators. With your credentials tied to an integrated device, it can be difficult to move your login credentials between devices, as there is no seamless communication standard across all computer and mobile platforms. Using a hardware authenticator with multiple communication methods solves this problem.

Finally, hardware authenticators offer significant benefits related to backups. Regardless of the type of authentication technology selected, users will sooner or later lose, break, or reset their login devices. When organizations allow the use of multiple affordable hardware authenticators, one as a primary and others as backups, productive work will increase and support calls will decrease. A hardware authenticator, such as the YubiKey, can cost less than a support call, and a fraction of the expense of using a mobile phone.

Today, in 2018, Yubico and all leading browsers and platform providers are engaged in open standards work based on hardware and public key crypto across leading standards organizations, including the FIDO Alliance, W3C, IETF, and OpenID. We work together not as competitors, but as true leaders collaboratively driving the open standards that will stop the number one problem of IT security breaches for login, payments, IoT, and beyond: stolen user credentials.

Ronnie Manning

WIRED and Ars Technica Experts Choose the YubiKey 4 for New Subscribers

Credibility is defined as the quality of being trusted and believed in. As Yubico continues to grow the trust from our users, partners, and peers, it is truly valued. It’s with this trust that we continue to drive forward in creating strong, open authentication standards and delivering on our vision and belief of a secure internet for all.

Today, we are honored to announce we are partnering with Ars Technica, as part of celebrating its 20 year anniversary, by offering the YubiKey 4 to new Ars Pro++ subscribers. Ars Technica is a highly respected online publication within the technology community and combines technical savvy content with wide-ranging coverage of human arts and sciences, while specializing in bringing readers the right answer, the first time.

Eric Bangeman, Managing Editor, Ars Technica says, “Keeping your online accounts and personal data safe can be a challenge, but YubiKey’s flexibility and best-in-class two-factor authentication capabilities offer a deeper level of security for its users. Ars Technica is proud to offer the YubiKey 4 as a gift for its Ars++ subscribers.”

Limited Edition WIRED and Ars Technica YubiKeys

Also today, we are equally excited to say we are partnering with WIRED magazine to deliver YubiKeys to their new subscribers as well. WIRED is the ultimate authority on the people and ideas changing our world. With a particular focus on emerging technologies, they don’t just write about the future, they ignite it.

As Nicholas Thompson, Editor-in-Chief, WIRED states, “We’re thrilled to be able to offer our subscribers free YubiKeys. Our readers are sophisticated technology users who value their security, which is why we picked YubiKey as a natural gift for them.”  

With both of these powerful and forward-thinking audiences, we are extremely honored that experts from WIRED and Ars Technica chose the YubiKey as the gift of security for their readers. The best part is, subscribers are not receiving a regular YubiKey — they are receiving a limited edition YubiKey 4 with a laser-etched WIRED or Ars Technica logo. The cool factor is upped considerably here. 

Now, new WIRED and Ars Technica subscribers will be able to add the most secure, easy-to-use multi-factor authentication to their business and personal accounts. YubiKey support is available with services such as Google, Facebook, and Dropbox, plus popular password managers, and hundreds of other services — all with a simple touch.  

Looking to read about some of the best in tech? Are you an avid WIRED or Ars reader? Want to get your hands on one of these limited edition YubiKeys? Check out the subscription information for WIRED and Ars Technica!

Ronnie Manning

Yubico CEO Wins Ernst & Young Entrepreneur of the Year Award

Today, we are proud to announce that Yubico CEO & Founder, Stina Ehrensvard, won the national finals for Ernst & Young’s Entrepreneur of the Year, earning her the title of Female Shooting Star, Sweden. This follows her acceptance of the regional Female Shooting Star award for Stockholm, which was awarded in November 2017.

Stina shares, “Few entrepreneurs succeed alone, and this award would not be possible without a fantastic team. As American anthropologist Margaret Mead once said, ‘Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it’s the only thing that ever has’.”

The annual Entrepreneur of the Year awards recognize exceptional business leaders who create products and services that drive a healthier worldwide economy. Specifically, the Female Shooting Star award is reserved for the woman who leads significant company growth in a short period of time. Ernst & Young organizes and distributes the awards regionally, nationally, and internationally with a mission to encourage entrepreneurial interest and inspiration among future generations.

The judging committee concludes, “Stina Ehrensvard has developed the solution for a growing problem and created an international company. The path from idea to success was not a straight line, but thanks to drive and dedicated work she found the key to success. Her product may be small, but it makes the difference for internet security across the globe.”

To learn more about Stina’s entrepreneurial journey and the passion, technology and teamwork that contributed to Yubico’s success, read more about her story in Entreprenör Magazine and Marie Claire. Additional information on the Entrepreneur of the Year awards can be found here.

Jesper Johansson

5 Best Practices for Companies Serious About Data Privacy

If you caught this month’s earlier blog, you’ll know that Yubico is partnering with the National Cybersecurity Alliance to support Data Privacy Day, which takes place on January 28. Protecting privacy is one of the main end goals of a security program. It’s incredibly important to us at Yubico to empower and educate individuals and businesses on the best ways to stay safe online.

Our first Data Privacy Day blog focused on the individual user by outlining some of the most common ways internet credentials are stolen, and a surprisingly easy solution to protect against them. In the second blog of our two-part Data Privacy Day series, we take a closer look at how a security program supports your data privacy initiatives.

Companies who take data privacy seriously all have five things in common. If you are advocating for better data privacy in your organization, you want to start with a security program that supports these efforts. Such a program has a few common characteristics.

Leadership buy-in

Prioritizing the protection of data and systems starts at the top. The entire executive team, including the CEO and the Board, must know that security is a key priority for your organization. Otherwise, when it comes to allocating finances and resources, security will take a back seat.

This can seem daunting, but it’s actually becoming less difficult to receive this sort of leadership buy-in. For those who ever need a good selling point, just look at the volume and tone of press coverage after some of the most recent data breaches.

A person responsible for security and privacy

Explicitly identify and designate one individual who is responsible for overall security and privacy at the company. This means building out a C-level position to own all aspects of security and privacy, as well as legal and compliance risks. Not only will this ensure that there is a holistic, comprehensive approach to the security and privacy strategy, but it will also help further leadership buy-in by giving security a seat at the executive table and decision-making process. By having security and privacy at the company leadership level, the group can better work with the business by planning for organizational initiatives rather than being surprised by them.

A culture of security and privacy

It’s no surprise that a lot of security and privacy incidents within an enterprise are related to human errors. With tight deadlines and busy schedules, it can be attractive for ambitious, well-intentioned employees to cut corners, and security is usually one of the first areas to take a hit. Reusing passwords, using easily-guessed passwords, sharing credentials, leaving work devices unattended or unlocked, and mistakenly clicking on malicious links are just a few common employee practices that result in breaches. Employees have a job to do, and if security hinders them rather than helps them, they will work around controls they don’t understand.

Companies that take security and privacy seriously run programs that are designed to ensure every employee knows, understands, and follows company security and privacy protocols. These programs also have clear expectations and consequences for failure to abide by the policies. To be clear, this doesn’t—and shouldn’t—mean leading with fear. It means taking the time to educate different groups of people about the negative impact a data breach could have on revenue, safety, and overall company health and reputation. The best security and privacy teams focus on enabling employees to do their best work by making it easy for them to do security right.

Clear processes and policies

Having a good governance framework won’t matter if users aren’t familiar with the processes and policies involved. After all, it’s important to ensure that the plan can actually be implemented.

It’s also critical to know how to measure the success of the program. The ability to demonstrate the return on investment (ROI) for security products and services is invaluable to CEOs and the Board. Return on mitigation (ROM) is another valuable metric. It reframes the potential losses from a risk as business gains, by calculating how much would not be lost through effective mitigation.

An incident response plan

While no company wants to deal with a data breach, companies that prepare for one before it happens weather the storm better. After you get compromised is a terrible time to draft the notification to the board and your customers, and is just as bad a time to figure out how to determine what happened and stop it. A clear, and tested, response plan helps all parties involved know what to do, what their role is, and how to communicate internally and externally.

At Yubico, we are experts at authentication—trusted by millions all around the globe to guide them through securing access to devices, networks, and web applications. That’s because we drive innovation and have modernized strong authentication, making strong two-factor authentication (2FA) easy to use, all while reducing IT costs.

Don’t forget, Data Privacy Day is happening on January 28, and we welcome you to join in the movement! Start now by helping to educate and empower individuals and businesses on becoming #PrivacyAware. For additional tips on how to improve online safety, read more here.

Yubico Team

5 Surprisingly Easy Ways Your Online Account Credentials Can Be Stolen

This month, Yubico is partnering with the National Cybersecurity Alliance (NCSA) to support and promote Data Privacy Day, an initiative to empower individuals and encourage businesses to respect privacy, safeguard data, and enable trust. While Data Privacy Day is a one-day event taking place on January 28, security is our focus at Yubico everyday, and we are starting the conversation about online security and privacy early!

When it comes to compromised internet security, it can be difficult to know what you’re defending against, because attacker objectives, victims, and techniques vary significantly. That said, we do know that internet credential theft and misuse is involved in nearly 81% of hacker-related breaches. Since stealing someone’s password or other authentication data is relatively easy to do from afar, and there’s little risk of getting caught, it’s become one of the most common attacks in the world.

In this two-part blog series, we will uncover some of the most common techniques for stealing internet credentials, popular and proven methods of defending against these attacks, and best practices to keep your data safe. Before we can effectively protect ourselves online, we must first understand the threats that we’re facing.

Weak Password Guessing

Attackers try common passwords with specific or common usernames across many sites, and this can be surprisingly successful. Unfortunately, most people struggle with creating or remembering strong passwords. As a result, people often choose weak passwords for convenience, or because they don’t think it matters, and rarely change them if circumstances change.

Password Reuse Abuse – Credential Stuffing

Attackers regularly take credentials stolen from one site and try them on another, as it’s very common for people to use the same password, or a variant, across multiple sites. This problem is exacerbated by the large volume of stolen credentials available for sale on the dark web with hundreds of millions of credentials available to attackers. Attackers have also reportedly targeted weaker sites to gain an individual’s credentials. If they’re successful, they’ll use those same credentials on other sites that they’re actually interested in.

Man in the Middle (MitM) Attacks

Sometimes, attackers have access to the network path between their victim’s computer and the site they are accessing. This can enable the attacker to view what sites someone is accessing and steal their data if the connection is not encrypted or if the victim believes the attacker’s system is legitimate.

This privileged position can be used to wait for users to access the site of interest, or it can be used in combination with other techniques, such as phishing, to entice someone to visit the site of interest.

Phishing

Phishing carries serious risks for internet users. Credential phishing typically uses some pretext to convince a person to reveal their credentials directly, or to visit some site that does the same. Attackers do this via SMS verification, email, telephone, instant message, social networks, dating sites, physical mail, or by any other means available.

Account Recovery Exploitation

Due to the large scale of users for many services and the general desire to keep support costs low everywhere, account recovery flows can be much weaker than the primary authentication channel. For example, it’s common for companies deploying strong two-factor authentication (2FA) solutions as their primary method to leave SMS as a backup. Alternatively, companies may simply allow help desk personnel to reset credentials or set temporary bypass codes with just a phone call and little to no identity verification requirements.

Services implementing 2FA need to strengthen both the primary and the recovery login flow so that users aren’t compromised by the weaker path.

The Silver Lining

There is an equally surprisingly easy and affordable way to protect online accounts from all of these attacks. It’s called FIDO Universal 2nd Factor (U2F), a modern security protocol invented by Yubico and Google that is specifically designed to help online services and users tackle these common attacker techniques. Since its inception in 2012, U2F has become widely adopted by many services, including Gmail, Dropbox, Facebook, GitHub, Salesforce.com, and more.

The protocol works by registering a physical hardware device, like the YubiKey, with your service. Once paired, the service will challenge you to provide your account password (something you know) and to present your YubiKey (something you have) by inserting it into the USB port and touching the gold contact (called test of user presence). There are no codes to type or apps to load. The YubiKey does the work for you.

A single U2F device, like the YubiKey, can be used with nearly unlimited services and accounts all while providing data privacy. That’s because the YubiKey generates a new pair of keys for every service, and only that service stores that specific public key. With this approach, no secrets are shared between service providers.

So how does the YubiKey stop hackers even when they’ve stolen your account password? Without also stealing your YubiKey (a physical device), an attacker can’t get access to your account. Once you’ve turned on U2F, you can also help secure your accounts against account recovery exploitations by turning off less secure forms of 2FA like SMS, wherever possible.
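The mechanics behind the last three paragraphs, and behind the three FIDO2 assurance levels listed earlier in this post series (touch as second factor, touch-only passwordless, touch plus PIN), can be seen in a small model written for this page; it is an added illustration, not Yubico’s code nor a real CTAP implementation. The authenticator keeps one fresh ECDSA key pair per relying party ID and signs the WebAuthn-style authenticator data; the service stores only the public key, checks that the assertion was made for its own origin, and checks the user-presence and user-verification flags against the assurance the operation needs. Relying party IDs, the challenge bytes and the lookalike domain bank-example.net are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// WebAuthn authenticator-data flag bits.
const (
	flagUP = 0x01 // user present: the key was touched
	flagUV = 0x04 // user verified: a PIN (or biometric) was also checked
)

// Authenticator models a security key holding one fresh key pair per relying party ID. Private keys never leave this struct.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

// Register creates a key pair for rpID and hands out only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

type Assertion struct {
	AuthData  []byte // rpIdHash (32) || flags (1) || signCount (4)
	Signature []byte // ES256 over AuthData || clientDataHash
}

// digest is what ES256 signs: SHA-256(authData || clientDataHash).
func digest(authData, clientDataHash []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	return h[:]
}

// Sign answers a challenge. The browser supplies rpID from the page origin,
// so a lookalike site can never ask for the real site's key.
func (a *Authenticator) Sign(rpID string, clientDataHash []byte, userVerified bool) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 0) // signCount left at zero
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(authData, clientDataHash))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, Signature: sig}, nil
}

// RelyingParty is the service side: it stores a public key, never a secret.
type RelyingParty struct {
	ID     string
	PubKey *ecdsa.PublicKey
}

// Verify accepts an assertion only if it was signed for this RP by the
// registered key and carries the flags the operation's assurance level needs.
func (rp *RelyingParty) Verify(as *Assertion, clientDataHash []byte, requireUV bool) error {
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) != 37 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another origin")
	}
	flags := as.AuthData[32]
	if flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return errors.New("required user presence/verification flags missing")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, digest(as.AuthData, clientDataHash), as.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub, _ := key.Register("bank.example") // constructed relying party ID
	bank := &RelyingParty{ID: "bank.example", PubKey: pub}
	cdh := sha256.Sum256([]byte("constructed client data with challenge"))
	as, _ := key.Sign("bank.example", cdh[:], false) // touch only
	fmt.Println("touch-only login:", bank.Verify(as, cdh[:], false))
	fmt.Println("touch-only, PIN required:", bank.Verify(as, cdh[:], true))
	as, _ = key.Sign("bank.example", cdh[:], true) // touch + PIN
	fmt.Println("touch+PIN, PIN required:", bank.Verify(as, cdh[:], true))
	key.Register("bank-example.net") // lookalike site gets its own, separate key
	as, _ = key.Sign("bank-example.net", cdh[:], false)
	fmt.Println("phishing site relays to bank:", bank.Verify(as, cdh[:], false))
}
```

The last two calls are the phishing case from the text: even if the user is tricked into registering the same key at the lookalike site, the assertion it obtains is bound to that origin and is rejected by the real service.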

For more information on internet credential theft and misuse, read our whitepaper. Also stay tuned for part two of our blog series!

Alex Yakubov

IBM and Yubico Simplify Strong Security for Enterprises

Raise your hand if you’re a fan of security products that live up to their name and also deliver a delightful user experience! You know we are, and that’s why we’re happy to announce a joint effort with IBM to deliver FIDO Universal 2nd Factor (U2F) protection with the YubiKey through the IBM Security Access Manager (ISAM). The FIDO U2F open authentication standard provides the highest level of security assurance and protects against phishing and man-in-the-middle attacks aimed at stealing credentials and gaining access to enterprise systems and services.

If you’re an ISAM customer, and are currently evaluating two-factor authentication (2FA) or multi-factor authentication (MFA) options, then look no further. IBM has integrated the strongest level of 2FA to ISAM with YubiKey and FIDO U2F support. The YubiKey FIDO U2F Settings Configurator for ISAM is available in the IBM Security App Exchange, a marketplace where developers across the industry can share applications based on IBM Security technologies.

The new app enables ISAM Administrators to quickly and easily reconfigure the ISAM appliance to enforce FIDO U2F with YubiKey attestation in a matter of minutes. From there, end users are able to register their own YubiKeys for easy, secure access to any systems you have connected for Single Sign-On (SSO). The YubiKey offers a frictionless authentication experience for ISAM admins, users throughout the organization, and external customers.

For a limited time, we’re offering ISAM Admins the YubiKey Experience Pack for $100* ($268 value), which includes one of all six YubiKey form factors. Use them to test out the integration in your environment, and let us know how we can help when you’re ready to roll out the YubiKey to your organization.

*Offer valid through 11:59pm PT December 15, 2017, while supplies last.

Jerrod Chong

How to Navigate FIDO U2F in Firefox Quantum

Firefox Quantum is the latest internet browser to natively support FIDO Universal 2nd Factor (U2F) devices, and we couldn’t be more thrilled to see this advancement! With Mozilla jumping on board, millions of Firefox users can now begin to experience the ease-of-use and security of the YubiKey and U2F authentication...with one small caveat. FIDO U2F is not turned on by default in the Firefox browser.

If you’re among the individuals testing the FIDO U2F YubiKey with Firefox Quantum, you’ve likely already experienced a few common challenges. First, FIDO U2F is not a default setting with the latest Firefox browser. It requires configuration in advanced settings. Second, even after enabling FIDO U2F, some services may not recognize it. We understand that this can be frustrating or inconvenient for users, and as a principal inventor of the FIDO U2F open authentication standard, we’d like to provide additional clarity and guidance.

Why isn’t FIDO U2F a default setting in Firefox Quantum?

Mozilla plans to only support the out-of-the-box experience with FIDO U2F devices using Web Authentication APIs (as part of FIDO 2) versus FIDO U2F APIs. Per the company’s Security/Crypto Engineering wiki page, they intend to “...permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57 (Done in Firefox 57), and Web Authentication (on by default) in Firefox 59 or 60.”

In many ways, FIDO 2 is the next generation of FIDO U2F, as it will pave the way for things like multi-factor and passwordless login, while still supporting the two-factor authentication (2FA) functionality of the original FIDO U2F standard. As the Web Authentication specifications will likely not be complete until early 2018, users will need to wait for the seamless experience with U2F devices in Firefox until the Web Authentication API integration is done.

How do I enable FIDO U2F in Firefox Quantum?

While the FIDO U2F experience in Firefox is limited at the moment, turning it on is very simple. It only takes three steps.

1. Type about:config into the Firefox browser.

2. Search for “u2f”.

3. Double click on security.webauth.u2f to enable U2F support.

Even after enabling FIDO U2F in Firefox Quantum, why won’t YubiKeys work for some U2F-enabled sites?

Integrating with the FIDO U2F v1.1 JS API will allow a developer’s web app to support U2F on Firefox. That said, it’s important to understand that every FIDO U2F implementation can vary from the official specifications. For example, Mozilla did not fully implement the FIDO AppID and Facet Specification. Some sites supporting FIDO U2F have made accommodations for the incompleteness of Firefox’s implementation, but some have not. In other situations, some services may not work with Firefox Quantum because of a service-specific implementation. For this reason, Firefox Quantum users are currently having trouble authenticating with their FIDO U2F devices on some sites that typically support FIDO U2F devices. Our recommendation? Make a request to both Mozilla and that particular service to refine their FIDO U2F support, allowing for Firefox compatibility.

Ultimately, Mozilla’s FIDO U2F support is a huge progression toward strong, unphishable authentication. We can only hope to see the platform’s FIDO U2F authentication experience grow to become seamless and simple as the FIDO standard intends.

5.9.18 Update - Firefox 60 is the first browser to support the new security standard, FIDO2, Web Authentication (WebAuthn) and U2F

Yubico Team

Yubico Closes 2017 with Four Major Events

Typically, the Winter holiday season can make for a more quiet year-end for businesses, but things are still in full swing here at Yubico! Over the course of the next two weeks, you’ll find us at four major tech events across the United States and Europe: AWS Re:invent, Gartner IAM Summit, Trustech, and BlackHat Europe.

Whether you attend a speaking session, or stop by our booth, visit us to talk all things YubiKey. Let’s chat about identity and access management (IAM) integrations, next-gen payment and identity ecosystems, IT trends and research, and the future of authentication. We can also catch you up on Yubico’s latest and greatest, including the recently launched YubiHSM 2. To get you up to speed, here are a few of the things we’ve been working on over the last few months:

  • YubiHSM 2 is now available. Launched October 31, it’s the world’s smallest and most cost-effective hardware security module (HSM) for server protection, costing only $650.
  • We launched our latest YubiKey form factor, the YubiKey 4C Nano, in September. It’s the only multi-protocol USB-C authenticator of its kind, and is a true design and engineering triumph.
  • A recent integration with identity proofing provider ID.me marks the first roll out of FIDO U2F and YubiKey two-factor authentication for government agencies in the US.
  • The reality of passwordless login is closer with joint efforts from Yubico and Microsoft on the FIDO 2 open authentication standard. The first public demonstration of this was given at the 2017 Cloud Identity Summit (CIS) using a Microsoft Windows 10 computer through Azure Active Directory (AAD) and a YubiKey.

We’d love to fill you in on all of the exciting things we’re working on and how it all plays into the greater security and identity ecosystem, so be sure to pay us a visit! Wondering where you can find us at each show? You can get all the details on our events page.

Yubico Team

Yubico CEO Awarded 2017 Shooting Star by Ernst & Young

Today, we are proud to announce that Yubico CEO & Founder Stina Ehrensvard was awarded the 2017 Female Shooting Star by Ernst & Young’s Entrepreneur of the Year awards in Stockholm.

The annual Entrepreneur of the Year awards recognize exceptional business leaders who create products and services that drive a healthier worldwide economy. Specifically, the Female Shooting Star award is reserved for the woman who leads significant company growth in a short period of time. Ernst & Young organizes and distributes the awards regionally, nationally, and internationally with a mission to encourage entrepreneurial interest and inspiration among future generations.

All award finalists are evaluated by a jury based on entrepreneurial spirit, innovation, personal integrity, financial performance, strategic direction, market impact, and social responsibility. The jury for Stockholm’s regional finalists included previous Swedish award winners and local business representatives with solid knowledge and experience of entrepreneurship. Upon the jury’s delivery of the award to Stina, it was noted:

“With an impressive and inspiring forward-looking mindset and goal-consciousness, Stina is building a new world standard in one of the most competitive sectors in the IT world. A future-defining entrepreneur can create something that the world has not seen before. This entrepreneur demonstrates that she is about to do this. Backed by an impressive customer list and explosive growth, she is aiming for gold.”

To learn more about Yubico’s corporate growth and industry leadership, read our press release. Additional information on the Entrepreneur of the Year awards can be found here.

Yubico Team

YubiHSM 2 is here: Providing root of trust for servers and computing devices

If you were to ask someone who Yubico is or what we do, you’ll likely get the answer, ‘YubiKeys’, and rightfully so. YubiKeys are our foundation, and at the core of our mission to provide tried and true multi-factor authentication since 2008. They are used and loved by some of the world’s largest companies and by millions of individuals in more than 160 countries. But what a lot of people don’t know is that our product portfolio is more extensive. We’re also in the business of protecting servers and the keys stored on those servers, and today, we are thrilled to launch the YubiHSM 2.

True to Yubico form, the YubiHSM 2 defies a conventional design approach to hardware security modules (HSM) with the company’s signature traits of simplicity and affordability. The ultra-slim nano form factor YubiHSM 2 device is affordable at $650, offering advanced capabilities and benefits at a price within reach for all organizations. This is far from the traditional $10,000 HSM box that might typically come to mind.

Many customers will use the YubiHSM 2 to secure their certificate authorities’ (CAs) root keys and to verify signatures. The YubiHSM 2 also offers advanced signing with EdDSA curve 25519.

So, how does the new YubiHSM 2 fit into your organization? Our VP of Product Jerrod Chong gives us a real-world snapshot of the YubiHSM 2 in action:

Q: Why would an enterprise or SMB have a need for an HSM?

Every organization needs to protect their server environments and the cryptographic keys stored on those servers. Approximately 95% of all IT breaches happen when a user credential or server gets hacked. HSM hardware delivers advanced protection to prevent the theft of keys while at rest or in use. This protects against both logical attacks against the server, such as zero-day exploits or malware, and physical theft of a server or its hard drive. However, most companies have taken a software-based approach, as hardware-based protection has always been cost prohibitive with traditional HSM solutions. That is not the case with the YubiHSM 2.

Q: What would a typical YubiHSM 2 enterprise deployment look like?

A typical YubiHSM 2 deployment for enterprise would include the use of hardware-backed keys for a Microsoft-based PKI implementation. Deploying the YubiHSM 2 for Microsoft Active Directory Certificate services not only protects the CA root keys, but also protects all signing and verification services using the root key. For this particular type of YubiHSM 2 deployment, implementation is fairly plug-and-play.

Q: What were some of the more unique or creative ways people were using YubiHSM 2 during the beta program?

While protection of root keys for Microsoft AD Certificate services is a common use case, participants in our beta program also explored the use of the YubiHSM 2 for improving security on manufacturing lines, increasing security for IoT gateways and network appliances, and augmenting security on legacy SCADA.

Q: Can the YubiHSM 2 be used on virtual systems?

Yes, the YubiHSM 2 is network-sharable. While it plugs into a USB port on a host machine, communication is handled via a connector that can speak HTTPS. This means it can speak with any application connected to the network using HTTPS, a feature not previously available on the original YubiHSM model and not frequently supported by lower-priced HSMs. This can be especially advantageous on a physical server that is hosting multiple virtual machines (particularly for cloud applications), so organizations are not bound to the host machine USB ports.

Q: The size of the YubiHSM 2 is rare for an HSM. What was the impetus behind selecting the “nano” form factor?

One of the drawbacks with traditional HSM solutions is that they are large in size, making it difficult to deploy on servers that use rack-based installations. The Yubico nano form factor allows the HSM to be inserted completely inside a USB-A port with minimal protrusion. This allows for optimized placement in tightly constrained server racks.

For more information on additional YubiHSM 2 capabilities and technical specifications, visit https://www.yubico.com/products/yubihsm. Alternatively, if you are ready to purchase the YubiHSM 2 for your organization, units are available on our store.

Yubico Team

Growing our security and open standards team

In celebration of this week’s National Cybersecurity Awareness Month theme, The Internet Wants YOU: Consider a Career in Cybersecurity, we asked three of our security and open standards rockstars — Jesper Johansson, Torbjörn Granlund, and John Bradley — to share their career background, and the journey that led them to Yubico.

Jesper Johansson, Chief Security Architect, Yubico

Jesper joins Yubico’s Seattle office to grow and lead the Yubico Security Team. He leaves his post at Google, where he worked in the Security & Privacy team. Prior to that, he spent a decade at Amazon, rising to Chief Security Architect for Amazon's Worldwide Consumer business, and was a security strategist and founding team member of the Trustworthy Computing Team at Microsoft.

When asked to impart some advice to those pursuing a career in cybersecurity, he shared:

“Two things -- first, learn another field as well. You can't be an expert in security without being an expert in some related field. Security is all about protecting something, and you have to have a good understanding of that something else. Second, be pragmatic. The biggest mistake security folks make is trying to secure things to a level that far exceeds the value of the asset you are protecting, or the risk to that asset. We need to focus on security solutions that support the business rather than those that hinder it.”

Jesper is the author of three books, many articles, and blog posts, and has delivered more presentations on security than anyone could remember.

Torbjörn Granlund, Senior Software Engineer, Yubico

Torbjörn recently joined our Stockholm office as an expert in efficient and side channel resilient asymmetric cryptography. He has contributed fundamental functionality to the GNU project, which is used by Linux for file copying, string and memory operations, as well as the GNU compiler.

Torbjörn proves that following your passion and honing your skills can lead to a fulfilling career and significant breakthroughs. “I’ve always been into maths, and in my teens turned into programming. I took a Masters in Science in CS. Far into my career, I realized that my maths skills were lacking, and decided to take a PhD with more maths and more theoretical CS,” said Torbjörn.

Torbjörn developed and authored the GMP arithmetic library, the de facto standard library for arithmetic within the areas of computational number theory — truly a great achievement in the field of mathematics. It is used for asymmetric cryptography in libgcrypt, nettle, GnuTLS, and optionally in OpenSSL.

John Bradley, Senior Technical Architect, Yubico

With more than 15 years of experience, John is an Identity Management subject matter expert and IT professional, whose primary focus at Yubico is on open identity standards. John is treasurer of the OpenID Foundation and the Open Identity Exchange (OIX), and an active contributor to SAML, OAuth, and other IETF standards. He is also one of the leaders of OSIS and the OpenID Certification, forums that vendors use for industry interoperability testing.

In a previous role, John was asked for a solution that offered the same level of security used for the US Government Service Agency (GSA), but was simple enough for the average user. Meeting the challenge, John co-authored the ICAM protocol profiles at Protiviti Government Services on behalf of GSA, and is currently co-authoring the next version of the openID specification and related standards.

“The standards are all coming together for 2018, as observed by Microsoft at CIS. We also made progress this year by updating NIST SP-800-63 to a third revision to accommodate the new techniques beyond the original smart card model,” he continued. “The goal is to make possible end-to-end proof of possession security from the first authentication through to the last access token.”

With an impressive list of achievements between the three, we are thrilled and proud to welcome them into the Yubico team.

Interested in a career in cybersecurity at Yubico? Check out our open job opportunities here.

Jerrod Chong

iPhone support for YubiKey OTP via NFC

Will my YubiKey NEO work on iPhones now that iOS 11 added some NFC support? It’s a fair question – one that we’ve been getting a lot of. This blog explains some of the details about iPhone support for YubiKey OTP to help bring some clarity to YubiKey users.

First, it’s important to understand the limited scope of Apple’s NFC support. Apple’s NFC APIs for iOS (Core NFC) allow iPhone apps to read the NFC Data Exchange Format (NDEF) records from certain NDEF tags (only supported on iPhone 7, 7 Plus, and up). However, there are a few limitations. Besides the fact that the NFC Reader interface can only be fired up from an app, Core NFC does not allow for the write operations that are required for authentication protocols like FIDO U2F. As a result, NFC on the iOS platform cannot support Google’s recently announced Advanced Protection Program.

However, because NFC tag reading is supported, it allows developers to build apps, including consumer-facing or purpose-built enterprise applications, with one-time passcode (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, we finally have some good news for iPhone lovers: the YubiKey NEO will support OTP over NFC for applications that run on iOS 11 and iPhone versions 7+. While Yubico acknowledges this progress, ubiquitous Apple support for strong authentication, namely FIDO protocols, remains out of reach at the moment.

For YubiKey users, this improves OTP two-factor authentication on the iPhone. Now they can authenticate with just a tap of their YubiKey NEO against the phone. Additionally, developers have a better authentication option to integrate with their mobile applications. One caveat remains: developers will have to build NFC support into each individual application to retrieve the OTP from the NDEF tag. Edit (28 May, 2018): See our new Mobile SDK for iOS.

In contrast, Android supports NFC natively in the platform. For example, Android developers can open the NDEF record for a URL with the default browser instead of opening up the specific app to read the NDEF tag. Furthermore, Android developers can also add FIDO U2F support using the Android FIDO U2F APIs.

While this is encouraging news, we realize it is not yet the complete desired solution. With Apple finally opening up parts of its NFC technology (just like with Touch ID a few years ago), we are hopeful that this standards-based approach will evolve. We know security is only as strong as its weakest link; it is high on our bucket list of things to solve for the ecosystem!

What can you do? As Yubico continues to advocate for ubiquitous, strong authentication for all, we invite you to join us in voicing or tweeting your concerns and desires to Apple to expand their NFC on iOS. As a customer-centric company, Apple will greatly value your input. To send developer feedback to Apple, visit their contact page or send a tweet to @AppleSupport.

Yubico Team

Catch today’s webinar: Next-gen Identity Management

Are your users really who they claim to be? What is the impact to your business if your end-users are registering as fake individuals, or impersonating others? If the identity of your users matters to your business, then you’ll want to join today’s webinar hosted by SC Magazine.

Identity, the internet, and your business—architecting your online product/service once was as simple as enabling someone to create a user name and a password. It’s not that easy or simple anymore. User names are easily guessed and passwords are easily breached. The answer, of course, is that identity and access management software needs to be absolutely certain that the identity is correct and not an attacker pretending to be the authorized user. NIST 800-63-3 recommends combining identity proofing with multi-factor authentication.

Tune in to today’s webinar on next-gen identity management. Yubico’s foremost identity expert, John Bradley, will chat with SC Media’s editor, Stephen Lawton, about identity proofing in the real world, and how companies can ensure a user is who they claim to be and not an imposter.


About John Bradley

John has over 15 years experience in the information technology and identity management field. He advises Government Agencies and commercial organizations on the policy and technical requirements of Identity Management, Federated Identity, PKI and smart card solutions. He is often consulted and brought in to brief clients, vendors, staff, and standards organizations on complex state-of-the-art identity management concepts, best practices, and technical requirements because of his amazing ability to make complex topics simple.

Google Advanced Protection Program Keys
Alex Yakubov

Yubico Partners with Google’s Advanced Protection Program

Today, Google formally announced their Advanced Protection Program designed to safeguard the personal Google Accounts of those most at risk of targeted online attacks, including journalists, business leaders, and political campaign teams. Yubico has partnered with Google on this initiative as part of our ongoing commitment to working with people at risk including human rights organizations, such as Freedom of the Press, EFF, and The ISC Project, as well as journalists at the NY Times and other news publications.

Modern phishing and man-in-the-middle (MiTM) attacks are creating new threats for users, and Google’s Advanced Protection Program is an important initiative to protect those most at risk. An extensive Google research study found that traditional 2-step verification and other authentication methods such as codes sent via SMS, one-time password tokens, and mobile apps are now phishable and susceptible to these attacks.

Personal Google Account Advanced Protection Program Login Flow

This is why Yubico and Google co-created the FIDO Universal 2nd Factor (U2F) standard, and why Yubico created the unphishable Security Key, supported by Google since 2014. Both the FIDO U2F standard and the Security Key form the foundation for Google’s new Advanced Protection Program.

Google’s Advanced Protection Program extends the benefits of using YubiKey security keys with important security enhancements.

  • The strongest defense against phishing - Advanced Protection makes it a requirement to use both a password and a physical security key when signing in. Other authentication methods that can be more easily phished by attackers, including codes sent via SMS or the Google Authenticator app, are not permitted and will no longer work.
  • Limit data access to trusted apps - Advanced Protection automatically prevents non-Google apps from accessing your most sensitive data, like your emails or documents.
  • Block fraudulent account access - Advanced Protection adds extra steps to verify your identity during the account recovery process to safeguard against fraudulent account access.

In partnership with Google, Yubico is proud and honored to announce our participation and support of those signing up for Google’s Advanced Protection Program. Get a recommended YubiKey Advanced Protection bundle here.

You can read more about how to sign up to the program at Google’s Advanced Protection Program information page.

Yubico Team

Infineon RSA Key Generation Issue

Infineon Technologies, one of Yubico’s secure element vendors, has informed us of a security issue in their cryptographic firmware library. The issue affects TPMs in millions of computers, and multiple smart card and security token vendors.

For Yubico, the issue weakens the strength of on-chip RSA key generation, and affects some use cases for the PIV smart card and OpenPGP functionality of the YubiKey 4 platform. We’ve issued a security advisory on this issue.

FIDO U2F, OTP, and OATH functions of the YubiKey 4 platform are not affected. The YubiKey NEO, FIDO U2F Security Key and YubiHSM are not impacted, nor are the deprecated products YubiKey Standard and YubiKey Edge. Externally generated RSA keys are not affected.

Yubico estimates that approximately 2% of YubiKey customers utilize the functionality affected by this issue. We have addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017.

At this time, we are not aware of any security breaches due to this issue. We are committed to always improving how we protect our customers and continuously invest in making our products even more secure.

We offer customers who are affected mitigation recommendations and optional YubiKey replacement. For more information please refer to our dedicated customer portal.

Stina Ehrensvard

The key to GDPR compliance and online privacy protection

The EU General Data Protection Regulation (GDPR) is a new set of mandates aimed at protecting the privacy of internet users. From May 2018, any organization operating, storing or processing data of EU citizens will be subject to the requirements. With the threat of hefty fines of €20M or 4% of worldwide turnover for non-compliance, whichever is greater, GDPR has got everyone’s attention.

One of the key components for GDPR compliance is the need for strong authentication. With billions of stolen credentials now in circulation, the use of usernames and passwords is no longer sufficient for protecting personal data. The European Union Agency for Network and Information Security – ENISA – describes authentication as ‘key to securing computer systems’ and as the first step ‘in using a remote service or facility, and performing access control’. Among the authentication solutions referenced as GDPR-compliant are one-time password solutions, smart cards, and FIDO Universal 2nd Factor (U2F).

At Yubico, it’s been our mission to make strong two-factor authentication easy to use and deploy, and available for everyone. We disrupted One Time Password (OTP) technology by introducing the YubiKey’s simple-touch solution that requires no client software to install. We co-created the FIDO U2F open standard and developed a next generation, simplified, and more secure PIV smart card technology. All these protocols and acronyms – OTP, PIV, FIDO U2F – enable one YubiKey to provide strong authentication for secure access to the majority of IT systems, ranging from computers and phones to networks and online services.

But of all the three protocols, FIDO U2F is the most powerful.

FIDO U2F has today proven at scale that it is the strongest defense against modern phishing attacks that hijack the session, the so-called man-in-the-middle attacks. As well as being easy and affordable to use and support, FIDO U2F preserves the privacy of internet citizens.

Many online authentication and identity technologies store user data and cryptographic secrets in centralized servers. An essential feature of FIDO U2F is that it does not store any personally identifiable information (PII), and while it works across any number of services, it does this without sharing any information between the services. It is these game-changing privacy measures that make the YubiKey and FIDO U2F optimal for GDPR compliance.

Government regulations supporting public safety are not new. Several times before we have seen government step up and re-write laws when the health and security of citizens are at risk. We may like it or not, but some of these laws have been effective. For example, today, significantly fewer people are killed by cars and cigarettes compared to the 1950s.

With the May 28, 2018 deadline for GDPR rapidly approaching, the days of usernames and passwords as an acceptable authentication technique are numbered. The hefty fines that can be imposed for GDPR non-compliance may be the necessary means for organizations to become responsible when operating, storing or processing data of EU citizens. Learn more about the security, usability, cost and privacy benefits of FIDO U2F.

Please contact us if we can help you with GDPR compliant authentication.

Stina Ehrensvard

Creating the Unphishable Security Key

How the FIDO U2F security key and YubiKey stop phishing and man-in-the-middle attacks

Security is never stronger than its weakest link, and that weakest link is often the user. Not surprisingly, phishing attacks that target users are increasing not only in volume, but also in sophistication. Google knows that. Recently, the search giant updated their login security policy to enable users to set up security keys as their preferred and only authentication method, no longer requiring the use of SMS or a mobile authenticator app.

SMS and mobile authenticator apps are no longer effective at protecting against the modern man-in-the-middle phishing attacks that are able to hijack the session.

To prevent state-of-the-art and old school phishing attacks, Yubico and Google combined a number of advanced security features, listed below, when co-creating the FIDO Universal 2nd Factor (U2F) protocol, to deliver the unphishable key.

Origin bound keys
One of the most common phishing attacks is to trick users into visiting and logging in to a fake website, where the user gives away sensitive login data and performs a fraudulent transaction. With the increasing sophistication of hackers, it is becoming difficult for most users to see the difference between a fake and a real site. Some fake sites may even include the green light indicating a secure connection and an SSL certificate.

The latest sophisticated phishing attacks, so-called man-in-the-middle attacks, are even more aggressive: hijacking the communication between the user and service, and automatically redirecting the user to the fake web site.

With the YubiKey and FIDO U2F Security Key, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication will fail on the fake site even if the user was fooled into thinking it was real.

Verification of user presence
By requiring a simple human touch to trigger the key to authenticate, the YubiKey and FIDO U2F Security Key verify that the person logging in is a real live human behind the computer, and not a remote hacker, bot, or trojan.

No shared secrets
U2F relies on the concept of minting a cryptographic key pair for each service. This means that the authentication secrets for each service are not shared. By using public-key cryptography, the server only has to store the public key for the user. Furthermore, this enhances user privacy as different sites cannot learn for which sites the user has registered.
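The origin-bound key, the touch-based user-presence check and the "no shared secrets" property described in the three features above, and the registration/challenge flow from the earlier "Silver Lining" walkthrough, as an added Go model written for this page (not Yubico's or the U2F reference code): a toy authenticator mints a P-256 key pair per origin, signs SHA-256(appID) || flags || counter || SHA-256(clientData) the way a U2F device does, and refuses a key handle presented from a look-alike origin; the service stores only the public key and rejects a stale counter. The key table, handle derivation, origins and client data are constructed for the example; a real YubiKey derives keys inside a secure element instead of keeping a table.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// keyRecord is one minted key pair, pinned to the origin (appID) it was made for.
// Simplification: a real device folds key and appID into the opaque key handle.
type keyRecord struct {
	appID string
	priv  *ecdsa.PrivateKey
}

// Authenticator models the device: per-origin keys plus a usage counter.
type Authenticator struct {
	keys    map[string]keyRecord
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]keyRecord{}}
}

// Registration is all the service ever stores: an opaque handle and a public key.
type Registration struct {
	KeyHandle string
	PublicKey *ecdsa.PublicKey
}

// Assertion is the device's signed answer to one login challenge.
type Assertion struct {
	Flags     byte   // bit 0 set = user presence confirmed by touch
	Counter   uint32 // monotonic, so the service can spot replays or clones
	Signature []byte // ASN.1 DER ECDSA signature over signedData()
}

// Register mints a fresh P-256 key pair for this origin. The private key never
// leaves the device, so no secret is shared with the service.
func (a *Authenticator) Register(appID string) (Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Registration{}, err
	}
	// Handle derived from the public key: opaque to the service, unique per key.
	handle := fmt.Sprintf("%x", sha256.Sum256(priv.PublicKey.X.Bytes()))[:32]
	a.keys[handle] = keyRecord{appID: appID, priv: priv}
	return Registration{KeyHandle: handle, PublicKey: &priv.PublicKey}, nil
}

// signedData is the byte string both sides sign and verify:
// SHA-256(appID) || flags || counter (big-endian) || SHA-256(clientData).
func signedData(appID string, flags byte, counter uint32, clientData []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append(app[:], flags)
	out = append(out, ctr[:]...)
	return append(out, cd[:]...)
}

// Authenticate is the device side of a login. The browser passes the origin of
// the page it is really on as appID, so a key minted for the genuine site is
// refused on a look-alike site. touched models the test of user presence.
func (a *Authenticator) Authenticate(appID, keyHandle string, clientData []byte, touched bool) (Assertion, error) {
	rec, ok := a.keys[keyHandle]
	if !ok || rec.appID != appID {
		return Assertion{}, errors.New("key handle not registered for this origin")
	}
	if !touched {
		return Assertion{}, errors.New("user presence not confirmed")
	}
	a.counter++
	const flags byte = 0x01
	digest := sha256.Sum256(signedData(appID, flags, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, rec.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Flags: flags, Counter: a.counter, Signature: sig}, nil
}

// Verify is the service side: rebuild the signed bytes with the service's own
// origin, check them against the stored public key, and require the counter to grow.
func Verify(reg Registration, appID string, clientData []byte, as Assertion, lastCounter uint32) bool {
	if as.Flags&0x01 == 0 || as.Counter <= lastCounter {
		return false
	}
	digest := sha256.Sum256(signedData(appID, as.Flags, as.Counter, clientData))
	return ecdsa.VerifyASN1(reg.PublicKey, digest[:], as.Signature)
}
```

A key registered by the attacker's own look-alike site is a different key pair, so an assertion it produces never verifies against the genuine service's stored public key.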

Token binding
Token binding is an additional protection supported by FIDO U2F that secures the connection between the browser and the service to prevent man-in-the-middle attacks.

Token binding allows servers to bind tokens (such as cookies or OAuth tokens) cryptographically to the TLS layer, to prevent attacks where an attacker exports a bearer token from the user’s machine to present to a web service and impersonate the user. Token binding is used by FIDO U2F keys to bind the FIDO authentication token to the user agent’s TLS connection with the service.

Native platform/OS support
The YubiKey and FIDO U2F Security Key were intentionally designed so that no additional client software is required. With all the authentication software built into the key, this design brings zero friction for the user. Additionally, this eliminates the vulnerability and risk of compromise that comes from any extra client software that needs to be downloaded to a phone or computer.

Secure backup
Any authentication technology and device can be lost. The affordable hardware-based design of the security key makes it easy for users to set up multiple keys for their accounts. This approach enables secure backups for users at considerably lower support cost compared to using mobile phone authentication technology.

Ease of use
Last, but not least, the unphishable YubiKey and FIDO U2F Security Key were designed to be easy to use and deploy.

All these security features work seamlessly. For the user, it is just a simple touch to authenticate. To further simplify, services and users can choose their own policies on how often they need to authenticate with a security key. With the way Facebook has implemented FIDO U2F, users only need to register and authenticate once per trusted laptop or phone.

Any online service can easily add support for FIDO U2F using Yubico’s free and open source server code, and integration can be done within a few days. Alternatively, U2F can be implemented via Google and Facebook social login. Through this federation model, millions of websites and billions of users globally have access to online identity protection through unphishable security keys.

Learn more about FIDO U2F and social login.

Yubico Team

Our Family is Growing! YubiKey 4C Nano Unveiled at Microsoft Ignite

Today, at Microsoft Ignite (Booth #2063), we proudly announced the first-ever — and the world’s smallest — USB-C authentication device of its kind: the YubiKey 4C Nano.

The YubiKey 4C Nano form factor shares unique features with two of its siblings — the YubiKey 4C and YubiKey 4 Nano. Similar to the 4C, the YubiKey 4C Nano is designed for use with the latest USB-C devices, such as the newly designed Mac and PC laptops. Akin to the 4 Nano, the YubiKey 4C Nano’s miniature design and ultra-low profile allows the device to be left in a USB-C port without any disturbance to a user’s work environment or device mobility.

With the YubiKey 4C Nano’s patent-pending micro-design, the device is built with the same robust, multi-protocol authentication support of the YubiKey 4 product suite. This enables flexible and secure access to a variety of applications: computer login, remote server access, identity access managers, password managers, and an ever-growing number of online web accounts, including Google, Facebook, Dropbox, and more.

Delivering enterprise-grade authentication within a micro-sized hardware device is quite frankly an engineering and product design triumph! That said, we talked to Yubico CTO Jakob Ehrensvard for a closer look at some of the behind-the-scenes effort it took to make this happen. Here’s what he had to say:

Q: Many users, enterprises, and consumers alike are excited about the YubiKey 4C Nano. How did you know this was the best next step in terms of product development?

Jakob: The YubiKey nano design has become popular for users who want their Yubikey to almost be an integral part of their laptop. Particularly, when the user needs to authenticate often, this setup becomes very convenient. So, immediately after we launched the YubiKey 4C earlier this year, customers began asking us for a nano design.

Q: As discussed, the YubiKey 4C Nano size and design is incredibly impressive. What is some of the unseen work that went into this?

Jakob: At first glance, we thought it could not be done. There was simply not enough space to fit both a connector and electronics. The first couple of prototypes simply did not match the elegance of the YubiKey Nano, so we had to go back to the drawing board, and actually design a USB-C connector from the ground up. Fitting the electronics into the small form-factor, and being able to mass-produce them has been a design challenge, but I believe the final result is in keeping with the promise of a YubiKey Nano. It “is just there”, without interfering with everyday use, and without blocking any other ports.

Q: How do you see this product addition strengthening Yubico’s position to better serve enterprises and consumers?

Jakob: With the increasing adoption of USB-C on mobile devices and Apple’s “all in” approach, where they removed all other ports, we believe devices designed specifically for USB-C make the everyday use of the YubiKey simpler and smoother. Going forward, we anticipate a migration to USB-C, where it becomes the ubiquitous standard for peripheral connectivity, from desktop to phones.

Q: Moving forward, what will be the next new thing we see from Yubico?

Jakob: Broadening the hardware options is one part of the equation. In parallel, we’re working on broadening the protocol and platform support to keep the promise of the YubiKey being the ultimate authentication solution. The upcoming FIDO2 and WebAuthn standards will expand the capabilities and platform support, and we’re excited to be driving this effort. In addition to that, we’re finalizing our second-generation YubiHSM product, which extends the reach of the YubiKey to the backend of the authentication and encryption ecosystem, bringing cryptography for servers to the masses.

For more information regarding the full suite of YubiKey 4 products, visit https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/. The YubiKey 4C Nano is available today at www.yubico.com/store for $60 US. The product is also being demonstrated at Yubico Booth #2063 at Microsoft Ignite.

Stina Ehrensvard

Firefox Nightly enables support for FIDO U2F Security Keys

This week, Mozilla enabled support for FIDO U2F (Universal 2nd Factor) security keys in the pre-beta release of Firefox, Firefox Nightly. Firefox is the second largest internet browser by user base. In the near future, 80% of the world’s desktop users, including Chrome and Opera users, will benefit from the open authentication standard and YubiKey support out of the box.

When GitHub added support for U2F in 2015, the open source community voted U2F as the most wanted feature in Firefox. We are delighted to now see it happening. Yubico has helped with U2F integration for Firefox and for other platforms and browsers that have added, or are in the process of adding, support, as it is critical for taking the YubiKey and U2F unphishable authentication to the global masses.

In today’s world, software installation brings with it not only added complexity for the user, but also the potential risk of malware. Chrome has already enabled millions of websites and services to deploy FIDO U2F seamlessly, mainly through Google and Facebook social login, to help mitigate that. Now with native support for FIDO U2F security keys in Firefox, millions more will benefit from strong, hardware-based two-factor authentication without the need to download or install client software.

Thanks Mozilla for working on increasing security and usability for internet users!

Stina Ehrensvard

First US e-Government Services Protected with FIDO U2F Unphishable Security Keys

Today, at the 2017 Federal Identity Forum (FedID), we are taking an important step towards a more secure internet for everyone by introducing the first US federal services to offer identity proofing protection with an unphishable FIDO U2F security key. This solution is enabled through identity proofing provider ID.me, and marks the first roll out of FIDO U2F two-factor authentication for government agencies in the US. We will be demonstrating this integration at the Yubico FedID booth #636.

As the co-author of U2F and the leading maker of FIDO U2F security keys, Yubico is thrilled to see ID.me become the first in helping protect US government services using FIDO U2F security keys. Today, US citizens can use the same YubiKey to log in securely to leading internet services, including Google and Facebook, and now on federal sites where ID.me is used for identity proofing. This is a great milestone for all the contributors of the FIDO U2F standards.

Register your security key

“Thieves can guess or steal passwords from a database, and they can spoof biometrics,” said Blake Hall, CEO of ID.me.

“A physical FIDO U2F security key is ‘unphishable’ – to provide more robust and easy to use security to all customers, it’s essential to support FIDO U2F based standards and the adoption of security keys.”

This week’s announcement of US e-Government support for FIDO U2F follows last year’s launch by the UK government. Similar to the US government initiatives, the GOV.UK Verify service for UK citizens offers a combination of identity proofing, single sign-on, and secure authentication with FIDO U2F security keys. GOV.UK Verify used with FIDO U2F was enabled through identity provider Digidentity. Yubico is in dialogue with many other countries around the world that are considering offering U2F authentication for citizen-facing government services.

Yubico and ID.me will discuss the new capabilities at FedID during their “Unphishable” Authentication by the VA Panel session on Thursday, September 14, 2017, at 2:15pm – 3:15pm.

Yubico will also be participating in the below discussions at FedID.

Wednesday, September 13 | 11:00am – 12:00pm
Panel: Proving (or Hiding) Your Identity Online

Wednesday, September 13 | 3:16pm – 4:14pm
Panel: A Survey of Identity Standards

For more information on FIDO U2F security keys, go to www.yubico.com.

Yubico Team

Yubico on the Road: 5 Tech Events You Wouldn’t Want To Miss

Two countries. Five cities. One month. The coming weeks will be busy and exciting for the Yubico team, so we’ve compiled our full travel itinerary for those of you keeping tabs. If you are attending any of the events below, please come by and say hello — you’ll know where to find us.

True to Yubico form, we will showcase the seamless power of our multi-protocol YubiKeys with in-booth demos for Okta, Google, GitHub, and more. Got something you want to see? Let us know! If you’re looking for more behind-the-scenes details on leading identity and authentication open standards, you can attend some of our speaking sessions.

Oktane: August 28-30 | Las Vegas, NV

Visit us at Booth #E1, or attend our speaking session.

Panel: The Future of Identity and Security
Tuesday, August 29 at 3:45 – 4:30pm
John Bradley, Senior Architect at Yubico, joins Google, Okta, and OATH to discuss the future of identity, security, and access.

AFCEA: September 12 – 14 | Washington D.C.

Visit us at Booth #636, or attend our speaking sessions.

Panel: Proving (or Hiding) Your Identity Online
Wednesday, September 13 at 11:00am – 12:00pm
Stina Ehrensvard, CEO and Founder of Yubico, joins Venable, Experian, and FIDO Alliance to discuss best approaches to achieving balanced and privacy-preserving web authentication.

Panel: A Survey of Identity Standards
Wednesday, September 13 at 3:16 – 4:14pm
John Bradley, Senior Architect at Yubico, joins Axiomatics, SailPoint, and MorphoTrust to dive into the realm of open identity standards.

“Un-Phishable” Authentication by the VA Panel
Thursday, September 14 at 2:16 – 3:14pm
Stina Ehrensvard, CEO and Founder of Yubico, joins members from ID.me and FIDO Alliance to discuss strong authentication that can withstand sophisticated modern attacks.

Microsoft Ignite: September 25-29 | Orlando, FL

Visit us at Booth #2063.

ASIS: September 25-28 | Dallas, TX

Attend our speaking session.

Stop Sweating the Password and Learn to Love Public Key Cryptography
Tuesday, September 26 at 11:00am – 12:15pm
Chris Streeks, Solutions Engineer at Yubico, explores the benefits and authentication advantages of the emerging FIDO Universal 2nd Factor (U2F) open standard.

Wired UK: September 28 | London, UK

Attend our speaking session.

A Safer Internet for Everyone
Thursday, September 28 at 3:20 – 4:30pm
Stina Ehrensvard, CEO and Founder at Yubico, shares her vision for a secure, privacy-preserving internet that is accessible for everyone worldwide.


We’ve got a busy month ahead, and we hope to catch up with you while we’re on the road. Be sure to stop by our booth or join us for one of our speaking sessions. To get the scoop on where we’re heading to next, follow us on Twitter, Facebook, Instagram, and LinkedIn.

Yubico Team

Yubico CEO and Founder wins SC Media Reboot Leadership Award

Yubico is proud to announce that our CEO and Founder, Stina Ehrensvard, won in the Thought Leaders category of the inaugural SC Media Reboot Leadership Awards. Honorees across a range of professional categories were revealed in today’s special editorial section at SCMagazine.com, and recognized for their outstanding service, qualifications, and advancements in cybersecurity.

“Businesses today are increasingly under threat by a range of cybercriminals,” said Teri Robinson, Executive Editor, SC Media. “The cybersecurity leaders we’re celebrating with these leadership awards are on the frontlines every day to help defend and protect our critical systems, data, and privacy from their attacks. To showcase their advances is SC’s honor.”

The awards program is designed to showcase and acknowledge industry luminaries who positively impact the cybersecurity arena. As an extension of SC Media’s annual Reboot edition, the announcement will also be published in print at the end of the year, when the editorial team identifies the best and brightest cybersecurity professionals and their many achievements.

“Winning the SC Media Reboot Leadership Award, in its very first year, is truly an honor and one that represents our company as a whole,” said Ehrensvard. “Our core product, the YubiKey, has become the gold-standard for easy-to-use authentication and encryption. In close collaboration with our customers and top internet companies, we will continue to drive innovation, enabling a safer internet for everyone.”

Contenders in various categories faced a thorough judging process conducted by SC Media’s editorial team. The process included a review of their professional background, references, efforts to benefit the wider industry, and any other research deemed necessary by editorial leaders.

“Stina Ehrensvard exemplifies leadership in one of the most vibrant and fast-evolving industries today,” continued Robinson. “That’s what this awards program is all about – highlighting some of the strongest leaders of the cybersecurity arena whose efforts more often than not underpin every business and leisure activity we all undertake online nowadays. The advances made in this marketplace to protect data, privacy and people are vital to all that we do.”

After this inaugural year, the SC Media Reboot Leadership Awards program will continue to be an annual celebration of the notable contributions, thought leadership, and unique improvements made by a wide range of IT and information security players. To see the profiles of this year’s SC Media Reboot Leadership Awards honorees, go to SCMagazine.com.

Yubico Team

Listen in and learn: Upcoming webcasts featuring Yubico experts

Webcasts galore! Yubico is taking over the airwaves this month with 4 exciting and thought-provoking webcasts. We are collaborating with IT security leaders Microsoft and the FIDO Alliance, plus other industry professionals, to give updates on the future of FIDO and enterprise authentication. Tune in, and learn from the experts.

On August 3, Jerrod Chong, Yubico’s VP of Solutions, will partner with Andrew Shikiar, FIDO Alliance’s Senior Director of Marketing, to deliver a case study on how FIDO, Federation, and Identity Proofing can work together to create a robust identity ecosystem.

Following Microsoft’s game-changing demo at CIS, Derek Hanson, Yubico’s Director of Solutions Architecture and Standards, will join forces with Microsoft’s Alex Simons, Partner Director of Program Management for Microsoft’s Identity Division, on August 9 to discuss modern authentication with FIDO 2.0-based passwordless logins.

On August 15, Jerrod Chong will be back online to share valuable insights on various enterprise authentication techniques, including one-time password, mobile push, smart card, and FIDO U2F, and going beyond the security / simplicity trade-off with Yubico’s enterprise-wide authentication solutions.

Finally, on August 17, Tommaso De Orchi, Yubico’s EMEA Solutions Manager, will speak on the global impact of the General Data Protection Regulation (GDPR), and how organizations can leverage open standards like FIDO U2F and security keys to achieve GDPR compliance.

Join the conversation, and sign up to attend all of our webcasts below:

Aug 3 – Case Study: FIDO, Federation, ID Proofing
10:00AM PDT
Jerrod Chong, VP of Solutions, Yubico
Andrew Shikiar, Senior Director of Marketing, FIDO Alliance
Register to attend

Aug 9 – The Future of Authentication with FIDO
11:00AM PDT
Derek Hanson, Director of Solutions Architecture and Standards, Yubico
Alex Simons, Partner Director of Program Management for Microsoft’s Identity Division, Microsoft
Register to attend

Aug 15 – Enterprise Authentication: Understanding the security / simplicity trade-off
12:00PM PDT
Jerrod Chong, VP of Solutions, Yubico
Register to attend

Aug 17 – Using Open Standards to Comply with GDPR
1:00AM PDT
Tommaso De Orchi, EMEA Solutions Manager, Yubico
Register to attend

Subscribe here to receive Yubico news and updates. Check out our previous webcasts and video content. Follow Yubico on Twitter, Facebook, Instagram, and LinkedIn to get real-time updates and social posts.

Yubico Team

Don’t Roll The Dice on Security! Meet Yubico at Black Hat

This week, information security enthusiasts and experts across the country will make their way to Las Vegas, NV to attend the annual Black Hat cybersecurity conference. Find us during the expo (July 26 – 27) at Booth #572, where we will double down on our award-winning YubiKeys, demonstrate the simplicity of hardware-backed authentication, and speak on the advantages of physical, one-touch YubiKey authentication over other authentication methods, such as push or SMS.

Simplicity and flexibility are not often associated with strong authentication. That is not the case here at Yubico. We believe in making easy-to-use yet exceptional internet security accessible to everyone, and our YubiKeys deliver on that promise. With built-in support for multiple authentication protocols, a single YubiKey can secure an unlimited number of applications with just one touch. No shared secrets, drivers, or client software needed — it’s not part of a Vegas magic show, we swear!

Black Hat attendees can experience innovative authentication in action at the Yubico booth. We will demonstrate the ease, speed, and flexibility of multi-protocol YubiKeys in different scenarios — from U2F authentication across cloud platforms like Google and Dropbox, to leading IAM integrations, to smart card (PIV) authentication for computer login.

On Wednesday afternoon, Jerrod Chong, VP of Solutions, will take the stage to deliver his presentation, “Think All MFA is the Same? Think Again.”

Wednesday, July 26 | 12:30pm – 1:20pm
Think All MFA is the Same? Think Again
Location: Oceanside F, Level 2

Authentication’s evolution is unfolding as newer protocols and multi-function hardware-backed keys offer fortified security compared to today’s weak and vulnerable credentials. These enhanced capabilities are designed to defend enterprises and individuals against advanced phishing techniques, and protect privacy by delivering public key crypto in the form of FIDO’s Universal 2nd Factor (U2F) protocol and next-gen smart card functionalities. Jerrod Chong, Yubico’s VP of Solutions, will discuss the advantages of hardware-backed keys using several MFA capabilities on a single device to address today’s advanced credential thefts.

If you are attending Black Hat, we’d love to meet you. Stop by Booth #572 and grab a seat during Jerrod’s presentation! To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, click here.

David Maples

Flexible Modern Authentication with the Multi-Protocol YubiKey

Most organizations work with multiple services and applications, and thus different authentication protocols, to meet all their security needs. Oftentimes, the protocol is predetermined by the application or service provider. However, in other cases, a business or systems integrator has some flexibility on which integration approach or third party to use. When it comes to authentication choices, there is typically no such thing as a silver bullet. The YubiKey was designed with this in mind to support multiple methods for authentication, enabling users and integrators to utilize the best method for each solution.

YubiKeys have multiple authentication protocols, spanning One-Time Passwords (OTP), CCID (smart card), and Universal 2nd Factor (U2F). Each protocol has support for different services and apps, much like a toolbox, allowing the user to select the correct tool for the task at hand.

OTP covers protocols where a single-use code is entered to provide authentication. These protocols tend to be older and more widely supported in legacy applications. The YubiKey communicates via the HID keyboard interface, sending output as a series of keystrokes. This means OTP protocols can work across all OS/environments that support USB keyboards, as well as with any app that can accept keyboard input. Some common services that use OTPs are network devices like VPNs and local authentication services with user login, as support for OTPs tends to be the most straightforward to integrate.

CCID, more commonly referred to as the smart card interface, is another protocol supported on the YubiKey. The YubiKey identifies itself as a smart card reader with a smart card plugged in, so it will work with most common smart card drivers. Windows has native support, Linux has the OpenSC project, and macOS has native smart card support on Sierra (10.12) and higher. The YubiKey allows 3 different CCID protocols to be used simultaneously – PIV, as defined by the NIST standard for authentication; OpenPGP for encryption, decryption, and signing; and OATH, for client apps like Yubico Authenticator and Windows Hello. The open source nature of the supported smart card protocols makes them ideal for integrating with existing environments, such as Windows Authentication, Active Directory Federation Services, SSH or OpenPGP, and derived services.

FIDO U2F is the newest protocol supported by the YubiKey. Developed by Yubico and Google, the U2F protocol provides strong authentication without requiring a complex backend or framework to support it. Turning traditional authentication on its head, FIDO U2F makes the authentication device (like the YubiKey) the authentication provider. It issues unique keys to the services it is authenticating against, ensures each service does not have any information about the others, and removes the need for a central authentication service. With FIDO 2.0, the specification is growing to meet evolving industry needs, while ensuring that the previous generation is not rendered obsolete. The security built into the U2F protocol makes it ideal for web applications or customer-facing apps, which may be exposed to attacks on the information in transit between the user client and server.

Each protocol has strengths and weaknesses, restricting the situations where each one is most effective. However, the YubiKey resolves this limitation by supporting all of the different protocols on a single device, all at the same time. Like a carpenter using the right tool in his toolbox for the job at hand, users and integrators are able to secure their applications and services with the YubiKey using the appropriate protocol for each environment.

To learn more about the protocols supported by the YubiKey, please refer to our Developer site.

Photo of Stina with Female Executive of the Year award
Yubico Team

Yubico CEO Wins ‘Female Executive of the Year’ Award

June has been a busy and exciting month for us here at Yubico. We have been on the road speaking and exhibiting at multiple conferences, were named ‘Best Multifactor Solution’ by SC Magazine Awards Europe, and revealed two new integrations for our YubiKeys. And we’re not done yet!

Yesterday, Yubico CEO and founder Stina Ehrensvard was named Female Executive of the Year by the Women World Awards. This category honors women executives worldwide from all types of organizations and industries. Nominees were evaluated based on important and notable accomplishments within the past 12 months, as well as organizational impact.

“These achievements are not my own,” said Stina. “I could not have brought the company to where it is without the amazing team we have on board. I am proud to lead such an incredible, bright, and committed group of people; and in moments like this, I consider these accomplishments to be for all of us.”

Indeed, we are all honored to receive such an award. Stina’s thoughtful and strategic leadership has been paramount to the company’s success, leading us to a $30M investment and company expansion across four continents. With her direction, Yubico secures 9 of the top 10 internet companies and millions of users in 160 countries.

“I didn’t start this company to make money,” said Stina. “I started it to make a secure internet accessible for everyone.” Yubico is driven by passion, and we’ve felt it every step of the way!

To hear more, listen to Stina talk about her entrepreneurial journey with Yubico.

NIST Special Publication 800-63.3
Jerrod Chong

NIST publishes new authentication standards, FIDO U2F achieves AAL3

After a year of review, the National Institute of Standards and Technology (NIST) today released version 3 of its latest digital identity guidelines, outlining a number of updates that play to the multi-protocol functionality of the YubiKey.

NIST Special Publication 800-63 Revision 3 covers guidelines on identity proofing and authentication of users, such as employees, contractors, private individuals, and commercial entities, working with government IT systems over open networks. These guidelines are used as part of the risk assessment and implementation of federal agencies’ digital services.

Three notable changes outlined in the document are the separation of identity assurance from authenticator assurance, the deprecation of short message service (SMS) as one-time password (OTP) authentication, and the recognition of technologies like FIDO U2F within the highest level — Authenticator Assurance Level 3 (AAL3).

The first major change we want to highlight is the decoupling of user identity assurance from the strength of the authentication method used. This enables organizations to make quantifiable security improvements by offering alternative feature-compatible devices that act like a smart card, or providing FIDO authentication for all users. The previous model had the unintended consequence of lowering the authentication security for users where the identity proofing was not needed at Identity Assurance Level 3 (IAL3). In this new model (see table 6-2 Acceptable Combinations of IAL and AAL in section 6.4), a higher Authenticator Assurance Level can be paired with a lower Identity Assurance Level to meet an acceptable combination.

Another change worth noting is NIST’s update on the framework for quantifying authenticator security, particularly for guidance on using SMS as a form of OTP authentication. In July 2016, NIST put out a blog deprecating the process for delivering an OTP over SMS. This position is bolstered by the updated classification of authenticators allowing OTP to be used in lower security systems. Additionally, the YubiKey’s OTP capabilities do not fall under NIST’s deprecation of SMS/OTP out-of-band authenticators.

Lastly, the guidelines recognize technologies like FIDO U2F at AAL3. This opens the door for FIDO U2F and classifies the protocol as a strong credential option, as it meets government guidelines for asymmetric, public-key (PK) cryptography for authentication. With FIDO U2F’s ease of use and quick deployments, the number of services implementing FIDO U2F integrations is steadily growing. Federal agencies now have more options to deploy strong authentication for cloud applications.

The YubiKey meets all these tenets in its versatility and flexibility as a multi-protocol authentication device that combines three of the permitted authenticator types in one physical device.

Single-factor OTP device = OTP

  • The YubiKey spans various OTP capabilities (Yubico OTP, HOTP, and TOTP) and communicates via the HID keyboard interface, allowing the OTP protocol to work across all OS/environments that support USB keyboards.

Single-factor cryptographic device = FIDO U2F

  • Developed by Yubico and Google, FIDO U2F is the newest protocol supported by the YubiKey. This protocol allows the YubiKey to work securely and instantly with hundreds of applications, and with no secrets shared across separate services.

Multi-factor cryptographic device = Smart card / PIV-compatible / OpenPGP

  • The YubiKey identifies itself as a smart card reader with a smart card plugged in, and will work with most common smart card drivers.

“While the guidelines themselves are final, we strongly believe that work on this document isn’t truly complete until, like open standards, it has been implemented to tease out bugs and complexities,” said Paul Grassi, one of the 800-63 authors, in a blog post. “Our ability to predict and respond to changes in the market and technology needs to match the speed of innovation, as well as threats.” He added, “Over time, NIST wants the [guidelines] to be adaptive to innovations in the market so anyone, public or private, can better serve their users.”

We celebrate this historic release of NIST SP 800-63-3, as it ushers in a bright future for the YubiKey, FIDO U2F, and federal agencies here in the US and abroad. With this latest revision, the overwhelming response of over 1,400 contributor submissions from within and outside the US validates NIST SP 800-63-3 as a leading resource for global digital identity.

Microsoft demoing FIDO 2 at CIS 2017
Jerrod Chong

Future of FIDO Authentication demonstrated by Microsoft at CIS

Microsoft unveiled a major FIDO milestone today at the Cloud Identity Summit (CIS) by demonstrating an early implementation of a FIDO 2-based passwordless login on a Microsoft Windows 10 computer through Azure Active Directory (AAD) using a YubiKey.

For the demonstrated login flow, the user inserted and touched the YubiKey, using AAD to instantly authenticate the user, while simultaneously signing into the Windows environment and allowing access to all integrated business applications. All of this is done without the need to type in a username or password.

Under the covers, the login relied on the forthcoming FIDO 2 Client to Authenticator Protocol (CTAP), which will ramp up the YubiKey’s value on the Microsoft platform. While this was a demo of future functionality, YubiKey users can look forward to native support in the Windows 10 OS environment. This is a massive leap forward in the global adoption of FIDO open standards, and a future integration into one of the world’s largest computer operating systems.

Alex Simons, Microsoft’s Director of Product Management for Microsoft Identity Division, and Nitika Gupta, Product Manager for Microsoft Identity Security and Services, delivered the demonstration during the keynote “Open standards: The key to a world of secure clouds & secure devices”. This keynote provided insight into the increasingly critical role of open standards for the future of identity.  

While there is no immediate date on availability, stop by booth #425 at CIS and talk to us about this game-changing demonstration. To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Yubico Team

Yubico at CIS: FIDO, Mobile, ID Proofing. We’ll cover it all!

Today kicks off the annual Cloud Identity Summit (CIS) at the Sheraton Grand Chicago, where the brightest minds across the identity and security industry convene to discuss intelligent identity. Yubico will exhibit at the event (Booth #425) and contribute to several speaking sessions regarding FIDO, Federation, ID Proofing, Intelligent Identity, and Mobile SSO. Below are sessions we find particularly interesting.  

We kick off CIS on Monday (June 19) with Derek Hanson, Director of Solutions Architecture and Standards at Yubico, taking part in the FIDO Workshop from 9am-12pm CT, in the Sheraton Ballroom II. At 10:50am, Derek will deliver a case study on FIDO, Federation, and Facebook social login. Websites can eliminate account takeover through phishing by leveraging U2F-supported Facebook social login, which is easy to implement and already in wide global use.

On Tuesday (June 20), in the ‘New Move in Authentication’ track, Jerrod Chong, VP of Solutions Engineering at Yubico, will deliver a presentation on FIDO, Federation, and ID Proofing. You can attend this session in the Sheraton Ballroom III from 2:30-2:55 pm CT. Jerrod will discuss how identity proofing and strong authentication are often at odds when it comes to privacy — and that it doesn’t need to be that way. Diving deeper, he will provide a look at how three building blocks can work together to create a robust identity ecosystem. The solution is a three-fold component-based architecture for remote identity proofing to create a privacy-preserving credential, an identity proofing engine using OpenID Connect, and strong authentication using FIDO protocols.

David Treece, Senior Solutions Architect at Yubico, will participate in a separate panel discussion on Tuesday. David will speak on the ‘Intelligent Identity Architecture’ panel from 4:20-5:20 pm CT in the Sheraton Ballroom 1. With the dynamically changing nature of business and ever-increasing security risk, identity access management (IAM) systems struggle to keep up. IAM systems are complex, inflexible, and difficult to change. Instead, these systems need to be intelligent enough to understand context and new entities, interpret risk, and deliver a simple user experience. This panel will reveal — from the trenches — how to move an IAM program forward to implement intelligent capabilities while dealing with the realities of budgets, existing infrastructure, and competing priorities.

With all of the fantastic upcoming content at CIS, we also want to highlight the following sessions, which we are excited to be part of:

Monday – June 19

  • 10:35 AM – 11:15 AM Workshop: NCCoE mobile application single sign on for public safety and first responders
    Location: Sheraton Ballroom I
  • 5:25 PM  –  5:50 PM Panel: Mobile – who do you trust?
    Location: Michigan

Wednesday – June 21

  • 8:15 AM  –  8:45 AM Keynote: Open standards: The key to a world of secure clouds & secure devices!
    Location: Ballroom

Thursday – June 22

  • 11:15 AM  –  11:40 AM Panel: The mobile identity user experience
    Location: Chicago Ballroom VIII

If you are attending CIS, come see us at some of our sessions, and stop by booth #425 to explore all that the YubiKey has to offer.  

To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Yubico Team

Find us this week at the Gartner and AFCEA events in Maryland!

We have a busy week ahead! Come watch us show off our award-winning YubiKeys at two Maryland events: Gartner Security & Risk Management Summit (National Harbor) on June 12 to 15 and AFCEA’s Defensive Cyber Operations Symposium (Baltimore Convention Center) on June 13 to 15.  

New U2F integration with Keeper Security

We are excited to showcase our latest FIDO Universal 2nd Factor (U2F) integration with password manager and secure digital vault Keeper Security. As part of Keeper’s core offering, U2F and YubiKey support is immediately available as a new, free feature to its 11 million individual users and enterprise accounts. With our mission to make the internet secure for everyone, we couldn’t be more thrilled that Keeper now delivers the highest level of security with FIDO U2F and YubiKey two-factor authentication (2FA) to their customers.

“More than 81% of data breaches are due to weak or poor password management,” said Darren Guccione, CEO and co-founder of Keeper Security, Inc. “Our highest priority is to protect our customers from cyber theft, and this integration of Yubikeys will drastically reduce the impact of a stolen or leaked password.”

Experience the 2FA power of YubiKeys

In addition to demoing our YubiKeys for Keeper sign-on at both events, we will feature some of our top U2F integrations with Google, Dropbox, and Facebook, support for leading identity access management platforms (IAMs), as well as PIV smart card functionality. We will also present other capabilities to showcase the ease-of-use and simplicity of one-touch secure login with YubiKey.

If you are attending these shows, please stop by Booth #744 at the Gartner Security & Risk Management Summit and Booth #566 at AFCEA’s Defensive Cyber Operations Symposium, and discover why our YubiKey 4 Series was recognized as SC Awards’ ‘Best Multifactor Solution’.

To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Stina Ehrensvard

Yubico scales up with new investors, expands across four continents

Today, I am happy to announce that new investors are joining Yubico’s mission to create a safer internet for everyone by securing all logins and secrets on servers.

$30M in combined new and secondary shares has been invested in the company. Our new investors include NEA, one of the largest and most active global venture capital firms, leading Swedish growth equity firm Bure, and young Silicon Valley-based venture capitalist The Valley Fund.

Today, half of the privately held company is owned by the Yubico founders and team members, and the remaining shares are evenly split across US and Swedish investors. Existing investors include renowned Silicon Valley entrepreneurs Marc Benioff, CEO of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member. All Yubico shareholders enjoy common shares and a democratic shareholder agreement. The combined total assets for all investors in Yubico exceeds $30 billion.

Since our start in Sweden in 2007 with modest funds of $4.5M from angel investors, we have grown organically into a global security leader with four consecutive years of profit. YubiKeys are the authenticator of choice for thousands of business customers and millions of users in 160 countries. As the Yubico team continues to grow, we take great pride in being a multinational and multicultural company. We are now established on four continents, with employees in the US, Sweden, Germany, the UK, Australia, and Singapore.

“With nine of the top ten internet companies as YubiKey users, Yubico has built a strong foundation as an innovator of new global authentication standards,” said Pete Sonsini, General Partner, NEA. “In a time when software does not offer sufficient protection for online accounts and sensitive data on servers, Yubico’s hardware backed keys are proven at scale.”

Funds from new investments will be used to expand the Yubico hardware platform beyond authentication to more advanced software, services, and use cases, including IoT and server encryption.

Yubico Team

We Won! YubiKey 4 Series Recognized as SC Awards ‘Best Multifactor Solution’

Today, at InfoSecurity Europe in London, Yubico graciously received the SC Awards Europe 2017 Excellence Award for Best Multifactor Solution. The YubiKey 4 won in the category of Threat Solutions.

“As a contender among four other established and well regarded authentication technologies, the recognition of our YubiKey 4 Series is a great honor,” said Stina Ehrensvard, CEO and Founder, Yubico.

“We’ve worked hard to create one simple, cost-effective hardware technology that affords enterprises secure access to computers, networks, and online platforms. The YubiKey 4 Series was put in front of a wide range of security experts, and received a resounding stamp of approval; we are extremely grateful. This is a true testament to the value, market share, and high-level security that the YubiKey provides.”


Yubico accepts the SC Awards Europe 2017 Excellence Award for Best Multifactor Solution at InfoSecurity Europe in London

Every year, some of Europe’s most elite security leaders — hailing from private and public sectors, academia, end-user companies, consulting communities, and analyst firms — gather to evaluate hundreds of SC Magazine Europe Award nominations. This panel of judges decides which products, professionals, and services best enhance various aspects of enterprise security. The Multifactor Solution category acknowledges products that provide enhanced security to end users by offering credentials for access to an authenticator or authentication server. Not only are judges advised to review the submission materials, but they are also asked to consider additional information such as analyst reports and/or product reviews.

The YubiKey 4 Series comes in three different form factors, all supporting the same multiple authentication protocols, to meet the needs of every enterprise and individual. To learn more about the award-winning YubiKey 4 Series, read more here. To see YubiKeys in action, come meet us at InfoSecurity Europe at stand #M110.

Alex Yakubov

How Millions of Websites Can Eliminate Account Takeover from Phishing

Creating accounts online just got a whole lot easier. Now anyone can log in to or register a new account using their existing credentials from social networking services, such as Facebook and Google. With social logins, users won’t have to rack their brain for another password, saving time and securely authenticating their identity.

Websites that use social login move the responsibility of maintaining cutting-edge data security, identity protection, and login support away from themselves and onto the infrastructures of social networking sites. During the second quarter of 2016, research revealed that 53.1% of social logins went through a Facebook account, with Google accounts pulling 44.8%.

Facebook and Google are among thousands of online services that support FIDO Universal 2nd Factor (U2F). U2F protects against well-known attacks, such as phishing and man-in-the-middle, and other online threats on the horizon. Additionally, all websites supporting U2F work seamlessly with the two-factor authentication (2FA) provided by YubiKeys.

SMS is another commonly used 2FA option, but it is susceptible to both man-in-the-middle and phishing attacks (which we saw in the recent SS7 protocol SMS hack). This is validated by the National Institute of Standards and Technology (NIST), which no longer recommends SMS for 2FA, as highlighted in section 5.1.3.2 in the latest draft of its Digital Authentication Guidelines.

Other websites use push notification-based applications as a second step in the login process. However, much like SMS, push apps do not typically prevent phishing or man-in-the-middle attacks. These can even mislead the freshly phished user into believing that they accessed a legitimate site because they receive the confirmation push message at the same instant that the attacker attempts to log in using their credentials. Most websites also limit the overall effectiveness of 2FA by keeping SMS and/or One-Time Password (OTP) enabled for usability and account recovery. For an in-depth look at credential abuse mitigations, read our Internet Credential Theft white paper here.

So why is social login with U2F and hardware security keys better? Even if an attacker has a user’s password, the attacker won’t be able to access the account. U2F is based on public-key cryptography: when a YubiKey is registered with a U2F service like Google or Facebook, it creates a unique asymmetric key pair with each website. The private key resides on the YubiKey, and the public key on the service.

Think of it as a handshake. When the YubiKey is touched, it proves possession of the private key that matches the public key the service stored at registration, so only that registered YubiKey will allow access. There is no need to re-register the YubiKey. U2F even protects privacy because it was designed to be anonymous: no personal data or secrets are shared among service providers, making it impossible to track a user across multiple websites. That’s it – using the same YubiKey, users get simple and highly secure access to an unlimited number of websites.

Let’s walk through a typical login flow with a U2F- and YubiKey-protected account using Spotify with Facebook social login as an example.

Screenshot: Spotify login page offering Facebook social login

Upon entering a Facebook username and password, the user is prompted to touch their registered YubiKey to authenticate their identity. Just like that, the user is logged in.

Screenshot: Facebook prompting for the registered security key as the second factor

This provides not only a best-in-class authentication experience (all the user has to do is touch the button), but also the peace of mind knowing that the YubiKey ensures user accounts are accessed only by the users themselves.

Now, millions of online stores, games, and applications around the world can eliminate account takeover through phishing by leveraging social login. As more websites and online services do this, our vision of having one device to secure all your online accounts is quickly becoming a reality. To learn more about how to implement social login to websites completely free of charge, visit Google and Facebook for their instructions and code.

Yubico Team

10 Easy Ways to Protect Your Identity Online

This week, the Oslo Freedom Forum is hosting its ninth annual conference, bringing together a global community of activists, tech entrepreneurs, and thought leaders sharing the vision of a freer and safer world, including the Internet.

Yubico was invited to the event to share how you can use YubiKeys and FIDO U2F (Universal 2nd Factor) to protect your online identity. We have compiled a list of actions–in addition to strong two-factor authentication–that you can take to ensure your identity stays safe online with the highest level of privacy.

1. Properly manage your passwords

Usernames and passwords are the first line of defense to accessing your personal information online. As such, it’s important to be as diligent as possible in creating the strongest passwords and securely managing these passwords.

  • Ideally, strong passwords should be randomly generated. At a minimum, avoid using information about yourself or your friends and family, such as birthdays, sports teams, pet names, etc.
  • Never reuse passwords between sites. Yes, this means that you will need a different password for each account you have. According to a report, the average person has 90 online accounts, so that’s a lot of passwords to remember!
  • To help with this process, we recommend using a password manager to generate passwords and store them securely for you.
  • Once your password manager is set, make sure you protect it with two-factor authentication, like a security key, to make it even more secure. Examples of password managers are KeePass, LastPass, and Dashlane, all of which offer two-factor authentication. Additionally, Dashlane supports U2F.

2. When possible, use two-factor authentication

Having the strongest usernames and passwords isn’t a failsafe method. If they are compromised, a hacker can easily access your accounts. To prevent this, always enable two-factor authentication and ensure that another form of identity is required to access your account.

Hardware security keys supported over U2F are the most secure form of two-factor authentication and are always recommended when available for use. Many common services support these keys, such as Dashlane, Google, Facebook, and Dropbox.

If you are not able to secure your account with a security key or a YubiKey, we recommend that you use another method, such as an authenticator application like Google Authenticator.

Whatever you do, do not enable SMS codes as your second form of authentication. NIST recently declared these highly ineffective. While some services require using SMS to initially set up 2FA, you can choose to disable SMS after setting up other factors, such as security keys.

3. Always update! 

Most software systems have built-in security functionality to help catch and prevent attacks before they happen. They often enhance these features over time.

To ensure you have the latest and greatest security across all technologies, always update:

  • Computer and phone operating system software
  • Any anti-virus programs
  • Mobile apps
  • Web browsers

4. Verify email validity before clicking on a link or downloading an attachment

Phishing/malicious emails can often look like credible emails, and may even come from one of your known contacts. To ensure it’s legitimate, ask yourself the following:

  • Do you recognize the email address?
    Phishing emails can come from a random address, which you should never open, or from a known contact. If it’s coming from a known contact, check whether the email address is an exact match. If so, proceed to verify the rest of the email, as an exact address match still doesn’t guarantee safety.
  • Are there spelling errors in the email?
    Hackers can purposefully include spelling errors to make the email appear more human and evade spam detectors.
  • Does the link or attachment make sense?
    Is there a reason why this contact would be sending you this email? Does it make sense based on the context of your discussions and/or relationship? When in doubt, pick up the phone to ask.

5. Check the plugins and addons connected to your email inbox

Each email platform has an option to view what third-party services and applications have access to your account. If you notice an application you have not authorized, immediately remove the permission for its access. You should also remove authorization for applications that you are no longer using.

6. Check for HTTPS security on any website you enter

HTTPS indicates that the web page you are on is secure and can be trusted. If you are not on a web page secured with HTTPS, it is best to not enter any sensitive information while on that site.

HTTPS can easily be identified in the URL bar of your browser. It will be listed in the URL itself. The bar will also display a small green lock that says “secure” next to it.

7. Utilize browser extensions to help protect your online activity

Browser extensions help you access the best parts of the internet without having to worry about your safety and security. With today’s sophisticated technology, it’s easy for third parties to track your online activity and access your information. It’s even easier for you to suddenly find yourself on an unsafe domain. Simply put, these addons will do the thinking for you, and will help keep people out of your business and keep you away from unsafe territory.

A few tools we recommend include:

  • Privacy Badger
    This extension prevents tracking and cookies, so your data and browsing history are kept safe from unwanted advertisers and other third parties.
  • Adblock Plus
    This extension will block banner ads, pop-up ads, rollover ads, and more. It stops you from visiting known malware-hosting domains, and also disables third-party tracking cookies and scripts.
  • HTTPS Everywhere
    This addon forces your browser to access sites over HTTPS whenever they support it.
  • Panopticlick
    If you’re unsure how safe your browser is, you can test it here.

8. Don’t divulge sensitive information

Any additional piece of PII (personally identifiable information) can make a hacker’s job easier.

This is more of a concern in the day and age of social media. If you wouldn’t want a stranger having access to a piece of information about you (phone number, address), don’t put this on your public profiles (Twitter, LinkedIn, Facebook, WordPress blogs, personal websites, etc).

If possible, update your privacy settings to only allow friends and family access to your profile. Frequently revisit these settings as well to ensure nothing was disabled.

9. Be cautious of public Wi-Fi

Public Wi-Fi doesn’t qualify as a secure network, and therefore, gives hackers a greater advantage at stealing information or pushing malicious attacks.

If you must use public Wi-Fi, stick to sites that don’t deal with sensitive information. In other words, don’t maintain your bank account or anything of this nature on public Wi-Fi.

When possible, always avoid public Wi-Fi and use other solutions such as a secured personal hotspot or a VPN. A VPN will make it difficult for third parties to determine your identity or location. There are many free options available.

10. Stay informed!

Most major data breaches are covered in the news, so this is often a good place to keep a pulse on any attacks that could have compromised your personal information.

If you think you’re a target or have already been compromised, start by changing all of your passwords. Then, go through this list to ensure you have all the necessary security measures in place.

Yubico Team

Ready, Set, Earn: Become a Yubico Affiliate through Amazon

We have great news for Yubico ambassadors! We’ve found a program that carries on the values of our now-retired Yubico Affiliate Program while empowering affiliates to profit from products they choose to advocate.

Amazon’s widely successful Amazon Associates program is booming for a reason. The program gives everyone a chance to earn up to 10% commission on completed orders of qualifying products by promoting the items online. With YubiKeys in the product roster, you can earn extra cash and help raise awareness on account protection at the same time. How awesome is that?

Another great thing about this program is that you will earn commission on a shopper’s entire order on Amazon. If a shopper completes a purchase with a YubiKey plus any other qualifying product, you’ll earn commission on all of those items.

All you need to do now is sign up for the Amazon Associates program then share a link to the YubiKeys’ product pages with your audience on your website, blog, or social media accounts. Signing up is free and easy to do.

We’re moving closer towards our vision of making the internet a safer space for everyone across the globe. Now you can help us make that a reality by simply posting a link. For more information about the Amazon Associates program, visit this page. For updates on special promotions or Yubico product launches on Amazon, subscribe here.

If you are interested in collaborating with Yubico as an official reseller, please reach out to our team at yubi.co/sales.

Yubico Team

Episode Y: The Rise of 2FA

The security revolution has begun. In a final act of resistance against the dark might of the enemy, the brave heroes have deployed their ultimate weapon, a powerful layer of defense beyond the strength of the password known as 2FA, to a vast group of web sites throughout the universe.

As 2FA spreads, a group of security jedis have used the 4C to establish an impenetrable shield around their users’ accounts. The effort has brought forth a great victory, with users avoiding data breaches, identity threats, and phishing attacks.

Meanwhile on the remote planet Wilhacku, the YubiKey fleet, led by Lieutenant Stinasvard, has fought bravely against evil malware droids, successfully destroying the last of the Empire’s hacker army.

With the Empire defeated, peace has finally been restored across the galaxy. Billions of websites can now harness the power of 2FA, and under its protection, people are trusting the internet once again.


We at Yubico are HUGE fans of Star Wars. To celebrate May 4th, we have fun Star Wars-themed social posts coming your way on Twitter, Facebook, Instagram, and LinkedIn. Stay tuned, and May the 4th be with you!

Jeff Wallace

Leave Nothing to Chance: Have a Backup and Recovery Plan

A backup and recovery process is an indispensable component of every security solutions strategy, and is something to think carefully about as you develop a plan to integrate YubiKeys into yours. Having a proper backup and recovery process keeps employees productive without them having to worry about losing their YubiKey or losing access to systems and accounts. More importantly, your backup and recovery process must be secure and should not diminish the overall security in place. Remember, your security is only as good as its weakest link.

The most secure plan is for each user to have two YubiKeys. Establishing a backup YubiKey ensures that the user can effortlessly access all of their accounts if they accidentally misplace their primary YubiKey. We strongly recommend this approach to all customers as a general best practice, as it guarantees that all users have a recovery solution easily accessible to them at any time. Having a backup YubiKey gives users peace of mind and eliminates the need for them to go through complicated, time-consuming processes to access their accounts. While other backup and recovery options are available, they come with a variety of pros and cons.

Other Backup and Recovery Options

One such alternative is having a Service Desk team issue a secondary temporary key on demand. This is the next best approach to having a backup YubiKey for all users, as it supplies a physical device registered with the same authentication system to the user at the time of need. With the YubiKey at its core, this approach removes many areas of risk that come with alternate solutions, and can serve as an extension of the two YubiKey approach if a user loses both keys. However, this option requires additional time, processes, and personnel, as the Service Desk must always be open to the user should they have an immediate need for a key.

Another popular backup alternative is having a mobile authenticator. Using an app like Google Authenticator provides a valid backup method by issuing a temporary passcode to users. However, mobile authenticators are often based on older technology, and do not provide the same protection that the YubiKey delivers, as the secrets used to generate the passcodes can be deciphered if enough codes are intercepted. Should you decide to use a mobile authenticator as a backup option, we encourage you to use it sparingly to avoid the risk of security breaches.

Beyond these, you can establish other backup methods, but they will not be as secure or as stable as a multi-key approach. SMS and email, for example, are the least secure backup and recovery methods, as they are susceptible to man-in-the-middle and phishing attacks. In fact, section 5.1.3.2 of the NIST 800-63-3 guidelines, which will soon be published, recommends deprecating SMS due to security limitations. Additionally, a phone can run out of battery, be lost, stolen or broken, get infected by malware, or have its storage retrieved by a connected computer. Conversely, the YubiKey is not vulnerable to most of these concerns.

While we understand that cost plays a key role in restricting organizations’ options for secure backup and recovery solutions, we do not recommend processes that could allow remote access to a corporate resource or introduce social engineering risk, reducing the initial security that our YubiKey solution was designed to protect against. Security always comes first! This is precisely why we urge all customers to consider using the two YubiKey approach as a best practice.

Yubico Team

YubiHSM 2 open beta launched!

With IT security breaches becoming a staple in daily news reports, organizations big and small alike need to ramp up their defense. More than 95% of all IT breaches happen when a user credential or server gets hacked. While the YubiKey protects user accounts from remote hijacking, millions of servers storing sensitive data still lack physical security.

Hardware security modules (HSMs) offer physical protection for servers, but have historically been limited by their cost, size, and performance. The YubiHSM 2 breaks that mold with its extensive range of use cases. Applications include protecting data centers, cloud server infrastructures, manufacturing and industrial products and services, and many more.

The YubiHSM 2 delivers practical security to a wide variety of server environments with unrivaled affordability, convenience, and ultra-portability (it sits inside a USB-A port!). Moving beyond the features of the first generation YubiHSM, the YubiHSM 2 adds asymmetric cryptography and more to its list of capabilities.

After holding a successful closed beta for YubiHSM 2, we were thrilled to see great feedback from our participants, which include the world’s leading online services, software companies, and research institutions. Today, we are excited to announce that we are running an open beta for the YubiHSM 2, and we invite everyone to apply for a slot (spaces are limited)!

Learn more about the YubiHSM 2 or submit your application to participate in the open beta here. We look forward to hearing your feedback!

Yubico Team

Tour d’Europe: Identity, Mobile, and YubiKey NEO

Mobile World Congress 2017

Today, Yubico joins the FIDO Alliance and thousands of people from around the globe in Barcelona for the GSMA’s Mobile World Congress (MWC) 2017. Find us at the FIDO Pavilion 2UP.40 #4!

No one can deny it. User acquisition is king! To acquire users as quickly and cheaply as possible, mobile app and online service providers frequently sacrifice strong authentication security in favor of fast and easy access. With YubiKey NEO and FIDO U2F, businesses needn't compromise. No longer must developers complicate mobile login or frustrate users in order to protect customers, because security based on FIDO U2F changes the game.

YubiKey NEO

YubiKey NEO (US $50) is an innovative USB device featuring NFC (near-field communication, a wireless communication method). With a tap of their YubiKey NEO to an NFC-enabled Android device, users can quickly and easily authenticate themselves to supported services. YubiKey NEO gives mobile online security a better user experience while providing stronger security and reducing risks.

Stop by the FIDO Pavilion, 2UP.40 #4 at MWC 2017, to see a demo and chat with a Yubico security expert. Next week, find us in London at the Gartner Identity and Access Management Summit EMEA 2017 at booth S14 (6-7 March). Then, follow us to Disneyland® Paris for the IT Partners fair (7-8 March). Visit our booth to see how YubiKeys can help you and your customers reduce risks, increase employee productivity, and unlock additional revenue potential. You can buy a YubiKey NEO from our web store, on Amazon, or through any authorized reseller.

RSA 2017
Yubico Team

Yubico at RSA 2017 – Our Hardware Beats Your Malware

It’s that time of year again! We’re heading back to the RSA Conference in San Francisco to show off our latest and greatest at booth #N4421.

Keeping online data, accounts, and identities protected is a challenge, and it’s abundantly clear that usernames and passwords are the weakest defense. Daily breaches, hacks, and evolving phishing techniques have taught us that two-factor authentication (2FA) is no longer a nice-to-have, but a must-have if you’re taking security seriously. The elegance of the YubiKey is in its ease of use and security, which adds a physical defense to your accounts that is activated with a simple touch to authenticate.

At the RSA Conference, we are launching a new YubiKey design (which is a top user request). We’re also demonstrating a massive FIDO U2F implementation that expands the reach of the YubiKey far beyond organizations and enterprises and into the global mass of social media.

Illustration: USB-A and USB-C ports

Available for purchase today*, the YubiKey 4C is the world’s first multi-protocol USB-C authentication device. The YubiKey 4C contains the same proven firmware and functionality as the YubiKey 4. The YubiKey 4 family, which now comprises the original YubiKey 4, the YubiKey 4 Nano, and the YubiKey 4C, all perform FIDO U2F, Yubico OTP, OATH, OpenPGP (up to RSA 4096), as well as PIV smart card (up to RSA 2048 and up to ECC P384). The YubiKey 4C is perfect for new laptops, such as the MacBook Pro and HP Spectre, which feature only USB-C ports.

Recently Facebook announced support for FIDO U2F and YubiKey security keys to its 1.8 billion users. Facebook now joins dozens of other online services that have integrated U2F. We are demonstrating how a single YubiKey or FIDO U2F Security Key is used to secure the growing list of services supporting U2F, including Google, Dropbox, GitHub and many more. Whether with the YubiKey 4 (USB-A), YubiKey 4C (USB-C), YubiKey NEO (NFC), or FIDO U2F Security Key, Facebook business and personal users can now protect their accounts with unphishable 2FA.

If you are at the RSA Conference, there will be quite a few of us around and about – be on the lookout for the big Yubico logos and stop by our booth, #N4421. Say hi, ask us what’s new, and feel free to show us your YubiKey!

YubiKey 4C

YubiKey 4C | US$50

UPDATE (8:53AM PST)

YubiKey 4C - Sold Out! We feel the love! Due to high demand, the YubiKey 4C is temporarily out of stock. Sign up to be notified when it is available again.

Image of Facebook Security Settings
Stina Ehrensvard

YubiKey & FIDO U2F Protect Facebook Users… Like!

Many say that if it didn’t happen on Facebook, then it didn’t really happen.

Well, today, a HUGE thumbs up has happened — Facebook has upgraded the login security for its 1.8 billion users by integrating the unphishable protection of the FIDO U2F Security Key into its social platform.

Simply put, this means that Facebook users, from individuals to the largest organizations, can have peace-of-mind knowing their account is safe with a simple touch of a Security Key, like the YubiKey. Picture it: you have a physical key to your car and home, and now you have a physical key protecting your Facebook. This also means all the services that you access with Facebook login are protected too. And the same Security Key can also be used for the growing list of services supporting U2F, including Google, Dropbox, and many more.

The need for two-factor authentication (logging in with something you have and something you know) grows daily as we hear about new breaches and hacked passwords. However, recent security threats have shown that mobile push apps and SMS do not offer enough protection against phishing and man-in-the-middle attacks.

If you currently have a U2F-enabled YubiKey and a Facebook account, you can go into your Facebook security settings and set it up now! You can buy a FIDO U2F Security Key or YubiKey here (or two, as we recommend having a backup). Once a U2F Security Key or YubiKey is registered and authenticated with your Facebook account, you will not need to use your key again to log in on that device until you clear your browser’s cache, because Facebook treats your device as “trusted” for convenience. This means that if a hacker attempts to log in to your account from another device, they will be blocked unless they also have your password and your physical Security Key.

With a Security Key, you can remove SMS which will raise your security for all mobile devices. To achieve the strongest level of security for mobile, you can use a YubiKey NEO on Android phones with NFC.

“We’re excited to offer security keys as an additional option to make login to Facebook even more secure. We’re grateful to Yubico for the support and feedback they’ve provided,” said Brad Hill, Facebook Security Engineer.

Yubico and Google co-created U2F with the vision to scale easy-to-use, strong, public key cryptography for all internet users. Yubico developed the first FIDO U2F authenticator, published free and open source code for clients and servers, and we continue to drive this work within open standards organizations, including the FIDO Alliance, and W3C.

A study on internal and external Security Key usage by Google validates that U2F is one of the most secure, easy to use, and cost-efficient authentication technologies. And as users can have multiple affordable backup keys, support calls are greatly reduced compared to phone authenticators.

Historically, strong authentication has been tied to users’ real identities or a central service provider. During the U2F development work, Yubico’s CTO, Jakob Ehrensvard, introduced the concept of an authenticator that works across any number of services with no shared secrets. This allows users to be anonymous, and have multiple, yet secure identities. Today, U2F and YubiKeys are used to protect the privacy of individuals and organizations in 160 countries, including journalists and dissidents at risk.

In a time when security breaches have become a serious threat to our trust in the internet, FIDO U2F offers a secure link between the user and the services we connect to. It’s an open standard, not controlled by governments or corporations — but a simple way for users to take control over their own security and privacy.

Today’s support in Facebook is an important milestone for making the internet safer for everyone.

P.S. It was fun playing the bad guy in the short video above.

Yubico Founder and CEO plays hacker in Facebook video

Implementing FIDO U2F
Alex Yakubov

3 Top Things to Consider When Implementing FIDO U2F With Your Service

Now more than ever, security must be built into everything. By leveraging open standards, instead of building security protocols from the ground up, organizations can provide strong authentication faster than ever before.

We created the Universal 2nd Factor (U2F) protocol together with Google several years ago and offered it to the world for free, along with open source client and server libraries. After years of working with the majority of the service providers that have added support for the U2F standard, we have learned a lot about what makes a successful implementation.

Here are 3 of the top things to consider when implementing FIDO U2F with your service:

1. Backup and Recovery

Just as your users often forget their passwords today, it is possible that the methods they use for two-factor authentication will not always be available. Phones run out of battery, can be lost, stolen, or broken. Hardware-backed keys, such as the YubiKey, and other tokens like RSA SecurID, can be left at home, lost, or stolen. We highly recommend encouraging users to register at least two FIDO U2F security keys for backup, as this is the most secure and affordable option available. Other methods, such as backup codes and email, have their weaknesses and usability challenges.

You need to provide a backup two-factor method, but bear in mind that security is never stronger than its weakest link. Some of the most commonly-used backup options are still susceptible to man-in-the-middle and phishing attacks. SMS, for instance, is no longer recommended by the National Institute of Standards and Technology (NIST); see section 5.1.3.2 in the latest draft of its Digital Authentication Guidelines.

Providing flexibility for users to select various backup options will substantially reduce the need to perform a full account recovery, which often involves the user calling your customer service help desk. A new technique used by leading services is social recovery (asking a number of friends to authorize the recovery). We do not recommend email as a recovery method since it is common for the user seeking recovery to have lost or forgotten their email credentials as well.

2. Mobile User Experience

If your service is accessible on mobile devices, it is imperative that you take the mobile user experience into account.

Today, both Google and Dropbox services require verification codes as the second factor when accessing from a mobile device. Google will also generate a unique app password for each native application for account access. For example, Google sets a specific password for native apps such as Mail on an iPhone or Mac, or Outlook on a Windows PC when accessing Gmail.

Soon, services will be able to use two wireless transport methods, Near Field Communication (NFC) and Bluetooth Low Energy (BLE), for U2F authentication on mobile devices. Here are some considerations for each of them.

NFC - At this time, we are most confident in NFC as a secure, and reliable contactless U2F communication method. Android mobile devices featuring NFC will soon allow users to authenticate with a tap of an NFC-capable U2F security key as the second factor. However, for iOS devices, Apple only recently added NFC capabilities to their mobile platform but continues to restrict the NFC stack to their applications, such as Apple Pay. Therefore, external U2F authenticators will not work on all mobile devices over NFC.

BLE - For iOS, BLE is a transport option, but the user experience is not optimal. BLE-capable U2F security keys must be paired with each mobile device before registration can occur. This additional pairing step adds friction for users, and it becomes harder still in high-density environments where many Bluetooth devices share a small area. BLE-capable security keys also require batteries, which brings the possibility of running out of power and subjects the keys to shipping and handling regulations for dangerous and hazardous goods.

Alternatively, the FIDO ecosystem is currently exploring using a U2F USB security key in conjunction with a mobile app for accessing services on mobile devices. This approach is similar to what is today deployed by several European online services, which combine smart card devices with mobile applications. For the highest level of security, some of these services require a user to first register a smart card device with the service from a computer before allowing the user to then download and use the mobile app. In this scenario, we recommend leveraging U2F device attestation to identify the kind of U2F authenticator during registration (hardware, software, certified, and so on), and implementing assurance policies.
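As an added illustration of the registration-time attestation check recommended above (example code written for this page, not Yubico's U2F libraries or any service's implementation), the following Python splits a U2F raw registration response into its fields, fingerprints the attestation certificate, and applies an assurance policy. The response, certificate blob, signature and trust list are all constructed placeholders; signature verification over the reconstructed signing base is left to a crypto library and is not performed here.

```python
import hashlib

# Added example, not Yubico's code. It demonstrates the registration-time
# attestation check recommended above: split a U2F raw registration response
# into its fields, fingerprint the attestation certificate, and apply an
# assurance policy. All sample bytes below are constructed placeholders;
# a real response carries a real X.509 certificate and ECDSA signature.


def der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE (used only to build the sample data)."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + content


def der_tlv_size(buf: bytes, pos: int) -> int:
    """Total size (tag + length + value) of the DER element at buf[pos]."""
    first = buf[pos + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return 2 + n + length


def parse_registration_response(data: bytes) -> dict:
    """Split a U2F raw registration response (FIDO U2F Raw Message Formats):
    0x05 | user public key (65) | key handle length (1) | key handle |
    attestation certificate (X.509 DER) | signature (ECDSA DER)."""
    if len(data) < 67 or data[0] != 0x05:
        raise ValueError("not a U2F registration response")
    public_key = data[1:66]
    if public_key[0] != 0x04:
        raise ValueError("user public key must be an uncompressed P-256 point")
    kh_len = data[66]
    pos = 67 + kh_len
    key_handle = data[67:pos]
    if len(key_handle) != kh_len or pos >= len(data) or data[pos] != 0x30:
        raise ValueError("truncated response or missing attestation certificate")
    cert_end = pos + der_tlv_size(data, pos)
    if cert_end > len(data):
        raise ValueError("attestation certificate runs past end of response")
    return {
        "public_key": public_key,
        "key_handle": key_handle,
        "attestation_cert": data[pos:cert_end],
        "signature": data[cert_end:],
    }


def registration_signature_base(app_id: str, client_data: bytes,
                                key_handle: bytes, public_key: bytes) -> bytes:
    """Bytes the attestation key signed: 0x00 | appParam | challengeParam |
    key handle | user public key. Verifying the ECDSA signature over this
    with the certificate's key needs a crypto library and is not done here."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    return b"\x00" + app_param + challenge_param + key_handle + public_key


def cert_fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


# Constructed sample data (assumption: not a real device, cert or key).
SAMPLE_PUBLIC_KEY = b"\x04" + bytes(range(1, 65))
SAMPLE_KEY_HANDLE = bytes([0xAB] * 32)
SAMPLE_CERT = der_sequence(b"\x02\x01\x01" + b"\x00" * 0x90)  # long-form length
SAMPLE_SIGNATURE = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_RESPONSE = (b"\x05" + SAMPLE_PUBLIC_KEY + bytes([len(SAMPLE_KEY_HANDLE)])
                   + SAMPLE_KEY_HANDLE + SAMPLE_CERT + SAMPLE_SIGNATURE)

# Constructed trust list: U2F attestation certificates are issued per batch of
# devices, so a service can map known batch certificates to an assurance class.
# Validating the chain to the vendor's root is the general approach; pinning
# fingerprints is the simplification used here.
TRUSTED_ATTESTATION = {cert_fingerprint(SAMPLE_CERT): "hardware"}
ASSURANCE_RANK = {"unknown": 0, "software": 1, "hardware": 2}


def classify_authenticator(cert: bytes, trusted=TRUSTED_ATTESTATION) -> str:
    """Map an attestation certificate to an assurance class, 'unknown' if unlisted."""
    return trusted.get(cert_fingerprint(cert), "unknown")


def registration_allowed(cert: bytes, required: str = "hardware",
                         trusted=TRUSTED_ATTESTATION) -> bool:
    """Assurance policy: accept the registration only if the authenticator's
    class meets the level the service requires for this account or action."""
    return ASSURANCE_RANK[classify_authenticator(cert, trusted)] >= ASSURANCE_RANK[required]


if __name__ == "__main__":
    fields = parse_registration_response(SAMPLE_RESPONSE)
    print("attestation class:", classify_authenticator(fields["attestation_cert"]))
    print("registration allowed:", registration_allowed(fields["attestation_cert"]))
```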

3. Support

You are likely thinking about how the first two considerations will impact your support team. (If you are not, then you should be!) Case studies show dramatic decreases in support costs after implementing U2F security keys. The keys to success are having clear, concise documentation for self-help, and allowing your users to provision more than one U2F security key. For instance, when Google switched employees to FIDO U2F Security Keys by Yubico, support calls and costs were cut in half compared to using mobile phone authenticators. An important part of that success is also due to the user's ability to register backup keys.

In conclusion, you are not alone in your journey to implement FIDO U2F. More than a dozen organizations (both consumer-facing and B2B) have already rolled it out to their end-users, and countless others are in the process today. We are committed to the success of U2F and will continue to share best practices. And we applaud you for considering FIDO U2F for your service!

-----

FIDO U2F Best Practices eGuide

Are you in the process of, or interested in, implementing FIDO U2F and want help? Sign up to receive our best practices and implementation recommendations.
Matt
Yubico Team

Can Two-Factor Protect Democracy?

Millions of people use YubiKeys all across the globe, and our customers often share how they use YubiKeys at work and for their personal accounts. Now and then we hear a unique story from a new perspective that catches our attention.

Today’s youth is growing up online, always connected, and used to having their personal identities sync directly with their online personas. We are happy to see that even at the youngest of ages, the importance of two-factor authentication (2FA) is making its way into their lives.

We received the story below from a customer who was proud to tell us that his son, Matt, recently won first place at his school's science fair. His project, “So you think you can Phish?” is the first we have heard of including YubiKeys in a high school science fair!

Science Fair Project Display

Matt's Winning Science Fair Project

In his project, Matt identifies the importance of 2FA, specifically the use of YubiKey and the FIDO Universal 2nd Factor (U2F) authentication standard, and illustrates how this simple added step could have prevented a recent, highly publicized phishing attack.

In Matt’s conclusion, he states that even though John Podesta fell for a phishing attack, the former chairman of the 2016 Hillary Clinton presidential campaign could have protected his email account against unauthorized access had he enabled 2FA with a YubiKey. Ultimately, Podesta could have eliminated any potential for leaked emails. This leaves many people wondering: could this have affected the recent election? Some say yes, some say no, but what it makes clear is that usernames and passwords simply are not enough.

The value of spreading 2FA cannot be overstated, and students like Matt are helping to inform not only their peers but their educators as well. We wish Matt the best of luck at regionals and potentially nationals!

We love to hear new stories and uses from our customers. Please email us at press@yubico.com if you have any that you would like to share.

The NEW YubiKey 4C available February 2017
Ronnie Manning

We hope to USB-C you at CES!

Each year the Consumer Electronics Show (CES) ushers in the new year by revealing the latest in tech, and we’re excited to take part. This year, our CEO is speaking on a security panel, and we’re showing off our new YubiKey 4C with a USB-C design!

Yes, Apple fans! We heard your lament over absent HDMI and USB 3.0 ports, and your transition to USB-C on the newest MacBook Pro.

YubiKey trio

The YubiKey 4C (pictured middle) will be available in the Yubico store for US$50 beginning February 13, 2017

The YubiKey 4C, the world’s first multi-protocol USB-C authentication device, will be previewed at ShowStoppers @ CES, 6-10 PM, at the Wynn Las Vegas. You have asked, and we have listened to your requests for a USB-C form factor. We are extremely proud of the upcoming YubiKey 4C, which will be available for purchase in the Yubico store for US$50 beginning February 13, 2017.

And kicking off the day on January 5, 2017, at the CES Cybersecurity Forum 2017, our CEO and Founder Stina Ehrensvard is speaking in a panel discussion, "Battening Down the Hatches: Data and Devices." The panel will dive into the tools needed to keep connected devices safe and secure, highlighting endpoint protection, secure browsers, and apps protection. The panel begins at 9:15 AM in Room Lando 4301 on Level 4 of The Venetian Las Vegas.

Built on the proven foundation of the YubiKey 4, the YubiKey 4C also supports multiple protocols including Yubico OTP, OATH, FIDO Universal 2nd Factor (U2F), up to RSA 4096 for the OpenPGP function, as well as up to RSA 2048 and up to ECC P384 for the PIV smart card function. This lineup of functionality is contained in a new keychain design for laptops, such as the MacBook Pro, which rely solely on USB-C ports.

We are working on an additional smaller YubiKey form factor with a USB-C design akin to the YubiKey 4 Nano, but do not yet have a time frame for availability.

Secure login for everyone - woman taking a selfie in Times Square, NYC
Stina Ehrensvard

Secure login for everyone

In early 2016, a major enterprise (that at the time was not yet a Yubico customer) asked us two great questions. Why does Yubico exist? And how come 9 of the top 10 internet companies trust a company with less than 100 employees? In this, our first blog of the year, we will share the answers to these questions.

Yubico was founded with the mission to make secure login easy and available for everyone. And our vision was to enable a single key to access any number of services. To make that happen, we decided to work in close collaboration with the internet giants on the assumption that, by carefully listening to their requirements, our technology would have the opportunity to reach all computing devices, platforms, and services.

We won the trust of the world’s leading internet brands, not by selling to them, but by offering our top innovation capabilities and focusing on open standards. To simplify the use of OATH one-time passwords, we removed the need to retype codes from one device to another. For systems requiring a long and complicated static password, we created a way to generate the code in a simple touch. To prevent trojans from hacking a PIV smart card device, we added user presence, touch-to-sign, and device attestation. And to take strong public key crypto to all internet users, we invented the concept of an authenticator that can work with any number of services, with no shared secrets -- which is the core innovation and foundation behind FIDO standards.

We won the trust of the internet giants with exactly the right team, and the right size to be agile, innovative, and humble. During 2017, billions of people will be safer online because of our past and future contributions to open standards. And that is also the answer to why Yubico exists.

To quote American anthropologist and author Margaret Mead, “Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has.”

U2F Security Keys by Yubico
Yubico Team

U2F Security Key Cuts Google AdWords Fraud

After a successful deployment of FIDO U2F-enabled YubiKeys for all its staff, Google is now seeing the benefits of offering the technology to its customers with AdWords accounts.

Hijacking of online advertising accounts not only costs customers whose accounts get bumped offline, but Google loses revenue when those accounts are dormant. The Association of National Advertisers estimates that $7.2 billion will be lost to digital ad fraud in 2016.

As the world's leading digital advertising network, Google is fighting back. In a recently published blog, the company highlights how two digital marketing agencies, Jellyfish and iProspect, protect their AdWords accounts, customers, and revenue using FIDO U2F Security Keys by Yubico.

AdWords users were trained in the simple three-step process to register the FIDO U2F Security Key with their Google accounts. On subsequent use, users only need to touch the key in order to securely log in. Jellyfish rolled out FIDO U2F Security Keys by Yubico to all team members in the UK and South Africa, and iProspect says the security key provides peace of mind that Google accounts are safe.

One of the most important features of the FIDO U2F protocol is the ability to defeat rapidly increasing phishing and man-in-the-middle security attacks. Google’s 2-Step Verification mobile technologies do not offer the same level of protection against these attacks.

Historically, great security has come with high cost and complexity. Yubico changes the equation. Check out the short video Google produced to explain the importance and simplicity of using 2-Step Verification with FIDO U2F Security Keys by Yubico.

Additionally, Google will be having a live broadcast "How to Protect Your AdWords Account" on Thursday, February 16th at 4:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.  The Online Safety Series will cover key topics in online safety, such as account hijacking prevention, recognizing bad websites, adherence to Google policies, and online privacy. RSVP for this Google Advertiser Community Event!

holiday ornaments made out of a YubiKey 4, imitation Christmas tree, toy train, and Star of David
Yubico Team

Give the Gift Security Geeks Love to Get

'Tis the season to be jolly and reflect on everything we're thankful for. It's been an incredible year at Yubico, and we're delighted YubiKeys continue to make news this gift giving season. 

We've compiled our favorite gift guides because these are just too awesome not to share. And yes, we’re on each of them!

US and EU Shoppers: Hoping to receive your order before December 25? Unfortunately, we cannot guarantee shipping times at this time of year. We recommend that you place your order at yubico.com/store by Friday, December 16. You can also buy YubiKeys on Amazon (Pro tip: Amazon has guaranteed shipping times)!

Note: Yubico Store shipping times can vary depending on your country of origin, weather, and other unforeseen obstacles for which we cannot plan.

Photo: Markus Spiske

YubiKey 4 Limited Edition White

YubiKey 4 - Limited Edition White $40
Great stocking stuffer! We’ve produced a limited edition white YubiKey 4 to celebrate the return of smart card support for Macs, available in the Yubico Store. Quantities are limited, so order today!

YubiKey in Smart Card Mode with Windows Remote Desktop Protocol
Yubico Team

Computer Login with YubiKey in Smart Card Mode

The humble smart card dates back to the 1970s, but the mature technology is not without innovation in a world of new-fangled authentication.

Personal Identity Verification (PIV) smart cards, best known as staples in government agencies, incorporate standards developed by the National Institute of Standards and Technology (NIST).

Yubico’s recent webinar, “YubiKey Smart Card Mode for Computer Login,” walks viewers through PIV support on operating systems from Microsoft, Apple, and various Linux distributions. A recording of the webinar is embedded at the bottom of this blog. Yubico’s PIV implementation also supports PKCS#11 and open source tools such as OpenSC.

The YubiKey 4, YubiKey 4 Nano, and YubiKey NEO all incorporate the NIST standards and put ease-of-use innovation into the technology by eliminating the need for a card reader, middleware, extra software, and additional drivers on Microsoft and Apple operating systems. Login and code signing operations are just some of the functions that require only a touch of the YubiKey to activate.

The webinar includes demos using YubiKeys as a smart card to log in on macOS Sierra, Windows domains, remote desktops, and the new Windows Hello authentication platform.

Presenter David Maples, a Yubico Senior Solutions Engineer, details all the platform configurations needed to support the YubiKey and PIV.

He also highlights the YubiKey’s versatility with features and integrations that support additional protocols, such as FIDO’s U2F, using the same YubiKey that provides PIV smart card features.

The webinar opens with a brief introduction to Yubico and the YubiKey.

Webinar: YubiKey Smart Card Mode for Computer Login from Yubico on Vimeo.

Ronnie Manning

Where to find Yubico this week

We are kicking off the week at the O’Reilly Security Conference on Tuesday in New York with sponsored events and an exhibition in Booth #405, where we will showcase the broad functionality of the YubiKey (U2F, OTP, PIV) across many of our integrations.

Additionally, at O’Reilly Security, you won’t want to miss our CEO and Founder, Stina Ehrensvard’s speaking session “The Future of Strong Online Identities – Simple, Open, and Mobile” on the first day of the conference at 4:45pm in room Rendezvous Trianon.

On Wednesday, at 10:00 a.m. PDT, join us virtually for a live webinar on the YubiKey as a smart card for computer login. The session will include demos on Windows, Mac, and Linux machines, as well as Windows and Citrix remote desktops. Register here

Finally, we will close out the week at Black Hat Europe 2016 in London, starting on Thursday, Nov. 3rd where we will demonstrate YubiKey two-factor authentication technology to Europe’s top security experts. Find us at Booth #104 to see what all the buzz is about.

There’s lots of activity this week, and we hope to see you at some of these events! (And even more in the future!)

YubiKey now works with Salesforce U2F
Ronnie Manning

Dreamforce 2016 – FIDO U2F YubiKey Log In to Salesforce

Momentum is the motion of a moving body, measured as a product of its mass and velocity. Today, we see the mass and velocity of the world’s largest cloud ecosystem get behind FIDO Universal 2nd Factor (U2F) strong authentication.

At this week’s Dreamforce 2016, conference attendees will get the first look at new native support of U2F in the Salesforce Winter ’17 release. Once enabled by an organization’s Salesforce administrator, end users can authenticate with any YubiKey that supports U2F to securely log in to their Salesforce accounts with superior security and unmatched simplicity. Furthermore, that same YubiKey can be used to authenticate to the ever-growing list of services that support U2F.  

After a Salesforce user registers their YubiKey with their account, they log on as usual with their username and password. But before they are granted access, they are prompted to insert their YubiKey into their computer’s USB port and touch the device’s button. This completes a strong authentication based on public key cryptography that thwarts the phishing and man-in-the-middle attacks that plague other solutions, such as one-time codes sent via SMS.

Users can register both a YubiKey and the Salesforce Phone App with their Salesforce account so they always have a backup authenticator. If their phone is dead, a user can use their YubiKey; if they don’t have their YubiKey, they can use the phone app.

To learn more about U2F, YubiKey, and the Salesforce integration, sign up to attend a joint webinar hosted by Yubico and Salesforce on Oct. 20 (sign up here!). Together, we will demonstrate how easy it is to activate U2F on the Salesforce platform. We will also dive into the growing importance of the FIDO Alliance protocol, and discuss the cost savings achieved with YubiKey as a second factor for authentication.

Salesforce’s U2F integration comes on the heels of more than a dozen online services that have added support for U2F, beginning with Google, Github, Dropbox, and most recently Okta, Gitlab, Dashlane, and Bitbucket. As we read daily about new password and data breaches, companies are moving to strong, open authentication built on U2F. Google tracked the authentication habits of 50,000 employees using U2F within the company over a two-year period. The results showed that, compared against Google’s own authenticator phone app, U2F was faster, more secure, and reduced support costs by thousands of hours per year.

We hope to see you in San Francisco. Stop by our Dreamforce Booth #345 in Moscone South Hall. We are demoing the YubiKey with Salesforce Winter ’17, along with other slick U2F-based services.

Lock Down Your Login with YubiKey
Alex Yakubov

Lock Down Your Login with YubiKey

“78 percent [of Americans] strongly or somewhat agree it is important that companies, government entities and other stakeholders work together to find new ways of securing accounts beyond the use of passwords.”
- National Cyber Security Alliance (NCSA) Strong Authentication Survey, July 2016

Research is clear -- the world needs new and better ways of securing their accounts beyond passwords. That’s why we are participating in the National Cyber Security Alliance’s internet safety and security initiative.

At Yubico, we’re passionate about making it easy for anyone to protect their data and privacy online. Although our security experts have created an affordable and easy-to-use security key, that’s only one piece of the puzzle.

Today, we announce our commitment to the National Cyber Security Alliance’s “Lock Down Your Login” internet safety and security initiative to empower Americans to better protect their online accounts by moving beyond passwords. The campaign, which was announced by the White House in February 2016 as part of its Cybersecurity National Action Plan, calls for all Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of authentication.

Over 40 businesses (including Google, Microsoft, MasterCard, and PayPal) have taken up this initiative. However, many service providers still do not offer strong authentication and rely only on passwords, which are often weak or reused across accounts.

Hundreds of companies have already integrated support for YubiKeys, including popular consumer services like Google Apps and Dropbox, as well as the most popular password managers such as Dashlane and LastPass. They’ve done so because YubiKeys are easy, safe, affordable, and scalable.

As participants in this campaign, we are developing free resources (including Yubico’s Best Practices eGuides) for those businesses that want to introduce stronger authentication but aren’t quite sure how to get started. For details, click here and sign up to receive a notification as resources are released. Educating businesses and individuals is a tall order. Help us reach more people by sharing this with others!

To kick things off, we’ll be offering a 22% discount on the purchase of 2 YubiKeys for 24 hours (12:00AM - 11:59PM PST), on October 4, in the Yubico Store (because it’s best practice to have a backup just in case you misplace your YubiKey). Mark your calendar!

2FACTOR22 Coupon
Derek Hanson

YubiKey Works With Windows Hello

With Windows 10, Microsoft is introducing its most complete authentication platform ever. The Anniversary Edition of the operating system includes expanded user verification options, standards-based authentication, and diverse management controls grouped under the name Windows Hello. YubiKey now works with this ecosystem.

Microsoft is spreading Windows Hello to enterprises and consumers, and across its platforms including desktops, mobile devices, Active Directory, Azure AD (which lives in the cloud), and independent cloud service providers that support modern FIDO Alliance protocols. The list of authentication methods includes built-in biometrics, external companion devices, and smart cards/PKI.

This expanded list of authentication possibilities lands right in Yubico’s wheelhouse. YubiKey and its support for multiple protocols helps usher in the era of FIDO for Windows.

In Windows 10 language, Microsoft will support both key-based and certificate-based authentication. Key-based authentication corresponds to the FIDO model of public key cryptography, while certificate-based authentication relates to smart cards and PKI. Enterprises that don’t use PKI, or want to minimize reliance on certificates, are prime converts for key-based Windows 10 authentication credentials. With a design focused on ease-of-use, it’s a natural place for end users to finally duck behind the protection of strong authentication.

The YubiKey is a versatile authentication device that is built for this environment. Our strategy around strong authentication includes supporting many standards-based authentication protocols for host-based and cloud-based services. Today, users of services such as Google, Dropbox, and GitHub have access to FIDO-based strong authentication with the YubiKey.

Initially, we have built a simple, single-function app called YubiKey for Windows Hello, which is now one of many options in Windows 10 for unlocking a computer. The app, built on the Windows Companion Device Framework, is available now in the Windows Store. To learn more about YubiKey for Windows Hello and see it in action, watch our video (below). Microsoft introduced Yubico’s app today during its annual Windows Ignite conference.

The Windows Hello platform will create many options, and Yubico will be ready to support them with a simple touch of the YubiKey.

YubiKey now works with macOS Sierra!
Jerrod Chong

YubiKey Smart Card Support For macOS Sierra

Have you ever wanted to use your YubiKey to protect your Mac? Starting today, PIV-enabled YubiKeys can be used to log in to your Mac and your Keychain on macOS Sierra without complex configurations or software.

Up until the release of Mac OS X Lion (10.7) in July 2011, Apple included native support for login using smart cards. Since that feature was removed, users have found it more challenging to make smart cards work with Mac OS X. The release of macOS Sierra 10.12 marks a new beginning for smart card users, as Apple has taken a step towards support for PIV compatible smart cards without requiring any vendor software or drivers to be installed.

At Yubico we want to make it easy for our customers to use best-of-breed security solutions like smart cards, so we added PIV smart card support to the YubiKey starting with the YubiKey NEO in Fall 2013. Today, PIV smart card support is also available on the YubiKey 4. We’ve also enhanced the YubiKey PIV Manager app running on Sierra with a simple self-provisioning wizard that allows non-enterprise users to easily create macOS-compatible PIV credentials on any PIV-enabled YubiKey.

Enterprises already know that PIV-enabled YubiKeys work great with Microsoft Windows environments, and now they can use the same YubiKey to login to Windows and macOS.

With Apple, smart cards are making a comeback, and we are making sure they do it with YubiKey style. To celebrate this significant milestone, Yubico is offering a limited-edition white YubiKey available only in the Yubico Store.

If you have a Mac that only supports USB-C, you can use a USB-C adapter to join in Apple’s smart card revival.

Watch our video that introduces YubiKey to macOS Sierra.


Stina Ehrensvard

Yubico awarded NSTIC grant

Yubico was awarded a $2.27 million grant today to develop and deploy a pilot program enabling US citizens to securely access state and local government services. The grant comes through the US Department of Commerce’s National Institute of Standards and Technology (NIST) as part of the White House initiative National Strategy for Trusted Identities in Cyberspace (NSTIC), and is one of six pilots that were awarded today.

The pilot program will focus on providing secure online identities for citizens in Wisconsin and Colorado. In both states, we will deploy FIDO Alliance Universal 2nd Factor (U2F)-based YubiKeys and use the OpenID Connect protocol to develop an “identity toolkit” – with the goal of making the solution simple to deploy and use.

FIDO U2F is an open authentication standard, enabling public key cryptography to secure transactions and prevent phishing attacks that hackers use to steal a user’s credentials. OpenID Connect, also an open standard, allows all types of clients, including browser-based and native mobile apps, to support sign-in flows and receive verifiable claims about the identity of signed-in users.

The NSTIC National Program Office, which is run by the US National Institute of Standards and Technology (NIST), has been awarding cooperative agreements as part of their pilot program since 2012. The program office works to improve online identity for individuals and organizations. Their vision is to enable individuals and organizations to utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

John Fontana

Over A Dozen Services Supporting FIDO U2F

Updated Oct. 10, 2016 to include U2F support added to Opera browser, Salesforce

Standards creation is hard work that only sweetens when the market starts to arrive and validate the effort with real world deployments.

On June 22, Bitbucket, GitLab, and Sentry all released support for FIDO U2F strong authentication in their cloud-based products. None of these companies are members of the FIDO Alliance or had an investment in developing U2F. Their sole motivation was finding and adopting the best authentication technology to help users protect their accounts. U2F’s public key crypto topped the list.

A month earlier, Compose, an IBM company offering hosted databases, also added U2F to its security feature list. This week, FastMail ushered its users into the U2F strong authentication revolution.

Again, neither had an investment in FIDO’s creation, but both recognize what’s become obvious to Dropbox, GitHub, Dashlane, Salesforce.com (adopted Oct. 2016), and Digidentity/UK Government (the UK recently joined FIDO, but the others are not members). U2F provides strong authentication that thwarts man-in-the-middle attacks, can’t be phished, and is easy to use.

Yubico is delighted, of course, that all these organizations are using U2F-compliant YubiKeys. There is also free and open source server code that Yubico and Google make available on GitHub (Google reference code, Yubico Server Libraries). But more important, these companies are validating FIDO Alliance protocols and the value of open, strong second-factor authentication.

These companies are not the only ones joining the U2F ecosystem. In fact, we first outlined an initial surge in U2F adoption 18 months ago.

Today, the market has taken on a new vibrancy as companies recognize that strong authentication provides security that counters the fallout from the unprecedented swell of password breaches. U2F authentication is a key security component for consumer-facing Web applications and existing identity and access management environments within enterprises. These traits are coupled with adopters who find implementation requires less than a day’s worth of work.

Here is a list of the key platforms for U2F:

Browser support:
Google’s Chrome browser has long been the only platform with U2F support, but that has changed. The Opera browser (version 40) began supporting U2F in late September 2016. Mozilla hopes to complete U2F support in the Firefox browser in late 2016, with feature parity with Google’s U2F implementation; the two have been consulting with each other and with the Yubico engineering team on this work. Mozilla also plans to eventually support the WebAuthn APIs being developed by the World Wide Web Consortium (W3C) for secure browser login. Those APIs also factor into a more complete FIDO strong authentication ecosystem. Microsoft’s Edge browser will support those APIs once they are finalized (projected early 2017). Edge plays a pivotal role in the company’s Windows 10 Hello authentication system, which accepts a number of strong authentication types including U2F authenticators.

Cloud services:
Google added U2F support in the fall of 2014, and was followed by Dropbox, PushCoin, and GitHub in 2015. Dashlane, Bitbucket, GitLab, Salesforce, Sentry, Compose, and FastMail added support in 2016. For a detailed list, check the Yubico U2F page.

IAM software and services:
In 2015, StrongAuth, Gluu, and RCDevs added U2F support in their platforms. Digidentity added U2F in 2016 as part of its partnership with GOV.UK Verify.

What’s next
FIDO is far from finished innovating. The Alliance donated a set of FIDO Web APIs to the W3C in late 2015 for formal standardization, which should be completed early next year. The APIs, coupled with forthcoming FIDO 2.0 features, improve Web-based security, add native platform support (Windows, Android, etc.), and include capabilities such as device-to-device authentication that uses FIDO’s public key cryptography. There are a host of new efforts developing in 2016, including FIDO coupled with identity federation to secure native applications on desktops and devices.

July 2016 Newsletter
Stina Ehrensvard

The Future of Secure Online Identities

Since I started my journey as a hardware authentication innovator, I have heard people say that the future of authentication is software. Or TPMs. Or biometrics. Or invisible data intelligence that will silently protect us all. Today, it is fair to say that all these predictions were right – when they are combined into a comprehensive strategy.

But in order for secure online identities to scale to all services and users, open standards “plumbing” is necessary. And it includes open authentication and identity standards that are natively supported in leading platforms and browsers, enabling strong crypto between a range of authenticators and the services they protect.

In 2013, when Wired published the first article on U2F, Yubico received many valid questions on this new authentication protocol. We shared our response in a Future of Authentication FAQ blog. The content is still valid, so if you did not read it then, we welcome you to do so now.

A couple of months ago, Yubico was invited to a panel discussion at the European Identity & Cloud Conference with the topic, “The Future of Authentication – Killing the Password.” Identity experts from Microsoft, Salesforce.com and NRI all agreed that the “plumbing” must be open standards, and that there is no silver bullet for the multi-factor options we add as an extra layer of user verification. The YubiKey did, however, get high marks – Salesforce mentioned that it took only two days to deploy YubiKeys for 17,000 employees, and Microsoft disclosed that Windows Hello will eventually accept external hardware authenticators. Until biometrics have proven to be more robust, passwords are actually not that bad. Or to quote the warning message that the latest Nexus phone presents when setting up a biometric login: “Using your fingerprint to unlock your device may be less secure than a strong password, PIN, or pattern.” (Watch the EIC panel presentation.)

Those same identity experts agreed on one more important trend: authentication and identity will be separated. FIDO U2F is one of the open standards protocols that makes that separation possible. It lets you have assorted identities, including a real identity tied to your driver’s license, a temporary identity for your work, and an identity that allows you to be “secure, yet anonymous”. This can be life critical for dissidents and journalists, and will help safeguard internet privacy for the rest of us.

P.S. The picture above is an example of the latter. I once showed up at the office disguised as the famous fictional hacker Lisbeth Salander, and no one recognized me.

NASA image of Earth at night, acquired April 18 - October 23, 2012 (composite from the Suomi NPP satellite).
Yubico Team

U2F, OIDC Team Up For Strong Authentication, Federation

The New York Times sits elegantly secured behind authentication technology that combines a U2F-enabled YubiKey and standardized identity federation built on OpenID Connect (OIDC).

It’s a colorful twist for a newspaper first published in 1851 and famously known as The Gray Lady. But linked with Google and Yubico, the trio is part of an identity federation that relies on strong authentication to protect access to the online version of the newspaper.

Identity federation is the process of logging in to a single identity provider (in this case, Google) and then navigating to other sites (for example, The New York Times) without having to log in again. The YubiKey and FIDO U2F secure the identity provider login using public key cryptography, while OIDC takes care of the trusted and federated relationship between Google and The New York Times.

OIDC is an identity federation standard that we profiled along with FIDO U2F last year to show how the pair solves a wider range of authentication challenges than either technology could on its own. Yubico is also a member of the OpenID Foundation, which is the creator of OIDC, and is actively exploring how U2F plays with other standardized identity technology.
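The federated half of the flow described above, as an added example that is not code from Yubico, Google or The New York Times: the identity provider mints an OpenID Connect ID token once the user has authenticated there (with the U2F key, in the article's scenario), and the relying party lets that user in without a second login only after verifying the ES256 signature with the issuer's public key and checking the issuer, audience, expiry and nonce claims. The issuer `https://idp.example`, the audience `news-site` and every claim value are constructed placeholders, and `NewIssuerKey` generates a key pair locally in place of the provider's published key set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims carried in the ID token; names follow OpenID Connect Core.
type Claims struct {
	Iss   string `json:"iss"`   // identity provider that issued the token
	Sub   string `json:"sub"`   // the user, as known to the issuer
	Aud   string `json:"aud"`   // the relying party the token is meant for
	Exp   int64  `json:"exp"`   // expiry, Unix seconds
	Iat   int64  `json:"iat"`   // issued-at, Unix seconds
	Nonce string `json:"nonce"` // value the RP chose when it started this login
}

var b64 = base64.RawURLEncoding

// NewIssuerKey stands in for the provider's signing key (published via JWKS in practice).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueIDToken plays the identity provider: after the user authenticated there, mint an ES256 JWT.
func IssueIDToken(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// ValidateIDToken plays the relying party: trust only the issuer's public key and
// admit the user without a second login only if the signature and every claim check out.
func ValidateIDToken(pub *ecdsa.PublicKey, token, iss, aud, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, errors.New("bad base64url segment or signature length")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// The algorithm is pinned by the RP; the token's own alg header is never trusted.
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unsupported or missing alg")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify under the issuer's key")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != iss:
		return nil, errors.New("unexpected issuer: " + c.Iss)
	case c.Aud != aud:
		return nil, errors.New("token was issued for another audience: " + c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token has expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: token is not from this login attempt")
	}
	return &c, nil
}

func main() {
	key, _ := NewIssuerKey()
	now := time.Now()
	tok, _ := IssueIDToken(key, Claims{Iss: "https://idp.example", Sub: "user-42", Aud: "news-site",
		Exp: now.Add(5 * time.Minute).Unix(), Iat: now.Unix(), Nonce: "n-1"})
	c, err := ValidateIDToken(&key.PublicKey, tok, "https://idp.example", "news-site", "n-1", now)
	fmt.Println(c, err)
}
```

The order of checks is deliberate: the signature is verified before any claim is read, the algorithm is fixed by the relying party rather than taken from the token, and the nonce ties the token to the login attempt the RP itself started, so a token obtained in some other session cannot be replayed into this one.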

Watch this video to see federated identity with a YubiKey in action. It’s impossible to see identity federation working under the covers in this scenario, but the simplicity and security should be clearly evident. And really, that’s the desired user experience.

How to: Login with FIDO U2F and OpenID Connect from Yubico on Vimeo.

Josh Kellerman

YubiKey And The Route To USB-C

The USB-C standard has caused a lot of chatter among Apple users, some concerning the elegance of fewer wires but mostly from those that miss absent ports, such as HDMI and USB 3.0, on newer MacBooks.

Yubico has received requests to join the USB-C evolution and release a USB-C compatible YubiKey. We have built a prototype with a nifty design, but until we see strong market demand it is not ready for the mass market.

YubiKey, USB-C Adapter bundle now featured in the Yubico Store

In the meantime, however, we have tested a number of USB-C adapters, available off-the-shelf or via Amazon, that allow the YubiKey to work with the MacBook and other devices, tablets and phones with a USB-C port (see picture above).

Either YubiKey form factor will work, but the most elegant configuration is to insert the YubiKey 4 Nano into the adapter and attach the YubiKey to a lanyard hanging from a keychain. Check to see that the YubiKey is snug within the USB-C adapter. To avoid unintentional activation of the YubiKey, we recommend a thin, non-metal lanyard cord. Without a lanyard, tweezers or a small tool may be needed to remove the YubiKey. The functionality of the YubiKey is in no way altered by using it with a USB-C adapter.

The USB-C standard is a multi-function evolution that combines both connectivity and power. For a wireless world, a single MacBook USB-C port bumps all other accessories to a wireless connection in the absence of an adapter.

When, or if, Apple opens its Near Field Communication (NFC) environment to developers, we think NFC will be the prevailing contactless connection point for the YubiKey, outdistancing Bluetooth in most use cases on all platforms.

Until then, we’re experimenting with how we might align the YubiKey design with the changing tides in USB evolution.

Stina Ehrensvard

Google Extends Multi-Factor Options With Prompt

Google yesterday released a third option for its two-step verification, complementing the Google Authenticator phone app and FIDO U2F Security Keys.

Google Prompt is a push app for mobile authentication, similar to two-factor push solutions offered by others like Duo Security. There is no authentication solution that fits everyone’s needs, and Prompt has both advantages and challenges.

Advantages

  • Free software to download/update on a smartphone, no additional device needed
  • Allows moving from two-factor to a true multi-factor offering
  • Much easier than typing a code or PIN from Google Authenticator

Challenges

  • Requires a data connection
  • Does not protect against phishing and man-in-the-middle attacks
  • Does not work with non-Google services
  • Some organizations do not allow users to bring their phone to work
  • Support and backup issues when the user’s phone (a single, expensive authenticator) is lost, broken, or has a dead battery
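
Why a U2F key resists the phishing and man-in-the-middle attacks that a push-based prompt cannot (the point made about U2F in the services round-up above and again in the Google Prompt challenge list) comes down to origin binding. The Go program below is an added illustration, not code from Yubico or Google. It models a token that holds one key pair per application ID, a browser that always presents the page's real origin as that ID and includes it in the signed client data, and a relying party that checks the origin, the challenge and the signature counter before accepting a login. The origins `https://login.example` and `https://login-example.test`, and the challenge strings, are constructed for the example; the signature base follows the U2F layout (hash of the application ID, user-presence flag, counter, hash of the client data).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	genuineAppID   = "https://login.example"      // constructed: the RP's real origin
	lookalikeAppID = "https://login-example.test" // constructed: a look-alike origin
)

// clientData is built by the browser and returned to the RP; U2F signs over its hash.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a U2F token: one key pair per application-ID hash plus a counter.
type Authenticator struct {
	keys    map[[32]byte]*ecdsa.PrivateKey
	counter uint32
}

// Register creates a key pair bound to appID and returns its public key.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = make(map[[32]byte]*ecdsa.PrivateKey)
	}
	a.keys[sha256.Sum256([]byte(appID))] = priv
	return &priv.PublicKey, nil
}

// Sign produces the authentication response; the browser derives appID from the page's real origin.
func (a *Authenticator) Sign(appID string, clientDataJSON []byte) (uint32, []byte, error) {
	appHash := sha256.Sum256([]byte(appID))
	priv, ok := a.keys[appHash]
	if !ok {
		return 0, nil, errors.New("authenticator: no key for this application ID")
	}
	a.counter++
	digest := signatureDigest(appHash, a.counter, clientDataJSON)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return a.counter, sig, err
}

// signatureDigest hashes the U2F signature base: sha256(appID) || flags || counter || sha256(clientData).
func signatureDigest(appHash [32]byte, counter uint32, clientDataJSON []byte) [32]byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := append([]byte{}, appHash[:]...)
	msg = append(msg, 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return sha256.Sum256(append(msg, cdHash[:]...))
}

// VerifyAssertion is the RP's check: its own challenge and origin, an advancing counter, a valid signature.
func VerifyAssertion(pub *ecdsa.PublicKey, rpOrigin, challenge string, lastCounter uint32, clientDataJSON []byte, counter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != challenge:
		return errors.New("rp: challenge mismatch (replayed or foreign session)")
	case cd.Origin != rpOrigin:
		return errors.New("rp: origin mismatch: " + cd.Origin)
	case counter <= lastCounter:
		return errors.New("rp: counter did not advance (possible cloned token)")
	}
	if d := signatureDigest(sha256.Sum256([]byte(rpOrigin)), counter, clientDataJSON); !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("rp: bad signature")
	}
	return nil
}

// Login runs one authentication as the browser sees it: the page at pageOrigin gets the challenge,
// the token is asked to sign for that origin, and the RP verifies the result.
func Login(tok *Authenticator, pub *ecdsa.PublicKey, pageOrigin, challenge string, lastCounter uint32) error {
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	counter, sig, err := tok.Sign(pageOrigin, cdJSON)
	if err != nil {
		return err
	}
	return VerifyAssertion(pub, genuineAppID, challenge, lastCounter, cdJSON, counter, sig)
}

func main() {
	tok := &Authenticator{}
	pub, _ := tok.Register(genuineAppID)
	fmt.Println("genuine origin:   ", Login(tok, pub, genuineAppID, "challenge-1", 0))
	fmt.Println("look-alike origin:", Login(tok, pub, lookalikeAppID, "challenge-2", 1))
}
```

Run with `go run`: the genuine origin verifies, while the look-alike origin fails before the token signs anything, because the browser, not the page, decides which application ID is presented, and the relying party would additionally reject any client data whose origin is not its own. A push prompt has no equivalent check; it asks the user to approve a login, and the user cannot tell from the prompt where the session that triggered it actually came from.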

Currently, users can’t have Security Keys and Google Prompt enabled at the same time. We expect this will change soon, as Prompt is a better phone-based complement to the Security Key than Google Authenticator.

Google has spent the past five years building its strong authentication strategy, with Prompt the latest piece of a plan that also includes multiple protocols, cross-platform support, and administrative tools. Prompt is an attempt to match capabilities already available in the identity and access management market, such as Okta Verify, Centrify Push, and PingID Swipe.

Google’s ultimate goal is to build an identity-as-a-service (IDaaS) for enterprises, including a host of federation options (SAML, OIDC), and management tools such as mobile device management and provisioning, which is currently being tested by Salesforce, Slack, and Facebook at Work. Google discussed this IDaaS plan in early June at the Cloud Identity Summit with focus on Google IDP, Firebase Auth, and customer facing login.

Management of the identity and authentication ecosystem is an absolute requirement for the enterprise and we applaud Google’s efforts here. Strong authentication isn’t one method used everywhere — it’s a combination of options matched to use cases. Currently, FIDO U2F Security Keys, including YubiKeys, are proven to offer higher security, a faster login experience, and fewer support calls than any other authentication technology on the market.

YubiKey users can have one single and simple key to access a wide range of IT applications, including computers, servers, networks, leading online services and IAM platforms, as well as to sign and encrypt data.

Updated July 24, 2016 to clarify phishing, man-in-the-middle challenge