Jerrod Chong

Introducing the YubiKey 5 Series with New NFC and FIDO2 Passwordless Features

Today, we are announcing some exciting news that we know you’ve all been waiting for. The 5th generation YubiKey has arrived!

Our new YubiKey 5 Series comprises four multi-protocol security keys and brings two much anticipated new features: FIDO2 / WebAuthn and NFC (near field communication).

The YubiKey 5 Series is the industry’s first set of multi-protocol security keys to support FIDO2 / WebAuthn, the open authentication standard that Yubico helped to pioneer, along with Microsoft and others. All leading platforms and browsers have either added support or are engaged in this standards work, expanding the authentication choices available with authentication devices such as a YubiKey, with or without a username and password. Each key in the YubiKey 5 Series supports: FIDO2 / WebAuthn, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response.

With the new YubiKey 5 series, Yubico provides a solution that not only works for today’s authentication scenarios, but into tomorrow’s, helping to bridge the gap from existing solutions to a future of passwordless login. Users will receive the same trusted security, ease of use, and durability expected from a YubiKey, but will now have the added option of passwordless logins using FIDO2:

Authentication options with the YubiKey 5 Series.


Single-Factor Authentication (Passwordless) with the YubiKey 5 Series – The YubiKey 5 security keys can be used alone for strong single-factor authentication, requiring no username or password to login — just tap or touch to authenticate.

Second-Factor Authentication with the YubiKey 5 Series – Used alongside a username and password, the YubiKey 5 series offers a strong second factor of authentication. This is the YubiKey integration that exists today with services like Google, Twitter, and Facebook, and it is most familiar to our users.

Multi-Factor Authentication (Passwordless + PIN + Touch) with the YubiKey 5 Series – The YubiKey 5 series can be used in conjunction with a PIN for user verification. In this case, the PIN unlocks the device locally and touch is still required for the YubiKey to perform the authentication.


With this expanded choice of authentication modes, developers choosing to add support for the YubiKey will have the option to choose the authentication model that best suits their use cases and customers. Implementation resources for all of the YubiKey-supported protocols can be found on the Yubico Developer website or through the Yubico Developer Program mailing list.

Another much-anticipated feature of the YubiKey 5 Series is NFC on the YubiKey 5 NFC device, allowing a seamless and secure tap-and-go experience with mobile devices or external NFC readers.

YubiKey 5 NFC

Combining the security and usability features of FIDO2 passwordless authentication and tap-and-go NFC provides an optimal user experience, and drastically improves security and productivity. This is especially beneficial in fast-paced, dispersed working environments within sectors such as financial services, healthcare, and retail point-of-sale (POS). FIDO2 is the first open standard authentication protocol that can take tap-and-go authentication to the masses.

The YubiKey 5 Series includes: YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, and YubiKey 5C Nano. To determine the key that is best for you, please reference the online comparison chart, or take our YubiKey quiz!

Beginning today, YubiKey 5 Series security keys are available for purchase exclusively at Yubico.com. Shop our store, and be one of the first to own a YubiKey 5!

Jerrod Chong

Yubico Extends Mobile SDK for iOS to Lightning

Earlier this year, Yubico announced a Mobile SDK for iOS to enable Yubico OTP authentication over NFC on iPhones. Today, we are pleased to announce that we are extending the Yubico Mobile SDK to enable rapid implementation of FIDO U2F over a lightning connection for iOS apps. We invite developers to join the Yubico Lightning Project to work with us to broaden authentication options for iOS applications.

The reality is, overall usage of mobile devices is on the rise. In fact, 79% of internet use is predicted to be on mobile by the end of 2018. Yubico’s goal has always been to make strong, simple online security truly ubiquitous, regardless of service, device, and/or operating system. However, making a hardware authenticator, such as the YubiKey, work in a secure and seamless way with iOS has been a challenge for us and the rest of the industry over the past few years.

We have researched and prototyped various iOS solutions and believe that NFC (near field communication) and USB are optimal communications transports for external authenticators because of security and usability. While it’s always possible that Apple may further open up support for NFC or USB interfaces in the future, this is currently limited or not accessible on today’s iOS devices.

The Yubico Lightning Project is designed to address these issues, with rollout in several phases. Phase one introduces our extended Mobile SDK for iOS, which enables developers to add U2F authentication to iOS apps via a lightning connection. This approach enables apps and services to have out-of-the-box U2F support. Following phases will be communicated in the future.

“Our customers love the security and ease of use of U2F Yubico security keys on their Keeper desktop and web app. Providing this ability to all users on their iPhone and Android devices is an amazing and exciting capability we’ll be ready to deploy as soon as it becomes available,” said Craig Lurey, CTO and Co-Founder of Keeper Security.

“Multi-factor authentication is a must for all organizations, helping to mitigate credential-based attacks and ensuring only the right people have access to the information they need to do their work. By working with companies like Yubico alongside our own MFA offering, we’re able to continue to provide organizations with options for simple, seamless ways to layer security on all of the devices the modern workforce is using today,” said Joe Diamond, Sr. Director of Security Product Marketing, at Okta.

Developers who are interested in taking advantage of strong U2F authentication for iOS apps, are invited to sign up here to receive more information about the Lightning Project. We also encourage you to sign up for the Yubico Developer Program mailing list to stay updated on new developer resources as they become available.

Ronnie Manning

Let’s Meet! Catch YubiKey Demos, Developer Resources & More at Black Hat

This week, we’re headed to Las Vegas for none other than the Black Hat Expo, and we’ll be showcasing all kinds of YubiKey goodness. We’ll be at booth #463, so if you’re there stop by to say hello.

Here’s a taste of what you can expect:

Passwordless Login Demos

If you’ve been keeping up with us and the authentication space, you’ll know that a passwordless future is here thanks to the introduction of the new FIDO2 open standard.

Yubico is a core contributor to this standard, and we’ve got a device that can deliver on the passwordless login experience — the Security Key by Yubico. And you guessed it, we’ll be demoing a tap-and-go login flow (no passwords needed) at Black Hat on an Azure Active Directory environment with the Security Key by Yubico. Catch a sneak peek!

New Developer Resources

We’ve been hard at work on our recently launched Yubico Developer Program, and we’re happy to share some of our latest resources with you at BlackHat.

One of our hottest new offerings is our Mobile SDK for iOS. In case you missed it, LastPass leveraged our Mobile SDK for iOS to enable the YubiKey NEO to authenticate to the LastPass iOS app via NFC (we’ll have demos at the booth). The Mobile SDK for iOS is hosted on our developer site and open for all developers to use.

If you haven’t heard about our Developer Program, sign up for our mailing list and we’ll keep you in the loop on what’s new.


Featured YubiKey Integrations

Here at Yubico, we like to say, “The YubiKey works with many, many locks.” We’ve built so much power, security, and usability into one little device, and those features are built upon by all of the services and applications that support the YubiKey.

That’s why we love our technology partners so much. Keep your eyes peeled and see if you can spot the “Works with YubiKey” standees when you’re walking the show floor.

Several of our partners will have these featured at their booths and will be giving demos of their own YubiKey integrations.


If any of this sounds interesting, or even if you’d just like to meet the people behind the key, please come say hi. We’re at booth #463, and we’d love to meet you and talk all things YubiKey.

Jerrod Chong

One Step Closer to Passwordless Login with Microsoft Edge Support for FIDO2 & WebAuthn

The industry moved one step closer to passwordless login with this week’s Microsoft announcement that starting with Microsoft Edge build 17723, the browser will support FIDO2 strong first-factor and multifactor passwordless login, and second-factor authentication.

Now, with Chrome, Firefox, and Edge all engaged to support WebAuthn, we have two-thirds of all major web browsers backing this next-generation protocol. In March this year, the W3C Web Authentication Working Group announced that WebAuthn reached Candidate Recommendation (CR) status, meaning that any browser can add support with a high degree of interoperability.

This is exciting news for developers, application creators, and those who want to secure their services with WebAuthn and FIDO2 to enable a passwordless login experience.

As a leading contributor and driver of the FIDO2 and WebAuthn open authentication standards, Yubico is committed to helping the larger developer community navigate implementation. Earlier this year we launched a new Developer Program to help developers rapidly integrate with these new standards. Over 1000 companies have registered to date with the program to find resources to help them become successful in integrating FIDO2. Most recently Yubico hosted an expert FIDO2/WebAuthn webinar series focused specifically on FIDO2 and WebAuthn education and deployment:

  • FIDO2 Authentication Demystified
  • FIDO2 WebAuthn Data Flows, Attestation, and Passwordless Technical Overview
  • FIDO2 WebAuthn Server Validation Technical Overview

With new WebAuthn browser support available in Edge, Chrome, and Firefox, a FIDO2-compatible hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single-factor authentication. WebAuthn still supports second-factor authentication, and also supports the use of a PIN or biometrics with both external and platform authenticators for a multi-factor passwordless login experience.

The FIDO2 momentum is strong and we encourage developers and security architects interested in the new standard to sign up for our Yubico Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. New content is being added on an ongoing basis with the next FIDO2 resources becoming available later this month.

For those that are still unfamiliar with FIDO2 and WebAuthn, visit our latest blog that answers some of the most common questions we’ve received about the standard so far.

(Browser market share percentage via statcounter)

Jerrod Chong

10 Things You’ve Been Wondering About FIDO2, WebAuthn, and a Passwordless World

Armed with a mission to deliver a more secure internet, Yubico has been working closely with Microsoft, Google, the FIDO Alliance and W3C to create and drive open standards that pave the way for the future of passwordless login. The FIDO2 standard is the new standard enabling the replacement of weak password-based authentication with strong hardware-based authentication using public key (asymmetric) cryptography.

FIDO2 has created quite a buzz in the security community, and as with any new technology, there’s always a bit of a learning curve. Earlier this year, we introduced our updated Yubico Developer Program to help developers get up to speed quickly with FIDO2 and WebAuthn.  

In the past few weeks, we have run a FIDO2 webinar series for developers to provide background on the FIDO2 specification and how to implement it. During the course of this webinar series, we have answered many questions about the specifics of the FIDO2 standard and WebAuthn, including how it relates to our new Security Key by Yubico, and the evolution of a passwordless world. We wanted to share the most commonly asked questions and answers, which you may also have wondered about.

Are FIDO2 and WebAuthn the same thing? If not, how are they different?

FIDO2 comprises two standardized components, a web API (WebAuthn) and a Client to Authenticator Protocol (CTAP). The two work together and are both required to achieve a passwordless login experience. The earlier FIDO U2F protocol for external authenticators has been renamed CTAP1 in the WebAuthn specifications.

With Chrome and Firefox announcing WebAuthn API and CTAP1 support as the client, and Dropbox now integrating with the WebAuthn API, this has kicked off a flurry of integration activities by other services. Most recently, Microsoft Edge released support for WebAuthn API, CTAP1 and CTAP2, making it the browser with the widest authentication support.

Is FIDO2 backwards-compatible with current YubiKey models?

The WebAuthn component of FIDO2 is backwards-compatible with FIDO U2F authenticators via the CTAP1 protocol in the WebAuthn specifications. This means that all previously certified FIDO U2F Security Keys and YubiKeys will continue to work as a second-factor authentication login experience with web browsers and online services supporting WebAuthn.

The new FIDO2 passwordless experience will require the additional functionality of CTAP2, which is currently only offered in the new Security Key by Yubico. CTAP2 is not supported in previous FIDO U2F Security Keys, the current YubiKey 4 series, or the YubiKey NEO.

Is FIDO2 considered single factor, two-factor or multi-factor authentication?

Login with a FIDO2-enabled hardware device, such as the Security Key by Yubico, offers a greater choice for strong authentication including:

  • single factor passwordless
  • two-factor (2FA)
  • multi-factor authentication (MFA)

With FIDO2, a hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single factor authentication. Users can also continue to use the Security Key by Yubico as a second factor. Finally, for added security, a FIDO2 hardware authenticator can be combined with an additional factor, such as a PIN or biometric gesture, to enable strong multi-factor authentication.

How secure is FIDO2 compared to FIDO U2F and other 2FA solutions?

FIDO2 single-factor login is itself strong authentication. In many cases, this single-factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely when using FIDO2. FIDO2 single factor uses the same strong public key cryptography with origin checking to prevent phishing as FIDO U2F, but with the additional convenience of not needing a username and password as the first factor to identify the user.
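The following Python is an added example (not Yubico’s code or any webinar reference code) sketching the relying-party side of the origin checking described above: it parses a clientDataJSON and authenticator data constructed inline, and rejects a response whose ceremony type, challenge, origin, RP ID hash, user-presence or user-verification flags, or signature counter do not match what the service expects. The origin, RP ID, challenge and counter values are constructed for illustration; verifying the signature over the returned payload with the registered public key is the step that follows and is not shown.

```python
import base64
import hashlib
import hmac
import json
import struct

# Flag bits in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user presence: the key was touched
FLAG_UV = 0x04  # user verification: PIN or biometric unlocked the key

# Constructed sample values; a real RP issues a fresh random challenge per login.
CHALLENGE = b"\x01" * 32
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(challenge: bytes, origin: str, rp_id: str,
                    sign_count: int, user_verified: bool) -> dict:
    """Construct the two pieces an RP checks, as a browser and key would produce them.

    In a real flow the browser fills in 'origin' from the page that called
    navigator.credentials.get(), which is why a look-alike site cannot forge it.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes, expected_origin: str,
                     rp_id: str, last_sign_count: int, require_uv: bool = False):
    """Return (ok, reason) after the RP-side checks that bind a login to one origin."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"          # stale or replayed response
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch"             # response came from another site
    auth_data = assertion["authenticatorData"]
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"           # key scoped the credential to a different RP
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not asserted"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count <= last_sign_count and not (sign_count == 0 and last_sign_count == 0):
        return False, "signature counter did not increase"  # possible cloned credential
    return True, "ok"


def signed_payload(assertion: dict) -> bytes:
    """Bytes the authenticator signed: authenticatorData || SHA-256(clientDataJSON)."""
    return assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()


if __name__ == "__main__":
    good = build_assertion(CHALLENGE, EXPECTED_ORIGIN, RP_ID, 6, True)
    print("genuine login:", verify_assertion(good, CHALLENGE, EXPECTED_ORIGIN, RP_ID, 5, require_uv=True))
    lookalike = build_assertion(CHALLENGE, "https://login.example.com.evil.test", RP_ID, 6, False)
    print("look-alike site:", verify_assertion(lookalike, CHALLENGE, EXPECTED_ORIGIN, RP_ID, 5))
```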

Will FIDO U2F become obsolete with the expansion of FIDO2?

FIDO2 WebAuthn is backwards compatible with FIDO U2F authenticators, so over time, we expect FIDO2 will subsume FIDO U2F.

Is there an option to use FIDO2 in conjunction with an additional factor such as a PIN or biometrics? Is this recommended?

Hardware authenticators supporting CTAP2 can add user verification by requiring users to present a PIN or biometric to unlock the hardware authenticator so it can perform its role. Whether to require this depends primarily on the implementer’s threat model and use cases. For example, a large banking institution may want to consider the use of a PIN in conjunction with a security key for a higher level of assurance, while a warehouse-based shared kiosk environment may not.

The Security Key by Yubico implements the full CTAP2 specification and supports several passwordless experiences, including single-factor touch-and-go using the hardware authenticator (no need for a username) as well as use of a PIN together with a touch of the hardware authenticator.

What’s the difference between a PIN and password?

As stated above, one of the allowances with FIDO2 is the option to combine hardware-based authentication with an additional factor such as a PIN. This has many of you wondering, “Well, isn’t that the same as needing to remember a password?”

A PIN is actually different from a password. The purpose of the PIN is to unlock the Security Key so it can perform its role. A PIN is stored locally on the device, and is never sent across the network. In contrast, a password is sent across a network to the service for validation, and that can be phished. In addition, since the PIN is not part of the security context for remotely authenticating the user, the PIN does not need the same security requirements as passwords that are sent across the network for verification. This means that a PIN can be much simpler and shorter, and does not need to change often, which reduces concerns and IT support loads for reset and recovery. Therefore, the hardware authenticator with a PIN provides a passwordless, phishing-resistant solution for authentication.

How does FIDO2 affect a company’s password policy of replacing passwords every 90 days?

With FIDO2, there’s no need to replace passwords, as there are no passwords required.

For those combining a hardware authenticator with a PIN, it’s important to note that PINs do not demand the same security requirement as a password. A PIN and a password are different. Since a PIN is not part of the security context for remotely authenticating the user (the PIN is not sent over the network for verification), it can be much simpler and less complex than a password, and does not need to be changed with the same frequency (or at all), which eases enterprise concerns about PIN reset and recovery.

What services provide support for FIDO2? When can we expect additional services to roll out support?

Chrome, Firefox, and Dropbox have implemented support for the WebAuthn second-factor login flow. Beginning with build 17723, Microsoft Edge now supports the Candidate Recommendation version of WebAuthn. This latest version of Edge is able to support FIDO2 strong single-factor and multi-factor authentication, in addition to the second factor. The Yubico Developer Program offers comprehensive resources for those interested in adding support for FIDO2.

What if I lose my Security Key by Yubico? Without a password, am I locked out of my account?

Best practice is always to ensure that you have a backup Security Key in place, should you misplace your primary device. The Security Key by Yubico contains no identifiable information, so if it were to be found, it could not immediately be used to login without knowing the identity of the owner and to which accounts it is registered. The reality is that the primary attack vector for consumers and enterprises is remote account takeover — whether by credential theft, phishing scams, or man-in-the-middle attacks. FIDO2 and the Security Key by Yubico are specifically designed to protect against these types of threats.

For those who are concerned with physical threats, the option is there to require multi-factor authentication using a PIN for additional protection. That way, if someone obtains a stolen Security Key, they will still need to know which accounts it is registered with, and also have access to your additional factor (PIN) to be able to log in.

A significant benefit of an open authentication standard is that the number of implementations is limitless. Microsoft Edge, Google Chrome and Mozilla Firefox as clients, and Dropbox as a service, have all announced WebAuthn support, with many more in the works. We’re well on our way to the future of passwordless login!

Do you want to be a part of the future of passwordless login?

If you are a developer who is interested in adding support for FIDO2, sign up for our Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. Also, our series of FIDO2 virtual events is now available for on-demand viewing.

If you’d like to read more about FIDO2, check out our recent blog post, “What is FIDO2?”

Stina Ehrensvard

The Key to Trust

As the principal inventor behind both the Security Key and U2F protocol, we are true supporters of open standards. To realize our mission of making secure login ubiquitous, we designed the original Security Key, and provided the majority of the open source code and test tools for FIDO U2F and the latest version of the standard, FIDO2, which offers a passwordless experience.

Innovation is core to all we do, and as the ecosystem continues to mature, U2F and FIDO2 functionality will come in many different form factors, communications methods (USB/BLE/NFC) and features, from Yubico and others.

Over the past several years, Google has deployed hundreds of thousands of FIDO U2F-enabled Yubico devices internally with amazing results. Today, Google released their own version of a security key, and while we have been asked whether we were involved in producing it, these devices are not manufactured by Yubico.

Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.

Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Yubico is a believer in NFC, and the YubiKey NEO design has proven at scale to deliver a superior contactless user experience for U2F. Also, Yubico will soon announce another secure and user-friendly solution for iOS.

YubiKey authentication devices

The FIDO U2F and FIDO2 standards work has been a long, challenging and inspiring journey convincing and engaging all leading platforms and browsers to subscribe to the Yubico mission: to make secure login easy and available for everyone.

U2F is just one tool in the YubiKey toolbox. Today, the majority of our customers use our multi-function YubiKeys across multiple applications, services, and operating systems. In addition to FIDO U2F, we offer smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP, in a single device, over both USB and NFC, as well as in USB-C form factors.

Yubico continues to work closely with Microsoft, Google and the global open standards community on FIDO2, the passwordless evolution of U2F. This next-generation standard enables the option to use a security key as a single factor, with an optional PIN or biometrics on the user device, removing the need for service providers to store and manage passwords.

We will continue to create market defining authentication products, which we are currently demonstrating at Google Cloud Next, booth #S1426. We welcome you to join us.

Ronnie Manning

5 Simple Ways to Get Started with Your YubiKey

What are your go-to apps? There are several applications and services that many of us use weekly, and in most cases, daily — Gmail, Facebook, Dropbox, a password manager — and the good news is that all of these support the YubiKey for strong authentication. And now, there is one more to add to the list!

As of last month, Twitter users can now protect their accounts with FIDO U2F two-factor authentication using a YubiKey or Security Key by Yubico. This new feature is now available to all 328 million of Twitter’s monthly active users for both personal and business accounts.

Twitter has some simple setup instructions here for use on your computer. Once you register your YubiKey with Twitter, you will be required to present the key each time you log in to your account in the future. It will ask for your username and password, and then it will ask for your YubiKey. Just insert the YubiKey into your computer’s USB port and, once it starts blinking, tap it.

The YubiKey NEO is our mobile-friendly device, equipped with near field communication (NFC). It works by simply tapping the YubiKey NEO to the back of your phone. However, Twitter does not yet support the YubiKey in their mobile app; we hope this is a feature they add in the near future.

The YubiKey is great for protecting against remote hackers trying to access your account, but you may be thinking, “What if I forget my key?” Twitter lets you set up a backup form of two-factor authentication on your account as well. For example, you could use Google Authenticator, or our Yubico Authenticator app with a second YubiKey, as your backup. These forms of authentication will also be useful for mobile users. That way, you can use a YubiKey on your computer and an authenticator app on your phone.

Best practice is to have multiple YubiKeys set up for your accounts. One on your keychain, one in your wallet, or one in a safe place at home helps make sure you’ve always got a backup YubiKey nearby. Many services let users register multiple YubiKeys with their account for this very reason. Twitter only allows one key at the moment. If you want more than one YubiKey on your Twitter account, or would like to have YubiKey support on mobile, help us out by sending a tweet to tell them what you’d like to see.

One of the best features of the YubiKey is that you can use just one key for any number of services and accounts. Here are the instructions on how to quickly get your other accounts secured with a YubiKey:

Google: Fun fact. Google was the first web service to support the use of U2F and YubiKeys. See how to get started with Google and the YubiKey here.

Facebook: Don’t make the mistake of overlooking the need to protect this social media account. Facebook contains a lot of personally identifiable information that can be used to advance a hacker’s efforts. See how to get started with Facebook and the YubiKey here.

Dropbox: Whether you’re sharing vacation photos or business documents, make sure your files stay safe from prying eyes. See how to get started with Dropbox and YubiKey here.

Password Managers: Did you know that the YubiKey works with 17 password managers? See how to get started with your favorite password manager and the YubiKey here.

Don’t see one of your favorites? Don’t worry. We have plenty of other services — for individual users and businesses — that support the YubiKey. You can see the full list here.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best!

Ronnie Manning

Stina Ehrensvard Wins 2018 Female Executive of the Year

Today, we are excited to announce that Yubico’s CEO and Founder, Stina Ehrensvard, was named Female Executive of the Year by the Women World Awards for the second year in a row!

This news comes on the heels of several major announcements that we’ve shared over the past few weeks — YubiKey for iOS, FIPS 140-2 YubiKey Series, Andreessen Horowitz investment, FIDO2 passwordless logins — and we couldn’t be happier to keep the momentum going by celebrating Yubico’s founder and the milestones we’ve achieved together.

The Women World Awards are an annual industry and peer recognition program honoring women in business and the professions, and organizations of all types and sizes from around the world. The program encompasses the world’s best in leadership, innovation, organizational performance, and new products and services from every major industry in the world.

The Female Executive of the Year category highlights individual women whose accomplishments in the last year set an impressive standard for their company as well as for industry norms. Stina was selected as the Gold Winner in this category due to her significant contributions and innovations to advance the current state of internet security, most notably Yubico’s work in developing FIDO2 and driving new paths for the next generation of online security: passwordless logins.

“It’s an honor to be named a winner by Women World Awards,” said Stina. “These awards are an encouraging reminder that each year, Yubico is one step closer to seeing our vision of a safer internet for all become a reality. I’m proud of everything the Yubico team has done to get us there, and has been able to accomplish over the last year.”

To read more about Stina’s entrepreneurial journey and Yubico’s mission, check out her recent interview with Compelo magazine.

Jerrod Chong

Now Available! FIPS 140-2 Validated YubiKey Series

Today, we’re excited to announce the certification and availability of our YubiKey FIPS series, the first multi-protocol FIPS 140-2 validated security keys.

FIPS 140-2 is a US government computer security standard, published by the National Institute of Standards and Technology (NIST), that covers the use of cryptographic functionality such as encryption, authentication, and digital signatures. The FIPS 140-2 validated YubiKeys meet the most stringent security requirements of US federal agencies.

The YubiKey FIPS Series includes keychain and nano form-factors for USB-A and USB-C interfaces.

The YubiKey FIPS Series uses the YubiKey 4 Cryptographic Module, which received FIPS 140-2 validation at Overall Level 2, Physical Security Level 3, with certificate number 3204. At this level, the YubiKey FIPS Series meets Authenticator Assurance Level 3 (AAL3) as defined in NIST SP 800-63B, which enables compliance with Federal Risk and Authorization Management Program (FedRAMP) and Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

FIPS certification is essential for many branches of the US government and contractors, in addition to those in the private sector that collect and transmit sensitive but unclassified (SBU) information.

The YubiKey FIPS Series hardware authentication devices include keychain and nano form-factors for USB-A and USB-C interfaces. The YubiKey FIPS Series is the only FIPS validated multi-protocol security key on the market supporting five authentication protocols: FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP. Now, federal entities and federal-compliant enterprises can comply with high assurance security requirements for on-premise or cloud deployments using the YubiKey FIPS Series.

Companies including Google, Facebook, Salesforce and thousands more trust the YubiKey to protect account access to computers, networks and online services. Now, we are able to deliver the same simple, trusted protection as a FIPS validated solution.

For more information and technical details on the new product line, visit the YubiKey FIPS page. Starting at $46, YubiKey FIPS Series security keys are available now for purchase online at the Yubico store or by contacting Yubico Sales.

Jesper Johansson

WebUSB in Google Chrome and Responsible Disclosure

Authored by Venkat Venkataraju & Jesper Johansson

Yubico Blog Update and Statement – 6/18/18

On June 13, 2018 we published this blog post and security advisory regarding WebUSB issues in Chrome. In hindsight we realize that we did not give enough credit in our blog post and security advisory to the foundational work done by Markus Vervier and Michele Orrù, who highlighted and demonstrated the first security vulnerability in WebUSB at OffensiveCon, and which was subsequently written up in a WIRED article. After posting, we communicated with them, apologized for this, and made updates to the blog post and security advisory to make sure proper credit was given.

Building on the publicly available information about work by Markus and Michele described in the article, Yubico investigated the issue and developed our own proof of concept (PoC) test tools. In the process we discovered additional issues with WebUSB and began outreach with Google on March 1st. Yubico first spoke with the researchers on March 2nd. The formal bug report which Yubico submitted to Google on March 5th, referenced the OffensiveCon talk by Markus and Michele and their original public announcement of the CCID issue in the first sentence. We submitted this privately to protect our customers and the broader U2F ecosystem.

Markus and Michele’s research provided a critical foundation, and we made a mistake by not clearly acknowledging them for their original research in our security advisory. We learned only on June 13, after we published our advisory, that Markus and Michele also discovered and reported HID issues to Google. We understand that better communication after the issue was fixed would have ensured that all parties were in sync, and will use this as an opportunity for improvement.

Yubico has always strived to be transparent and we regret the missed opportunity to work more collaboratively with Markus and Michele. Historically, Yubico has worked closely with security researchers across the globe and we are committed to continue to do so.

————-end update—————–

To improve the entire security ecosystem, Yubico is a strong believer in responsible disclosure practices. We believe that the best outcome happens when security researchers confidentially provide research and reporting to an impacted company, so a fix can be in place before any public disclosure to help protect users from the exploitation of the vulnerability.

This year, Yubico worked with Google under responsible disclosure to address WebUSB vulnerabilities in Google Chrome that affected the entire ecosystem of FIDO U2F authenticators, manufactured by Yubico as well as other vendors.

The original issue first surfaced in a news article in March 2018 describing how security researchers Markus Vervier and Michele Orrù had demonstrated how to circumvent the FIDO U2F origin check using WebUSB functionality in Google Chrome and the YubiKey NEO’s USB CCID U2F interface.

Once Yubico was informed of the CCID issue, our own researchers quickly discovered there was a broader set of security concerns within WebUSB that affected the entire ecosystem of FIDO U2F authenticators. To help protect the U2F ecosystem, we disclosed these issues to Google in early March and worked closely with their engineering teams on a mitigation plan to address this issue and secure all U2F customers.

With the May 29, 2018 release of Chrome 67, Google fixed the WebUSB vulnerability, and the issue could no longer affect any U2F authenticators (from Yubico or other vendors). To read the detailed report of the WebUSB issue in Chrome, please visit our Security Advisories page for the full analysis.

For this research and disclosure, Google awarded Yubico a bug bounty in the amount of $5,000, which Yubico has opted to donate to charity. Yubico chose Girls Who Code, a non-profit that aims to support and increase the number of women in computer science. Additionally, Google has matched the donation with another $5,000, resulting in a $10,000 donation to Girls Who Code, to further support efforts at increasing diversity in our field.

The security ecosystem is only as strong as its weakest link, and if we, as a community of vendors and security researchers, work together effectively and respectfully, we can secure not only end users but the entire ecosystem from continually evolving threats.

For the protection of everyone, we encourage all researchers to responsibly disclose any discovered security concerns to the affected company so they may implement a fix before any public disclosure. To contact the security team at Yubico please email security@yubico.com.


June 13th Update:
We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google. We were not aware of this at the time, we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem. 


Ronnie Manning

Yubico Lands a16z Investment and Grows Board of Directors

Today, Yubico is proud to announce its latest round of investment from Andreessen Horowitz (a16z). a16z is supporting Yubico’s mission to create a safer internet for everyone by providing ubiquitous secure access to computers, networks and servers. The company has grown profitably over the last six years, and funds from the new investment will be used to scale the engineering, product and development teams.

In addition to the company backing, Martin Casado, general partner at a16z, will be joining the Yubico board of directors. With an extensive background in computer science, software-defined networking, and security, Martin will support the company in a rapid growth phase, helping Yubico scale as the hardware root of trust for users and servers as we move toward the passwordless future.

“Internet security is an area I’m personally very passionate about and I’m a true believer in the Yubico vision and approach. I’m thrilled to be joining the board and working with the team on this journey forward,” said Casado.

The YubiKey is the authenticator of choice for thousands of business customers and millions of users in more than 160 countries, including a16z, who currently deploy YubiKeys to every employee. This decision was made prior to the investment in Yubico, as a16z determined that the YubiKey was the most secure approach for protecting accounts and sensitive company data.  

Yubico CEO and Founder Stina Ehrensvard worked with Martin Casado on the a16z Podcast episode ‘The State of Security’ from earlier this year to provide insight into the crossroads of software and hardware in the security space. Specifically, Stina spoke about the increasingly important role of authentication in a world where we hear of new data breaches and stolen user credentials on a daily basis.

Previous Yubico investors include NEA and renowned Silicon Valley entrepreneurs Marc Benioff, CEO of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member.

Stina Ehrensvard

What is FIDO2?

Last month, open authentication standards reached an important milestone; Microsoft launched support for FIDO2 and CTAP, and the World Wide Web Consortium (W3C) won approval for WebAuthn. Since then, Yubico has received questions on how these efforts are related, what role FIDO U2F and Yubico have in the mix, and what organizations can implement now — and in the future — to enable simple, strong authentication for employees and end-users. This blog will bring some clarity to those questions.

What is the difference between FIDO U2F and FIDO2?

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.

Essentially, FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.

What is WebAuthn & CTAP?

A new, extensible web authentication API, called WebAuthn, has been developed within the W3C; it supports both existing FIDO U2F credentials and the upcoming FIDO2 credentials.

The FIDO U2F client-side protocol has been renamed CTAP1, and a new, extensible Client to Authenticator Protocol (CTAP2) has been developed to allow external authenticators (tokens, phones, smart cards, etc.) to interface with FIDO2-enabled browsers and operating systems.

WebAuthn and CTAP2 are both required to deliver the FIDO2 passwordless login experience, but WebAuthn still supports FIDO U2F authenticators: a browser implementing WebAuthn can reach them over CTAP1 (which the FIDO CTAP specification defines alongside CTAP2), and WebAuthn’s appid extension lets a site keep using credentials that were registered under its old U2F AppID.

How can organizations deploy FIDO2?

So, what can organizations do if they are aiming to provide support for FIDO2? We recommend adding support for WebAuthn, since it works with existing FIDO U2F authenticators as well as FIDO2 authenticators.

Mozilla Firefox 60 recently added support for WebAuthn, Chrome 67 will be shipping with WebAuthn support in the near future, and Microsoft has already announced they will support WebAuthn in Edge browsers. The U2F web API continues to work for U2F authenticators, but is limited to the Chrome and Opera browsers.

To evaluate WebAuthn with FIDO U2F and FIDO2 authenticators today, Yubico offers a test service at demo.yubico.com/webauthn, and soon we will provide more complete open source FIDO2 servers on GitHub. Organizations can sign up for updates from the Yubico Developer Program to get information on FIDO2 and WebAuthn resources.

So, what’s our role in all of this?

From Yubico’s perspective, we’re proud and pleased to see our vision of one single security key to any number of services become a reality. We’ve watched this vision progress from our launch of the first YubiKey in 2008, to early U2F development in 2011, to the launch of FIDO2 in 2018.

With WebAuthn providing a seamless evolution from U2F to FIDO2, and with upcoming support for built-in authenticators and additional use-cases, WebAuthn becomes the center of a ubiquitous ecosystem for authentication.

Our mission has always been to drive standards and adoption by providing technical specifications, open source components, and developer tools; and to be the gold standard for authenticators. With the open standards ecosystem growing, we see the vision of providing strong authentication for everyone coming true.

Interested in exploring FIDO2 and passwordless login? Get started today with the Security Key by Yubico.

Ronnie Manning

YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support

It’s a question that we receive often, ‘so how does the YubiKey work with iPhone?’ Until now, the answer to that question has been a bit unclear because of limited support for NFC in iOS. But today, we have a clear answer: YubiKey iOS support is here, now, with two exciting pieces of news.

For application developers, we are introducing a new Mobile SDK for iOS that allows any iOS mobile app to rapidly add support for hardware-based two-factor authentication (2FA) using YubiKey OTP over NFC. Second, LastPass, one of our longest and most prominent integrations, has released the latest version of its password management app with fully integrated support for the YubiKey NEO over NFC on iOS. This was completed using our Mobile SDK for iOS, but we’ll share more on this milestone a little later.

A user authenticates to their LastPass app on iPhone using a YubiKey NEO over near field communication (NFC).

The launch of iOS 11 last year saw Apple provide support for NFC tag reading, which allowed developers to build apps with one-time password (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, it became possible to authenticate with a Yubico one-time password (Yubico OTP) from a YubiKey NEO, a feature requested by many YubiKey users. However, the documentation and reference code developers needed to add this support to their applications were lacking and unnecessarily complicated.

To help mobile application developers simplify rollouts and deliver on this functionality, Yubico created the Mobile SDK for iOS. It’s available now for download and is also part of the Yubico Developer Program mobile track, and provides developers all the necessary tools to rapidly up-level their iOS mobile app security with Yubico OTP.

By introducing YubiKey hardware-based authentication via NFC to iPhone applications, users no longer need to toggle between apps and temporarily memorize a throwaway code before it expires. Now users can just tap the YubiKey to authenticate, which is four times faster than typing in an OTP. Nor do users and app developers have to accept the security and reliability risks that come with relying on SMS or other phone-based authentication.

LastPass iOS App Supports Yubico OTP via NFC
The LastPass password manager remains one of the most popular YubiKey integrations for Yubico OTP, and the application has supported NFC on Android devices for many years.

Today, LastPass is the very first password manager application on iOS to enhance its security with Yubico OTP authentication through NFC. This means that LastPass users with an iPhone 7 or later, running iOS 11 or later, can now authenticate to their LastPass Premium, Families, Teams, or Enterprise accounts on their mobile device with the same YubiKey NEO that they use for their desktop or laptop. Users touch the YubiKey NEO to the iPhone to wirelessly transfer a Yubico OTP and securely authenticate to the application.

“LastPass has long supported YubiKey as a multi-factor authentication option for adding an extra layer of security to LastPass accounts and values the partnership we have with the Yubico team,” said Akos Putz, Principal Product Manager for LastPass at LogMeIn. “With the new mobile SDK for iOS, our customers now benefit from the strength and security of hardware-backed YubiKey 2FA with the support for our iOS app.”

For current LastPass users, the iOS application will receive an automatic update (version 4.2.7) via the App Store and you can set up YubiKey in your account settings. If you’re an iPhone user, you can download the latest version of LastPass here and for further instructions on setup, visit here.

We applaud LastPass for supporting this milestone leap in YubiKey mobile app authentication for iPhones and iOS. With this announcement, the YubiKey now provides simple and secure authentication for all leading mobile platforms including Android, Windows mobile, and iOS. Find out more about our new Mobile SDK for iOS here.

John Bradley

New NIST Authentication Guidelines for Public Safety and First Responders

Over the past few months, Yubico has been working closely with the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to improve mobile authentication methods for public safety professionals and first responders. Today, we’re happy to share that this guidance is now available in the form of a three-volume draft practice guide: NIST Special Publication 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety and First Responders.

This has been an important project for Yubico and the NCCoE, as simple, secure access to critical data can often be a matter of life or death in an emergency response scenario. In high-alert situations, first responder and public safety personnel are often dispatched in the field and are heavily reliant on mobile platforms to access, in real time, the data needed to deliver proper care. This data may include personally identifiable information (PII), law enforcement sensitive information, or protected health information (PHI), and it is imperative that access to this type of information is highly protected. However, complex and cumbersome authentication requirements that cause even the slightest delay in the emergency response process can potentially risk the life of an individual.

To mitigate the security and access challenges for public safety and first responder personnel, the NCCoE collaborated with several technology vendors, including Yubico, to develop mobile authentication requirements and implement a reference design that assembles commercially available technologies that support the following open standards:

Yubico was a core contributor to this process. The reference implementation, which is documented in the practice guide, uses the NFC-enabled YubiKey (YubiKey NEO) in combination with the OpenID Connect federation protocol to strongly secure user access to sensitive applications, improve the usability and efficiency of user account management, and share identities across organizational boundaries.

It was recognized early on in the project that reliance on passwords alone can expand the scope of a single data compromise from one service to many, because of password reuse. FIDO U2F authentication provides protection beyond the password: its origin-bound, challenge-response signatures defeat the phishing, man-in-the-middle and replay attacks, and the social engineering built on them, that present real threats to password-based and OTP-based (SMS codes, mobile push) authentication systems.

The following diagram from the NCCoE practice guide illustrates the recommended authentication flow for a native app on an Android device using standards-based technologies such as OAuth 2.0, OpenID Connect / SAML, and FIDO U2F with the YubiKey as the trusted second factor.

The OAuth 2.0 for native apps specification requires that applications use a system browser for making authorization requests. This allows a Software-as-a-Service (SaaS) provider, such as Motorola Solutions or GIS, to redirect authentication back to the user’s agency or enterprise via a standard authentication protocol such as OpenID Connect or SAML.

Using the system browser also enables the built-in operating system (OS) support for FIDO U2F authentication to be used without requiring special support in the native apps. This allows a generic SaaS application to support thousands of different identity providers, and different types of external FIDO U2F multi-factor authenticators (like the YubiKey) within a single native application. This avoids having to customize native apps for each organization and instead, allows the reuse of generic components that can make these systems available to even the smallest of organizations.

The combination of FIDO, OAuth, and SAML/OpenID Connect has been shown to be a robust and flexible solution for public safety use cases. In fact, one of the collaborators in the practice guide, Motorola Solutions, has incorporated this model into their commercial product PSX Cockpit, which is currently being deployed in a number of verticals.

From an end user perspective, these standards-based technologies are delivering a simple touch-and-go experience while maintaining the highest levels of security. To access sensitive data within a mobile application, first responder personnel will only require an NFC- and FIDO U2F-enabled hardware authentication device such as the YubiKey NEO. By simply touching the device to their phone, they will be securely authenticated to the app within seconds.

This particular project with NCCoE targets a first-responders use case, however the practice guide is equally applicable to many enterprise mobile scenarios. For more information on the project and to download the Mobile Application Single Sign-On practice guide, please visit the National Cybersecurity Center of Excellence (NCCoE) website. The NCCoE is also accepting public comments on the guide until June 18, 2018.

Stina Ehrensvard

Yubico and Microsoft Introduce Passwordless Login

Ten years ago, at the 2008 RSA Conference, Yubico launched the first YubiKey with the goal of making secure login easy and accessible for everyone. The vision was one single security key to work across any number of services, with great user experience, security, and privacy.

On this anniversary, Yubico has taken another major leap forward toward this vision with the announcement that the recently-launched Security Key by Yubico, with FIDO2, will be supported in Windows 10 devices and Microsoft Azure Active Directory (Azure AD). The feature is currently in limited preview for Microsoft Technology Adoption Program (TAP) customers.

FIDO2 is the passwordless evolution of the FIDO Universal 2nd Factor (U2F) standard, created by Yubico and Google. While U2F was designed as a second factor alongside a username and password, FIDO2 supports more use cases, including passwordless authentication. Yubico has worked in close collaboration with Microsoft on developing the FIDO2 technical specifications, and the Security Key by Yubico is the first FIDO2 authentication device on the market.

What Does This Mean?

Organizations will soon have the option to enable employees and customers to sign in to an Azure AD joined device with no password, by simply using a Security Key to get single sign-on to all Azure AD based applications and services. This is just the beginning; Google and Mozilla also announced Chrome and Firefox support for the Web Authentication API (WebAuthn) developed by Yubico and members of the World Wide Web Consortium (W3C) and included in the FIDO2 specification.

Why Is This Important?

Nearly every digital experience today requires passwords, an increasingly frustrating fact of life for businesses and users. For any one person there can be hundreds of sites and devices — both personal and business related — that require memorized passwords. This leads to poor password hygiene: shared and reused passwords. And it is a real cost for businesses managing, storing and resetting passwords for employees and end-users.

Working in conjunction with Windows and Microsoft cloud services, the new Security Key by Yubico offers a secure, seamless and passwordless login experience with one of the world’s largest computer operating systems. Use cases include retail, healthcare, transportation, finance, manufacturing, and more.

How Does It Work?

FIDO2 is built on the same security and privacy features of FIDO U2F: strong public key cryptography, no drivers or client software and one key for unlimited account access with no shared secrets. With FIDO U2F, the user entered a username and password, inserted a security key in the USB port, and touched the gold area. FIDO2 adds more options to the login process:

  • Single Factor: This only requires possession of the Security Key to log in, allowing for a passwordless tap-and-go experience.
  • Second-Factor: In a two-factor authentication scenario, such as the current Google and Facebook FIDO U2F implementations, the Security Key by Yubico is used as a strong second factor along with a username and password.
  • Multi-Factor: This allows the use of the Security Key by Yubico with an additional factor such as a PIN (instead of a password), to meet the high-assurance requirements of operations like financial transactions, or submitting a prescription.

Who Can Get Involved?

Everyone is encouraged to get involved, and accelerate progress to a secure and passwordless world. As with any open standard, advancement will be a collective industry effort and a process of global adoption. Yubico helped the majority of services add support for FIDO U2F by providing open source code and support. Together with the W3C and the FIDO Alliance we have made the FIDO2 open authentication standard available, and we are helping support its rapid integration into services and applications through our new Yubico Developer Program.

Enterprises → Learn about using FIDO2 with Windows 10 devices and Microsoft Azure Active Directory in your enterprise environment. Explore the benefits of FIDO2.

Developers → Implement early support for FIDO2 by signing up for updates from Yubico’s Developer Program. Members will have first access to resources to implement FIDO2 within their applications and services.

Individuals → Are you tired of passwords? If you had a choice to securely and easily login to any device or online service without them, would you? Ask for it! Visit your favorite service or businesses on Twitter and tell them you want to securely login to your account without a password by using FIDO2 and the Security Key by @Yubico!

Are you interested in learning more about a life without passwords? Learn more about the Security Key by Yubico and benefits of FIDO 2.

Ronnie Manning

Yubico at RSA 2018: Passwordless Logins, Developer Programs, and More

Heading to RSA in San Francisco next week? We’ll be there too, celebrating our 10th year at the conference!

Be sure to stop by Booth #S2241 to see all the awesome things we will be showing, and if you haven’t registered for the conference yet, use this code (X8EYUBIC) for a free expo pass on us.

An industry first, we are showcasing passwordless login with the just released Security Key by Yubico, the first hardware authentication device to support both FIDO U2F and FIDO2. Yubico is a leading contributor to the new FIDO2 open authentication standard which shares many of the same characteristics as FIDO U2F: public key cryptography, no shared secrets, and no drivers or client software. However, with FIDO2, there’s no need for passwords as user credentials are tied directly to the Security Key. The device can also be conveniently paired with PINs, biometrics, or other human gestures as an additional factor.

At Yubico we’re constantly innovating to make simple, secure authentication a standard for the industry. Along with the announcement of our new FIDO2-enabled security key, we are also announcing our new Yubico Developer Program to provide resources for rapidly enabling strong authentication in web and mobile applications across all our supported protocols including FIDO U2F, PIV (smart card), OpenPGP, OTP (one-time password), the new FIDO2 protocol and for the YubiHSM2. Developer resources include workshops, webinars, implementation guides, reference code, APIs and SDKs. RSA attendees (and those who are reading this blog) will be able to sign up for early access to resources to support implementation of FIDO2.

We also invite you to join our CEO & Founder, Stina Ehrensvärd, and SVP of Product, Jerrod Chong, who will be speaking on the importance of strong authentication for today and tomorrow’s cyber landscape.

Stina’s speaking session at CyberScoop’s Cyber Talks

  • 10 Percent Is Too Little: Time to Pay Attention to Two-Factor Authentication
  • Monday, April 16 at 11:20am PT
  • Four Seasons Hotel San Francisco

Jerrod’s speaking session at Security B-Sides SF

  • Simple. Open. Mobile: A Look at the Future of Strong Authentication
  • Monday, April 16 at 11:00am PT
  • City View at Metreon

Yubico is extremely proud of what we’ve accomplished over the last ten years. The YubiKey is used by millions around the globe and works with hundreds of services right out of the box, and this number is rapidly growing. That’s one key for an unlimited number of personal or business accounts.

At RSA, be on the lookout for Yubico Technology Partner booths to see how the YubiKey seamlessly integrates with their services. Participating Yubico Technology Partners include:

Yubico at Booth #S2241

If you’re attending RSA next week, please stop by our booth and say hi! We will have team members on site to answer any questions, provide product demonstrations, offer recommendations for specific use-cases and chat about the new Security Key by Yubico and Yubico Developer Program.

Also, make sure you follow us on Twitter for updates during the show. We’ll see you there!

Stina Ehrensvard

The Diver and the YubiKey

If you are driving on highway 101 between Palo Alto and San Francisco in the coming couple of weeks, you may come across a billboard with a diver holding up a YubiKey. The same diver also appears on our website homepage. The photo was shot by Alessio, principal engineer at Yubico, from his adventure under 20 meters of water in the Philippines.

The same image inspired Josh, web developer at Yubico, to try logging into his email underwater with a waterproof phone and YubiKey. And yes, it worked! Please check out the short video below that Josh and other members of our team just created.

At Yubico, we highly regard our adventurous and multi-talented engineers. Last year, we doubled our engineering team in Stockholm, Palo Alto and Seattle. This year we are doubling again. If you are a software or hardware engineer who wants to make the internet safer for everyone – on land or underwater – we welcome you to apply for our open job positions!

Alex Yakubov

Yubico Launches Passwordless Login with new Security Key and FIDO2

Today, together with the FIDO Alliance, we made a big announcement that paves the way to a passwordless future. We revealed the new Security Key by Yubico as well as our new Developer Program, both of which support the new FIDO2 open standard for passwordless authentication.

Why is this important? Think of a time when you have created a new account and didn’t have to create a new password.

For all of us, the account creation process for any application or online service has always started with the pairing of a password to your username, but with today’s announcement that is going to change. With FIDO2, it’s now possible to redesign the process to remove the weak link of passwords, and we’re gearing up to support the ecosystem and developer community to make that happen. Whether you’ve followed Yubico for years, or you’re just learning about us, read ahead to find out more about the significance of the FIDO2 project.

The FIDO2 Project

In 2011, Yubico invented the concept of a single security key to protect user accounts from phishing and unauthorized access, for any number of services with no shared secrets. We worked with Google to further develop this concept to what today is the FIDO U2F standard.

Now, Yubico has worked in collaboration with Microsoft on the evolution of the FIDO U2F authentication standard, to create FIDO2. With FIDO2, the Security Key with its strong authentication can now solve multiple use case scenarios and experiences:

  • second factor in a two-factor authentication solution
  • strong first factor, with possession of the device only, allowing for a passwordless experience like tap and go
  • multi-factor with possession of the device AND a PIN, to solve high-assurance requirements such as financial transactions, or submitting a prescription.
Capabilities enabled by the FIDO2 project

FIDO2 has already received support from the FIDO Alliance, World Wide Web Consortium (W3C), and all major web browsers to aid in its global standardization and adoption. With this foundation, FIDO2 is positioned to help services, applications, and enterprise organizations seamlessly transition to a more secure, easy to use replacement for the static password.

Read more about FIDO2 here. If you’re interested in developing with this new standard, you’ll need a Security Key by Yubico and we encourage you to sign up for FIDO2 updates as part of our newly announced Yubico Developer Program.

NEW Security Key by Yubico

The Security Key by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting existing U2F two-factor authentication (2FA) as well as FIDO2 implementations.

The new Security Key by Yubico supports both the Web Authentication (WebAuthn) API, and Client to Authenticator Protocol (CTAP) which are required for FIDO2-based authentication.

FIDO2 and the Security Key are delivering on trusted, touch-and-go authentication for the modern, flexible and mobile workforce that is meeting the needs of our on-demand society. Together, these technologies will be integrated into many verticals including: retail, healthcare, transportation, finance, manufacturing, and more.

We will be demonstrating the new Security Key by Yubico and new FIDO2 functionality at the RSA South Expo hall at Booth #2241. You can purchase one from our webstore today ($20 USD). Read more about the Security Key by Yubico here.

NEW: Yubico Developer Program

This year marks the 10-year anniversary of the launch of the first YubiKey, which millions of users in more than 160 countries around the world love for its ease of use, security, and affordability. We made our YubiKeys available with free open source servers that encouraged adoption and growth of a thriving ecosystem of services supporting our technology. We’ve learned a lot from our partnerships, which is why today we announced a formalized Developer Program. This provides developers with the resources to rapidly integrate the YubiKey with mobile and computer login across all our supported protocols, including U2F, Yubico OTP, PIV-compatible smart card, OpenPGP, OATH (HOTP/TOTP), and the new FIDO2 Client to Authenticator Protocol (CTAP) specification, as well as the YubiHSM.

We encourage developers and security architects interested in FIDO2 to sign up for updates as part of the Yubico Developer Program, to get access to resources needed to aid in early implementations of the FIDO2 open authentication standard.

Jesper Johansson

The Anatomy of a Phishing Email: 5 Things to Look For Before You Click

Phishing attacks are now considered the main source of data breaches.

91% of cyber attacks start with a phishing email *

Ten years ago, if you asked someone what ‘phishing’ was, they probably would have no idea. Since then, times have changed considerably; phishing attacks are now responsible for a significant number of major data breaches.

Phishing may have made its way into the mainstream vernacular, but there is still confusion about the subject—and rightfully so. Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy people can find themselves a victim. So, how do you make sure you don’t fall victim as well? Use this five-point checklist to closely examine the validity of incoming email. When in doubt, don’t click!

The Sender

This is your first clue that an email may not be legitimate. Do you know the sender? If not, treat the mail with suspicion, and don’t open any attachments until you verify with the purported sender that they meant to send them. If you believe you do know the sender, double check the actual email address. Often, a phishing email will be designed to look like it comes from a person you know, but there will be a slight variation in the address or they will spoof the envelope to show you a name you recognize.

The Subject

Pay attention to subject lines! While something like, ‘Claim your ultimate deal now!,’ can be an obvious sign of a phishing email, the far more successful subject lines are the ones that don’t raise that much suspicion. ‘Account action required’, ‘Delivery status update’, or ‘Billing statement confirmation’ can all be ploys to weaken the email recipient’s defenses through seemingly ordinary alerts.

Remember, if something legitimate is that important, your bank, employer, doctor’s office, retailer, or credit card company will find an alternate way to contact you when you’re not responding over email. When in doubt, call to ask if they’ve sent you an email, but do not make that call to a number that was in the email message you are calling about!

Most clicked email phishing subject lines.*

  • A delivery attempt was made (18%)
  • A UPS label delivery (16%)
  • Change of password required immediately (15%)
  • Unusual sign-in activity (9%)

The Body

The body of the email can hold a whole new set of clues, including misspelled words and confusing context. For example, are you asked to verify a banking account or login to a financial institution that you don’t have an account with? Did you get an email from someone you may know that has nothing in it other than a short URL? Does the content apply to you or make sense based on recent conversations or events? Similarly, if it is a known contact, is there a reason they would be sending you this email?

Hackers can also use current or popular events to their advantage. For example, holiday shopping, tax season, and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets. Did you know that the IRS reported a 400 percent increase in phishing scams for the 2016 tax season alone?

How will you know if an email is valid or not? This is where other email clues will come in handy!

The Attachments

The golden rule — do NOT open an attachment if any other aspect of the email seems suspicious. Attachments often carry malware and can infect your entire machine.

7.3% of successful phishing attacks used a link or an attachment**

The URLs

Similar to attachments, do NOT click on a link if anything else about the email seems suspicious. This is usually the attacker’s ultimate goal in a phishing scam — lure users to a malicious site and trick them into entering login credentials or personal information, allowing the attacker full account access.

If you do click on a link, be sure to also verify the actual URL. Are you on Google.com or Go0gle.com? The variations can be slight, but they make all the difference! That said, be aware that a malicious site will not always be visibly reflected in the URL, and therefore you will not be able to tell the difference. If this is the case, most browsers have built-in phishing protection to alert you that something is wrong.

15% of individuals who fall for an initial phishing attack admit to falling for a phishing attack a second time.**
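The sender and URL checkpoints above can be turned into mechanical checks. The following is an added example, not code from the original post: it folds the confusable characters that turn Google.com into Go0gle.com, compares the registrable domain against a small list of known brands (constructed for the demo), flags one-character typosquats and brand names embedded in an unrelated domain, and flags a From header whose display name claims a brand that its address domain does not belong to. The brand list, the helper names and the sample headers are assumptions; a production filter would use the public suffix list and a much larger confusable table.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Yubico's code: two of the checkpoints above (sender address, URL host)
// as mechanical checks. knownHosts and the sample From headers are constructed for the demo.
var knownHosts = []string{"google.com", "paypal.com", "yubico.com"}

// normalizeConfusables folds characters attackers swap for look-alikes (Go0gle -> google).
func normalizeConfusables(s string) string {
	s = strings.ToLower(s)
	for _, p := range [][2]string{{"0", "o"}, {"1", "l"}, {"3", "e"}, {"5", "s"}, {"rn", "m"}, {"vv", "w"}} {
		s = strings.ReplaceAll(s, p[0], p[1])
	}
	return s
}

// editDistance is the Levenshtein distance, used to catch one-character typosquats (gogle.com).
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			sub := prev[j-1] // substitution (free when the runes match)
			if ra[i-1] != rb[j-1] {
				sub++
			}
			best := prev[j] + 1 // deletion
			if cur[j-1]+1 < best {
				best = cur[j-1] + 1 // insertion
			}
			if sub < best {
				best = sub
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// registrableDomain keeps the last two labels, so login.paypal.com is paypal.com while
// paypal.com.evil.example is evil.example (a real filter would consult the public suffix list).
func registrableDomain(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// LookalikeOf reports which brand a host imitates. A genuine domain or subdomain is not
// suspicious; a host that only matches after confusable folding, that is within edit
// distance 1 of a brand, or that embeds the brand name in a foreign domain is.
func LookalikeOf(host string) (brand string, suspicious bool) {
	reg := registrableDomain(host)
	for _, k := range knownHosts {
		if reg == k {
			return k, false
		}
	}
	for _, k := range knownHosts {
		norm, name := normalizeConfusables(reg), strings.TrimSuffix(k, ".com")
		if norm == k || editDistance(norm, k) <= 1 || strings.Contains(normalizeConfusables(host), name) {
			return k, true
		}
	}
	return "", false
}

// SenderMismatch flags a From header whose display name invokes a brand the address domain
// does not belong to, or whose address domain is itself a lookalike.
func SenderMismatch(from string) bool {
	lt, gt := strings.LastIndex(from, "<"), strings.LastIndex(from, ">")
	if lt < 0 || gt < lt {
		return false // bare address: no display name to compare against
	}
	domain := from[lt+1 : gt]
	if at := strings.LastIndex(domain, "@"); at >= 0 {
		domain = domain[at+1:]
	}
	if _, bad := LookalikeOf(domain); bad {
		return true
	}
	for _, k := range knownHosts {
		if strings.Contains(strings.ToLower(from[:lt]), strings.TrimSuffix(k, ".com")) && registrableDomain(domain) != k {
			return true
		}
	}
	return false
}

func main() {
	for _, h := range []string{"accounts.google.com", "go0gle.com", "gogle.com", "paypal.com.evil.example"} {
		brand, bad := LookalikeOf(h)
		fmt.Printf("%-24s suspicious=%-5v imitates=%s\n", h, bad, brand)
	}
	fmt.Println("spoofed sender:", SenderMismatch(`"PayPal Support" <alerts@paypal-billing.net>`))
}
```

The two functions mirror the post's two checkpoints. A mail gateway would run both and label or quarantine rather than drop the message outright: an edit distance of one also matches short, legitimate domains that merely resemble a brand, so the result is a signal for the reader, not a verdict.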


By using these five email checkpoints, you will be more equipped to decipher a phishing email. However, some phishing attacks are so sophisticated that they can even fool the savviest of users. The good news is that there are technology solutions, such as two-factor authentication, that can help, and we strongly recommend 2FA with the YubiKey.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best!


— Co-Authored with Ashton Tupper


* KnowBe4 Q4 2017 Top-Clicked Phishing Email Subjects

** Verizon Data Breach Report, 2017

Ronnie Manning

Yubico CEO recognized as the Most Powerful Swedish Woman Entrepreneur 2018

On Thursday, March 8, Yubico CEO & Founder Stina Ehrensvard was named “The Most Powerful Woman Entrepreneur, 2018” by Veckans Affärer, the leading weekly business magazine in Sweden.

“With a product that is becoming a world leading standard, she is today one of Sweden’s most powerful, as well as most successful entrepreneurs,” shared the jury for the award.

Following the award, Veckans Affärer published a feature on Stina and her story. In the article, Stina thanked her parents for never stopping her from climbing trees as a young girl, and for instead asking how the view was from the top. She also emphasized that the most important foundation in a company is the team and that every award she gets represents Yubico as a whole.

The Most Powerful Woman Award is celebrating its 20th year anniversary, having started in 1998 to honor and highlight successful, influential women business leaders and entrepreneurs. At the time, there were only 2 women board members for Swedish companies listed on the stock exchange. Today, the number of women has grown tenfold.

The award was handed out at the gala dinner and award ceremony in central Stockholm, attended by leading Swedish business executives.

Stina Ehrensvard

Buckle Up for a Safer Internet

Some cynics say that the problem of internet security will only continue to get worse, and that there is nothing we can do, but manage and minimize damages and losses. As an optimist, I completely disagree. Throughout our existence, people have faced and resolved extremely complex and evolving challenges—a great example of which is automobile safety.

A few years back, I wrote a blog post entitled Internet Identity and the Safety Belt. It focused on the introduction of the three-point seatbelt and its significant contribution to the automobile industry by making cars safer for drivers and passengers. Today, there are 10 times more cars on the road, but a lower total number of fatal car accidents. While driving will never be completely safe, millions of lives have been saved through the realization of the problem, innovation, education, market demand, open standards, and government regulations. I am confident that we will make the information superhighway safer for everyone through the same efforts.

For the automobile industry, the seatbelt is an innovation that has had the greatest positive impact on passenger safety. Further advancements in car safety designs and driver’s education programs have similarly equipped new drivers with the tools they need to safely navigate any unforeseen turns.

What if there was a driver’s education program to help internet users move safely across the internet? Perhaps this should become a staple in a school curriculum just like Math and History?

Education, innovation, and collaboration are key to helping us all solve this complex challenge together. With that in mind, I am sharing a security quiz that we developed for basic IT security training of new Yubico employees. I invite you to test your security knowledge, and please feel free to share the quiz with family, friends, and coworkers.

Safe driving on the internet!

Yubico Team

Find Your Perfect YubiKey Match

At Yubico, we love security. As we approach Valentine’s Day, we’re reminded of this, and we want to share the love!

From February 12 to 18, we are offering a 25% discount on the purchase of two single YubiKeys (Hint: keep reading). Share the second key with a loved one or use it as a backup.

To help you find your perfect YubiKey match, we’ve created a product quiz that provides YubiKey recommendations based on your work style, computer type, and security needs. The YubiKey comes with a wide range of features in different form factors and designs, so after completing the quiz you’ll have found your perfect YubiKey match.

Ready to meet these YubiKey sweethearts?


Take the YubiKey product quiz. Once you’ve made your decision, head over to the Yubico store, add two YubiKeys of your choice to the cart, and use the coupon code YK18-143 at check out to receive 25% off. The Valentine’s Day promotional offer is valid from 12:01 a.m. PT on Monday, February 12 to Sunday, February 18 at 11:59 p.m. PT.

Looking to share the love with your friends? Spread the word with a tweet!

David Treece

Yubico Simplifies Smart Card Deployment in the Enterprise

In the enterprise, smart cards are used to simplify logging into computers, VPNs, and online applications. Smart cards can also be used for digitally signing emails and documents. While smart cards are known for delivering strong authentication, they have not always been known for being the simplest to deploy. For example, to use a smart card in an enterprise setting, an admin needs to install client / driver software on every computer, and an external smart card reader is typically required.

Since 2015, the YubiKey has supported smart card PIV functionality with the ability for the YubiKey to act as both a smart card reader and a smart card, meaning that no extra hardware is required. Most recently, we have simplified smart card deployment with the introduction of a YubiKey smart card minidriver. The new YubiKey minidriver enables users to simply self-enroll using the native Windows GUI, and even manage their smart card PIN from Windows Ctrl+Alt+Del. Administrators also benefit from the YubiKey minidriver by being able to do user provisioning using the Microsoft built-in MMC.

Smart card (PIV) functionality is one of the five authentication protocols supported by the YubiKey, alongside Yubico and OATH one-time passwords, FIDO U2F, and OpenPGP smart card. With this multi-protocol support, the YubiKey is suitable for deployment across the enterprise to secure access to computers, networks, and services.

Learn more about YubiKey smart card in the enterprise.

Stina Ehrensvard

Why 2018 will be the year for authentication hardware

A journalist recently asked me why the world is seeing the return of hardware authentication. My response is that hardware actually never went away. Today, there is no more prevalent form of user verification than hardware. If there had been an easier and more secure way to deploy and revoke user credentials for billions of people, we would not have hardware SIM cards in our phones or chip credit cards in our wallets.

Security is all about minimizing attack surface and achieving separation. The recent Spectre and Meltdown attacks illustrated that it’s hard to achieve watertight separation between processes as systems become increasingly complex. General purpose computing devices that are connected to the internet have big attack surfaces, making them vulnerable to attacks from many fronts, including malware, phishing, malicious apps, Wi-Fi exploits, VPN masking, and social engineering.

However, hardware security devices by themselves do not automatically make things more secure. Modern threats require stronger cryptography with a tighter integration to the applications they’re designed to protect. As a result, we will see increased awareness and adoption of hardware-based authentication and encryption devices using public key cryptography throughout 2018. These devices keep cryptographic information physically separated from the computing device they are connected to, dramatically minimizing the attack surface.

The benefits of using hardware authenticators go beyond just security. Users wanting to ensure privacy do not want to leave footprints that tie their identity to a particular device. Most mobile devices are controlled or monitored by the telecom or platform providers, collecting data about user activities. Furthermore, tying user identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts, or being anonymous. Hardware authenticators, such as the YubiKey, do not require you to share any personal details of yourself to authenticate.

Additionally, there are enterprises who do not allow their employees to bring their phones to work, which makes mobile device based authentication inaccessible. In some geographic locations, there are regulations in place that prohibit companies from forcing employees to download business applications on personal computing devices.

Mobility is another important benefit of hardware-based authenticators. With your credentials tied to an integrated device, it can be difficult to move your login credentials between devices, as there is no seamless communication standard across all computers and mobile platforms. Using a hardware authenticator with multiple communication methods solves this problem.

Finally, hardware authenticators offer significant benefits related to backups. Independent of what type of authentication technology is selected, users will sooner or later lose, break, or reset their login devices. When organizations allow the use of multiple affordable hardware authenticators, one as a primary and others as backups, productive work will increase and support calls will decrease. A hardware authenticator, such as the YubiKey, can cost less than a support call, and a fraction of the expense of using a mobile phone.

Today, in 2018, Yubico and all leading browsers and platform providers are engaged in open standards work based on hardware and public key crypto across leading standards organizations, including the FIDO Alliance, W3C, IETF, and OpenID. We work together not as competitors, but as true leaders collaboratively driving the open standards that will stop the number one problem of IT security breaches for login, payments, IoT, and beyond: stolen user credentials.

Ronnie Manning

WIRED and Ars Technica Experts Choose the YubiKey 4 for New Subscribers

Credibility is defined as the quality of being trusted and believed in. As Yubico continues to grow the trust from our users, partners, and peers, it is truly valued. It’s with this trust that we continue to drive forward in creating strong, open authentication standards and delivering on our vision and belief of a secure internet for all.

Today, we are honored to announce we are partnering with Ars Technica, as part of celebrating its 20 year anniversary, by offering the YubiKey 4 to new Ars Pro++ subscribers. Ars Technica is a highly respected online publication within the technology community and combines technical savvy content with wide-ranging coverage of human arts and sciences, while specializing in bringing readers the right answer, the first time.

Eric Bangeman, Managing Editor, Ars Technica says, “Keeping your online accounts and personal data safe can be a challenge, but YubiKey’s flexibility and best-in-class two-factor authentication capabilities offer a deeper level of security for its users. Ars Technica is proud to offer the YubiKey 4 as a gift for its Ars++ subscribers.”

Limited Edition WIRED and Ars Technica YubiKeys

Also today, we are equally excited to say we are partnering with WIRED magazine to deliver YubiKeys to their new subscribers as well. WIRED is the ultimate authority on the people and ideas changing our world. With a particular focus on emerging technologies, they don’t just write about the future, they ignite it.

As Nicholas Thompson, Editor-in-Chief, WIRED states, “We’re thrilled to be able to offer our subscribers free YubiKeys. Our readers are sophisticated technology users who value their security, which is why we picked YubiKey as a natural gift for them.”

With both of these powerful and forward-thinking audiences, we are extremely honored that experts from WIRED and Ars Technica chose the YubiKey as the gift of security for their readers. The best part is, subscribers are not receiving a regular YubiKey — they are receiving a limited edition YubiKey 4 with a laser-etched WIRED or Ars Technica logo. The cool factor is upped considerably here.

Now, new WIRED and Ars Technica subscribers will be able to add the most secure, easy-to-use multi-factor authentication to their business and personal accounts. YubiKey support is available with services such as Google, Facebook, and Dropbox, plus popular password managers, and hundreds of other services — all with a simple touch.

Looking to read about some of the best in tech? Are you an avid WIRED or Ars reader?  Want to get your hands on one of these limited edition YubiKeys? Check out the subscription information for WIRED and Ars Technica!

Ronnie Manning

Yubico CEO Wins Ernst & Young Entrepreneur of the Year Award

Today, we are proud to announce that Yubico CEO & Founder, Stina Ehrensvard, won the national finals for Ernst & Young’s Entrepreneur of the Year, earning her the title of Female Shooting Star, Sweden. This follows her acceptance of the regional Female Shooting Star award for Stockholm, which was awarded in November 2017.

Stina shares, “Few entrepreneurs succeed alone, and this award would not be possible without a fantastic team. As American anthropologist Margaret Mead once said, ‘Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it’s the only thing that ever has’.”

The annual Entrepreneur of the Year awards recognize exceptional business leaders who create products and services that drive a healthier worldwide economy. Specifically, the Female Shooting Star award is reserved for the woman who leads significant company growth in a short period of time. Ernst & Young organizes and distributes the awards regionally, nationally, and internationally with a mission to encourage entrepreneurial interest and inspiration among future generations.

The judging committee concludes, “Stina Ehrensvard has developed the solution for a growing problem and created an international company. The path from idea to success was not a straight line, but thanks to drive and dedicated work she found the key to success. Her product may be small, but it makes the difference for internet security across the globe.”

To learn more about Stina’s entrepreneurial journey and the passion, technology and teamwork that contributed to Yubico’s success, read more about her story in Entreprenör Magazine and Marie Claire. Additional information on the Entrepreneur of the Year awards can be found here.

Jesper Johansson

5 Best Practices for Companies Serious About Data Privacy

If you caught this month’s earlier blog, you’ll know that Yubico is partnering with the National Cybersecurity Alliance to support Data Privacy Day, which takes place on January 28. Protecting privacy is one of the main end goals of a security program. It’s incredibly important to us at Yubico to empower and educate individuals and businesses on the best ways to stay safe online.

Our first Data Privacy Day blog focused on the individual user by outlining some of the most common ways internet credentials are stolen, and a surprisingly easy solution to protect against them. In the second blog of our two-part Data Privacy Day series, we take a closer look at how a security program supports your data privacy initiatives.

Companies who take data privacy seriously all have five things in common. If you are advocating for better data privacy in your organization, you want to start with a security program that supports these efforts. Such a program has a few common characteristics.

Leadership buy-in

Prioritizing the protection of data and systems starts at the top. The entire executive team, including the CEO and the Board, must know that security is a key priority for your organization. Otherwise, when it comes to allocating finances and resources, security will take a back seat.

This can seem daunting, but it’s actually becoming less difficult to receive this sort of leadership buy-in. For those who ever need a good selling point, just look at the volume and tone of press coverage after some of the most recent data breaches.

A person responsible for security and privacy

Explicitly identify and designate one individual who is responsible for overall security and privacy at the company. This means building out a C-level position to own all aspects of security and privacy, as well as legal and compliance risks. Not only will this ensure that there is a holistic, comprehensive approach to the security and privacy strategy, but it will also help further leadership buy-in by giving security a seat at the executive table and decision-making process. By having security and privacy at the company leadership level, the group can better work with the business by planning for organizational initiatives rather than being surprised by them.

A culture of security and privacy

It’s no surprise that a lot of security and privacy incidents within an enterprise are related to human errors. With tight deadlines and busy schedules, it can be attractive for ambitious, well-intentioned employees to cut corners, and security is usually one of the first areas to take a hit. Reusing passwords, using easily-guessed passwords, sharing credentials, leaving work devices unattended or unlocked, and mistakenly clicking on malicious links are just a few common employee practices that result in breaches. Employees have a job to do, and if security hinders them rather than helps them, they will work around controls they don’t understand.

Companies that take security and privacy seriously run programs that are designed to ensure every employee knows, understands, and follows company security and privacy protocols. These programs also have clear expectations and consequences for failure to abide by the policies. To be clear, this doesn’t—and shouldn’t—mean leading with fear. It means taking the time to educate different groups of people about the negative impact a data breach could have on revenue, safety, and overall company health and reputation. The best security and privacy teams focus on enabling employees to do their best work by enabling them to do security right.

Clear processes and policies

Having a good governance framework won’t matter if users aren’t familiar with the processes and policies involved. After all, it’s important to ensure that the plan can actually be implemented.

It’s also critical to know how to measure the success of the program. The ability to demonstrate the return on investment (ROI) for security products and services is invaluable to CEOs and the Board. Return on mitigation (ROM) is another valuable metric: rather than dwelling on the potential losses from risk, it presents effective mitigation as a business gain by calculating how much would not be lost because of it.

An incident response plan

While no company wants to deal with a data breach, companies that prepare for one before it happens weather the storm better. After you get compromised is a terrible time to draft the notification to the board and your customers, and just as bad a time to work out how to determine what happened and stop it. A clear, tested response plan helps all parties involved know what to do, what their role is, and how to communicate internally and externally.

At Yubico, we are experts at authentication—trusted by millions all around the globe to guide them through securing access to devices, networks, and web applications. That’s because we drive innovation and have modernized strong authentication, making strong two factor authentication (2FA) easy to use, all while reducing IT costs.

Don’t forget, Data Privacy Day is happening on January 28, and we welcome you to join in the movement! Start now by helping to educate and empower individuals and businesses on becoming #PrivacyAware. For additional tips on how to improve online safety, read more here.

Yubico Team

5 Surprisingly Easy Ways Your Online Account Credentials Can Be Stolen

This month, Yubico is partnering with the National Cybersecurity Alliance (NCSA) to support and promote Data Privacy Day, an initiative to empower individuals and encourage businesses to respect privacy, safeguard data, and enable trust. While Data Privacy Day is a one-day event taking place on January 28, security is our focus at Yubico everyday, and we are starting the conversation about online security and privacy early!

When it comes to compromised internet security, it can be difficult to know what you’re defending against, because attacker objectives, victims, and techniques vary significantly. That said, we do know that internet credential theft and misuse is involved in nearly 81% of hacker-related breaches. Since stealing someone’s password or other authentication data is relatively easy to do from afar, and there’s little risk of or danger in getting caught, it’s become one of the most common attacks in the world.

In this two-part blog series, we will uncover some of the most common techniques for stealing internet credentials, popular and proven methods of defending against these attacks, and best practices to keep your data safe. Before we can effectively protect ourselves online, we must first understand the threats that we’re facing.

Weak Password Guessing

Attackers try common passwords with specific or common usernames across many sites, and this can be surprisingly successful. Unfortunately, most people struggle with creating or remembering strong passwords. As a result, people often choose weak passwords for convenience, or because they don’t think it matters, and rarely change them if circumstances change.

Password Reuse Abuse – Credential Stuffing

Attackers regularly take credentials stolen from one site and try them on another, as it’s very common for people to use the same password, or a variant, across multiple sites. This problem is exacerbated by the large volume of stolen credentials available for sale on the dark web with hundreds of millions of credentials available to attackers. Attackers have also reportedly targeted weaker sites to gain an individual’s credentials. If they’re successful, they’ll use those same credentials on other sites that they’re actually interested in.
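The two patterns described in the last two sections leave a recognizable trace in an authentication log, and the following added detection example (not Yubico's code) runs over a few log lines constructed for the purpose: one person mistyping a password touches a single account, whereas a stolen credential list tried from one source touches many distinct accounts in quick succession, and any success from such a source marks an account whose reused password worked. The log format, the threshold and the function names are assumptions for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Added example, not Yubico's code. sampleLog is constructed for the demo:
// one line per attempt, "timestamp source-ip username OK|FAIL".
const sampleLog = `2018-01-10T09:00:01Z 203.0.113.7 alice FAIL
2018-01-10T09:00:02Z 203.0.113.7 bob FAIL
2018-01-10T09:00:02Z 203.0.113.7 carol FAIL
2018-01-10T09:00:03Z 203.0.113.7 dave FAIL
2018-01-10T09:00:03Z 203.0.113.7 erin FAIL
2018-01-10T09:00:04Z 203.0.113.7 frank OK
2018-01-10T09:05:00Z 198.51.100.4 alice FAIL
2018-01-10T09:05:09Z 198.51.100.4 alice OK
2018-01-10T09:06:00Z 192.0.2.9 grace OK`

type attempt struct{ ts, ip, user, result string }

// parseLog turns "time ip user result" lines into attempts, skipping malformed lines.
func parseLog(raw string) []attempt {
	var out []attempt
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		out = append(out, attempt{f[0], f[1], f[2], f[3]})
	}
	return out
}

// StuffingSources returns source IPs whose failed logins spanned at least minUsers distinct
// usernames, with the count: a mistyped password hits one account, a credential list hits many.
func StuffingSources(attempts []attempt, minUsers int) map[string]int {
	failedUsers := map[string]map[string]bool{}
	for _, a := range attempts {
		if a.result != "FAIL" {
			continue
		}
		if failedUsers[a.ip] == nil {
			failedUsers[a.ip] = map[string]bool{}
		}
		failedUsers[a.ip][a.user] = true
	}
	flagged := map[string]int{}
	for ip, users := range failedUsers {
		if len(users) >= minUsers {
			flagged[ip] = len(users)
		}
	}
	return flagged
}

// LikelyCompromised lists accounts that logged in successfully from a flagged source:
// a reused password worked there, so those users need a reset and a second factor.
func LikelyCompromised(attempts []attempt, flagged map[string]int) []string {
	seen := map[string]bool{}
	for _, a := range attempts {
		if _, bad := flagged[a.ip]; bad && a.result == "OK" {
			seen[a.user] = true
		}
	}
	var users []string
	for u := range seen {
		users = append(users, u)
	}
	sort.Strings(users)
	return users
}

func main() {
	attempts := parseLog(sampleLog)
	flagged := StuffingSources(attempts, 5)
	for ip, n := range flagged {
		fmt.Printf("%s: failed logins for %d distinct users\n", ip, n)
	}
	fmt.Println("accounts to reset:", LikelyCompromised(attempts, flagged))
}
```

The distinct-user count is the discriminating feature: counting raw failures alone would also flag a single forgetful user. In a real deployment the window would be bounded in time and the threshold tuned per service, and a source that is a shared corporate egress address needs a higher bar than a residential one.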

Man in the Middle (MitM) Attacks

Sometimes, attackers have access to the network path between their victim’s computer and the site they are accessing. This can enable the attacker to view what sites someone is accessing and steal their data if the connection is not encrypted or if the victim believes the attacker’s system is legitimate.

This privileged position can be used to wait for users to access the site of interest, or it can be used in combination with other techniques, such as phishing, to entice someone to visit the site of interest.

Phishing

Phishing carries serious risks for internet users. Credential phishing typically uses some pretext to convince a person to reveal their credentials directly, or to visit some site that does the same. Attackers do this via SMS verification, email, telephone, instant message, social networks, dating sites, physical mail, or by any other means available.

Account Recovery Exploitation

Due to the large scale of users for many services and the general desire to keep support costs low everywhere, account recovery flows can be much weaker than the primary authentication channel. For example, it’s common for companies deploying strong two-factor authentication (2FA) solutions as their primary method to leave SMS as a backup. Alternatively, companies may simply allow help desk personnel to reset credentials or set temporary bypass codes with just a phone call and little to no identity verification requirements.

Services implementing 2FA need to strengthen both the primary and the recovery login flow so that users aren’t compromised by the weaker path.

The Silver Lining

There is an equally surprisingly easy and affordable way to protect online accounts from all of these attacks. It’s called FIDO Universal 2nd Factor (U2F), a modern security protocol invented by Yubico and Google that is specifically designed to help online services and users tackle these common attacker techniques. Since its inception in 2012, U2F has become widely adopted by many services, including Gmail, Dropbox, Facebook, GitHub, Salesforce.com, and more.

The protocol works by registering a physical hardware device, like the YubiKey, with your service. Once paired, the service will challenge you to provide your account password (something you know) and to present your YubiKey (something you have) by inserting it into the USB port and touching the gold contact (called test of user presence). There are no codes to type or apps to load. The YubiKey does the work for you.

A single U2F device, like the YubiKey, can be used with nearly unlimited services and accounts all while providing data privacy. That’s because the YubiKey generates a new pair of keys for every service, and only that service stores that specific public key. With this approach, no secrets are shared between service providers.

So how does the YubiKey stop hackers even when they’ve stolen your account password? Without also stealing your YubiKey (a physical device), an attacker can’t get access to your account. Once you’ve turned on U2F, you can also help secure your accounts against account recovery exploitations by turning off less secure forms of 2FA like SMS, wherever possible.
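The registration and challenge/response described above, and the three FIDO2 use cases listed in the Security Key announcement earlier on this page, come down to a small set of rules that can be shown end to end. The following is an added example and not Yubico's code or the U2F reference implementation: the authenticator mints a fresh P-256 key pair for every service and hands out only an opaque handle plus the public key; it signs a challenge only when the origin the browser reports matches the service the handle was registered for and only after the user touches the key; and the service verifies the signature with the stored public key and requires the signature counter to advance. The message layout approximates U2F's (appID hash, presence byte, counter, challenge hash) but leaves out client data and attestation, and the names Authenticator, RelyingParty and Login are invented for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not Yubico's implementation: a minimal model of the U2F flow described in
// the post (one key pair per service, origin binding, user presence, signature counter).

type credential struct {
	appID string
	priv  *ecdsa.PrivateKey
	ctr   uint32
}

// Authenticator stands in for the device; private keys never leave it.
type Authenticator struct{ creds map[string]*credential }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*credential{}} }

// Register mints a fresh P-256 key pair for appID; the service gets only a handle and the public key.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	raw := make([]byte, 16)
	if _, rerr := rand.Read(raw); err != nil || rerr != nil {
		return "", nil, errors.New("key generation failed")
	}
	handle := fmt.Sprintf("%x", raw)
	a.creds[handle] = &credential{appID: appID, priv: priv}
	return handle, &priv.PublicKey, nil
}

// signedData is what both sides hash: H(appID) || presence byte || counter || H(challenge).
func signedData(appID string, ctr uint32, challenge []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], ctr)
	out := append(app[:], 1) // 1 = user presence confirmed
	return append(append(out, c[:]...), ch[:]...)
}

// Authenticate signs only if the browser-reported origin matches the handle's appID and the
// user touched the key; a phishing page relaying the real challenge fails the origin check.
func (a *Authenticator) Authenticate(handle, origin string, challenge []byte, touched bool) (uint32, []byte, error) {
	c, ok := a.creds[handle]
	if !ok || c.appID != origin {
		return 0, nil, errors.New("handle not registered for this origin")
	}
	if !touched {
		return 0, nil, errors.New("test of user presence failed")
	}
	c.ctr++
	digest := sha256.Sum256(signedData(c.appID, c.ctr, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
	return c.ctr, sig, err
}

// RelyingParty stores only public keys and the last counter seen per handle.
type RelyingParty struct {
	appID string
	pubs  map[string]*ecdsa.PublicKey
	ctrs  map[string]uint32
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{appID, map[string]*ecdsa.PublicKey{}, map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(handle string, pub *ecdsa.PublicKey) { rp.pubs[handle] = pub }

// Verify checks the signature over the RP's own appID and rejects a counter that did not
// advance, which is how a cloned key or a replayed assertion shows up server-side.
func (rp *RelyingParty) Verify(handle string, challenge []byte, ctr uint32, sig []byte) error {
	pub, ok := rp.pubs[handle]
	digest := sha256.Sum256(signedData(rp.appID, ctr, challenge))
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("unknown handle or bad signature")
	}
	if ctr <= rp.ctrs[handle] {
		return errors.New("counter did not increase: possible clone or replay")
	}
	rp.ctrs[handle] = ctr
	return nil
}

// Login runs one challenge/response; origin is what the browser actually sees.
func Login(rp *RelyingParty, key *Authenticator, handle, origin string, touched bool) error {
	challenge := make([]byte, 32)
	_, _ = rand.Read(challenge)
	ctr, sig, err := key.Authenticate(handle, origin, challenge, touched)
	if err != nil {
		return err
	}
	return rp.Verify(handle, challenge, ctr, sig)
}

func main() {
	key, bank := NewAuthenticator(), NewRelyingParty("https://bank.example")
	handle, pub, _ := key.Register(bank.appID)
	bank.Enroll(handle, pub)
	fmt.Println("genuine login:", Login(bank, key, handle, "https://bank.example", true))
	fmt.Println("relayed via lookalike:", Login(bank, key, handle, "https://bank-login.example", true))
}
```

The origin check is what makes the post's phishing claim hold: a lookalike page can forward the bank's real challenge, but the browser reports the page's own origin, so the key refuses to sign and the attacker receives nothing usable. The per-service key pair is what makes the privacy claim hold: two services that compare their stored public keys learn nothing about each other's users. The counter check is a server-side detection, not a prevention; it surfaces a cloned authenticator the first time the clone and the original both authenticate.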

For more information on internet credential theft and misuse, read our whitepaper. Also stay tuned for part two of our blog series!

Alex Yakubov

IBM and Yubico Simplify Strong Security for Enterprises

Raise your hand if you’re a fan of security products that live up to their name and also deliver a delightful user experience! You know we are, and that’s why we’re happy to announce a joint effort with IBM to deliver FIDO Universal 2nd Factor (U2F) protection with the YubiKey through the IBM Security Access Manager (ISAM). The FIDO U2F open authentication standard provides the highest level of security assurance and protects against phishing and man-in-the middle attacks aimed at stealing credentials and gaining access to enterprise systems and services.

If you’re an ISAM customer, and are currently evaluating two-factor authentication (2FA) or multi-factor authentication (MFA) options, then look no further. IBM has integrated the strongest level of 2FA to ISAM with YubiKey and FIDO U2F support. The YubiKey FIDO U2F Settings Configurator for ISAM is available in the IBM Security App Exchange, a marketplace where developers across the industry can share applications based on IBM Security technologies.

The new app enables ISAM Administrators to quickly and easily reconfigure the ISAM appliance to enforce FIDO U2F with YubiKey attestation in a matter of minutes. From there, end users are able to register their own YubiKeys for easy, secure access to any systems you have connected for Single Sign-On (SSO). The YubiKey offers a frictionless authentication experience for ISAM admins, users throughout the organization, and external customers.

For a limited time, we’re offering ISAM Admins the YubiKey Experience Pack for $100* ($268 value), which includes one of all six YubiKey form factors. Use them to test out the integration in your environment, and let us know how we can help when you’re ready to rollout the YubiKey to your organization.

*Offer valid through 11:59pm PT December 15, 2017, while supplies last.

Jerrod Chong

How to Navigate FIDO U2F in Firefox Quantum

Firefox Quantum is the latest internet browser to natively support FIDO Universal 2nd Factor (U2F) devices, and we couldn’t be more thrilled to see this advancement! With Mozilla jumping on board, millions of Firefox users can now begin to experience the ease-of-use and security of the YubiKey and U2F authentication...with one small caveat. FIDO U2F is not turned on by default in the Firefox browser.

If you’re among the individuals testing the FIDO U2F YubiKey with Firefox Quantum, you’ve likely already experienced a few common challenges. First, FIDO U2F is not a default setting with the latest Firefox browser. It requires configuration in advanced settings. Second, even after enabling FIDO U2F, some services may not recognize it. We understand that this can be frustrating or inconvenient for users, and as a principal inventor of the FIDO U2F open authentication standard, we’d like to provide additional clarity and guidance.

Why isn’t FIDO U2F a default setting in Firefox Quantum?

Mozilla plans to only support the out-of-the-box experience with FIDO U2F devices using Web Authentication APIs (as part of FIDO 2) versus FIDO U2F APIs. Per the company’s Security/Crypto Engineering wiki page, they intend to “...permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57 (Done in Firefox 57), and Web Authentication (on by default) in Firefox 59 or 60.”

In many ways, FIDO 2 is the next generation of FIDO U2F, as it will pave the way for things like multi-factor and passwordless login, while still supporting the two-factor authentication (2FA) functionality of the original FIDO U2F standard. As the Web Authentication specifications will likely not be complete until early 2018, users will need to wait for a seamless experience with U2F devices in Firefox until the Web Authentication API integration is done.

How do I enable FIDO U2F in Firefox Quantum?

While the FIDO U2F experience in Firefox is limited at the moment, turning it on is very simple. It only takes three steps.

1. Type about:config into the Firefox browser.

2. Search for “u2f”.

3. Double click on security.webauth.u2f to enable U2F support.

Even after enabling FIDO U2F in Firefox Quantum, why won’t YubiKeys work for some U2F-enabled sites?

Integrating with the FIDO U2F v1.1 JS API will allow a developer’s web app to support U2F on Firefox. That said, it’s important to understand that every FIDO U2F implementation can vary from the official specifications. For example, Mozilla did not fully implement the FIDO AppID and Facet Specification. Some sites supporting FIDO U2F have made accommodations for the incompleteness of Firefox’s implementation, but some have not. In other situations, some services may not work with Firefox Quantum because of a service-specific implementation. For this reason, Firefox Quantum users are currently having trouble authenticating with their FIDO U2F devices on some sites that typically support FIDO U2F devices. Our recommendation? Make a request to both Mozilla and that particular service to refine their FIDO U2F support, allowing for Firefox compatibility.

Ultimately, Mozilla’s FIDO U2F support is a huge progression toward strong, unphishable authentication. We can only hope to see the platform’s FIDO U2F authentication experience grow to become seamless and simple as the FIDO standard intends.

5.9.18 Update - Firefox 60 is the first browser to support the new security standard FIDO2, Web Authentication (WebAuthn), and U2F

Yubico Team

Yubico Closes 2017 with Four Major Events

Typically, the Winter holiday season can make for a more quiet year-end for businesses, but things are still in full swing here at Yubico! Over the course of the next two weeks, you’ll find us at four major tech events across the United States and Europe: AWS Re:invent, Gartner IAM Summit, Trustech, and BlackHat Europe.

Whether you attend a speaking session, or stop by our booth, visit us to talk all things YubiKey. Let’s chat about identity and access management (IAM) integrations, next-gen payment and identity ecosystems, IT trends and research, and the future of authentication. We can also catch you up on Yubico’s latest and greatest, including the recently launched YubiHSM 2. To get you up to speed, here are few of the things we’ve been working on over the last few months:

  • YubiHSM 2 is now available. Launched October 31, it’s the world’s smallest and most cost-effective hardware security module (HSM) for server protection, costing only $650.
  • We launched our latest YubiKey form factor, the YubiKey 4C Nano, in September. It’s the only multi-protocol USB-C authenticator of its kind, and is a true design and engineering triumph.
  • A recent integration with identity proofing provider ID.me marks the first roll out of FIDO U2F and YubiKey two-factor authentication for government agencies in the US.
  • The reality of passwordless login is closer with joint efforts from Yubico and Microsoft on the FIDO 2 open authentication standard. The first public demonstration of this was given at the 2017 Cloud Identity Summit (CIS) using a Microsoft Windows 10 computer through Azure Active Directory (AAD) and a YubiKey.

We’d love to fill you in on all of the exciting things we’re working on and how it all plays into the greater security and identity ecosystem, so be sure to pay us a visit! Wondering where you can find us at each show? You can get all the details on our events page.

Yubico Team

Yubico CEO Awarded 2017 Shooting Star by Ernst & Young

Today, we are proud to announce that Yubico CEO & Founder Stina Ehrensvard was awarded the 2017 Female Shooting Star by Ernst & Young’s Entrepreneur of the Year awards in Stockholm.

The annual Entrepreneur of the Year awards recognize exceptional business leaders who create products and services that drive a healthier worldwide economy. Specifically, the Female Shooting Star award is reserved for the woman who leads significant company growth in a short period of time. Ernst & Young organizes and distributes the awards regionally, nationally, and internationally with a mission to encourage entrepreneurial interest and inspiration among future generations.

All award finalists are evaluated by a jury based on entrepreneurial spirit, innovation, personal integrity, financial performance, strategic direction, market impact, and social responsibility. The jury for Stockholm’s regional finalists included previous Swedish award winners and local business representatives with solid knowledge and experience of entrepreneurship. Upon the jury’s delivery of the award to Stina, it was noted:

“With an impressive and inspiring forward-looking mindset and goal-consciousness, Stina is building a new world standard in one of the most competitive sectors in the IT world. A future-defining entrepreneur can create something that the world has not seen before. This entrepreneur demonstrates that she is about to do this. Backed by an impressive customer list and explosive growth, she is aiming for gold.”

To learn more about Yubico’s corporate growth and industry leadership, read our press release. Additional information on the Entrepreneur of the Year awards can be found here.

Yubico Team

YubiHSM 2 is here: Providing root of trust for servers and computing devices

If you were to ask someone who Yubico is or what we do, you’d likely get the answer, ‘YubiKeys’, and rightfully so. YubiKeys are our foundation, and at the core of our mission to provide tried and true multi-factor authentication since 2008. They are used and loved by some of the world’s largest companies and by millions of individuals in more than 160 countries. But what a lot of people don’t know is that our product portfolio is more extensive. We’re also in the business of protecting servers and the keys stored on those servers, and today, we are thrilled to launch the YubiHSM 2.

True to Yubico form, the YubiHSM 2 defies a conventional design approach to hardware security modules (HSM) with the company’s signature traits of simplicity and affordability. The ultra-slim nano form factor YubiHSM 2 device is affordable at $650, offering advanced capabilities and benefits at a price within reach for all organizations. This is far from the traditional $10,000 HSM box that might typically come to mind.

Many customers will use the YubiHSM 2 to secure their certificate authorities’ (CAs) root keys and to verify signatures. The YubiHSM 2 also offers advanced signing with EdDSA on Curve25519.

So, how does the new YubiHSM 2 fit into your organization? Our VP of Product Jerrod Chong gives us a real-world snapshot of the YubiHSM 2 in action:

Q: Why would an enterprise or SMB have a need for an HSM?

Every organization needs to protect their server environments and the cryptographic keys stored on those servers. Approximately 95% of all IT breaches happen when a user credential or server gets hacked. HSM hardware delivers advanced protection to prevent the theft of keys while at rest or in use. This protects against both logical attacks against the server, such as zero-day exploits or malware, and physical theft of a server or its hard drive. However, most companies have taken a software-based approach, as hardware-based protection has always been cost prohibitive with traditional HSM solutions. That is not the case with the YubiHSM 2.

Q: What would a typical YubiHSM 2 enterprise deployment look like?

A typical YubiHSM 2 deployment for enterprise would include the use of hardware-backed keys for a Microsoft-based PKI implementation. Deploying the YubiHSM 2 for Microsoft Active Directory Certificate services not only protects the CA root keys, but also protects all signing and verification services using the root key. For this particular type of YubiHSM 2 deployment, implementation is fairly plug-and-play.

Q: What were some of the more unique or creative ways people were using YubiHSM 2 during the beta program?

While protection of root keys for Microsoft AD Certificate services is a common use case, participants in our beta program also explored the use of the YubiHSM 2 for improving security on manufacturing lines, increasing security for IoT gateways and network appliances, and augmenting security on legacy SCADA.

Q: Can the YubiHSM 2 be used on virtual systems?

Yes, the YubiHSM 2 is network-sharable. While it plugs into a USB port on a host machine, communication is handled via a connector that can speak HTTPS. This means it can speak with any application connected to the network using HTTPS, a feature not previously available on the original YubiHSM model and not frequently supported by lower-priced HSMs. This can be especially advantageous on a physical server that is hosting multiple virtual machines (particularly for cloud applications), so organizations are not bound to the host machine USB ports.

Q: The size of the YubiHSM 2 is rare for an HSM. What was the impetus behind selecting the “nano” form factor?

One of the drawbacks with traditional HSM solutions is that they are large in size, making it difficult to deploy on servers that use rack-based installations. The Yubico nano form factor allows the HSM to be inserted completely inside a USB-A port with minimal protrusion. This allows for optimized placement in tightly constrained server racks.

For more information on additional YubiHSM 2 capabilities and technical specifications, visit https://www.yubico.com/products/yubihsm. Alternatively, if you are ready to purchase the YubiHSM 2 for your organization, units are available on our store.

Yubico Team

Growing our security and open standards team

In celebration of this week’s National Cybersecurity Awareness Month theme, The Internet Wants YOU: Consider a Career in Cybersecurity, we asked three of our security and open standards rockstars — Jesper Johansson, Torbjörn Granlund, and John Bradley — to share their career background, and the journey that led them to Yubico.

Jesper Johansson, Chief Security Architect, Yubico

Jesper joins Yubico’s Seattle office to grow and lead the Yubico Security Team. He leaves his post at Google, where he worked in the Security & Privacy team. Prior to that, he spent a decade at Amazon, rising to Chief Security Architect for Amazon's Worldwide Consumer business, and was a security strategist and founding team member of the Trustworthy Computing Team at Microsoft.

When asked to impart some advice to those pursuing a career in cybersecurity, he shared:

“Two things -- first, learn another field as well. You can't be an expert in security without being an expert in some related field. Security is all about protecting something, and you have to have a good understanding of that something else. Second, be pragmatic. The biggest mistake security folks make is trying to secure things to a level that far exceeds the value of the asset you are protecting, or the risk to that asset. We need to focus on security solutions that support the business rather than those that hinder it.”

Jesper is the author of three books, many articles, and blog posts, and has delivered more presentations on security than anyone could remember.

Torbjörn Granlund, Senior Software Engineer, Yubico

Torbjörn recently joined our Stockholm office as an expert in efficient and side channel resilient asymmetric cryptography. He has contributed fundamental functionality to the GNU project, which is used by Linux for file copying, string and memory operations, as well as the GNU compiler.

Torbjörn proves that following your passion and honing your skills can lead to a fulfilling career and significant breakthroughs. “I’ve always been into maths, and in my teens turned into programming. I took a Masters in Science in CS. Far into my career, I realized that my maths skills were lacking, and decided to take a PhD with more maths and more theoretical CS,” said Torbjörn.

Torbjörn developed and authored the GMP arithmetic library, the de facto standard library for arithmetic within the areas of computational number theory — truly a great achievement in the field of mathematics. It is used for asymmetric cryptography in libgcrypt, nettle, GnuTLS, and optionally in OpenSSL.

John Bradley, Senior Technical Architect, Yubico

With more than 15 years of experience, John is an Identity Management subject matter expert and IT professional, whose primary focus at Yubico is on open identity standards. John is treasurer of the OpenID Foundation and the Open Identity Exchange (OIX), and an active contributor to SAML, OAuth, and other IETF standards. He is also one of the leaders of OSIS and the OpenID Certification, forums that vendors use for industry interoperability testing.

In a previous role, John was asked for a solution that offered the same level of security used for the US Government Service Agency (GSA), but was simple enough for the average user. Meeting the challenge, John co-authored the ICAM protocol profiles at Protiviti Government Services on behalf of GSA, and is currently co-authoring the next version of the OpenID specification and related standards.

“The standards are all coming together for 2018, as observed by Microsoft at CIS. We also made progress this year by updating NIST SP-800-63 to a third revision to accommodate the new techniques beyond the original smart card model,” he continued. “The goal is to make possible end-to-end proof of possession security from the first authentication through to the last access token.”

With an impressive list of achievements between the three, we are thrilled and proud to welcome them into the Yubico team.

Interested in a career in cybersecurity at Yubico? Check out our open job opportunities here.

Jerrod Chong

iPhone support for YubiKey OTP via NFC

Will my YubiKey NEO work on iPhones now that iOS 11 added some NFC support? It’s a fair question – one that we’ve been getting a lot of. This blog explains some of the details about iPhone support for YubiKey OTP to help bring some clarity to YubiKey users.

First, it’s important to understand the limited scope of Apple’s NFC support. Apple’s NFC APIs for iOS (Core NFC) allow iPhone apps to read the NFC Data Exchange Format (NDEF) records from certain NDEF tags (only supported on iPhone 7, 7 Plus, and up). However, there are a few limitations. Besides the fact that the NFC Reader interface can only be fired up from an app, Core NFC does not allow the write operations that are required for authentication protocols like FIDO U2F. As a result, NFC on the iOS platform does not support Google’s recently announced Advanced Protection Program.

However, because NFC tag reading is supported, developers can build apps, including consumer-facing or purpose-built enterprise applications, with one-time passcode (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, we finally have some good news for iPhone lovers: the YubiKey NEO will support OTP over NFC for applications that run on iOS 11 and iPhone versions 7+. While Yubico acknowledges this progress, ubiquitous Apple support for strong authentication, namely FIDO protocols, remains out of reach at the moment.

For YubiKey users, this improves OTP two-factor authentication on the iPhone. Now they can authenticate with just a tap of their YubiKey NEO against the phone. Additionally, developers have a better authentication option to integrate with their mobile applications. One caveat remains: developers will have to build NFC support into each individual application to retrieve the OTP from the NDEF tag. Edit (28 May, 2018): See our new Mobile SDK for iOS.

In contrast, Android supports NFC natively in the platform. For example, Android developers can open the NDEF record for a URL with the default browser instead of opening up the specific app to read the NDEF tag. Furthermore, Android developers can also add FIDO U2F support using the Android FIDO U2F APIs.

While this is encouraging news, we realize it is not yet the complete desired solution. With Apple finally opening up parts of its NFC technology (just like with Touch ID a few years ago), we are hopeful that this standards-based approach will evolve. We know security is only as strong as its weakest link; it is high on our bucket list of things to solve for the ecosystem!

What can you do? As Yubico continues to advocate for ubiquitous, strong authentication for all, we invite you to join us in voicing or tweeting your concerns and desires to Apple to expand their NFC on iOS. As a customer-centric company, Apple will greatly value your input. To send developer feedback to Apple, visit their contact page or send a tweet to @AppleSupport.

Yubico Team

Catch today’s webinar: Next-gen Identity Management

Are your users really who they claim to be? What is the impact to your business if your end-users are registering as fake individuals, or impersonating others? If the identity of your users matters to your business, then you’ll want to join today’s webinar hosted by SC Magazine.

Identity, the internet, and your business—architecting your online product/service once was as simple as enabling someone to create a username and a password. It’s not that easy or simple anymore. Usernames are easily guessed and passwords are easily breached. The answer, of course, is that identity and access management software needs to be absolutely certain that the identity is correct and not an attacker pretending to be the authorized user. NIST 800-63-3 recommends combining identity proofing with multi-factor authentication.

Tune in to today’s webinar on next-gen identity management. Yubico’s foremost identity expert, John Bradley, will chat with SC Media’s Editor, Stephen Lawton, about identity proofing in the real world, and how companies can ensure a user’s identity is accurate and not an imposter.

About John Bradley

John has over 15 years’ experience in the information technology and identity management field. He advises government agencies and commercial organizations on the policy and technical requirements of identity management, federated identity, PKI and smart card solutions. He is often consulted and brought in to brief clients, vendors, staff, and standards organizations on complex state-of-the-art identity management concepts, best practices, and technical requirements because of his amazing ability to make complex topics simple.

Alex Yakubov

Yubico Partners with Google’s Advanced Protection Program

Today, Google formally announced their Advanced Protection Program designed to safeguard the personal Google Accounts of those most at risk of targeted online attacks, including journalists, business leaders, and political campaign teams. Yubico has partnered with Google on this initiative as part of our ongoing commitment to working with people at risk including human rights organizations, such as Freedom of the Press, EFF, and The ISC Project, as well as journalists at the NY Times and other news publications.

Modern phishing and man-in-the-middle (MiTM) attacks are creating new threats for users, and Google’s Advanced Protection Program is an important initiative to protect those most at risk. An extensive Google research study found that traditional 2-step verification and other authentication methods such as codes sent via SMS, one-time password tokens, and mobile apps are now phishable and susceptible to these attacks.

Personal Google Account Advanced Protection Program Login Flow

This is why Yubico and Google co-created the FIDO Universal 2nd Factor (U2F) standard, and why Yubico created the unphishable Security Key, supported by Google since 2014. Both the FIDO U2F standard and the Security Key form the foundation for Google’s new Advanced Protection Program.

Google’s Advanced Protection Program extends the benefits of using YubiKey security keys with important security enhancements.

  • The strongest defense against phishing - Advanced Protection makes it a requirement to use both a password and a physical security key when signing in. Other authentication methods that can be more easily phished by attackers, including codes sent via SMS or the Google Authenticator app, are not permitted and will no longer work.
  • Limit data access to trusted apps - Advanced Protection automatically prevents non-Google apps from accessing your most sensitive data, like your emails or documents.
  • Block fraudulent account access - Advanced Protection adds extra steps to verify your identity during the account recovery process to safeguard against fraudulent account access.

In partnership with Google, Yubico is proud and honored to announce our participation and support of those signing up for Google’s Advanced Protection Program. Get a recommended YubiKey Advanced Protection bundle here.

You can read more about how to sign up to the program at Google’s Advanced Protection Program information page.

Yubico Team

Infineon RSA Key Generation Issue

Infineon Technologies, one of Yubico’s secure element vendors, has informed us of a security issue in their cryptographic firmware library. The issue affects TPMs in millions of computers, and multiple smart card and security token vendors.

For Yubico, the issue weakens the strength of on-chip RSA key generation, and affects some use cases for the PIV smart card and OpenPGP functionality of the YubiKey 4 platform. We’ve issued a security advisory on this issue.

FIDO U2F, OTP, and OATH functions of the YubiKey 4 platform are not affected. The YubiKey NEO, FIDO U2F Security Key and YubiHSM are not impacted, nor are the deprecated products YubiKey Standard and YubiKey Edge. Externally generated RSA keys are not affected.

Yubico estimates that approximately 2% of YubiKey customers utilize the functionality affected by this issue. We have addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017.

At this time, we are not aware of any security breaches due to this issue. We are committed to always improving how we protect our customers and continuously invest in making our products even more secure.

We offer customers who are affected mitigation recommendations and optional YubiKey replacement. For more information please refer to our dedicated customer portal.

Stina Ehrensvard

The key to GDPR compliance and online privacy protection

The EU General Data Protection Regulation (GDPR) is a new set of mandates aimed at protecting the privacy of internet users. From May 2018, any organization operating, storing or processing data of EU citizens will be subject to the requirements. With the threat of hefty fines of €20M or 4% of worldwide turnover for non-compliance, whichever is greater, GDPR has got everyone’s attention.

One of the key components for GDPR compliance is the need for strong authentication. With billions of stolen credentials now in circulation, the use of usernames and passwords is no longer sufficient for protecting personal data. The European Union Agency for Network and Information Security – ENISA – describes authentication as ‘key to securing computer systems’ and as the first step ‘in using a remote service or facility, and performing access control’. Referenced as GDPR-compliant authentication solutions are one-time password solutions, smart cards, and FIDO Universal 2nd Factor (U2F).

At Yubico, it’s been our mission to make strong two-factor authentication easy to use and deploy, and available for everyone. We disrupted One Time Password (OTP) technology by introducing the simple touch, no-client-software-install solution of the YubiKey. We co-created the FIDO U2F open standard and developed a next-generation, simplified, and more secure PIV smart card technology. All these protocols and acronyms – OTP, PIV, FIDO U2F – enable one YubiKey to provide strong authentication for secure access to the majority of IT systems, ranging from computers and phones to networks and online services.

But of all the three protocols, FIDO U2F is the most powerful.

FIDO U2F has today proven at scale that it is the strongest defense against modern phishing attacks that hijack the session, the so-called man-in-the-middle attacks. As well as being easy and affordable to use and support, FIDO U2F preserves the privacy of internet citizens.

Many online authentication and identity technologies store user data and cryptographic secrets in centralized servers. An essential feature of FIDO U2F is that it does not store any personally identifiable information (PII), and while it works across any number of services, it does this without sharing any information between the services. It is these game-changing privacy measures that make the YubiKey and FIDO U2F optimal for GDPR compliance.

Government regulations supporting public safety are not new. Several times before we have seen government step up and re-write laws when the health and security of citizens are at risk. We may like it or not, but some of these laws have been effective. For example, today, significantly fewer people are killed by cars and cigarettes compared to the 1950s.

With the May 28, 2018 deadline for GDPR rapidly approaching, the days of usernames and passwords as an acceptable authentication technique are numbered. The hefty fines that can be imposed for GDPR non-compliance may be the necessary means for organizations to become responsible when operating, storing or processing data of EU citizens. Learn more about the security, usability, cost and privacy benefits of FIDO U2F.

Please contact us if we can help you with GDPR compliant authentication.

Stina Ehrensvard

Creating the Unphishable Security Key

How the FIDO U2F security key and YubiKey stop phishing and man-in-the-middle attacks

Security is never stronger than its weakest link, and that weakest link is often the user. Not surprisingly, phishing attacks that target users are increasing not only in volume, but also in sophistication. Google knows that. Recently, the search giant updated their login security policy to enable users to set up security keys as their preferred and only authentication method, no longer requiring the use of SMS or a mobile authenticator app.

SMS and mobile authenticator apps are no longer effective at protecting against the modern man-in-the-middle phishing attacks that are able to hijack the session.

To prevent state-of-the-art and old school phishing attacks, Yubico and Google combined a number of advanced security features, listed below, when co-creating the FIDO Universal 2nd Factor (U2F) protocol, to deliver the unphishable key.

Origin bound keys
One of the most common phishing attacks is to trick users to visit and log in to a fake website, where the user gives away sensitive login data and performs a fraudulent transaction. With the increasing sophistication of hackers, it is becoming difficult for most users to see the difference between a fake and a real site. Some fake sites may even include the green light indicating a secure connection and an SSL certificate.

The latest sophisticated phishing attacks, so-called man-in-the-middle attacks, are even more aggressive: hijacking the communication between the user and service, and automatically redirecting the user to the fake web site.

With the YubiKey and FIDO U2F Security Key, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication will fail on the fake site even if the user was fooled into thinking it was real.

Verification of user presence
By requiring a simple human touch to trigger the key to authenticate, the YubiKey and FIDO U2F Security Key verify that the person logging in is a real live human behind the computer, and not a remote hacker, bot, or trojan.

No shared secrets
U2F relies on the concept of minting a cryptographic key pair for each service. This means that the authentication secrets for each service are not shared. By using public-key cryptography, the server only has to store the public key for the user. Furthermore, this enhances user privacy as different sites cannot learn for which sites the user has registered.
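The origin binding and per-service key pairs described here (and in the U2F walkthrough earlier on this page), as an added example that is not Yubico’s or Google’s code: a simulated U2F device and relying party with P-256 ECDSA written out inline, a constructed key-handle scheme, and constructed origins. A look-alike origin never obtains a valid signature for the real site, and two services see unrelated public keys for the same device.

```python
# Added example, not Yubico's code: a toy FIDO U2F registration and
# authentication flow showing origin-bound, per-service key pairs. P-256 ECDSA
# is written out in plain Python so it runs offline; the key-handle scheme and
# the origins are constructed for the demo.
import hashlib, hmac, secrets, struct

# NIST P-256 domain parameters (the curve FIDO U2F uses)
_p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
_n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
      0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(P, Q):
    """Affine point addition on P-256; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % _p == 0: return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, _p) % _p   # curve a = -3
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _p) % _p
    x3 = (lam * lam - x1 - x2) % _p
    return (x3, (lam * (x1 - x3) - y1) % _p)

def _mul(k, P):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    R = None
    while k:
        if k & 1: R = _add(R, P)
        P, k = _add(P, P), k >> 1
    return R

def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def ecdsa_sign(d, msg):
    z = int.from_bytes(_h(msg), "big")
    while True:
        k = secrets.randbelow(_n - 1) + 1
        r = _mul(k, _G)[0] % _n
        s = pow(k, -1, _n) * (z + r * d) % _n
        if r and s: return (r, s)

def ecdsa_verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < _n and 0 < s < _n): return False
    z, w = int.from_bytes(_h(msg), "big"), pow(s, -1, _n)
    X = _add(_mul(z * w % _n, _G), _mul(r * w % _n, Q))
    return X is not None and X[0] % _n == r

class Authenticator:
    """Toy U2F device: one master secret, a fresh key pair for every app ID."""
    def __init__(self):
        self._master, self.counter = secrets.token_bytes(32), 0
    def _derive(self, app_hash, nonce):
        # Private key is re-derived from (app ID, nonce); no per-site secret is stored.
        d = hmac.new(self._master, app_hash + nonce, "sha256").digest()
        return int.from_bytes(d, "big") % (_n - 1) + 1
    def register(self, app_hash):
        nonce = secrets.token_bytes(32)
        # Key handle = nonce || MAC binding the handle to this app ID (constructed).
        handle = nonce + hmac.new(self._master, nonce + app_hash, "sha256").digest()
        return handle, _mul(self._derive(app_hash, nonce), _G)
    def authenticate(self, app_hash, handle, client_data_hash):
        nonce, mac = handle[:32], handle[32:]
        if not hmac.compare_digest(mac, hmac.new(self._master, nonce + app_hash, "sha256").digest()):
            return None                      # handle was not registered for this origin
        self.counter += 1                    # real hardware requires a touch here
        signed = app_hash + b"\x01" + struct.pack(">I", self.counter) + client_data_hash
        return self.counter, ecdsa_sign(self._derive(app_hash, nonce), signed)

class RelyingParty:
    """Toy U2F server: stores only a public key, key handle and counter per user."""
    def __init__(self, app_id):
        self.app_hash, self.users = _h(app_id.encode()), {}
    def enroll(self, user, device):
        handle, pub = device.register(self.app_hash)
        self.users[user] = {"handle": handle, "pub": pub, "counter": 0}
    def login(self, user, device, page_origin):
        # The browser, not the page, tells the device which origin is asking, so a
        # look-alike site presents hash(its own origin) and the registered handle fails.
        rec, challenge = self.users[user], secrets.token_bytes(32)
        cdh = _h(challenge + page_origin.encode())
        resp = device.authenticate(_h(page_origin.encode()), rec["handle"], cdh)
        if resp is None: return False
        counter, sig = resp
        signed = self.app_hash + b"\x01" + struct.pack(">I", counter) + cdh
        if counter <= rec["counter"] or not ecdsa_verify(rec["pub"], signed, sig):
            return False                     # replay, cloned device or wrong origin
        rec["counter"] = counter
        return True

def demo():
    key = Authenticator()
    mail, files = RelyingParty("https://mail.example"), RelyingParty("https://files.example")
    mail.enroll("alice", key); files.enroll("alice", key)   # one key, two services
    return {
        "distinct_keys": mail.users["alice"]["pub"] != files.users["alice"]["pub"],
        "real_site": mail.login("alice", key, "https://mail.example"),
        "fake_site": mail.login("alice", key, "https://mail-example.test"),  # look-alike origin
    }
```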

Token binding
Token binding is an additional protection supported by FIDO U2F that secures the connection between the browser and the service to prevent man-in-the-middle attacks.

Token binding allows servers to bind tokens (such as cookies and OAuth tokens) cryptographically to the TLS layer, to prevent attacks where an attacker exports a bearer token from the user’s machine to present to a web service and impersonate the user. Token binding is used by FIDO U2F keys to bind the FIDO authentication token to the user agent’s TLS connection with the service.

Native platform/OS support
The YubiKey and FIDO U2F Security Key were intentionally designed so that no additional client software is required. With all the authentication logic built into the key, the user gets zero friction. It also removes the attack surface and risk of compromise that comes with any extra client software that would otherwise have to be downloaded to a phone or computer.

Secure backup
Any authentication device can be lost. The affordable, hardware-based design of the security key makes it easy for users to register multiple keys on their accounts, giving them a secure backup at a considerably lower support cost than mobile phone authentication.

Ease of use
Last, but not least, the unphishable YubiKey and FIDO U2F Security Key were designed to be easy to use and deploy.

All these security features work seamlessly. For the user, it is just a simple touch to authenticate. To further simplify, services and users can choose their own policies for how often they need to authenticate with a security key. With the way Facebook has implemented FIDO U2F, users only need to register and authenticate once per trusted laptop or phone.

Any online service can easily add support for FIDO U2F using Yubico's free and open source server code, and integration can be done within a few days. Alternatively, U2F can be implemented via Google and Facebook social login. Through this federation model, millions of websites and billions of users globally have access to online identity protection through unphishable security keys.

Learn more about FIDO U2F and social login.

Yubico Team

Our Family is Growing! YubiKey 4C Nano Unveiled at Microsoft Ignite

Today, at Microsoft Ignite (Booth #2063), we proudly announced the first-ever — and the world’s smallest — USB-C authentication device of its kind: the YubiKey 4C Nano.

The YubiKey 4C Nano form factor shares unique features with two of its siblings — the YubiKey 4C and YubiKey 4 Nano. Similar to the 4C, the YubiKey 4C Nano is designed for use with the latest USB-C devices, such as the newly designed Mac and PC laptops. Akin to the 4 Nano, the YubiKey 4C Nano’s miniature design and ultra-low profile allows the device to be left in a USB-C port without any disturbance to a user’s work environment or device mobility.

With the YubiKey 4C Nano’s patent-pending micro-design, the device is built with the same robust, multi-protocol authentication support of the YubiKey 4 product suite. This enables flexible and secure access to a variety of applications: computer login, remote server access, identity access managers, password managers, and an ever-growing number of online web accounts, including Google, Facebook, Dropbox, and more.

Delivering enterprise-grade authentication within a micro-sized hardware device is quite frankly an engineering and product design triumph! That said, we talked to Yubico CTO Jakob Ehrensvard for a closer look at some of the behind-the-scenes effort it took to make this happen. Here’s what he had to say:

Q: Many users, enterprises, and consumers alike are excited about the YubiKey 4C Nano. How did you know this was the best next step in terms of product development?

Jakob: The YubiKey nano design has become popular for users who want their YubiKey to almost be an integral part of their laptop. Particularly, when the user needs to authenticate often, this setup becomes very convenient. So, immediately after we launched the YubiKey 4C earlier this year, customers began asking us for a nano design.

Q: As discussed, the YubiKey 4C Nano size and design is incredibly impressive. What is some of the unseen work that went into this?

Jakob: At first glance, we thought it could not be done. There was simply not enough space to fit both a connector and electronics. The first couple of prototypes simply did not match the elegance of the YubiKey Nano, so we had to go back to the drawing board, and actually design a USB-C connector from the ground up. Fitting the electronics into the small form-factor, and being able to mass-produce them has been a design challenge, but I believe the final result is in keeping with the promise of a YubiKey Nano. It “is just there”, without interfering with everyday use, and without blocking any other ports.

Q: How do you see this product addition strengthening Yubico’s position to better serve enterprises and consumers?

Jakob: With the increasing adoption of USB-C on mobile devices and Apple’s “all in” approach, where they removed all other ports, we believe devices designed specifically for USB-C make the everyday use of the YubiKey simpler and smoother. Going forward, we anticipate a migration to USB-C, where it becomes the ubiquitous standard for peripheral connectivity, from desktop to phones.

Q: Moving forward, what will be the next new thing we see from Yubico?

Jakob: Broadening the hardware options is one part of the equation. In parallel, we’re working on broadening the protocol and platform support to keep the promise of the YubiKey being the ultimate authentication solution. The upcoming FIDO2 and WebAuthn standards will expand the capabilities and platform support, and we’re excited to be driving this effort. In addition to that, we’re finalizing our second-generation YubiHSM product, which extends the reach of the YubiKey to the backend of the authentication and encryption ecosystem, bringing cryptography for servers to the masses.

For more information regarding the full suite of YubiKey 4 products, visit https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/. The YubiKey 4C Nano is available today at www.yubico.com/store for $60 US. The product is also being demonstrated at Yubico Booth #2063 at Microsoft Ignite.

Stina Ehrensvard

Firefox Nightly enables support for FIDO U2F Security Keys

This week, Mozilla enabled support for FIDO U2F (Universal 2nd Factor) security keys in the pre-beta release of Firefox, Firefox Nightly. Firefox is the second largest internet browser by user base. In the near future, 80% of the world’s desktop users, including Chrome and Opera users, will benefit from the open authentication standard and YubiKey support out of the box.

When GitHub added support for U2F in 2015, the open source community voted U2F the most wanted feature in Firefox. We are delighted to now see it happening. Yubico has helped with U2F integration for Firefox and for other platforms and browsers that have added, or are in the process of adding, support, as it is critical for taking the YubiKey and U2F unphishable authentication to the global masses.

In today’s world, software installation brings with it not only added complexity for the user, but also the potential risk of malware. Chrome has already enabled millions of websites and services to deploy FIDO U2F seamlessly, mainly through Google and Facebook social login, to help mitigate that. Now with native support for FIDO U2F security keys in Firefox, millions more will benefit from strong, hardware-based two-factor authentication without the need to download or install client software.

Thanks Mozilla for working on increasing security and usability for internet users!

Stina Ehrensvard

First US e-Government Services Protected with FIDO U2F Unphishable Security Keys

Today, at the 2017 Federal Identity Forum (FedID), we are taking an important step towards a more secure internet for everyone by introducing the first US federal services to offer identity proofing protected with an unphishable FIDO U2F security key. This solution is enabled through identity proofing provider ID.me, and marks the first roll-out of FIDO U2F two-factor authentication for government agencies in the US. We will be demonstrating this integration at the Yubico FedID booth #636.

As the co-author of U2F and the leading maker of FIDO U2F security keys, Yubico is thrilled to see ID.me become the first to help protect US government services using FIDO U2F security keys. Today, US citizens can use the same YubiKey to log in securely to leading internet services, including Google and Facebook, and now to federal sites where ID.me is used for identity proofing. This is a great milestone for all the contributors to the FIDO U2F standards.

“Thieves can guess or steal passwords from a database, and they can spoof biometrics,” said Blake Hall, CEO of ID.me.

“A physical FIDO U2F security key is ‘unphishable’ – to provide more robust and easy to use security to all customers, it’s essential to support FIDO U2F based standards and the adoption of security keys.”

This week’s announcement of US e-Government support for FIDO U2F follows last year’s launch by the UK government. Similar to the US government initiatives, the GOV.UK Verify service for UK citizens offers a combination of identity proofing, single sign-on, and secure authentication with FIDO U2F security keys. GOV.UK Verify with FIDO U2F was enabled through identity provider Digidentity. Yubico is in dialogue with many other countries around the world that are considering offering U2F authentication for citizen-facing government services.

Yubico and ID.me will discuss the new capabilities at FedID during their “Unphishable” Authentication by the VA panel session on Thursday, September 14, 2017, at 2:15pm-3:15pm.

Additionally, Yubico will also be participating in the below discussions at FedID.

Wednesday, September 13 | 11:00am – 12:00pm
Panel: Proving (or Hiding) Your Identity Online

Wednesday, September 13 | 3:16pm – 4:14pm
Panel: A Survey of Identity Standards

For more information on FIDO U2F security keys, go to www.yubico.com.

Yubico Team

Yubico on the Road: 5 Tech Events You Wouldn’t Want To Miss

Two countries. Five cities. One month. The coming weeks will be busy and exciting for the Yubico team, so we’ve compiled our full travel itinerary for those of you keeping tabs. If you are attending any of the events below, please come by and say hello — you’ll know where to find us.

True to Yubico form, we will showcase the seamless power of our multi-protocol YubiKeys with in-booth demos for Okta, Google, GitHub, and more. Got something you want to see? Let us know! If you’re looking for more behind-the-scenes details on leading identity and authentication open standards, you can attend some of our speaking sessions.

Oktane: August 28-30 | Las Vegas, NV

Visit us at Booth #E1, or attend our speaking session.

Panel: The Future of Identity and Security
Tuesday, August 29 at 3:45 – 4:30pm
John Bradley, Senior Architect at Yubico, joins Google, Okta, and OATH to discuss the future of identity, security, and access.

AFCEA: September 12 – 14 | Washington D.C.

Visit us at Booth #636, or attend our speaking sessions.

Panel: Proving (or Hiding) Your Identity Online
Wednesday, September 13 at 11:00am – 12:00pm
Stina Ehrensvard, CEO and Founder of Yubico, joins Venable, Experian, and FIDO Alliance to discuss best approaches to achieving balanced and privacy-preserving web authentication.

Panel: A Survey of Identity Standards
Wednesday, September 13 at 3:16 – 4:14pm
John Bradley, Senior Architect at Yubico, joins Axiomatics, SailPoint, and MorphoTrust to dive into the realm of open identity standards.

“Un-Phishable” Authentication by the VA Panel
Thursday, September 14 at 2:16 – 3:14pm
Stina Ehrensvard, CEO and Founder of Yubico, joins members from ID.me and FIDO Alliance to discuss strong authentication that can withstand sophisticated modern attacks.

Microsoft Ignite: September 25-29 | Orlando, FL

Visit us at Booth #2063.

ASIS: September 25-28 | Dallas, TX

Attend our speaking session.

Stop Sweating the Password and Learn to Love Public Key Cryptography
Tuesday, September 26 at 11:00am – 12:15pm
Chris Streeks, Solutions Engineer at Yubico, explores the benefits and authentication advantages of the emerging FIDO Universal 2nd Factor (U2F) open standard.

Wired UK: September 28 | London, UK

Attend our speaking session.

A Safer Internet for Everyone
Thursday, September 28 at 3:20 – 4:30pm
Stina Ehrensvard, CEO and Founder at Yubico, shares her vision for a secure, privacy-preserving internet that is accessible for everyone worldwide.


We’ve got a busy month ahead, and we hope to catch up with you while we’re on the road. Be sure to stop by our booth or join us for one of our speaking sessions. To get the scoop on where we’re heading to next, follow us on Twitter, Facebook, Instagram, and LinkedIn.

Yubico Team

Yubico CEO and Founder wins SC Media Reboot Leadership Award

Yubico is proud to announce that our CEO and Founder, Stina Ehrensvard, won in the Thought Leaders category of the inaugural SC Media Reboot Leadership Awards. Honorees across a range of professional categories were revealed in today’s special editorial section at SCMagazine.com, and recognized for their outstanding service, qualifications, and advancements in cybersecurity.

“Businesses today are increasingly under threat by a range of cybercriminals,” said Teri Robinson, Executive Editor, SC Media. “The cybersecurity leaders we’re celebrating with these leadership awards are on the frontlines every day to help defend and protect our critical systems, data, and privacy from their attacks. To showcase their advances is SC’s honor.”

The awards program is designed to showcase and acknowledge industry luminaries who positively impact the cybersecurity arena. As an extension of SC Media’s annual Reboot edition, the announcement will also be published in print at the end of the year, when the editorial team identifies the best and brightest cybersecurity professionals and their many achievements.

“Winning the SC Media Reboot Leadership Award, in its very first year, is truly an honor and one that represents our company as a whole,” said Ehrensvard. “Our core product, the YubiKey, has become the gold-standard for easy-to-use authentication and encryption. In close collaboration with our customers and top internet companies, we will continue to drive innovation, enabling a safer internet for everyone.”

Contenders in various categories faced a thorough judging process conducted by SC Media’s editorial team. The process included a review of their professional background, references, efforts to benefit the wider industry, and any other research deemed necessary by editorial leaders.

“Stina Ehrensvard exemplifies leadership in one of the most vibrant and fast-evolving industries today,” continued Robinson. “That’s what this awards program is all about – highlighting some of the strongest leaders of the cybersecurity arena whose efforts more often than not underpin every business and leisure activity we all undertake online nowadays. The advances made in this marketplace to protect data, privacy and people are vital to all that we do.”

After this inaugural year, the SC Media Reboot Leadership Awards program will continue to be an annual celebration of the notable contributions, thought leadership, and unique improvements made by a wide range of IT and information security players. To see the profiles of this year’s SC Media Reboot Leadership Awards honorees, go to SCMagazine.com.

Yubico Team

Listen in and learn: Upcoming webcasts featuring Yubico experts

Webcasts galore! Yubico is taking over the airwaves this month with 4 exciting and thought-provoking webcasts. We are collaborating with IT security leaders Microsoft and the FIDO Alliance, plus other industry professionals, to give updates on the future of FIDO and enterprise authentication. Tune in, and learn from the experts.

On August 3, Jerrod Chong, Yubico’s VP of Solutions, will partner with Andrew Shikiar, FIDO Alliance’s Senior Director of Marketing, to deliver a case study on how FIDO, Federation, and Identity Proofing can work together to create a robust identity ecosystem.

Following Microsoft’s game-changing demo at CIS, Derek Hanson, Yubico’s Director of Solutions Architecture and Standards, will join forces with Microsoft’s Alex Simons, Partner Director of Program Management for Microsoft’s Identity Division, on August 9 to discuss modern authentication with FIDO 2.0-based passwordless logins.

On August 15, Jerrod Chong will be back online to share valuable insights on various enterprise authentication techniques, including one-time password, mobile push, smart card, and FIDO U2F, and going beyond the security / simplicity trade-off with Yubico’s enterprise-wide authentication solutions.

Finally, on August 17, Tommaso De Orchi, Yubico’s EMEA Solutions Manager, will speak on the global impact of the General Data Protection Regulation (GDPR), and how organizations can leverage open standards like FIDO U2F and security keys to achieve GDPR compliance.

Join the conversation, and sign up to attend all of our webcasts below:

Aug 3 – Case Study: FIDO, Federation, ID Proofing
10:00AM PDT
Jerrod Chong, VP of Solutions, Yubico
Andrew Shikiar, Senior Director of Marketing, FIDO Alliance
Register to attend

Aug 9 – The Future of Authentication with FIDO
11:00AM PDT
Derek Hanson, Director of Solutions Architecture and Standards, Yubico
Alex Simons, Partner Director of Program Management for Microsoft’s Identity Division, Microsoft
Register to attend

Aug 15 – Enterprise Authentication: Understanding the security / simplicity trade-off
12:00PM PDT
Jerrod Chong, VP of Solutions, Yubico
Register to attend

Aug 17 – Using Open Standards to Comply with GDPR
1:00AM PDT
Tommaso De Orchi, EMEA Solutions Manager, Yubico
Register to attend

Subscribe here to receive Yubico news and updates. Check out our previous webcasts and video content. Follow Yubico on Twitter, Facebook, Instagram, and LinkedIn to get real-time updates and social posts.

Yubico Team

Don’t Roll The Dice on Security! Meet Yubico at Black Hat

This week, information security enthusiasts and experts across the country will make their way to Las Vegas, NV to attend the annual Black Hat cybersecurity conference. Find us during the expo (July 26 – 27) at Booth #572, where we will double down on our award-winning YubiKeys, demonstrate the simplicity of hardware-backed authentication, and speak on the advantages of physical, one-touch YubiKey authentication over other authentication methods, such as push or SMS.

Simplicity and flexibility are not often associated with strong authentication. That is not the case here at Yubico. We believe in making easy-to-use yet exceptional internet security accessible to everyone, and our YubiKeys deliver on that promise. With built-in support for multiple authentication protocols, a single YubiKey can secure an unlimited number of applications with just one touch. No shared secrets, drivers, or client software needed — it’s not part of a Vegas magic show, we swear!

Black Hat attendees can experience innovative authentication in action at the Yubico booth. We will demonstrate the ease, speed, and flexibility of multi-protocol YubiKeys in different scenarios — from U2F authentication across cloud platforms like Google and Dropbox, to leading IAM integrations, to smart card (PIV) authentication for computer login.

On Wednesday afternoon, Jerrod Chong, VP of Solutions, will take the stage to deliver his presentation, “Think All MFA is the Same? Think Again.”

Wednesday, July 26 | 12:30pm – 1:20pm
Think All MFA is the Same? Think Again
Location: Oceanside F, Level 2

Authentication’s evolution is unfolding as newer protocols and multi-function hardware-backed keys offer fortified security compared to today’s weak and vulnerable credentials. These enhanced capabilities are designed to defend enterprises and individuals against advanced phishing techniques, and protect privacy by delivering public key crypto in the form of FIDO’s Universal 2nd Factor (U2F) protocol and next-gen smart card functionalities. Jerrod Chong, Yubico’s VP of Solutions, will discuss the advantages of hardware-backed keys using several MFA capabilities on a single device to address today’s advanced credential thefts.

If you are attending Black Hat, we’d love to meet you. Stop by Booth #572 and grab a seat during Jerrod’s presentation! To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, click here.

David Maples

Flexible Modern Authentication with the Multi-Protocol YubiKey

Most organizations work with multiple services and applications, and thus different authentication protocols, to meet all their security needs. Oftentimes, the protocol is predetermined by the application or service provider. However, in other cases, a business or systems integrator has some flexibility on which integration approach or third party to use. When it comes to authentication choices, there is typically no such thing as a silver bullet. The YubiKey was designed with this in mind to support multiple methods for authentication, enabling users and integrators to utilize the best method for each solution.

YubiKeys support multiple authentication protocols, spanning One-Time Passwords (OTP), CCID (smart card), and Universal 2nd Factor (U2F). Each protocol is supported by different services and apps, so the YubiKey works much like a toolbox, letting the user select the correct tool for the task at hand.

OTP covers protocols where a single-use code is entered to provide authentication. These protocols tend to be older and more widely supported in legacy applications. The YubiKey communicates over the USB HID keyboard interface, sending the code as a series of keystrokes. This means OTP protocols work across all OS/environments that support USB keyboards, and with any app that can accept keyboard input. Common services that use OTPs are network devices such as VPNs and local login services, as OTP support tends to be the most straightforward to integrate.

CCID, the USB smart card interface, is another protocol the YubiKey supports. The YubiKey identifies itself as a smart card reader with a smart card inserted, so it works with the common smart card stacks: Windows has native support, Linux has the OpenSC project, and macOS supports smart cards natively on Sierra (10.12) and later. Three different applets can be used simultaneously over CCID: PIV, as defined by the NIST standard, for authentication; OpenPGP for encryption, decryption, and signing; and OATH (TOTP/HOTP) for client apps such as Yubico Authenticator. The open nature of these smart card protocols makes them ideal for integrating with existing environments such as Windows authentication, Active Directory Federation Services, SSH, and OpenPGP, and services derived from them.

FIDO U2F is the newest protocol supported by the YubiKey. Developed by Yubico and Google, the U2F protocol provides strong authentication without requiring a complex backend or framework to support it. Turning traditional authentication on its head, FIDO U2F makes the authentication device (like the YubiKey) the authentication provider. It issues unique keys to the services it is authenticating against, ensures each service does not have any information about the others, and removes the need for a central authentication service. With FIDO 2.0, the specification is growing to meet evolving industry needs, while ensuring that the previous generation is not rendered obsolete. The security built into the U2F protocol makes it ideal for web applications or customer-facing apps, which may be exposed to attacks on the information in transit between the user client and server.

Each protocol has strengths and weaknesses, restricting the situations where each one is most effective. However, the YubiKey resolves this limitation by supporting all of the different protocols on a single device, all at the same time. Like a carpenter using the right tool in his toolbox for the job at hand, users and integrators are able to secure their applications and services with the YubiKey using the appropriate protocol for each environment.

To learn more about the protocols supported by the YubiKey, please refer to our Developer site.

Photo of Stina with Female Executive of the Year award
Yubico Team

Yubico CEO Wins ‘Female Executive of the Year’ Award

June has been a busy and exciting month for us here at Yubico. We have been on the road speaking and exhibiting at multiple conferences, were named ‘Best Multifactor Solution’ by SC Magazine Awards Europe, and revealed two new integrations for our YubiKeys. And we’re not done yet!

Yesterday, Yubico CEO and founder Stina Ehrensvard was named Female Executive of the Year by the Women World Awards. This category honors women executives worldwide from all types of organizations and industries. Nominees were evaluated based on important and notable accomplishments within the past 12 months, as well as organizational impact.

“These achievements are not my own,” said Stina. “I could not have brought the company to where it is without the amazing team we have on board. I am proud to lead such an incredible, bright, and committed group of people; and in moments like this, I consider these accomplishments to be for all of us.”

Indeed, we are all honored to receive such an award. Stina’s thoughtful and strategic leadership has been paramount to the company’s success, leading us to a $30M investment and company expansion across four continents. With her direction, Yubico secures 9 of the top 10 internet companies and millions of users in 160 countries.

“I didn’t start this company to make money,” said Stina. “I started it to make a secure internet accessible for everyone.” Yubico is driven by passion, and we’ve felt it every step of the way!

To hear more, listen to Stina talk about her entrepreneurial journey with Yubico.

NIST Special Publication 800-63.3
Jerrod Chong

NIST publishes new authentication standards, FIDO U2F achieves AAL3

After a year of review, the National Institute of Standards and Technology (NIST) today released Revision 3 of its digital identity guidelines, outlining a number of updates that play to the multi-protocol functionality of the YubiKey.

NIST Special Publication 800-63 Revision 3 covers guidelines on identity proofing and authentication of users, such as employees, contractors, private individuals, and commercial entities, working with government IT systems over open networks. These guidelines are used as part of the risk assessment and implementation of federal agencies’ digital services.

Three notable changes outlined in the document are the separation of identity assurance from authenticator assurance, the deprecation of short message service (SMS) as one-time password (OTP) authentication, and the recognition of technologies like FIDO U2F within the highest level — Authenticator Assurance Level 3 (AAL3).

The first major change we want to highlight is the decoupling of user identity assurance from the strength of the authentication method used. This enables organizations to make quantifiable security improvements by offering alternative feature-compatible devices that act like a smart card, or providing FIDO authentication for all users. The previous model had the unintended consequence of lowering the authentication security for users where the identity proofing was not needed at Identity Assurance Level 3 (IAL3). In this new model (see table 6-2 Acceptable Combinations of IAL and AAL in section 6.4), a higher Authenticator Assurance Level can be paired with a lower Identity Assurance Level to meet an acceptable combination.

Another change worth noting is NIST’s updated framework for quantifying authenticator security, particularly its guidance on using SMS as a form of OTP authentication. In July 2016, NIST published a blog post deprecating the delivery of an OTP over SMS. That position is carried into the updated classification of authenticators, which confines OTP to lower-assurance use. The YubiKey’s OTP capabilities are not out-of-band authenticators and so do not fall under NIST’s deprecation of SMS OTP.

Lastly, the guidelines recognize technologies like FIDO U2F at AAL3. This opens the door for FIDO U2F and classifies the protocol as a strong credential option, as it meets government guidelines for asymmetric, public-key (PK) cryptography for authentication. With FIDO U2F’s ease of use and quick deployments, the number of services implementing FIDO U2F integrations is steadily growing. Federal agencies now have more options to deploy strong authentication for cloud applications.

The YubiKey meets all these tenets in its versatility and flexibility as a multi-protocol authentication device that combines three of the permitted authenticator types in one physical device.

Single-factor OTP device = OTP

  • The YubiKey spans various OTP capabilities, including Yubico OTP, HOTP, TOTP, and communicates via the HID keyboard interface, allowing the OTP protocol to work across all OS/Environments that support USB keyboards

Single-factor cryptographic device = FIDO U2F

  • Developed by Yubico and Google, FIDO U2F is the newest protocol supported by the YubiKey. This protocol allows the YubiKey to work securely and instantly with hundreds of applications, and with no secrets shared across separate services

Multi-factor cryptographic device = Smart card / PIV-compatible / OpenPGP

  • The YubiKey identifies itself as a smart card reader with a smart card plugged in, and will work with most common smart card drivers.

“While the guidelines themselves are final, we strongly believe that work on this document isn’t truly complete until, like open standards, it has been implemented to tease out bugs and complexities,” said Paul Grassi, one of the 800-63 authors, in a blog post. “Our ability to predict and respond to changes in the market and technology needs to match the speed of innovation, as well as threats.” He added, “Over time, NIST wants the [guidelines] to be adaptive to innovations in the market so anyone, public or private, can better serve their users.”

We celebrate this historic release of NIST SP 800-63-3, as it ushers in a bright future for the YubiKey, FIDO U2F, and federal agencies here in the US and abroad. With this latest revision, the overwhelming response of over 1,400 contributor submissions from within and outside the US validates NIST SP 800-63-3 as a leading resource for global digital identity.

Microsoft demoing FIDO 2 at CIS 2017
Jerrod Chong

Future of FIDO Authentication demonstrated by Microsoft at CIS

Microsoft unveiled a major FIDO milestone today at the Cloud Identity Summit (CIS) by demonstrating an early implementation of a FIDO 2-based passwordless login on a Microsoft Windows 10 computer through Azure Active Directory (AAD) using a YubiKey.  

For the demonstrated login flow, the user inserted and touched the YubiKey, using AAD to instantly authenticate the user, while simultaneously signing into the Windows environment, and allowing access to all integrated business applications. All of this done without the need to type in a username/password.

Under the covers, the login relied on the forthcoming FIDO 2 Client to Authenticator Protocol (CTAP), which will ramp up the YubiKey’s value on the Microsoft platform. While this was a demo of future functionality, YubiKey users can look forward to native support in the Windows 10 OS environment. This is a massive leap forward in the global adoption of FIDO open standards, and a future integration into one of the world’s largest computer operating systems.

Alex Simons, Microsoft’s Director of Product Management for Microsoft Identity Division, and Nitika Gupta, Product Manager for Microsoft Identity Security and Services, delivered the demonstration during the keynote “Open standards: The key to a world of secure clouds & secure devices”. This keynote provided insight into the increasingly critical role of open standards for the future of identity.  

While there is no immediate date on availability, stop by booth #425 at CIS and talk to us about this game changing demonstration. To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Blog crown for Yubico at CIS 2017 featuring the Chicago skyline and a YubiKey
Yubico Team

Yubico at CIS: FIDO, Mobile, ID Proofing. We’ll cover it all!

Today kicks off the annual Cloud Identity Summit (CIS) at the Sheraton Grand Chicago, where the brightest minds across the identity and security industry convene to discuss intelligent identity. Yubico will exhibit at the event (Booth #425) and contribute to several speaking sessions regarding FIDO, Federation, ID Proofing, Intelligent Identity, and Mobile SSO. Below are sessions we find particularly interesting.  

We kick off CIS on Monday (June 19) with Derek Hanson, Director of Solutions Architecture and Standards at Yubico, taking part in the FIDO Workshop from 9am-12pm CT, in the Sheraton Ballroom II. At 10:50am, Derek will deliver a case study on FIDO, Federation, and Facebook social login. Websites can eliminate account takeover through phishing by leveraging U2F-supported Facebook social login, which is easy to implement and already in wide global use.

On Tuesday (June 20), in the ‘New Move in Authentication’ track, Jerrod Chong, VP of Solutions Engineering at Yubico, will deliver a presentation on FIDO, Federation, and ID Proofing. You can attend this session in the Sheraton Ballroom III from 2:30-2:55 pm CT. Jerrod will discuss how identity proofing and strong authentication are often at odds when it comes to privacy — and that it doesn’t need to be that way. Diving deeper, he will provide a look at how three building blocks can work together to create a robust identity ecosystem. The solution is a three-fold component-based architecture for remote identity proofing to create a privacy-preserving credential, an identity proofing engine using OpenID Connect, and strong authentication using FIDO protocols.

David Treece, Senior Solutions Architect at Yubico, will participate in a separate panel discussion on Tuesday. David will speak on the ‘Intelligent Identity Architecture’ panel from 4:20-5:20 pm CT in the Sheraton Ballroom 1. With the dynamically changing nature of business and ever-increasing security risk, identity access management (IAM) systems struggle to keep up. IAM systems are complex, inflexible, and difficult to change. Instead, these systems need to be intelligent enough to understand context and new entities, interpret risk, and deliver a simple user experience. This panel will reveal — from the trenches — how to move an IAM program forward to implement intelligent capabilities while dealing with the realities of budgets, existing infrastructure, and competing priorities.

With all of the fantastic upcoming content at CIS, we also want to highlight the following sessions, which we are excited to be part of:

Monday – June 19

  • 10:35 AM – 11:15 AM Workshop: NCCoE mobile application single sign on for public safety and first responders
    Location: Sheraton Ballroom I
  • 5:25 PM – 5:50 PM Panel: Mobile – who do you trust?
    Location: Michigan

Wednesday – June 21

  • 8:15 AM – 8:45 AM Keynote: Open standards: The key to a world of secure clouds & secure devices!
    Location: Ballroom

Thursday – June 22

  • 11:15 AM – 11:40 AM Panel: The mobile identity user experience
    Location: Chicago Ballroom VIII

If you are attending CIS, come see us at some of our sessions, and stop by booth #425 to explore all that the YubiKey has to offer.  

To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Keeper login screen with a YubiKey in a Microsoft Surface.
Yubico Team

Find us this week at the Gartner and AFCEA events in Maryland!

We have a busy week ahead! Come watch us show off our award-winning YubiKeys at two Maryland events: Gartner Security & Risk Management Summit (National Harbor) on June 12 to 15 and AFCEA’s Defensive Cyber Operations Symposium (Baltimore Convention Center) on June 13 to 15.  

New U2F integration with Keeper Security

We are excited to showcase our latest FIDO Universal 2nd Factor (U2F) integration with password manager and secure digital vault Keeper Security. As part of Keeper’s core offering, U2F and YubiKey support is immediately available as a new, free feature to its 11 million individual users and enterprise accounts. With our mission to make the internet secure for everyone, we couldn’t be more thrilled that Keeper now delivers the highest level of security with FIDO U2F and YubiKey two-factor authentication (2FA) to their customers.

“More than 81% of data breaches are due to weak or poor password management,” said Darren Guccione, CEO and co-founder of Keeper Security, Inc. “Our highest priority is to protect our customers from cyber theft, and this integration of YubiKeys will drastically reduce the impact of a stolen or leaked password.”

Experience the 2FA power of YubiKeys

In addition to demoing our YubiKeys for Keeper sign-on at both events, we will feature some of our top U2F integrations with Google, Dropbox, and Facebook, support for leading identity access management platforms (IAMs), as well as PIV smart card functionality. We will also present other capabilities to showcase the ease-of-use and simplicity of one-touch secure login with YubiKey.

If you are attending these shows, please stop by Booth #744 at the Gartner Security & Risk Management Summit and Booth #566 at AFCEA’s Defensive Cyber Operations Symposium, and discover why our YubiKey 4 Series was recognized as SC Awards’ ‘Best Multifactor Solution’.

To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Global map showing Yubico
Stina Ehrensvard

Yubico scales up with new investors, expands across four continents

Today, I am happy to announce that new investors are joining Yubico’s mission to create a safer internet for everyone by securing all logins and secrets on servers.

$30M in combined new and secondary shares has been invested in the company. Our new investors include NEA, one of the largest and most active global venture capital firms, leading Swedish growth equity firm Bure, and young Silicon Valley-based venture capitalist The Valley Fund.

Today, half of the privately held company is owned by the Yubico founders and team members, and the remaining shares are evenly split across US and Swedish investors. Existing investors include renowned Silicon Valley entrepreneurs Marc Benioff, CEO of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member. All Yubico shareholders enjoy common shares and a democratic shareholder agreement. The combined total assets for all investors in Yubico exceeds $30 billion.

Since our start in Sweden in 2007 with modest funds of $4.5M from angel investors, we have grown organically into a global security leader with four consecutive years of profit. YubiKeys are the authenticator of choice for thousands of business customers and millions of users in 160 countries. As the Yubico team continues to grow, we take great pride in being a multinational and multicultural company. We are now established in four continents with employees in the US, Sweden, Germany, UK, Australia, and Singapore.

“With nine of the top ten internet companies as YubiKey users, Yubico has built a strong foundation as an innovator of new global authentication standards,” said Pete Sonsini, General Partner, NEA. “In a time when software does not offer sufficient protection for online accounts and sensitive data on servers, Yubico’s hardware backed keys are proven at scale.”

Funds from new investments will be used to expand the Yubico hardware platform beyond authentication to more advanced software, services, and use cases, including IoT and server encryption.

SC Awards Europe 2017 Winner blog crown
Yubico Team

We Won! YubiKey 4 Series Recognized as SC Awards ‘Best Multifactor Solution’

Today, at InfoSecurity Europe in London, Yubico graciously received the SC Awards Europe 2017 Excellence Award for Best Multifactor Solution. The YubiKey 4 won in the category of Threat Solutions.

“As a contender among four other established and well regarded authentication technologies, the recognition of our YubiKey 4 Series is a great honor,” said Stina Ehrensvard, CEO and Founder, Yubico.

“We’ve worked hard to create one simple, cost-effective hardware technology that affords enterprises secure access to computers, networks, and online platforms. The YubiKey 4 Series was put in front of a wide range of security experts, and received a resounding stamp of approval; we are extremely grateful. This is a true testament to the value, market share, and high-level security that the YubiKey provides.”

Yubico accepts the SC Awards Europe 2017 Excellence Award for Best Multifactor Solution at InfoSecurity Europe in London

Every year, some of Europe’s most elite security leaders — hailing from private and public sectors, academia, end-user companies, consulting communities, and analyst firms — gather to evaluate hundreds of SC Magazine Europe Award nominations. This panel of judges decides which products, professionals, and services best enhance various aspects of enterprise security. The Multifactor Solution category acknowledges products that provide enhanced security to end users by offering credentials for access to an authenticator or authentication server. Not only are judges advised to review the submission materials, but they are also asked to consider additional information such as analyst reports and/or product reviews.

The YubiKey 4 Series comes in three different form factors, all supporting the same multiple authentication protocols, to meet the needs of every enterprise and individual. To learn more about the award-winning YubiKey 4 Series, read more here. To see YubiKeys in action, come meet us at InfoSecurity Europe at stand #M110.

Image: How millions of accounts can eliminate phishing blog crown
Alex Yakubov

How Millions of Websites Can Eliminate Account Takeover from Phishing

Creating accounts online just got a whole lot easier. Now anyone can log in to or register a new account using their existing credentials from social networking services, such as Facebook and Google. With social logins, users won’t have to rack their brain for another password, saving time and securely authenticating their identity.

Websites that use social login move the responsibility of maintaining cutting-edge data security, identity protection, and login support away from themselves and onto the infrastructures of social networking sites. During the second quarter of 2016, research revealed that 53.1% of social logins went through a Facebook account, with Google accounts pulling 44.8%.

Facebook and Google are among thousands of online services that support FIDO Universal 2nd Factor (U2F). U2F protects against well-known attacks, such as phishing and man-in-the-middle, and other online threats on the horizon. Additionally, all websites supporting U2F work seamlessly with the two-factor authentication (2FA) provided by YubiKeys.

SMS is another commonly used 2FA option, but it is susceptible to both man-in-the-middle and phishing attacks (which we saw in the recent SS7 protocol SMS hack). This is validated by the National Institute of Standards and Technology (NIST), which no longer recommends SMS for 2FA, as highlighted in section 5.1.3.2 in the latest draft of its Digital Authentication Guidelines.

Other websites use push notification-based applications as a second step in the login process. However, much like SMS, push apps do not typically prevent phishing or man-in-the-middle attacks. These can even mislead the freshly phished user into believing that they accessed a legitimate site because they receive the confirmation push message at the same instant that the attacker attempts to log in using their credentials. Most websites also limit the overall effectiveness of 2FA by keeping SMS and/or One-Time Password (OTP) enabled for usability and account recovery. For an in-depth look at credential abuse mitigations, read our Internet Credential Theft white paper here.

So why is social login with U2F and hardware security keys better? Even if an attacker has a user’s password, the attacker won’t be able to access the account. U2F is based on public-key cryptography: when a YubiKey is registered with a U2F service like Google or Facebook, it creates a unique asymmetric key pair with each website. The private key resides on the YubiKey, and the public key on the service.

Think of it as a handshake. When the YubiKey is touched, it signs the service’s challenge with the private key held for that site, and the service checks the signature against the public key it stored at registration; only the registered YubiKey can produce a valid signature, so only it will be granted access. There is no need to re-register the YubiKey. U2F also protects privacy because it was designed to be anonymous: a separate key pair is created for every service, and no personal data or secrets are shared among service providers, making it impossible to track a user across multiple web sites. That’s it – using the same YubiKey, users get simple and highly secure access to an unlimited number of websites.

Let’s walk through a typical login flow with a U2F- and YubiKey-protected account using Spotify with Facebook social login as an example.

Spotify-social-login

Upon entering a Facebook username and password, the user is prompted to touch their registered YubiKey to authenticate their identity. Just like that, the user is logged in.

Social-login-2fa-security-key

This provides not only a best-in-class authentication experience (all the user has to do is touch the button), but also the peace of mind knowing that the YubiKey ensures user accounts are accessed only by the users themselves.

Now, millions of online stores, games, and applications around the world can eliminate account takeover through phishing by leveraging social login. As more websites and online services do this, our vision of having one device to secure all your online accounts is quickly becoming a reality. To learn more about how to implement social login to websites completely free of charge, visit Google and Facebook for their instructions and code.

Woman
Yubico Team

10 Easy Ways to Protect Your Identity Online

This week, the Oslo Freedom Forum is hosting its ninth annual conference, bringing together a global community of activists, tech entrepreneurs, and thought leaders sharing the vision of a freer and safer world, including the Internet.

Yubico was invited to the event to share how you can use YubiKeys and FIDO U2F (Universal 2nd Factor) to protect your online identity. We have compiled a list of actions, in addition to strong two-factor authentication, that you can take to ensure your identity stays safe online with the highest level of privacy.

1. Properly manage your passwords

Usernames and passwords are the first line of defense to accessing your personal information online. As such, it’s important to be as diligent as possible in creating the strongest passwords and securely managing these passwords.

  • Ideally, strong passwords should be randomly generated. At a minimum, avoid using information about yourself or your friends and family, such as birthdays, sports teams, pet names, etc.
  • Never reuse passwords between sites. Yes, this means that you will need a different password for each account you have. According to a report, the average person has 90 online accounts, so that’s a lot of passwords to remember!
  • To help with this process, we recommend using a password manager to generate passwords and store them securely for you.
  • Once your password manager is set, make sure you protect it with two-factor authentication, like a security key, to make it even more secure. Examples of password managers are KeePass, LastPass, and Dashlane, all of which offer two-factor authentication. Additionally, Dashlane supports U2F.

2. When possible, use two-factor authentication

Having the strongest usernames and passwords isn’t a failsafe method. If they are compromised, a hacker can easily access your accounts. To prevent this, always enable two-factor authentication and ensure that another form of identity is required to access your account.

Hardware security keys based on U2F are the most secure form of two-factor authentication and are always recommended when available. Many common services support these keys, such as Dashlane, Google, Facebook, and Dropbox.

If you are not able to secure your account with a security key or a YubiKey, we recommend that you use another method, such as an authenticator application like Google Authenticator.

Whatever you do, do not enable SMS codes as your second form of authentication. NIST recently declared them highly ineffective. While some services require using SMS to initially set up 2FA, you can choose to disable SMS after setting up other factors, such as security keys.

3. Always update! 

Most software systems have built-in security functionality to help catch and prevent attacks before they happen. They often enhance these features over time.

To ensure you have the latest and greatest security across all technologies, always update:

  • Computer and phone operating system software
  • Any anti-virus programs
  • Mobile apps
  • Web browsers

4. Verify email validity before clicking on a link or downloading an attachment

Phishing/malicious emails can often look like credible emails, and may even come from one of your known contacts. To ensure it’s legitimate, ask yourself the following:

  • Do you recognize the email address?
    Phishing emails can come from an unknown address, in which case you should never open them, or from a known contact. If it’s coming from a known contact, check whether the email address is an exact match. If so, proceed to verify the rest of the email, as an exact address match alone does not make it safe.
  • Are there spelling errors in the email?
    Hackers can purposefully include spelling errors to make the email appear more human and evade spam detectors.
  • Does the link or attachment make sense?
    Is there a reason why this contact would be sending you this email? Does it make sense based on the context of your discussions and/or relationship? When in doubt, pick up the phone to ask.

5. Check the plugins and addons connected to your email inbox

Each email platform has an option to view what third-party services and applications have access to your account. If you notice an application you have not authorized, immediately remove the permission for its access. You should also remove authorization for applications that you are no longer using.

6. Check for HTTPS security on any website you enter

HTTPS indicates that your connection to the web page is encrypted and that the site’s identity has been verified by a certificate. If you are not on a web page secured with HTTPS, it is best not to enter any sensitive information on that site.

HTTPS can easily be identified in the URL bar of your browser: the URL itself will begin with https://. The bar will also display a small green lock that says “secure” next to it.

7. Utilize browser extensions to help protect your online activity

Browser extensions help you access the best parts of the internet without having to worry about your safety and security. With today’s sophisticated technology, it’s easy for third parties to track your online activity and access your information. It’s even easier for you to suddenly find yourself on an unsafe domain. Simply put, these add-ons will do the thinking for you, and will help keep people out of your business and keep you away from unsafe territory.

A few tools we recommend include:

  • Privacy badger
    This extension prevents tracking and cookies, so your data and browsing history are kept safe from unwanted advertisers and other third-parties.
  • Adblock Plus
    This extension will block banner ads, pop-up ads, rollover ads, and more. It stops you from visiting known malware-hosting domains, and also disables third-party tracking cookies and scripts.
  • HTTPS Everywhere
    This add-on forces your browser to access sites over HTTPS whenever they support it.
  • Panopticlick
    If you’re unsure how safe your browser is, you can test it here.

8. Don’t divulge sensitive information

Any additional piece of PII (personally identifiable information) can make a hacker’s job easier.

This is more of a concern in the day and age of social media. If you wouldn’t want a stranger having access to a piece of information about you (phone number, address), don’t put this on your public profiles (Twitter, LinkedIn, Facebook, WordPress blogs, personal websites, etc).

If possible, update your privacy settings to only allow friends and family access to your profile. Frequently revisit these settings as well to ensure nothing was disabled.

9. Be cautious of public Wi-Fi

Public Wi-Fi doesn’t qualify as a secure network, and therefore, gives hackers a greater advantage at stealing information or pushing malicious attacks.

If you must use public Wi-Fi, stick to sites that don’t deal with sensitive information. In other words, don’t maintain your bank account or anything of this nature on public Wi-Fi.

When possible, always avoid public Wi-Fi and use other solutions such as a secured personal hotspot or VPN solution. A VPN will make it difficult for third-parties to determine your identity or location. There are many free options available.

10. Stay informed!

Most major data breaches are covered in the news, so this is often a good place to keep a pulse on any attacks that could have compromised your personal information.

If you think you’re a target or have already been compromised, start by changing all of your passwords. Then, go through this list to ensure you have all the necessary security measures in place.

YK4 with 5 star review on Amazon Prime
Yubico Team

Ready, Set, Earn: Become a Yubico Affiliate through Amazon

We have great news for Yubico ambassadors! We’ve found a program that carries on the values of our now-retired Yubico Affiliate Program while empowering affiliates to profit from products they choose to advocate.

Amazon’s widely successful Amazon Associates program is booming for a reason. The program gives everyone a chance to earn up to 10% commission on completed orders of qualifying products by promoting the items online. With YubiKeys in the product roster, you can earn extra cash and help raise awareness on account protection at the same time. How awesome is that?

Another great thing about this program is that you will earn commission on a shopper’s entire order on Amazon. If a shopper completes a purchase with a YubiKey plus any other qualifying product, you’ll earn commission on all of those items.

All you need to do now is sign up for the Amazon Associates program then share a link to the YubiKeys’ product pages with your audience on your website, blog, or social media accounts. Signing up is free and easy to do.

We’re moving closer towards our vision of making the internet a safer space for everyone across the globe. Now you can help us make that a reality by simply posting a link. For more information about the Amazon Associates program, visit this page. For updates on special promotions or Yubico product launches on Amazon, subscribe here.

If you are interested in collaborating with Yubico as an official reseller, please reach out to our team at yubi.co/sales.

Crown image with Star Wars fan fiction blog title
Yubico Team

Episode Y: The Rise of 2FA

The security revolution has begun. In a final act of resistance against the dark might of the enemy, the brave heroes have deployed their ultimate weapon, a powerful layer of defense beyond the strength of the password known as 2FA, to a vast group of web sites throughout the universe.

As 2FA spreads, a group of security jedis have used the 4C to establish an impenetrable shield around their users’ accounts. The effort has brought forth a great victory, with users avoiding data breaches, identity threats, and phishing attacks.

Meanwhile on the remote planet Wilhacku, the YubiKey fleet, led by Lieutenant Stinasvard, has fought bravely against evil malware droids, successfully destroying the last of the Empire’s hacker army.

With the Empire defeated, peace has finally been restored across the galaxy. Billions of websites can now harness the power of 2FA, and under its protection, people are trusting the internet once again.

We at Yubico are HUGE fans of Star Wars. To celebrate May 4th, we have fun Star Wars-themed social posts coming your way on Twitter, Facebook, Instagram, and LinkedIn. Stay tuned, and May the 4th be with you!

OLD YubiKey 4C body
Jeff Wallace

Leave Nothing to Chance: Have a Backup and Recovery Plan

A backup and recovery process is an indispensable component of every security solutions strategy, and is something to think carefully about as you develop a plan to integrate YubiKeys into yours. Having a proper backup and recovery process keeps employees productive without them having to worry about losing their YubiKey or losing access to systems and accounts. More importantly, your backup and recovery process must be secure and should not diminish the overall security in place. Remember, your security is only as good as its weakest link.

The most secure plan is for each user to have two YubiKeys. Establishing a backup YubiKey ensures that the user can effortlessly access all of their accounts if they accidentally misplace their primary YubiKey. We strongly recommend this approach to all customers as a general best practice, as it guarantees that all users have a recovery solution easily accessible to them at any time. Having a backup YubiKey gives users peace of mind and eliminates the need for them to go through complicated, time-consuming processes to access their accounts. While other backup and recovery options are available, they come with a variety of pros and cons.

Other Backup and Recovery Options

One such alternative is having a Service Desk team issue a secondary temporary key on demand. This is the next best approach to having a backup YubiKey for all users, as it supplies a physical device registered with the same authentication system to the user at the time of need. With the YubiKey at its core, this approach removes many areas of risk that come with alternate solutions, and can serve as an extension of the two YubiKey approach if a user loses both keys. However, this option requires additional time, processes, and personnel, as the Service Desk must always be open to the user should they have an immediate need for a key.

Another popular backup alternative is having a mobile authenticator. Using an app like Google Authenticator provides a valid backup method by issuing a temporary passcode to users. However, mobile authenticators are often based on older technology, and do not provide the same protection that the YubiKey delivers, as the secrets used to generate the passcodes can be deciphered if enough codes are intercepted. Should you decide to use a mobile authenticator as a backup option, we encourage you to use it sparingly to avoid the risk of security breaches.

Beyond these, you can establish other backup methods, but they will not be as secure or as stable as a multi-key approach. SMS and email, for example, are the least secure backup and recovery methods, as they are susceptible to man-in-the-middle and phishing attacks. In fact, section 5.1.3.2 of the NIST 800-63-3 guidelines, which will soon be published, recommends deprecating SMS due to security limitations. Additionally, a phone can run out of battery, be lost, stolen or broken, get infected by malware, or have its storage retrieved by a connected computer. Conversely, the YubiKey is not vulnerable to most of these concerns.

While we understand that cost plays a key role in restricting organizations’ options for secure backup and recovery solutions, we do not recommend processes that could allow remote access to a corporate resource or introduce social engineering risk, reducing the initial security that our YubiKey solution was designed to protect against. Security always comes first! This is precisely why we urge all customers to consider using the two YubiKey approach as a best practice.

YubiHSM 2 inserted into server
Yubico Team

YubiHSM 2 open beta launched!

With IT security breaches becoming a staple in daily news reports, organizations big and small alike need to ramp up their defense. More than 95% of all IT breaches happen when a user credential or server gets hacked. While the YubiKey protects user accounts from remote hijacking, millions of servers storing sensitive data still lack physical security.

Hardware security modules (HSMs) offer physical protection for servers, but have historically been limited by their cost, size, and performance. The YubiHSM 2 breaks that mold with its extensive range of use cases. Applications include protecting data centers, cloud server infrastructures, manufacturing and industrial products and services, and many more.

The YubiHSM 2 delivers practical security to a wide variety of server environments with unrivaled affordability, convenience, and ultra-portability (it sits inside a USB-A port!). Moving beyond the features of the first generation YubiHSM, the YubiHSM 2 adds asymmetric cryptography and more to its list of capabilities.

After holding a successful closed beta for YubiHSM 2, we were thrilled to see great feedback from our participants, which include the world’s leading online services, software companies, and research institutions. Today, we are excited to announce that we are running an open beta for the YubiHSM 2, and we invite everyone to apply for a slot (spaces are limited)!

Learn more about the YubiHSM 2 or submit your application to participate in the open beta here. We look forward to hearing your feedback!

User authenticates to Facebook using YubiKey NEO with their mobile device
Yubico Team

Tour d’Europe: Identity, Mobile, and YubiKey NEO

Mobile World Congress 2017

Image Credit: GSMA

Today, Yubico joins the FIDO Alliance and thousands of people from around the globe in Barcelona for the GSMA’s Mobile World Congress (MWC) 2017. Find us at the FIDO Pavilion 2UP.40 #4!

No one can deny it. User acquisition is king! To acquire users as quickly and cheaply as possible, mobile app and online service providers frequently sacrifice strong authentication security in favor of fast and easy access. With YubiKey NEO and FIDO U2F, businesses needn't compromise. No longer must developers complicate mobile login or frustrate users in order to protect customers, because security based on FIDO U2F changes the game.

YubiKey NEO

YubiKey NEO with Android Smartphone

YubiKey NEO (US $50) is an innovative USB device featuring NFC (near-field communication, a wireless communication method). With a tap of their YubiKey NEO to an NFC-enabled Android device, users can quickly and easily authenticate themselves to supported services. YubiKey NEO gives mobile online security a better user experience while providing stronger security and reducing risks. Stop by the FIDO Pavilion, 2UP.40 #4 at MWC 2017, to see a demo and chat with a Yubico security expert.

Next week, find us in London at the Gartner Identity and Access Management Summit EMEA 2017 at booth S14 (6-7 March). Then, follow us to Disneyland® Paris for the IT Partners fair (7-8 March). Visit our booth to see how YubiKeys can help you and your customers reduce risks, increase employee productivity, and unlock additional revenue potential.

You can buy a YubiKey NEO from our web store, on Amazon, or through any authorized reseller.

RSA 2017
Yubico Team

Yubico at RSA 2017 – Our Hardware Beats Your Malware

It’s that time of year again! We’re heading back to the RSA Conference in San Francisco to show off our latest and greatest at booth #N4421.

Keeping online data, accounts, and identities protected is a challenge, and it’s abundantly clear that usernames and passwords are the weakest defense. Daily breaches, hacks, and evolving phishing techniques have taught us that two-factor authentication (2FA) is no longer a nice-to-have, but a must-have if you’re taking security seriously. The elegance of the YubiKey is in its ease of use and security, which adds a physical defense to your accounts that is activated with a simple touch to authenticate.

At the RSA Conference, we are launching a new YubiKey design (which is a top user request). We’re also demonstrating a massive FIDO U2F implementation that expands the reach of the YubiKey far beyond organizations and enterprises and into the global mass of social media.

USB-A and USB-C ports

Illustration: USB-A and USB-C

Available for purchase today*, the YubiKey 4C is the world’s first multi-protocol USB-C authentication device. The YubiKey 4C contains the same proven firmware and functionality as the YubiKey 4. The YubiKey 4 family, which is now comprised of the original YubiKey 4, the YubiKey 4 Nano, and YubiKey 4C, all perform FIDO U2F, Yubico OTP, OATH, OpenPGP (up to RSA 4096), as well as PIV smart card (up to RSA 2048 and up to ECC P384). The YubiKey 4C is perfect for new laptops, such as the MacBook Pro and HP Spectre, which feature only USB-C ports.

Recently Facebook announced support for FIDO U2F and YubiKey security keys to its 1.8 billion users. Facebook now joins dozens of other online services that have integrated U2F. We are demonstrating how a single YubiKey or FIDO U2F Security Key is used to secure the growing list of services supporting U2F, including Google, Dropbox, GitHub and many more. Whether with the YubiKey 4 (USB-A), YubiKey 4C (USB-C), YubiKey NEO (NFC), or FIDO U2F Security Key, Facebook business and personal users can now protect their accounts with unphishable 2FA.

If you are at the RSA Conference, there will be quite a few of us around and about – be on the lookout for the big Yubico logos and stop by our booth, #N4421. Say hi, ask us what’s new, and feel free to show us your YubiKey!


UPDATE (8:53AM PST)

YubiKey 4C - Sold Out! We feel the love! Due to high demand, YubiKey 4C is temporarily out of stock. Sign up to be notified when it is available again.

Image of Facebook Security Settings
Stina Ehrensvard

YubiKey & FIDO U2F Protect Facebook Users… Like!

Many say that if it didn’t happen on Facebook, then it didn’t really happen.

Well, today, a HUGE thumbs up has happened — Facebook has upgraded the login security for its 1.8 billion users by integrating the unphishable protection of the FIDO U2F Security Key into its social platform.

Simply put, this means that Facebook users, from individuals to the largest organizations, can have peace-of-mind knowing their account is safe with a simple touch of a Security Key, like the YubiKey. Picture it: you have a physical key to your car and home, and now you have a physical key protecting your Facebook. This also means all the services that you access with Facebook login are protected too. And the same Security Key can also be used for the growing list of services supporting U2F, including Google, Dropbox, and many more.

The need for two-factor authentication (logging in with something you have and something you know) grows daily as we hear about new breaches and hacked passwords. However, recent security threats have shown that mobile push apps and SMS do not offer enough protection against phishing and man-in-the-middle attacks.

If you currently have a U2F-enabled YubiKey and a Facebook account, you can go into your Facebook security settings and set it up now! You can buy a FIDO U2F Security Key or YubiKey here (or two, as we recommend having a backup). Once a U2F Security Key or YubiKey is registered and authenticated with your Facebook account, you will not need to use your key again to log in on that device until you clear your browser’s cache, because Facebook considers that device “trusted” for convenience. This means that if a hacker attempts to log in to your account from another device, they will be blocked unless they also have both your password and your physical Security Key.

With a Security Key, you can remove SMS as a second factor, which raises your security on all mobile devices. To achieve the strongest level of security for mobile, you can use a YubiKey NEO on Android phones with NFC.

“We’re excited to offer security keys as an additional option to make login to Facebook even more secure. We’re grateful to Yubico for the support and feedback they’ve provided,” said Brad Hill, Facebook Security Engineer.

Yubico and Google co-created U2F with the vision to scale easy-to-use, strong, public key cryptography for all internet users. Yubico developed the first FIDO U2F authenticator, published free and open source code for clients and servers, and we continue to drive this work within open standards organizations, including the FIDO Alliance, and W3C.

A study on internal and external Security Key usage by Google validates that U2F is one of the most secure, easy to use, and cost-efficient authentication technologies. And as users can have multiple affordable backup keys, support calls are greatly reduced compared to phone authenticators.

Historically, strong authentication has been tied to users’ real identities or a central service provider. During the U2F development work, Yubico’s CTO, Jakob Ehrensvard, introduced the concept of an authenticator that works across any number of services with no shared secrets. This allows users to be anonymous, and have multiple, yet secure identities. Today, U2F and YubiKeys are used to protect the privacy of individuals and organizations in 160 countries, including journalists and dissidents at risk.

In a time when security breaches have become a serious threat to our trust in the internet, FIDO U2F offers a secure link between the user and the services we connect to. It’s an open standard, not controlled by governments or corporations — but a simple way for users to take control over their own security and privacy.

Today’s support in Facebook is an important milestone for making the internet safer for everyone.

P.S. It was fun playing the bad guy in the short video above.

Yubico Founder and CEO plays hacker in Facebook video

Implementing FIDO U2F
Alex Yakubov

3 Top Things to Consider When Implementing FIDO U2F With Your Service

Now more than ever, security must be built into everything. By leveraging open standards, instead of building security protocols from the ground up, organizations can provide strong authentication faster than ever before.

We created the Universal 2nd Factor (U2F) protocol together with Google several years ago and offered it to the world for free, along with open source client and server libraries. After years of working with the majority of service providers that have added support for the U2F standard, we have learned a lot about what makes a successful implementation.

Here are 3 of the top things to consider when implementing FIDO U2F with your service:

1. Backup and Recovery

Just as your users often forget their passwords today, it is possible that the methods they use for two-factor authentication will not always be available. Phones run out of battery, can be lost, stolen, or broken. Hardware-backed keys, such as the YubiKey, and other tokens like RSA SecurID, can be left at home, lost, or stolen. We highly recommend encouraging users to register at least two FIDO U2F security keys for backup, as this is the most secure and affordable option available. Other methods, such as backup codes and email, have their weaknesses and usability challenges.

You need to provide a backup two-factor method, but bear in mind that security is never stronger than its weakest link. Some of the most commonly used backup options are still susceptible to man-in-the-middle and phishing attacks. SMS, for instance, is no longer recommended by the National Institute of Standards and Technology (NIST); see section 5.1.3.2 in the latest draft of its Digital Authentication Guidelines.

Providing flexibility for users to select various backup options will substantially reduce the need to perform a full account recovery, which often involves the user calling your customer service help desk. A new technique used by leading services is social recovery (asking a number of friends to authorize the recovery). We do not recommend email as a recovery method since it is common for the user seeking recovery to have lost or forgotten their email credentials as well.

2. Mobile User Experience

If your service is accessible on mobile devices, it is imperative that you take the mobile user experience into account.

Today, both Google and Dropbox services require verification codes as the second factor when accessing from a mobile device. Google will also generate a unique app password for each native application for account access. For example, Google sets a specific password for native apps such as Mail on an iPhone or Mac, or Outlook on a Windows PC when accessing Gmail.

Soon, services will be able to use two wireless transport methods, Near Field Communications (NFC) and Bluetooth Low Energy (BLE), for U2F authentication on mobile devices. Here are some considerations for each of them.

NFC - At this time, we are most confident in NFC as a secure, and reliable contactless U2F communication method. Android mobile devices featuring NFC will soon allow users to authenticate with a tap of an NFC-capable U2F security key as the second factor. However, for iOS devices, Apple only recently added NFC capabilities to their mobile platform but continues to restrict the NFC stack to their applications, such as Apple Pay. Therefore, external U2F authenticators will not work on all mobile devices over NFC.

BLE - For iOS, BLE is a transport option, but the user experience is not optimal. BLE-capable U2F security keys must be paired with each mobile device before registration can occur. This additional pairing process adds friction for users, and the pairing step itself becomes harder in high-density environments where there are many Bluetooth devices in a small area. BLE-capable security keys also require batteries, bringing with them the possibility of running out of power, as well as the shipping and handling regulations that apply to dangerous and hazardous goods.

Alternatively, the FIDO ecosystem is currently exploring using a U2F USB security key in conjunction with a mobile app for accessing services on mobile devices. This approach is similar to what is today deployed by several European online services, which combine smart card devices with mobile applications. For the highest level of security, some of these services require a user to first register a smart card device with the service from a computer before allowing the user to then download and use the mobile app. In this scenario, we recommend leveraging U2F device attestation to identify the kind of U2F authenticator during registration (hardware, software, certified, and so on), and implementing assurance policies.
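One way a relying party can act on the attestation recommendation above is to parse the raw U2F registration response, identify the attestation certificate it carries, and map that certificate to an assurance level before accepting the registration. The following is an added example, not Yubico's or the FIDO Alliance's code. It assumes the service pins the SHA-256 fingerprints of the vendor's batch attestation certificates in a policy table (a simplification; chain validation against the vendor's attestation root is the more general approach), and it assumes that the ECDSA attestation signature over the registration data has already been verified with a crypto library, since that step is out of scope here. The certificates, key handle and signature bytes in the sample responses are constructed placeholders, not real device output.

```python
"""Parse a raw FIDO U2F registration response and apply an attestation-based
assurance policy.  Added example (not Yubico's code); the pinned-fingerprint
table and the sample responses below are constructed for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Registration:
    user_public_key: bytes   # 65-byte uncompressed P-256 point (0x04 || X || Y)
    key_handle: bytes
    attestation_cert: bytes  # X.509 certificate, DER encoded
    signature: bytes         # ECDSA signature, DER encoded


def _der_sequence_size(buf: bytes, offset: int) -> int:
    """Total size (tag + length + value) of the DER SEQUENCE at buf[offset].
    Handles short-form and long-form (0x81..0x84) length encodings."""
    if buf[offset] != 0x30:
        raise ValueError("expected DER SEQUENCE tag")
    first = buf[offset + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    value_len = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return 2 + n + value_len


def parse_registration_response(resp: bytes) -> Registration:
    """Split the raw U2F registration response into its fields:
    0x05 | user public key (65) | key handle length (1) | key handle | cert | sig"""
    if len(resp) < 67 or resp[0] != 0x05:
        raise ValueError("bad reserved byte or truncated response")
    public_key = resp[1:66]
    if public_key[0] != 0x04:
        raise ValueError("user public key must be an uncompressed point")
    kh_end = 67 + resp[66]
    if kh_end > len(resp):
        raise ValueError("truncated key handle")
    if kh_end + 2 > len(resp):
        raise ValueError("missing attestation certificate")
    cert_end = kh_end + _der_sequence_size(resp, kh_end)
    if cert_end > len(resp):
        raise ValueError("truncated attestation certificate")
    signature = resp[cert_end:]
    if not signature:
        raise ValueError("missing signature")
    return Registration(public_key, resp[67:kh_end], resp[kh_end:cert_end], signature)


# Assurance ranks, lowest to highest.  "unknown" covers any certificate that is
# not in the pinned table; the service decides per action which rank it needs.
ASSURANCE_RANK = {"unknown": 0, "software": 1, "hardware": 2, "certified": 3}


def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def assurance_level(reg: Registration, pinned: Dict[str, str]) -> str:
    """Map the attestation certificate to an assurance label.  Verifying the
    attestation signature over the registration data with the certificate's
    public key is assumed to have been done already (needs an ECDSA library)."""
    return pinned.get(cert_fingerprint(reg.attestation_cert), "unknown")


def evaluate_registration(resp: bytes, pinned: Dict[str, str],
                          minimum: str) -> Tuple[bool, str]:
    """Return (accepted, level): accepted iff the authenticator's assurance
    level meets the minimum the service requires for this registration."""
    reg = parse_registration_response(resp)
    level = assurance_level(reg, pinned)
    return ASSURANCE_RANK[level] >= ASSURANCE_RANK[minimum], level


def build_sample_response(cert_der: bytes) -> bytes:
    """Constructed registration response: dummy public key, an 8-byte key
    handle, the given certificate, and a placeholder DER ECDSA signature."""
    public_key = b"\x04" + b"\x11" * 32 + b"\x22" * 32
    key_handle = b"handle01"
    signature = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # placeholder (r=1, s=2)
    return b"\x05" + public_key + bytes([len(key_handle)]) + key_handle + cert_der + signature


# Constructed stand-in for a vendor batch attestation certificate: a DER
# SEQUENCE with a long-form length (0x82) wrapping 256 filler bytes.
SAMPLE_BATCH_CERT = b"\x30\x82\x01\x00" + b"\xAA" * 256
# Constructed stand-in for a certificate the service has never seen.
SAMPLE_UNKNOWN_CERT = b"\x30\x10" + b"\xBB" * 16

# Constructed policy table: pinned batch-certificate fingerprint -> assurance.
PINNED_ATTESTATION = {cert_fingerprint(SAMPLE_BATCH_CERT): "hardware"}

if __name__ == "__main__":
    for cert in (SAMPLE_BATCH_CERT, SAMPLE_UNKNOWN_CERT):
        ok, level = evaluate_registration(build_sample_response(cert),
                                          PINNED_ATTESTATION, "hardware")
        print(f"level={level:<8} accepted={ok}")
```

Registrations whose certificate is not pinned land in the "unknown" bucket rather than being treated as software authenticators, so a service that requires "hardware" for a high-value action rejects them while a service that accepts any authenticator can still let them through with a lower minimum.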

3. Support

You are likely thinking about how the first two considerations will impact your support team. (If you are not, then you should be!) Case studies show dramatic decreases in support costs after implementing U2F security keys. The keys to success are having clear, concise documentation for self-help, and allowing your users to provision more than one U2F security key. For instance, when Google switched employees to FIDO U2F Security Keys by Yubico, support calls and costs were cut in half compared to using mobile phone authenticators. An important part of that success is also due to the user's ability to register backup keys.

In conclusion, you are not alone in your journey to implement FIDO U2F. More than a dozen organizations (both consumer-facing and B2B) have already rolled it out to their end-users, and countless others are in the process today. We are committed to the success of U2F and will continue to share best practices. And we applaud you for considering FIDO U2F for your service!

-----

FIDO U2F Best Practices eGuide

Are you in the process of, or interested in, implementing FIDO U2F and want help? Sign up to receive our best practices and implementation recommendations.
Matt
Yubico Team

Can Two-Factor Protect Democracy?

Millions of people use YubiKeys all across the globe, and our customers often share how they use YubiKeys at work and for their personal accounts. Now and then we hear a unique story from a new perspective that catches our attention.

Today’s youth is growing up online, always connected, and used to having their personal identities sync directly with their online personas. We are happy to see that even at the youngest of ages, the importance of two-factor authentication (2FA) is making its way into their lives.

We received the story below from a customer who was proud to tell us that his son, Matt, recently won first place at his school's science fair. His project, “So you think you can Phish?” is the first we have heard of including YubiKeys in a high school science fair!

Science Fair Project Display

Matt's Winning Science Fair Project

In his project, Matt identifies the importance of 2FA, specifically the use of YubiKey and the FIDO Universal 2nd Factor (U2F) authentication standard, and illustrates how this simple added step could have prevented a recent, highly publicized phishing attack.

In Matt’s conclusion, he states that even though John Podesta fell for a phishing attack, the former chairman of the 2016 Hillary Clinton presidential campaign could have protected his email account against unauthorized access had he enabled 2FA with a YubiKey. Ultimately, Podesta could have eliminated any potential for leaked emails. Which leaves many people wondering, could this have affected the recent election? Some say yes, some say no, but what it makes clear is that usernames and passwords simply are not enough.

The value of spreading 2FA cannot be overstated, and students like Matt are helping to inform not only their peers but their educators as well. We wish Matt the best of luck at regionals and potentially nationals!

We love to hear new stories and uses from our customers. Please email us at press@yubico.com if you have any that you would like to share.

The NEW YubiKey 4C available February 2017
Ronnie Manning

We hope to USB-C you at CES!

Each year the Consumer Electronics Show (CES) ushers in the new year by revealing the latest in tech, and we’re excited to take part. This year, our CEO is speaking on a security panel, and we’re showing off our new YubiKey 4C with a USB-C design!

Yes, Apple fans! We heard your lament over absent HDMI and USB 3.0 ports, and your transition to USB-C on the newest MacBook Pro.

YubiKey trio

The YubiKey 4C (pictured middle) will be available in the Yubico store for US$50 beginning February 13, 2017

The YubiKey 4C, the world’s first multi-protocol USB-C authentication device, will be previewed at ShowStoppers @ CES, 6-10 PM, at the Wynn Las Vegas. You have asked, and we have listened to your requests for a USB-C form factor. We are extremely proud of the upcoming YubiKey 4C, which will be available for purchase in the Yubico store for US$50 beginning February 13, 2017.

And kicking off the day on January 5, 2017, at the CES Cybersecurity Forum 2017, our CEO and Founder Stina Ehrensvard is speaking in a panel discussion, "Battening Down the Hatches: Data and Devices." The panel will dive into the tools needed to keep connected devices safe and secure, highlighting endpoint protection, secure browsers, and apps protection. The panel begins at 9:15 AM in Room Lando 4301 on Level 4 of The Venetian Las Vegas.

Built on the proven foundation of the YubiKey 4, the YubiKey 4C also supports multiple protocols including Yubico OTP, OATH, FIDO Universal 2nd Factor (U2F), up to RSA 4096 for the OpenPGP function, as well as up to RSA 2048 and up to ECC P384 for the PIV smart card function. This lineup of functionality is contained in a new keychain design for laptops, such as the MacBook Pro, which rely solely on USB-C ports.

We are working on an additional smaller YubiKey form factor with a USB-C design akin to the YubiKey 4 Nano, but do not yet have a time frame for availability.

Secure login for everyone - woman taking a selfie in Times Square, NYC
Stina Ehrensvard

Secure login for everyone

In early 2016, a major enterprise (that at the time was not yet a Yubico customer) asked us two great questions. Why does Yubico exist? And how come 9 of the top 10 internet companies trust a company with less than 100 employees? In this, our first blog of the year, we will share the answers to these questions.

Yubico was founded with the mission to make secure login easy and available for everyone. And our vision was to enable a single key to access any number of services. To make that happen, we decided to work in close collaboration with the internet giants on the assumption that, by carefully listening to their requirements, our technology would have the opportunity to reach all computing devices, platforms, and services.

We won the trust of the world’s leading internet brands, not by selling to them, but by offering our top innovation capabilities and focusing on open standards. To simplify the use of OATH one-time passwords, we removed the need to retype codes from one device to another. For systems requiring a long and complicated static password, we created a way to generate the code in a simple touch. To prevent trojans from hacking a PIV smart card device, we added user presence, touch-to-sign, and device attestation. And to take strong public key crypto to all internet users, we invented the concept of an authenticator that can work with any number of services, with no shared secrets -- which is the core innovation and foundation behind FIDO standards.

We won the trust of the internet giants with exactly the right team, and size to be agile, innovative, and humble. During 2017, billions of people will be safer online because of our past and future contributions to open standards. And that is also the answer to why Yubico exists.

To quote American anthropologist and author Margaret Mead, “Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has.”

U2F Security Keys by Yubico
Yubico Team

U2F Security Key Cuts Google AdWords Fraud

After a successful deployment of FIDO U2F enabled YubiKeys for all its staff, Google is now seeing the benefits of offering the technology to its customers with AdWords accounts.

Hijacking of online advertising accounts not only costs customers whose accounts get bumped offline, but Google loses revenue when those accounts are dormant. The Association of National Advertisers estimates that $7.2 billion will be lost to digital ad fraud in 2016.

As the world's leading digital advertising network, Google is fighting back. In a recently published blog, the company highlights how two digital marketing agencies, Jellyfish and iProspect, protect their AdWords accounts, customers, and revenue using FIDO U2F Security Keys by Yubico.

AdWords users were trained in the simple three-step process to register the FIDO U2F Security Key with their Google accounts. On subsequent use, users only need to touch the key in order to securely log in. Jellyfish rolled out FIDO U2F Security Keys by Yubico to all team members in the UK and South Africa, and iProspect says the security key provides peace of mind that Google accounts are safe.

One of the most important features of the FIDO U2F protocol is the ability to defeat rapidly increasing phishing and man-in-the-middle security attacks. Google’s 2-Step Verification mobile technologies do not offer the same level of protection against these attacks.

Historically, great security has come with high cost and complexity. Yubico changes the equation. Check out the short video Google produced to explain the importance and simplicity of using 2-Step Verification with FIDO U2F Security Keys by Yubico.

Additionally, Google will be having a live broadcast "How to Protect Your AdWords Account" on Thursday, February 16th at 4:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT. The Online Safety Series will cover key topics in online safety, such as account hijacking prevention, recognizing bad websites, adherence to Google policies, and online privacy. RSVP for this Google Advertiser Community Event!

holiday ornaments made out of a YubiKey 4, imitation Christmas tree, toy train, and Star of David
Yubico Team

Give the Gift Security Geeks Love to Get

'Tis the season to be jolly and reflect on everything we're thankful for. It's been an incredible year at Yubico, and we're delighted YubiKeys continue to make news this gift giving season. 

We've compiled our favorite gift guides because these are just too awesome not to share. And yes, we’re on each of them!

US and EU Shoppers: Hoping to receive your order before December 25? Unfortunately, we cannot guarantee shipping times at this time of year. We recommend that you place your order at yubico.com/store by Friday, December 16. You can also buy YubiKeys on Amazon (Pro tip: Amazon has guaranteed shipping times)!

Note: Yubico Store shipping times can vary depending on your country of origin, weather, and other unforeseen obstacles for which we cannot plan.

Photo: Markus Spiske

YubiKey 4 Limited Edition White

YubiKey 4 - Limited Edition White $40
Great stocking stuffer! We’ve produced a limited edition white YubiKey 4 to celebrate the return of smart card support for Macs, available in the Yubico Store. Quantities are limited, so order today!

YubiKey in Smart Card Mode with Windows Remote Desktop Protocol
Yubico Team

Computer Login with YubiKey in Smart Card Mode

The humble smart card dates back to the 1970s, but the mature technology is not without innovation in a world of new-fangled authentication.

Personal Identity Verification (PIV) smart cards, best known as staples in government agencies, incorporate standards developed by the National Institute of Standards and Technology (NIST).

Yubico’s recent webinar, “YubiKey Smart Card Mode for Computer Login,” walks viewers through PIV support on operating systems from Microsoft, Apple, and various Linux distributions. A recording of the webinar is embedded at the bottom of this blog. Yubico’s PIV implementation also supports PKCS#11 and open source tools such as OpenSC.

The YubiKey 4, YubiKey 4 Nano, and YubiKey NEO all incorporate the NIST standards and put ease-of-use innovation into the technology by eliminating the need for a card reader, middleware, extra software, and additional drivers on Microsoft and Apple operating systems. Login and code signing operations are just some of the functions that require only a touch of the YubiKey to activate.

The webinar includes demos using YubiKeys as a smart card to log in on macOS Sierra, Windows domains, remote desktops, and the new Windows Hello authentication platform.

Presenter David Maples, a Yubico Senior Solutions Engineer, details all the platform configurations needed to support the YubiKey and PIV.

He also highlights the YubiKey’s versatility with features and integrations that support additional protocols, such as FIDO’s U2F, using the same YubiKey that provides PIV smart card features.

The webinar opens with a brief introduction to Yubico and the YubiKey.

Webinar: YubiKey Smart Card Mode for Computer Login from Yubico on Vimeo.

Earth
Ronnie Manning

Where to find Yubico this week

We are kicking off the week at the O’Reilly Security Conference on Tuesday in New York with sponsored events and an exhibition in Booth #405, where we will showcase the broad functionality of the YubiKey (U2F, OTP, PIV) across many of our integrations.

Additionally, at O’Reilly Security, you won’t want to miss our CEO and Founder, Stina Ehrensvard’s speaking session “The Future of Strong Online Identities – Simple, Open, and Mobile” on the first day of the conference at 4:45pm in room Rendezvous Trianon.

On Wednesday, at 10:00 a.m. PDT, join us virtually for a live webinar on the YubiKey as a smart card for computer login. The session will include demos on Windows, Mac, and Linux machines, as well as Windows and Citrix remote desktops. Register here

Finally, we will close out the week at Black Hat Europe 2016 in London, starting on Thursday, Nov. 3rd where we will demonstrate YubiKey two-factor authentication technology to Europe’s top security experts. Find us at Booth #104 to see what all the buzz is about.

There’s lots of activity this week, and we hope to see you at some of these events! (And even more in the future!)

YubiKey now works with Salesforce U2F
Ronnie Manning

Dreamforce 2016 – FIDO U2F YubiKey Log In to Salesforce

Momentum is the motion of a moving body, measured as a product of its mass and velocity. Today, we see the mass and velocity of the world’s largest cloud ecosystem get behind FIDO Universal 2nd Factor (U2F) strong authentication.

At this week’s Dreamforce 2016, conference attendees will get the first look at new native support of U2F in the Salesforce Winter ’17 release. Once enabled by an organization’s Salesforce administrator, end users can authenticate with any YubiKey that supports U2F to securely log in to their Salesforce accounts with superior security and unmatched simplicity. Furthermore, that same YubiKey can be used to authenticate to the ever-growing list of services that support U2F.  

After a Salesforce user registers their YubiKey with their account, they log on as usual with their username and password. But before they are granted access, they are prompted to insert their YubiKey into their computer’s USB port and touch the device’s button. This completes a strong authentication based on public key cryptography that thwarts the phishing and man-in-the-middle attacks that plague other solutions, such as one-time codes sent via SMS.

Users can register both a YubiKey and the Salesforce Phone App with their Salesforce account so they always have a backup authenticator. If their phone is dead, a user can use their YubiKey. Or if they don’t have their YubiKey, they can use the phone app.

To learn more about U2F, YubiKey, and the Salesforce integration, sign up to attend a joint webinar hosted by Yubico and Salesforce on Oct. 20 (sign up here!). Together, we will demonstrate how easy it is to activate U2F on the Salesforce platform. We will also dive into the growing importance of the FIDO Alliance protocol, and discuss the cost savings achieved with YubiKey as a second factor for authentication.

Salesforce’s U2F integration comes on the heels of more than a dozen online services that have added support for U2F, beginning with Google, GitHub, and Dropbox, and most recently Okta, GitLab, Dashlane, and Bitbucket. As we read daily about new password and data breaches, companies are moving to strong, open authentication built on U2F. Google tracked the authentication habits of 50,000 employees using U2F within the company over a two-year period. The results showed that, compared against Google’s own authenticator phone app, U2F was faster, more secure, and reduced support costs by thousands of hours per year.

We hope to see you in San Francisco. Stop by our Dreamforce Booth #345 in Moscone South Hall. We are demoing the YubiKey with Salesforce Winter ’17, along with other slick U2F-based services.

Lock Down Your Login with YubiKey
Alex Yakubov

Lock Down Your Login with YubiKey

“78 percent [of Americans] strongly or somewhat agree it is important that companies, government entities and other stakeholders work together to find new ways of securing accounts beyond the use of passwords.”
- National Cyber Security Alliance (NCSA) Strong Authentication Survey, July 2016

Research is clear -- the world needs new and better ways of securing their accounts beyond passwords. That’s why we are participating in the National Cyber Security Alliance’s internet safety and security initiative.

At Yubico, we’re passionate about making it easy for anyone to protect their data and privacy online. Although our security experts have created an affordable and easy-to-use security key, that’s only one piece of the puzzle.

Today, we announce our commitment to the National Cyber Security Alliance’s “Lock Down Your Login” internet safety and security initiative to empower Americans to better protect their online accounts by moving beyond passwords. The campaign, which was announced by the White House in February 2016 as part of its Cybersecurity National Action Plan, calls for all Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of authentication.

Over 40 businesses (including Google, Microsoft, MasterCard, and PayPal) have taken up this initiative. However, many service providers still do not offer strong authentication and rely only on passwords, which are often weak or reused across accounts.

Hundreds of companies have already integrated support for YubiKeys, including popular consumer services like Google Apps and Dropbox, as well as the most popular password managers such as Dashlane and LastPass. They’ve done so because YubiKeys are easy, safe, affordable, and scalable.

As participants in this campaign, we are developing free resources (including Yubico’s Best Practices eGuides) for those businesses that want to introduce stronger authentication but aren’t quite sure how to get started. For details, click here and sign up to receive a notification as resources are released. Educating businesses and individuals is a tall order. Help us reach more people by sharing this with others!

To kick things off, we’ll be offering a 22% discount on the purchase of 2 YubiKeys for 24 hours (12:00AM - 11:59PM PST), on October 4, in the Yubico Store (because it’s best practice to have a backup just in case you misplace your YubiKey). Mark your calendar!

2FACTOR22 Coupon
Derek Hanson

YubiKey Works With Windows Hello

With Windows 10, Microsoft is introducing its most complete authentication platform ever. The Anniversary Edition of the operating system includes expanded user verification options, standards-based authentication, and diverse management controls grouped under the name Windows Hello. YubiKey now works with this ecosystem.

Microsoft is spreading Windows Hello to enterprises and consumers, and across its platforms including desktops, mobile devices, Active Directory, Azure AD (which lives in the cloud), and independent cloud service providers that support modern FIDO Alliance protocols. The list of authentication methods includes built-in biometrics, external companion devices, and smart cards/PKI.

This expanded list of authentication possibilities lands right in Yubico’s wheelhouse. YubiKey and its support for multiple protocols helps usher in the era of FIDO for Windows.

In Windows 10 language, Microsoft will support both key-based and certificate-based authentication. Key-based authentication corresponds to the FIDO model of public key cryptography, while certificate-based authentication relates to smart cards and PKI. Enterprises that don’t use PKI, or want to minimize reliance on certificates, are prime converts for key-based Windows 10 authentication credentials. With a design focused on ease of use, it’s a natural place for end users to finally duck behind the protection of strong authentication.

The YubiKey is a versatile authentication device that is built for this environment. Our strategy around strong authentication includes supporting many standards-based authentication protocols for host-based and cloud-based services. Today, users of services such as Google, Dropbox, and GitHub have access to FIDO-based strong authentication with the YubiKey.

Initially, we have built a simple, single-function app called YubiKey for Windows Hello, which is now one of many options in Windows 10 for unlocking a computer. The app, built on the Windows Companion Device Framework, is available now in the Windows Store. To learn more about YubiKey for Windows Hello and see it in action, watch our video (below). Microsoft introduced Yubico’s app today during its annual Windows Ignite conference.

The Windows Hello platform will create many options, and Yubico will be ready to support them with a simple touch of the YubiKey.

YubiKey now works with macOS Sierra!
Jerrod Chong

YubiKey Smart Card Support For macOS Sierra

Have you ever wanted to use your YubiKey to protect your Mac? Starting today, PIV-enabled YubiKeys can be used to log in to your Mac and your Keychain on macOS Sierra without complex configurations or software.

Up until the release of Mac OS X Lion (10.7) in July 2011, Apple included native support for login using smart cards. Since that feature was removed, users have found it more challenging to make smart cards work with Mac OS X. The release of macOS Sierra 10.12 marks a new beginning for smart card users, as Apple has taken a step towards support for PIV compatible smart cards without requiring any vendor software or drivers to be installed.

At Yubico we want to make it easy for our customers to use best-of-breed security solutions like smart cards, so we added PIV smart card support to the YubiKey starting with the YubiKey NEO in Fall 2013. Today, PIV smart card support is also available on the YubiKey 4. We’ve also enhanced the YubiKey PIV Manager app running on Sierra with a simple self-provisioning wizard that allows non-enterprise users to easily create macOS-compatible PIV credentials on any PIV-enabled YubiKey.

Enterprises already know that PIV-enabled YubiKeys work great with Microsoft Windows environments, and now they can use the same YubiKey to login to Windows and macOS.

With Apple, smart cards are making a comeback, and we are making sure they do it with YubiKey style. To celebrate this significant milestone, Yubico is offering a limited-edition white YubiKey available only in the Yubico Store.

If you have a Mac that only supports USB-C, you can use a USB-C adapter to join in Apple’s smart card revival.

Watch our video that introduces YubiKey to macOS Sierra.

 

Stina Ehrensvard

Yubico awarded NSTIC grant

Yubico was awarded a $2.27 million grant today to develop and deploy a pilot program enabling US citizens to securely access state and local government services. The grant comes through the US Department of Commerce’s National Institute of Standards and Technology (NIST) as part of the White House initiative National Strategy for Trusted Identities in Cyberspace (NSTIC), and is one of six pilots that were awarded today.

The pilot program will focus on providing secure online identities for citizens in Wisconsin and Colorado. In both states, we will deploy FIDO Alliance Universal 2nd Factor (U2F)-based YubiKeys and use the OpenID Connect protocol to develop an “identity toolkit” – with the goal of making the solution simple to deploy and use.

FIDO U2F is an open authentication standard, enabling public key cryptography to secure transactions and prevent phishing attacks that hackers use to steal a user’s credentials. OpenID Connect, also an open standard, allows all types of clients, including browser-based and native mobile apps, to support sign-in flows and receive verifiable claims about the identity of signed-in users.

The NSTIC National Program Office, which is run by the US National Institute of Standards and Technology (NIST), has been awarding cooperative agreements as part of their pilot program since 2012. The program office works to improve online identity for individuals and organizations. Their vision is to enable individuals and organizations to utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

John Fontana

Over A Dozen Services Supporting FIDO U2F

Updated Oct. 10, 2016 to include U2F support added to Opera browser, Salesforce

Standards creation is hard work that only sweetens when the market starts to arrive and validate the effort with real world deployments.

On June 22, Bitbucket, GitLab, and Sentry all released support for FIDO U2F strong authentication in their cloud-based products. None of these companies are members of the FIDO Alliance or had an investment in developing U2F. Their sole motivation was finding and adopting the best authentication technology to help users protect their accounts. U2F’s public key crypto topped the list.

A month earlier, Compose, an IBM company offering hosted databases, also added U2F to its security feature list. This week, FastMail ushered its users into the U2F strong authentication revolution.

Again, neither had an investment in FIDO’s creation, but both recognize what’s become obvious to Dropbox, GitHub, Dashlane, Salesforce.com (adopted Oct. 2016), and Digidentity/UK Government (the UK recently joined FIDO, but the others are not members). U2F provides an environment for strong authentication that thwarts man-in-the-middle-attacks, can’t be phished, and is easy-to-use.

Yubico is delighted, of course, that all these organizations are using U2F-compliant YubiKeys. There is also free and open source server code that Yubico and Google make available on GitHub (Google reference code, Yubico Server Libraries). But more important, these companies are validating FIDO Alliance protocols and the value of open, strong second-factor authentication.

These companies are not the only ones joining the U2F ecosystem. In fact, we first outlined an initial surge in U2F adoption 18 months ago.

Today, the market has taken on a new vibrancy as companies recognize that strong authentication provides security that counters the fallout from the unprecedented swell of password breaches. U2F authentication is a key security component for consumer-facing Web applications and existing identity and access management environments within enterprises. These traits are coupled with adopters who find implementation requires less than a day’s worth of work.

Here is a list of the key platforms for U2F:

Browser support:
Google’s Chrome browser has long been the lone platform for U2F, but that has changed. The Opera browser (version 40) began supporting U2F in late September 2016. In addition, Mozilla hopes to wrap up in late 2016 U2F support in the Firefox browser with features on parity with Google’s U2F implementation. In fact, the two have been consulting on this work with each other and the Yubico engineering team. In addition, Mozilla plans to eventually support the WebAuthn APIs being developed by the World Wide Web Consortium (W3C) for secure browser log in. Those APIs also factor into a more complete FIDO strong authentication ecosystem. Microsoft’s Edge browser also will support those APIs when they are finalized (projected early 2017). Edge plays a pivotal role in the company’s Windows 10 Hello authentication system, which accepts a number of strong authentication types including U2F authenticators.

Cloud services:
Google added U2F support in the fall of 2014, and was followed by Dropbox, PushCoin, and GitHub in 2015. Dashlane, Bitbucket, GitLab, Salesforce, Sentry, Compose, and FastMail added support in 2016. For a detailed list, check the Yubico U2F page.

IAM software and services:
In 2015, StrongAuth, Gluu, and RCDevs added U2F support in their platforms. Digidentity added U2F in 2016 as part of its partnership with GOV.UK Verify.

What’s next
FIDO is far from finished innovating. The Alliance donated a set of FIDO Web APIs to the W3C in late 2015 for formal standardization, which should be completed early next year. The APIs, coupled with forthcoming FIDO 2.0 features, improve Web-based security, add native platform support (Windows, Android, etc.), and include capabilities such as device-to-device authentication that uses FIDO’s public key cryptography. There are a host of new efforts developing in 2016, including FIDO coupled with identity federation to secure native applications on desktops and devices.

July 2016 Newsletter
Stina Ehrensvard

The Future of Secure Online Identities

Since I started my journey as a hardware authentication innovator, I have heard people say that the future of authentication is software. Or TPMs. Or biometrics. Or invisible data intelligence that will silently protect us all. Today, it is fair to say that all these predictions were right – when they are combined into a comprehensive strategy.

But in order for secure online identities to scale to all services and users, open standards “plumbing“ is necessary. And it includes open authentication and identity standards that are natively supported in leading platforms and browsers, enabling strong crypto between a range of authenticators and the services they protect.

In 2013, when Wired published the first article on U2F, Yubico received many valid questions on this new authentication protocol. We shared our response in a Future of Authentication FAQ blog. The content is still valid, so if you did not read it then, we welcome you to do so now.

A couple of months ago, Yubico was invited to a panel discussion at the European Identity & Cloud Conference with the topic, “The Future of Authentication – Killing the Password.” Identity experts from Microsoft, Salesforce.com and NRI all agreed that the “plumbing” must be open standards, and that there is no silver bullet for the multi-factor options we add as an extra layer of user verification. The YubiKey did, however, get high marks – Salesforce mentioned that it took only two days to deploy YubiKeys for 17,000 employees, and Microsoft disclosed that Windows Hello will eventually accept external hardware authenticators. Until biometrics have proven to be more robust, passwords are actually not that bad. Or to quote the warning message that the latest Nexus phone presents when setting up a biometric login: “Using your fingerprint to unlock your device may be less secure than a strong password, PIN, or pattern.” (Watch the EIC panel presentation.)

Those same identity experts agreed on one more important trend: authentication and identity will be separated. FIDO U2F is one of the open standards protocols that makes that separation possible. It lets you have assorted identities, including a real identity tied to your driver’s license, a temporary identity for your work, and an identity that allows you to be “secure, yet anonymous”. This can be life critical for dissidents and journalists, and will help safeguard internet privacy for the rest of us.

P.S. The picture above is an example of the latter. I once showed up at the office disguised as the famous fictional hacker Lisbeth Salander, and no one recognized me.

[Image: NASA composite of the Earth at night, assembled from Suomi NPP satellite data acquired April to October 2012]
Yubico Team

U2F, OIDC Team Up For Strong Authentication, Federation

The New York Times sits elegantly secured behind authentication technology that combines a U2F-enabled YubiKey and standardized identity federation built on OpenID Connect (OIDC).

It’s a colorful twist for a newspaper first published in 1851 and famously known as The Gray Lady. But linked with Google and Yubico, the trio is part of an identity federation that relies on strong authentication to protect access to the online version of the newspaper.

Identity federation is the process of logging in to a single identity provider (in this case, Google) and then navigating to other sites (for example, The New York Times) without having to log in again. The YubiKey and FIDO U2F secure the identity provider login using public key cryptography, while OIDC takes care of the trusted and federated relationship between Google and The New York Times.

OIDC is an identity federation standard that we profiled along with FIDO U2F last year to show how the pair solves a wider range of authentication challenges than either technology could on its own. Yubico is also a member of the OpenID Foundation, which is the creator of OIDC, and is actively exploring how U2F plays with other standardized identity technology.

Watch this video to see federated identity with a YubiKey in action. It’s impossible to see identity federation working under the covers in this scenario, but the simplicity and security should be clearly evident. And really, that’s the desired user experience.

How to: Login with FIDO U2F and OpenID Connect from Yubico on Vimeo.

Josh Kellerman

YubiKey And The Route To USB-C

The USB-C standard has caused a lot of chatter among Apple users, some concerning the elegance of fewer wires but mostly from those that miss absent ports, such as HDMI and USB 3.0, on newer MacBooks.

Yubico has received requests to join the USB-C evolution and release a USB-C compatible YubiKey. We have built a prototype with a nifty design, but until we see strong market demand it is not ready for the mass market.

YubiKey, USB-C Adapter bundle now featured in the Yubico Store

In the meantime, however, we have tested a number of USB-C adapters, available off-the-shelf or via Amazon, that allow the YubiKey to work with the MacBook and other devices, tablets and phones with a USB-C port (see picture above).

Either YubiKey form-factor will work, but the most elegant configuration is to insert the YubiKey 4 Nano into the adapter and attach the YubiKey to a lanyard hanging from a keychain. Check to see that the YubiKey is snug within the USB-C adapter. To avoid unintentional activation of the YubiKey, we recommend a thin, non-metal lanyard cord. Without a lanyard, tweezers or a small tool may be needed to remove the YubiKey. The functionality of the YubiKey is in no way altered by using it with a USB-C adapter.

The USB-C standard is a multi-function evolution that combines both connectivity and power. For a wireless world, a single MacBook USB-C port bumps all other accessories to a wireless connection in the absence of an adapter.

When, or if, Apple opens its Near Field Communication (NFC) environment to developers, we think NFC will be the prevailing contactless connection point for the YubiKey, outdistancing Bluetooth in most use cases on all platforms.

Until then, we’re experimenting with how we might align the YubiKey design with the changing tides in USB evolution.

Stina Ehrensvard

Google Extends Multi-Factor Options With Prompt

Google yesterday released a third option for its two-step verification, complementing the Google Authenticator phone app and FIDO U2F Security Keys.

Google Prompt is a push app for mobile authentication, similar to two-factor push solutions offered by others like Duo Security. There is no authentication solution that fits everyone’s needs, and Prompt has both advantages and challenges.

Advantages

  • Free software to download/update on a smartphone, no additional device needed
  • Allows moving from two-factor to a true multi-factor offering
  • Much easier than typing a code or PIN from Google Authenticator

Challenges

  • Requires a data connection
  • Does not protect against phishing and man-in-the-middle attacks
  • Does not work with non-Google services
  • Some organizations do not allow users to bring their phone to work
  • Support and backup issues when the user’s phone (a single, expensive authenticator) is lost, broken, or has a dead battery

Currently, users can’t have Security Keys and Google Prompt enabled at the same time. We expect this will change soon, as Prompt is a better phone-based complement to the Security Key than Google Authenticator.

Google has spent the past five years building its strong authentication strategy with Prompt the latest piece of that plan, which also includes multiple protocols, cross-platform support and administrative tools. Prompt is an attempt to match capabilities already available in the identity and access management market such as Okta Verify, Centrify Push, and PingID Swipe.

Google’s ultimate goal is to build an identity-as-a-service (IDaaS) for enterprises, including a host of federation options (SAML, OIDC), and management tools such as mobile device management and provisioning, which is currently being tested by Salesforce, Slack, and Facebook at Work. Google discussed this IDaaS plan in early June at the Cloud Identity Summit with focus on Google IDP, Firebase Auth, and customer facing login.

Management of the identity and authentication ecosystem is an absolute requirement for the enterprise and we applaud Google’s efforts here. Strong authentication isn’t one method used everywhere — it’s a combination of options matched to use cases.  Currently, FIDO U2F Security Keys, including YubiKeys, are proven to offer higher security, a faster login experience, and fewer support calls than any other authentication technology on the market.

YubiKey users can have one single and simple key to access a wide range of IT applications, including computers, servers, networks, leading online services and IAM platforms, as well as to sign and encrypt data.

Updated July 24, 2016 to clarify phishing, man-in-the-middle challenge

Jakob Ehrensvärd

YubiKey, U2F Tracking Bluetooth Maturity

At Yubico, we have been experimenting and innovating for a long time with additional YubiKey interface options, like Bluetooth Classic and Bluetooth Smart. Once the Bluetooth work stream was formed within FIDO U2F, we were active in completing the specification. We have passed the FIDO U2F BLE interoperability tests, and are happy to report that this week FIDO awarded us our BLE certification.

However, Bluetooth comes with several practical challenges that make it tough to deliver the product design, security lineage, and user experience one would expect from a YubiKey. We have tested a few different designs with user groups and are now proud to deploy the latest version of YubiKey BLE into initial pilot projects.

Although we’re both proud and excited about this new wireless solution, we do want to share some of the practicalities we will continue to improve on, both for our own product and within the scope of the FIDO Alliance.

  • Bluetooth pairing is the most critical function from a user experience point of view. Although it is perfectly understandable from an engineering perspective, the pairing can be highly confusing for the user. Whereas USB and NFC devices are “connect by intent” by their very nature, Bluetooth devices can have up to 30 meters of range. Since this is a security product, as a user you want to be certain you are communicating with the correct endpoint.
  • Device and operating system compatibility issues. Bluetooth has evolved over a long period of time, and early versions of iOS and many Android flavors today still have aging BLE implementations with user interface issues. While support in audio and peripherals is common, mobile devices and operating systems embedding Bluetooth have been slow to support security centric protocols and devices. U2F Bluetooth devices rely on the most recent version of the standard, known as Bluetooth Low Energy, a.k.a. BLE, but there are still major platforms that have either inadequate or limited support. Over time this issue goes away, but today it is at the heart of some design and implementation challenges.
  • Battery life. Bluetooth devices require batteries; YubiKeys do not, which is a signature trait of our products and allows for a practically unlimited lifetime and shelf life. The Bluetooth battery requirement provides a number of design challenges around usability and regulatory issues, such as product safety, environmental concerns, disposal, and logistics.
  • Radio regulatory issues. Although Bluetooth works in an open radio spectrum, devices that emit radio frequency do have to pass certain certifications. This is a complex procedure and is unfortunately tied to geographic regions.

In summary, we are selectively releasing the YubiKey BLE into specific pilots. As platform support matures during the second half of 2017, we will increase the pace of our Bluetooth certifications. Stay tuned and once the entire ecosystem is ready for prime-time, we are too.

Klas Lindfors

YubiKey 4 has fresh look, attestation capabilities

The smallest YubiKey 4 is getting a facelift, and both form factors have new trust capabilities that validate device type, manufacturer, and generated key material.

The new YubiKey 4 Nano takes on a “molded” form factor (see above), which makes it impossible to insert the Nano in backwards, and provides a waterproof environment.

The YubiKey 4 and YubiKey 4 Nano firmware has been upgraded with a “touch-policy cache” option, which simplifies and strengthens smart card use for Microsoft Windows login by letting a touch of the key augment or replace a PIN.

But perhaps most important, both YubiKey form factors have gained a new Personal Identity Verification (PIV) attestation capability that validates where the cryptographic keys were created and the attestation entity used to attest the key.

For example, when coupled with the PIV protocol, attestation shows where the PIV credential is generated and who attested the credential. With Secure Shell (SSH) login using a key pair generated by a YubiKey 4, attestation is used to sign and validate that a key pair was generated on hardware and that the key was manufactured by Yubico.

These validations are important to establish trust and to bind a user account to a credential on the hardware, and to do so with an easy-to-use device. The need for such operations is gaining popularity in the security community and ecosystem.

The need for higher levels of trust for specific operations means some companies and organizations can’t rely on just a software layer, but instead need a cryptographic device such as a hardware key.

On the YubiKey 4, attestation works via a special key slot called “f9” that comes pre-loaded with the attestation certificate signed by a Yubico CA. The slot can be overwritten by individual users, specifically provisioned for a customer rollout, or granularly provisioned per device.

Keys generated in a normal slot on the YubiKey are then “attested” by the key and certificate in the f9 slot. Attestation features are detailed in our Introduction to PIV Attestation. The YubiKey PIV Tool Command Line Guide explains how the tool interacts with the PIV application on a YubiKey. Similar attestation capabilities are found in Yubico’s implementation of the FIDO Universal 2nd Factor (U2F) protocol.
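As an added illustration (not code from Yubico or from this post), the following POSIX shell script builds a mock attestation chain with openssl and checks it the way a relying party would check a YubiKey’s slot attestation: chain the slot attestation certificate through the f9 certificate to a trusted root, confirm that the attested public key is the key actually being enrolled, and read the firmware version out of the attestation extension. The root and f9 certificates are generated locally rather than loaded from a device, the slot key exists as a file only so that the example runs offline, and the OID values used for firmware version, serial number, and PIN/touch policy are assumptions taken from Yubico’s PIV attestation documentation.

```shell
#!/bin/sh
# Added example (not Yubico's code). Builds a mock PIV attestation chain with
# openssl: a root CA, an "f9" attestation signer issued by the root, and a
# slot-9a attestation statement issued by f9. Then checks it as a relying
# party would. All key material is constructed here; the OIDs are assumptions
# taken from Yubico's PIV attestation documentation.
set -eu

OID_FIRMWARE=1.3.6.1.4.1.41482.3.3   # firmware version, OCTET STRING maj/min/patch (assumed)
OID_SERIAL=1.3.6.1.4.1.41482.3.7     # device serial, INTEGER (assumed)
OID_POLICY=1.3.6.1.4.1.41482.3.8     # pin policy, touch policy, OCTET STRING (assumed)

# P-256 key pair as a file. On a real YubiKey the slot key is generated on the
# device and never leaves it; the file stands in for it so the example runs offline.
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# build_mock_chain DIR: writes root.pem, f9.pem, 9a.pub and 9a-attest.pem.
build_mock_chain() {
  d=$1; mkdir -p "$d"
  # Root CA (stands in for the Yubico PIV root CA the relying party trusts).
  gen_key "$d/root.key"
  openssl req -new -key "$d/root.key" -subj "/CN=Mock PIV Root CA" -out "$d/root.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/root.ext" -out "$d/root.pem"
  # "f9" signer: the factory-loaded attestation certificate, a CA issued by the root.
  gen_key "$d/f9.key"
  openssl req -new -key "$d/f9.key" -subj "/CN=Mock PIV Attestation" -out "$d/f9.csr"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' > "$d/f9.ext"
  openssl x509 -req -in "$d/f9.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 3650 -extfile "$d/f9.ext" -out "$d/f9.pem"
  # Slot 9a key and its attestation statement: a leaf over the slot public key,
  # signed by f9, carrying firmware 4.3.1, serial 12345678 (0x00bc614e) and
  # pin policy 2 / touch policy 2. Sample values, constructed for this example.
  gen_key "$d/9a.key"
  openssl pkey -in "$d/9a.key" -pubout -out "$d/9a.pub"
  openssl req -new -key "$d/9a.key" -subj "/CN=YubiKey PIV Attestation 9a" -out "$d/9a.csr"
  printf 'basicConstraints=critical,CA:FALSE\n%s=DER:04:03:04:03:01\n%s=DER:02:04:00:bc:61:4e\n%s=DER:04:02:02:02\n' \
    "$OID_FIRMWARE" "$OID_SERIAL" "$OID_POLICY" > "$d/9a.ext"
  openssl x509 -req -in "$d/9a.csr" -CA "$d/f9.pem" -CAkey "$d/f9.key" \
    -CAcreateserial -days 3650 -extfile "$d/9a.ext" -out "$d/9a-attest.pem"
}

# verify_attestation ROOT F9 ATTEST: succeeds only if ATTEST chains to ROOT
# through F9, i.e. the key was generated on a device whose f9 slot holds a
# certificate issued by the trusted CA.
verify_attestation() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# attested_key_matches ATTEST PUBKEY: the public key inside the attestation
# statement must be the key being enrolled; otherwise a genuine statement for
# some other key could be replayed alongside a software-generated key.
attested_key_matches() {
  a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  b=$(openssl pkey -pubin -in "$2") || return 1
  [ "$a" = "$b" ]
}

# attestation_firmware ATTEST: prints "major.minor.patch" from the firmware
# extension. asn1parse shows the extension value as an OCTET STRING hex dump,
# e.g. 0403040301 = OCTET STRING (04 03) wrapping bytes 04 03 01.
attestation_firmware() {
  hex=$(openssl asn1parse -in "$1" | grep -A1 ":$OID_FIRMWARE\$" \
        | sed -n 's/.*\[HEX DUMP\]:\([0-9A-F]*\)$/\1/p')
  [ "${hex%??????}" = "0403" ] || return 1
  v=${hex#0403}
  maj=$(printf %s "$v" | cut -c1-2)
  min=$(printf %s "$v" | cut -c3-4)
  pat=$(printf %s "$v" | cut -c5-6)
  printf '%d.%d.%d\n' "$((0x$maj))" "$((0x$min))" "$((0x$pat))"
}
```

Against a real device the same three checks run with the Yubico PIV root CA certificate as -CAfile, the certificate read from slot f9 as -untrusted, and the attestation statement the key produces for the slot as the leaf; the yubico-piv-tool actions for those two reads (read-certificate on f9 and attest on the slot) are quoted from memory of the tool, so confirm them against the command line guide linked above. The negative cases matter as much as the positive one: a chain that ends at the wrong root is what a counterfeit device or a software key looks like, and an attestation whose public key differs from the enrolled key is a genuine statement being replayed for a key it does not cover.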

YubiKey 4 and YubiKey 4 Nano with the new YubiKey 4.3.1 firmware are available now from Amazon and the Yubico Store. Use the YubiKey Personalization Tool to identify the firmware version of your YubiKey.

Klas Lindfors is a Senior Software Developer at Yubico.

Ronnie Manning

Yubico CEO awarded KTH Great Prize

Yubico is proud to announce that our CEO and Founder, Stina Ehrensvärd, has been named the winner of the 2016 KTH Royal Institute of Technology Great Prize.  Founded in 1827, KTH is Sweden’s first polytechnic university and is one of Scandinavia’s largest institutions of higher education in technology.


Yubico CEO and Founder, Stina Ehrensvärd, awarded 2016 KTH Great Prize

First awarded in 1945, the annual KTH Great Prize was founded and funded from the proceeds of a 1944 anonymous donation.

According to the sponsor of the award, the prize shall be presented to, “A person who, through epoch-making discoveries and the creation of new values and by ingenious applications of findings gained on the practical aspects of life, promotes Sweden’s continued material progress, or a person who by means of scientific research has discovered particularly valuable principles or methods which are useful for applications, which promote the above purpose, or a person who through artistic activities ‘exerts a powerful influence particularly on the spiritual life of her own people.”

“Stina Ehrensvärd is a very worthy recipient of the KTH Great Prize,” said Peter Gudmundson, President of KTH “A combination of innovation and entrepreneurship is key to meeting society’s challenges, for both Stina and for KTH. IT security is absolutely critical in our digitized world, and this is why Stina’s effort is significant.”

Stina is extremely honored and happily surprised by this honor, but stresses that credit for Yubico’s success is not hers alone. “It would not have been possible without my great team at Yubico. And a special thanks to Jakob Ehrensvärd, the company’s CTO, and my husband, whom I would have liked to share this prize with. It has been said that behind every successful man stands a strong woman. In our case it is the opposite, and it’s Jakob who developed most of the technology.”

When asked to give advice to the next generation of innovators, Stina said, “Inspiration and hard work are the secret. Find a solution to a real problem. If it makes you so happy that the idea of devoting several years to implement this solution, product or service makes it hard for you to sit still, then you’re probably on the right track. Surround yourself with a really good team that complements you. Think big. Listen to your gut.”

Stina says that joining a list of KTH Grand Prize honorees is exciting and a little unreal.  Previous winners include: Niklas Zennström, Co-founder of Skype; Daniel Ek, founder of Spotify; Robyn, pop singer and producer; Jan Uddenfeldt, contributor to the GSM standard; Gunilla Pontén, fashion designer; and Assar Gabrielsson, Co-founder of Volvo.

Click to view the full list of KTH Great Prize winners.

Jerrod Chong

Yubico Expands FIPS Security Certification

For the past two years, Yubico has executed on an aggressive strategy to validate its cryptographic devices against established federal standards.

The first YubiKey device was validated in 2014 (NIST cert #2267) and, last week, the YubiKey 4 began the National Institute of Standards and Technology (NIST) validation process for compliance with the Federal Information Processing Standard (FIPS) Publication 140-2.

Our objective is to achieve FIPS 140-2 at Level 2 overall and Level 3 physical security in order to meet the highest level of assurance at Level 4 for the electronic authentication guidelines outlined in NIST special publication 800-63-2.

Cryptography and encryption are important constructs for the security technology industry and its customers. FIPS 140-2 standards set requirements for handling sensitive but unclassified information and are mandated by law. FIPS 140-2 validation is required for US and Canadian government acquisition of products using cryptography, but many governments and commercial entities throughout the world also use this as a basis for selecting vendors and products.

Yubico’s customers requesting this certification include federal governments, state and local governments, healthcare, financial services, and federal contractors who routinely process, store, and transmit sensitive federal information using their own information systems. The protection of sensitive federal information while residing in non-federal information systems and organizations is of paramount importance to federal agencies because it can directly impact their ability to successfully carry out their missions and business operations.

Agencies, organizations, and the general public can review our progress through NIST’s Cryptographic Module Validation Program.

The YubiKey 4 validation is Yubico’s investment in the future of our cryptographic platform so enterprises and organizations can trust our devices and hardware to comply with federal regulations that meet their needs. Given that the YubiKey 4 was launched less than six months ago, we have been very aggressive with getting this device through certification. Our goal is to ensure that any company working with, or within, regulated industries will have full confidence that Yubico’s cryptographic tools meet the security industry’s highest standards.

YubiNews April 2016
Ronnie Manning

Webinar showcases Centrify’s ID platform, YubiKey support

Yubico’s partner Centrify has built one of the best showcases for the YubiKey’s multi-protocol versatility.

With support for Personal Identity Verification (PIV)-based capabilities, one-time passwords (OTP), and mobile authentication, Centrify is the first identity and access management (IAM) platform to support such a deep lineup of protocols using a YubiKey.

Centrify will detail and demo the multi-factor authentication options for its Identity Platform as part of a joint webinar hosted by Yubico. (Listen to replay of May 24, 2016 webinar).

These authentication options are attractive to users and businesses because they’re contained in a single YubiKey that addresses multiple use cases, simplifies user training, and improves security. Centrify’s Identity Platform is the foundation for assigning multi-factor authentication policies across enterprise applications and resources. The platform also adds management features, including enrollment, per-app policies and enforcement, and context-based multi-factor authentication across users, apps and servers.

The YubiKey supports a number of scenarios:

• Smart card Active Directory-based login to Mac OS X or Linux.
• Smart card login to Centrify’s cloud service for Single Sign-On (SSO), secure remote access, or administration.
• OATH-HOTP as a second factor for secure SSO to cloud apps.
• OATH-HOTP for multi-factor authentication (MFA) to privilege elevation on servers.
• Physical NFC token-based MFA for secure access to apps on mobile devices.

To learn more about these scenarios and to see them in action, join us for our joint webinar. Registration is free.

Jakob Ehrensvärd

Secure Hardware vs. Open Source

Recently there have been discussions regarding Yubico’s OpenPGP implementation on the YubiKey 4. While open source and security remains central to our mission, we think some clarifications and context around current OpenPGP support would be beneficial to explain what we are doing, why, and how it reflects our commitment to improved security and open source.

To start off, let me say that Yubico is a strong supporter of free and open source software (FOSS). We use it daily in the development of new products, and a large portion of our software projects are released as open source software — we have close to 100 projects available on GitHub. This includes libraries for interfacing or integrating with our devices, tools used for programming and customization, server software which supports our products, specifications for custom protocols, and many more. We believe strongly that this benefits the community, as well as Yubico.

Some basic facts:

  • The YubiKey hardware with its integral firmware has never been open sourced, whereas almost all of the supporting applications are open source.
  • The YubiKey NEO is a two-chip design. There is one “non-secure” USB interface controller and one secure crypto processor, which runs Java Card (JCOP 2.4.2 R1). There is a clear security boundary between these two chips. This platform is limited to RSA with key lengths up to 2048 bits and ECC up to 320 bits.
  • The YubiKey 4 is a single-chip design without a Java Card/Global Platform environment, featuring RSA with key lengths up to 4096 bits and ECC up to 521 bits. Yubico has developed the firmware from the ground up. These devices are loaded by Yubico and cannot be updated.
  • The OpenPGP applet for the YubiKey NEO was (and still is) published as open source.
  • When the YubiKey NEO was released back in 2012, we had open (= known) card manager (CM) keys, allowing for applet management.
  • Since late 2013, we ship all NEOs with randomized card manager keys, which prevents applet management. So although the OpenPGP applet is available, users can’t load it on a NEO.
  • We do have a NEO developer program, where we allow custom applet development and key distribution.

There are quite a few reasons we’ve done it this way, but none of them represent a change in our commitment to a free, open internet. Here’s our thinking:

First, and most important in our decision-making, has been to move away from what we call “non-secure hardware” and into secure elements that are specifically designed for security applications and have passed at least Common Criteria EAL5+ certification.

The reason is simple — we have to provide security hardware that not only implements a cryptographic protocol correctly, but also physically protects key material and protects the cryptographic operations from leakage or modification. Over the past couple of years, many publications have provided evidence of various forms of intrusive and non-intrusive attacks against hardware devices (including the YubiKey 2). Much can be said (and has indeed been said) about this subject, but there is no question that this is a serious matter. Attacks varying from “chip-cloning” and “decapsulation and probing” to fault injection and passive side-channel analysis have shown that a large number of devices are vulnerable.

It’s important to understand what we mean by “secure hardware.” Secure hardware features a secure chip, which has built-in countermeasures to mitigate a long list of attacks. Standard microcontrollers lack these features. Built-in countermeasures make intrusive and non-intrusive attacks an order of magnitude more complicated to perform. Secure hardware relies on secure firmware, where additional firmware countermeasures are implemented to further strengthen the device against attacks.

Given these developments, we, as a product company, have taken a clear stand against implementations based on off-the-shelf components and further believe that something like a commercial-grade AVR or ARM controller is unfit to be used in a security product. In most cases, these controllers are easy to attack, from breaking in via a debug/JTAG/TAP port to probing memory contents. Various forms of fault injection and side-channel analysis are possible, sometimes allowing for a complete key recovery in a shockingly short period of time. In this specific context (fault injection and side-channel analysis), an open source strategy would provide little or no remedy to a serious and growing industry problem. One could say it actually works the other way. In fact, the attacker’s job becomes much easier as the code to attack is fully known and the attacker owns the hardware freely. Without any built-in security countermeasures, the attacker can fully profile the behavior in a way that is impossible with a secure chip.

So — why not combine the best of two worlds then, i.e. using secure hardware in an open source design? There are a few problems with that:

  • There is an inverse relationship between making a chip open and achieving security certifications, such as Common Criteria. In order to achieve these higher levels of certifications, certain requirements are put on the final products and their use and available modes.
  • There are, in practice, only two major players providing secure silicon and none of their products/platforms are available on the open market for developers except in very large volumes.
  • Even for large volume orders, there is a highly bureaucratic process to even get started with these suppliers: procedures, non-disclosure agreements, secure access to datasheets, export control, licensing terms, IP, etc.
  • Since there is no debug port, embedded development becomes a matter of having an expensive emulator and special developer licenses, again available only under NDA.
  • Although this does not prevent the source code from being published, without the datasheets, security guidelines, and a platform for performing tests, the outcome is questionable, with little practical value.

Secure elements are still a small market compared with generic bread-and-butter microcontrollers. Given the high costs to achieve and maintain certification and the procedural hassle, it is quite easy to understand the current state of affairs.

Let’s for a moment return to the question of the YubiKey NEO and why we decided to remove the ability to manage the applets. As we began to produce the NEO in larger volumes, we had to make some tough choices:

  • With open card manager keys, the devices are open to potential denial-of-service attacks as well as someone replacing a known applet with a bogus one. What if a bad guy took your new NEO and overwrote the OpenPGP applet with an evil one, thereby providing a key back door? If you’re hardcore about security, you’d immediately set your own CM keys, locking out that possibility, but then how would we control who is capable of this and who we actually expose to a potential threat?
  • Devices with known keys become vulnerable to modifications when in transit.
  • We tried a scheme of randomizing keys and making them available for developers under certain conditions. The practical problems of authenticating users and securely distributing keys plus the paperwork needed made it impossible.
  • Given that the NXP toolchain and extended libraries for JCOP are not free and available, applet development becomes more a theoretical possibility than a practical one.

Although we had initially hoped to take a different approach to applet management, I believe we made the right decisions given our choices. We do provide a developer program, giving access to the full toolchain as well as open CM keys. We don’t charge for it, but given the paperwork required, we need to have a compelling business case in order to justify the effort.

I’d like to bring up another aspect when it comes to providing integrated products. With the YubiKey, we see the firmware being integral with the hardware and we take responsibility for the aggregated functionality. We have made a conscious decision not to provide any means for upgrading the firmware out in the field, in order to eliminate the chance a device could be modified by an attacker.

That means that any device with a security issue is a lost device: if there are any problems, issues come up with returns, support for users moving their keys, destruction of the keys, etc. In a “software-only” open source project, handling a serious issue like that could be as simple as issuing a security bulletin and pushing a fix.

Enterprise customers deploying at million-unit scale have engaged independent third parties to review our firmware source code and algorithm implementations, and we would consider this with others of a similar or larger scale (given the extensive load on our engineering team to support such analysis). Such analysis is restricted to the contracting parties.

The chain of trust for any security product is pivotal to understanding how to implement a secure scheme for the entire lifecycle from production to deployment. Again, using commercial, off-the-shelf components with open designs creates some very hard nuts to crack. What prevents your hardware or chip from being compromised in the first place? What if the bootloader has been compromised, maybe in transit? Moving towards a fully-integrated design, like the YubiKey 4, actually solves a very practical problem. The security boundary includes the initial loader, which is protected by keys.

Consider the following questions and statements:

  • What is the attack scenario you’re most worried about — a backdoor or bug, accessible via the standard interface over the network, someone owning your computer while extracting sensitive information from your security token, or that someone in possession of your key could retrieve such information?
  • If you have to pick only one, is it more important to have the source code available for review or to have a product that includes serious countermeasures for attacks against the integrity of your keys?
  • Although you may feel good about having reviewed the source and loaded the firmware yourself, do you trust and feel comfortable that the very same interface you used for that loading procedure is not a backdoor for extracting the key? Is the bootloader there trustworthy? The memory fuse? The JTAG lock-out feature? Are these properly documented and scrutinized?
  • One has to recognize the hard problem of trust. Considering a utopian scenario with an open-and-fully-transparent-and-proven-secure-ip-less chip, given the complexity and astronomical costs of chip development, who would make it? And if it was available, how would they then provide the proof, making it more trustworthy than anything else already available?
  • Is it more rational to put a large amount of trust in a large monolith like a Java Card OS, while at the same time being highly suspicious of a considerably smaller piece of custom code? This assumes that both have been subject to third-party review in a similar fashion.

In conclusion, we want our customers and community to know that we have made conscious choices to some quite complex questions and that, in the end, we have landed with some sensible compromises. We are no less committed to security. We are no less committed to open source and to the open source community. We are always open to suggestions and could very well make changes if more sensible solutions arise. After all, the trust of our users is the most important asset we have.

If you have comments please visit our YubiKey 4 forum. If you don’t have access to the forum, send us a comment at comments@yubico.com.

– Jakob Ehrensvard is CTO at Yubico

Ronnie Manning

U2F Best Innovation in eGovernment Awarded at EIC 2016

Last night at the European Identity & Cloud Conference 2016 (EIC) Awards Ceremony, Yubico and Digidentity’s submission for “Best Innovation in eGovernment/eCitizen” was awarded to the GOV.UK Verify project! The award was accepted by Adam Cooper, Identity Assurance Programme, Government Digital Service for GOV.UK Verify.

Pictured: Jennifer Haas (KuppingerCole), Adam Cooper (GDS) and Mike Small (KuppingerCole)

Beginning in April 2016, GOV.UK Verify began offering beta support for the YubiKey and the FIDO Universal 2nd Factor (U2F) protocol, through Yubico partner Digidentity, one of the original identity providers (IdP) for GOV.UK Verify. Set to launch this month, this is the first government service in the world to support a FIDO authenticator based on open standards.

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F certified YubiKey into the computer’s USB port, and then touches the device. There are no drivers or client software to install. Furthermore, the same U2F YubiKey that works with GOV.UK Verify and Digidentity also works for logging into a growing number of large scale commercial services, including Google, Dropbox, and Dashlane, without any personal data or encryption secrets shared between service providers.

Yubico’s partnership and interoperability with identity provider Digidentity and support for GOV.UK Verify is another example of how Yubico helps secure online identities, and how Yubico innovates to make those identities easier to use and available to everyone.

We thank EIC and conference host KuppingerCole for this recognition and look forward to next year’s conference!

John Fontana

U2F, OpenID Connect Align For Mobile Authentication

A year ago, Yubico described a cord-cutting mobile world where hard-wired ports were not needed to accommodate the security benefits of strong authentication.

Since then, growth in the mobile device market has continued its explosion, including 1.4 billion smartphones shipped worldwide in 2015, according to IDC.

Couple this development with standards work by the FIDO Alliance, Yubico, Google, and the OpenID Foundation and cord-cutters can start to see mobile security options — such as a single sign-on (SSO) experience and strong authentication to secure native apps — on mobile devices.

OpenID Connect and FIDO Universal 2nd Factor (U2F) are capable authentication technologies on their own, but when paired they can solve more authentication challenges than either could alone. For example, Google recently contributed a code project called AppAuth for both Android and iOS to the OpenID Foundation’s Connect Working Group. The code is used to maintain a state on the browser that provides an SSO-like experience to users of native mobile apps. Google’s AppAuth implementation for Android supports strong authentication to an identity provider using the YubiKey NEO, its Near Field Communication (NFC) function, and its U2F support.

A discussion of AppAuth’s capabilities and a demo of its incorporation of YubiKey NEO with NFC can be seen in this video from the March 2016 OpenID Foundation Summit. (Advance to 2:47:29 in the video.)

“[AppAuth] is important as it is the first real chance we have had for a standard to do SSO across native apps, and also make it easier for IdPs to support multi-factor authentication like FIDO without the ISV needing to support app wrapping or producing many customised versions for each deployment,” said John Bradley, an identity expert and officer of the OpenID Foundation.

Yubico’s support for NFC in the YubiKey NEO allows a tap of the key against a smartphone to release a one-time password (OTP) or to perform FIDO U2F public key cryptography. Today, you can use YubiKey’s NFC feature with password manager LastPass (OTP) and development platform GitHub (U2F).

In parallel, Yubico engineers and other members of the FIDO Alliance are finalizing specifications and certification testing tools for U2F over Bluetooth transport. Challenges in pairing and security with Bluetooth have delayed progress, but we expect certification testing before June and to see certified U2F-over-Bluetooth authenticators later this year.

While the majority of enterprises will continue to access sensitive applications and resources from hard-wired laptops and desktops, secured mobile computing is the new carrot.

Mobile devices have become a de-facto connecting point, having moved from a demand to an expectation, and they are opening an array of new use cases and security questions. We are committing resources to stay in front of these use cases and minimize security issues.

These efforts are helping drive independent groups working on identity, authentication, and authorization standards, such as the OpenID Foundation (OpenID Connect), the IETF (OAuth 2.0), and the FIDO Alliance, to seek richer capabilities by combining their work. YubiKey is no stranger to this trend toward open protocols and open standards, given our ongoing commitments in this area.

All this is happening as mobile, protocols, and strong authentication are seeking the benefits of standards work. This convergence will produce the technologies that keep mobile users and their applications safe on their devices.

Stina Ehrensvard

An Open Internet Is The Only Way

Many years ago, when I first logged on to the internet, I was struck by something that may be described as a spiritual experience. Here was this place, where we were all connected, containing endless information for all of us to tap into.

Later, I realized that we cannot take this great human experience for granted. As security hacks have increased, some governments and commercial forces have used the security threat as an opportunity to demand control of user data, bandwidth, and privacy, justifying the actions as a way for the “good guys to control the bad.”

But who can determine who is good or bad in the long term? The answer is that nobody can. And therefore, any control must be considered as bad. The internet needs to stay open. It is just how it has to be.

Yubico’s contributions to a future open internet are only smaller components in the bigger ecosystem. But they are not less important. With simple, open, and low-cost authentication and encryption technologies, we encourage individuals and organizations to own and control their own online credentials, including encryption secrets and the personal data tied to their online identity.

We are also honored to have many of the leading non-profit organizations dedicated to an open internet using our products, including Freedom of the Press, EFF, and The ISC Project, which we presented in a recent case study. Because the Yubico team also strongly supports their work, Yubico often donates or discounts YubiKeys to organizations in this field.

Our open internet is experiencing challenges, but there are solutions. We are not letting fraudsters, governments, or commercial interests limit the potential of what the internet is and what it can be!

YubiNews April 2016
Jerrod Chong

Yubico, Centrify Align On Authentication Versatility

Versatility is a theme that has emerged with the YubiKey, whether it’s support for Personal Identity Verification (PIV)-based capabilities, one-time passwords (OTP), or mobile authentication.

These authentication options are attractive to users and businesses because they’re contained in a single YubiKey that solves multiple use cases, simplifies user training, and improves security.

Our partner Centrify offers the same sort of flexibility and is the first identity and access management (IAM) platform to support smart card PIV, OTPs, and mobile authentication using a YubiKey.

Centrify’s Identity Service offers administrators and users single sign-on (SSO), adaptive authentication, and strong multi-factor authentication options – the newest being support for YubiKey. Centrify adds management features on their end, including enrollment, per-app policies and enforcement, and context-based multi-factor authentication across users, apps and servers. The Identity Service bridges old, new, and cloud systems, along with multiple operating systems.

YubiKey’s support for PIV, the smart card standard that satisfies identification requirements for federal employees, means PIV credentials can be loaded onto the key, which puts them in a new smart card form factor and eliminates the need for cumbersome card readers.

YubiKey PIV capabilities used for Active Directory-based logins to Mac OS X and Linux platforms also adhere to National Institute of Standards and Technology (NIST) requirements. And the smart card features support login to Centrify’s cloud service for SSO, secure remote access, or administration features.

With YubiKey’s support for Near Field Communication (NFC), a simple tap of the key against an NFC-enabled mobile device authenticates a user to apps and servers. OATH-HOTP support in the Centrify Identity Service lets organizations use a YubiKey configured with an OTP when a smart card-enabled environment is not available.

“Because it is so hard to secure the things that are outside your control like apps, users, and devices, let’s call for multi-factor authentication wherever you need it,” said Ben Rice, Centrify’s Vice President of Worldwide Business Development.

Next month, Yubico and Centrify will host a webinar that goes deeper into the capabilities and possibilities offered by the combination of their technologies. Registration is now open.

YubiNews April 2016
Ronnie Manning

YubiKey Gets SC Magazine Five-Star Recognition

“Weaknesses: None.” When someone reviews your product, that’s a nice way for the write-up to start.

Earlier this month, SC Magazine gave YubiKey 4 a five-star rating and tagged it a Best Buy in authentication. We don’t spend a lot of time patting ourselves on the back, but this honor recognizes goals we have always strived to achieve: versatility, reliability, ruggedness, low-cost, open source compatibility, ease-of-use.

And for many, it might seem unfair when a reviewer runs over your tech product with their car, but during this review that actually happened in the course of evaluating the key’s durability. And guess what, the YubiKey brushed off a bit of asphalt and kept on authenticating.

“Every organization considering two-factor authentication should have a very close look at YubiKey,” Peter Stephenson wrote in his review. “The YubiKey 4 is slick and, while it has not changed materially over the years, it has added some new features and has become more reliable, if that was possible.”

Stephenson’s review lays out some of what we think are our best qualities: those that show we have the ability not only to adapt to the security pressures exerted by modern authentication requirements, but to serve a wide range of use cases and end-user technical abilities.

From static passwords, to OTPs to FIDO U2F support, the YubiKey includes a range of features that also extends to encryption and code-signing. During the coming year, we’ll be adding more new cool features, so stay tuned! Thank you SC Magazine for the recognition! And to the rest of you, check out the full review!

John Fontana

GitHub Verify Feature Strengthens YubiKey Value

Oftentimes, it’s the little things in life that bring the most satisfaction.

For GitHub users, a shiny new “little thing” is available today. New “Verified” checkmarks in the Web interface document that commits are signed with GPG keys, which ensures the integrity of the code. No more downloading code from GitHub to verify commit signatures.

And, as always, those GPG signing operations can be done with a YubiKey 4 or YubiKey NEO in either of the two form factors.

Signing your work has not been a top feature of Git, even though it ensures data is coming from a trusted source.

With code, integrity is everything. And now GitHub is providing visual audit cues to ensure integrity with just a quick glance. Nothing else has changed in the way either GitHub or YubiKey function, but life just got a little easier. Or as our own devs say, “it’s a quality of life improvement.”

Back in October, GitHub added support for the FIDO Alliance’s Universal 2nd Factor, adding yet another option for strong authentication to their platform and bringing YubiKey owners into the fold. Today signals another platform improvement that is immediately available to YubiKey owners.

Need to figure out how to sign your work using Git and a YubiKey?

We have prepared a tutorial of sorts to walk you through the setup, signing, and verifying tags and commits (with a little merge and pushing thrown in).

Lately, we have been using the word versatility to define Yubico’s concept of modern security and strong authentication. And we’ve been proving it with YubiKey support among partners such as Dashlane, Centrify, Docker, Dropbox, Google, Okta, and, most recently, the UK government and Digidentity.

GitHub is another example, offering developers a set of authentication and content signing features. In conjunction, Yubico is offering GitHub users a 20% discount on the YubiKey.

There isn’t a silver bullet for security and strong authentication. Progress is measured in stages, and innovation adds up in tangible increments. Some gains are smaller than others, but to Yubico, they all help us build a stronger and more secure Internet.

John Fontana

UK First Government To Offer U2F-Secured Digital ID

The UK has spent the past five years on a digital transformation that is setting a world standard for how citizens securely interact with government online services.

The UK’s Government Digital Service (GDS), which came online in 2011, will add in a few weeks a new verification service called GOV.UK Verify to this impressive project.

Digidentity is one of the original identity providers (IdP) for GOV.UK Verify and will offer support for the YubiKey and the Universal 2nd Factor (U2F) protocol. UK citizens can now use a YubiKey as a second authentication factor to access their Digidentity accounts, while the country rolls out the first government service in the world to support U2F.

This is an important milestone for both citizens and governments looking to leverage identity data to secure services while safeguarding privacy. The combination of secure authentication and federation/single sign-on is required for digital services to scale.

GOV.UK Verify uses a host of identity providers who validate a citizen’s personal data, store that data, and verify the user is who they say they are when they attempt to access government digital services. The IdPs are part of an identity federation established as part of GDS.

The GOV.UK Verify program has been running in beta for the past 18 months. The program supports 13 services spread over five government departments, but it will have 50 services and 10 departments signed up when GOV.UK Verify goes live in early April. The service will support 90% of the UK’s adult population, according to the UK government.

“UK citizens can easily purchase a FIDO U2F device online and register it with Digidentity,” says Marcel Wendt, Digidentity CTO and co-founder. “With a quick online process, the user’s identity is verified and tied to the U2F device, and the data is encrypted to safeguard a user’s privacy.”

Today, verifying identity is mostly done via manual processes, such as asking people to send identity evidence via snail mail or show ID in-person at a counter service. Those are cumbersome and time-consuming tasks for people needing access to online services using their digital identity credentials.

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F YubiKey device into their computer’s USB port, and then touches the device. There are no drivers or client software to install. Later this year, U2F authentication via Near Field Communication (NFC) and Bluetooth will be supported by Digidentity for secure login from mobile devices.

Digidentity’s ground-breaking IdP service with strong authentication is another example of how Yubico helps secure online identities and innovates to make those identities easier to use and available to everyone.

Ronnie Manning

Versatility, Partners Showcased At RSA

Versatility.

It’s a word that defines Yubico’s concept of modern security and strong authentication, which describes one YubiKey for many protocols and applications.

Single-purpose tokens have come and (nearly) gone, replaced by new solutions that support multiple enterprise and consumer devices and use cases, and strengthen access controls. Yubico is at the forefront of this evolution.

At this week’s RSA Conference, we are working with partners Dashlane and Centrify to showcase YubiKey’s versatility (you can find us at Booth #N4909).

Dashlane is adding strong authentication to its password manager platform based on FIDO’s Universal 2nd Factor (U2F) standard. Dashlane is the first consumer product implementing the protocol in a non-browser environment. This deployment shows the versatility of U2F to adapt to different environments — web, enterprise, and mobile.

Today, U2F is one of the two most popular second-factor YubiKey choices, along with one-time passwords. But there is much more that the YubiKey can do in terms of authentication and security.

Centrify is taking advantage of YubiKey’s ability to support multiple authentication protocols on a single key, addressing enterprise identity management needs across cloud, mobile, and on-premises environments.

Centrify is the first identity management platform to support YubiKey smart card capabilities (PIV) in the cloud and Active Directory-based computer login to Windows, Mac OS X, and Linux. Centrify also supports OATH one-time passwords implemented by YubiKey and plans to add YubiKey’s Near Field Communication (NFC) function to support mobile authentication.

In addition to activities with Dashlane and Centrify, Yubico will demo at RSA a U2F-supported mobile login to GitHub and participate in YubiKey giveaways by our partners Okta, EgoSecure, and Duo Security. Finally, listen for Yubico’s name to be called when the SC Awards’ Trust Award for “Best Authentication Solution” is handed out, and be sure to attend the Non-Profits on the Loose reception that we’re sponsoring on Tuesday night.

Versatile, indeed.

We hope to see you in San Francisco.

John Fontana

Google publishes two-year study on use of FIDO U2F Security Keys

Key words often associated with two-factor authentication focus on simplicity, privacy, and security. Those words, however, are broad terms that need definition in order for consumers and enterprises to form opinions and make educated buying choices.

FIDO Universal Second Factor (U2F) is no different, so Google recently published a research paper titled “Security Keys: Practical Cryptographic Second Factors for the Modern Web” to quantify the benefits the internet giant found in using U2F-based two-factor authentication.

The paper outlines Google’s use of FIDO U2F-based Security Keys, manufactured by Yubico, to harden security, improve user satisfaction, and cut support costs.

This data is far from anecdotal. It represents two years of research. The results, as compared to other two-factor authentication schemes tested by Google, showed the Security Key is simple to implement and deploy, easy to use, preserves privacy, and is secure against attackers.

Here are some eye-opening conclusions from Google’s research on its Security Key rollout:

  • Users reduced, by nearly two-thirds, the time to authenticate with a Security Key as opposed to an OTP via SMS. Most of that time is based on the efficiency of the user since authentication executes in milliseconds.
  • In Google’s rollout, authentication failures fell to zero. The company’s support department estimates the switch from OTP tokens to Security Keys saved thousands of hours per year in cost. These efficiencies allowed Google to give each employee two Security Keys and still realize overall cost reductions.
  • Security Keys met other Google requirements that mandated simple APIs for developers, no user tracking, no identifiable user information on the token, as well as protection against password reuse, phishing and man-in-the-middle attacks.
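To make concrete why a U2F assertion resists phishing, replay and token cloning, here is an added Go model of the relying-party checks (this is illustration code, not Google’s, Yubico’s or any U2F library’s): the browser stamps the origin into the client data, the service issues a fresh challenge, the token signs the U2F authentication layout with a rising counter, and the service rejects anything that does not line up. The service origins, the phishing origin and the challenge handling are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// ClientData is what the browser hands the token to sign; origin is set by the browser, not the page.
type ClientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Token stands in for one registered U2F key pair and its signature counter.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// signedData lays out the bytes a U2F token signs when authenticating:
// SHA-256(appID) || presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedData(appID string, presence byte, counter uint32, clientDataJSON []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	out := append(append([]byte{}, appHash[:]...), presence, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(out[33:], counter)
	return append(out, cdHash[:]...)
}

// Authenticate models the touch: bump the counter, assert presence (0x01), sign.
func (t *Token) Authenticate(appID string, clientDataJSON []byte) (uint32, []byte, error) {
	t.counter++
	digest := sha256.Sum256(signedData(appID, 0x01, t.counter, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return t.counter, sig, err
}

// RelyingParty is all a service stores per key: public key, last counter, pending challenge.
type RelyingParty struct {
	AppID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	pending     string
}

// NewChallenge issues a fresh random challenge that Verify later consumes.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	rp.pending = fmt.Sprintf("%x", b)
	return rp.pending
}

// Verify does the server-side checks behind U2F's phishing, replay and clone resistance.
func (rp *RelyingParty) Verify(clientDataJSON []byte, counter uint32, sig []byte) error {
	var cd ClientData
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Typ != "navigator.id.getAssertion" ||
		cd.Challenge == "" || cd.Challenge != rp.pending {
		return fmt.Errorf("client data malformed or challenge %q not outstanding (replay?)", cd.Challenge)
	}
	if cd.Origin != rp.AppID {
		return fmt.Errorf("origin %s is not app ID %s (phishing relay)", cd.Origin, rp.AppID)
	}
	if counter <= rp.lastCounter {
		return fmt.Errorf("counter %d not above %d: possible cloned token", counter, rp.lastCounter)
	}
	digest := sha256.Sum256(signedData(rp.AppID, 0x01, counter, clientDataJSON))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify")
	}
	rp.pending, rp.lastCounter = "", counter
	return nil
}

// browserSign models the client: it stamps its own origin into the client data and the app ID.
func browserSign(tok *Token, origin, challenge string) ([]byte, uint32, []byte, error) {
	cdj, _ := json.Marshal(ClientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	ctr, sig, err := tok.Authenticate(origin, cdj)
	return cdj, ctr, sig, err
}

// Scenario registers one token with the constructed service "https://example.test" and returns the
// results of a genuine login, a replay of it, and a relay from the phishing origin "https://example-login.test".
func Scenario() (legit, replay, phish error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok := &Token{priv: priv}
	rp := &RelyingParty{AppID: "https://example.test", pub: &priv.PublicKey}
	cdj, ctr, sig, _ := browserSign(tok, rp.AppID, rp.NewChallenge())
	legit = rp.Verify(cdj, ctr, sig)
	replay = rp.Verify(cdj, ctr, sig) // same bytes again: challenge already consumed
	cdj, ctr, sig, _ = browserSign(tok, "https://example-login.test", rp.NewChallenge())
	phish = rp.Verify(cdj, ctr, sig) // wrong origin; the signature also covers the wrong app ID hash
	return legit, replay, phish
}
```

Note that the token never learns the origin as text and holds no secret shared with the service, which is why one key can be registered with many services without linking them.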

To date, the devices have been deployed to 50,000 employees, and Google reports “our users have been very happy with the switch: we received many instances of unsolicited positive feedback.”

Other technologies referenced and reviewed by Google included OTPs, mobile phones, smart cards, TLS client certificates, and national ID cards. Their research includes a comparison chart of second-factor options based on a respected usability framework published in 2012 by another group of researchers led by Joseph Bonneau, currently a researcher at the Applied Crypto Group at Stanford University.

The paper also spends a significant number of pages describing the technical underpinnings of Security Keys and how they relate to the larger concepts of simplicity, privacy and security.

Research conclusions point to immediate gain from Security Key deployments, but the findings are being offered as a starting point. “We hope this paper serves as an academic foundation to study and improve Security Keys going forward,” Google wrote.

In addition to those stats, Google has publicly presented other figures that compare Google Authenticator and Security Key. Google studies show the Security Key login process was four times faster compared to Google Authenticator (their mobile authentication app), and that use of U2F and public key crypto results in significant fraud reduction.

John Fontana

YubiKey Flexibility Satisfies Okta Needs

Our partner, Okta, is anticipating that strong authentication adoption in 2016 on its cloud identity platform will eclipse the 40% increase it recorded in 2015. We salute Okta’s hard work and innovation now that it has officially released YubiKey support.

Okta landed on YubiKeys to solve specific accessibility issues for its customers, specifically those who don’t have access or privileges to use mobile devices at work.

This is one important distinction that Yubico identifies when comparing the YubiKey to authentication via a mobile phone. Other significant distinctions of the YubiKey include better security, cost savings, efficiency and durability.

Mobile devices rely on downloaded authentication software, which can be vulnerable to malware. A device that is not connected to the internet always offers superior security. YubiKeys present cost savings over mobile devices by allowing multiple backup devices as opposed to dependency on a single phone. YubiKey authentication is faster because the need to access an app or type in codes is eliminated. And the durable YubiKey works without the need for batteries.

The YubiKey, however, also satisfies pure mobile use cases with support for Near Field Communication (NFC), as well as standards such as U2F over NFC and OTP.

The YubiKey works with Android, Windows, and other devices by just tapping it against the NFC-enabled device. Services that have made support for the NFC-enabled YubiKey include password manager Lastpass (OTP) and GitHub (U2F).

This versatility distinguishes the YubiKey from other hard tokens, and allows for a single YubiKey to support multiple protocols and use cases. This means flexibility for companies wanting to increase security within their enterprise.

From an enterprise and service provider perspective, strong authentication isn’t one-size-fits-all. There are many use cases and each demands a specific level of security and access. That’s why a YubiKey doesn’t rely on just one protocol or even focus solely on authentication. YubiKey functions such as touch-to-sign provide data integrity and security options beyond pure authentication.

Yubico’s work with Okta exposes just one of the YubiKey’s functions. In fact, LinkedIn was one Okta customer that rolled out the YubiKey using Yubico OTP as a second-factor.

Learn more about YubiKey’s versatility, and our partnership with Okta.

Olivier Sicco

OTP vs. U2F: Strong To Stronger

At Yubico, we are often asked why we are so dedicated to bringing the FIDO U2F open authentication standard to life when our YubiKeys already support the OATH OTP standard. Our quick answer is that we will always provide multiple authentication options to address multiple use cases. Regarding U2F and OTP, we think both have unique qualities.

OTP

The one-time password (OTP) is a very smart concept. It provides a strong level of protection to hundreds of millions of accounts, and has been implemented for decades. Its popularity comes from its simplicity. On top of a static user name/password credential, a user adds another authentication factor — one that is dynamically generated. By definition, this OTP credential is valid for only one login before it becomes obsolete.

OTPs are delivered in many ways, usually via an object the user carries with him, such as his mobile phone (using SMS or an app), a token with an LCD-display, or a YubiKey. OTP technology is compatible with all major platforms (desktop, laptop, mobile) and legacy environments, making it a very popular choice among second-factor protocols.

As good as it is, traditional OTP has limitations.

  • Users need to type codes during their login process.
  • Manufacturers often possess the seed value of the tokens.
  • Administrative overhead resulting from having to set up and provision devices for users.
  • The technology requires the storage of secrets on servers, providing a single point of attack.

Yubico’s OTP implementation solves some of those issues.

  • The user never has to type a code; instead he just touches a button.
  • Enterprises can configure their own encryption secrets on a YubiKey, which means no one else ever sees those secrets.
  • OTPs generated by a YubiKey are significantly longer than those requiring user input (32 characters vs 6 or 8 characters), which means a higher level of security.
  • YubiKeys allow enrollment by the user, which reduces administrative overhead.
  • It is easy to implement with any existing website with no client software needed.
  • For the OATH standard, Yubico uniquely offers a token prefix that can be used for identity, simplifying enrollment and user experience.

The remaining issues, however, are phishing and man-in-the-middle attacks, the most infamous assaults that defeat OTP technology. The theory is quite simple: the hacker sets up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters his information (user name, password, and even his one-time password), it is immediately intercepted by the hacker and used to access the victim’s account.

It is difficult to pull off, especially against security-aware users who may notice the strange behavior of the fake site, yet it can be done and is, nowadays, one of the more popular attacks.

FIDO U2F

The increasing sophistication of attacks against OTP schemes was a motivating factor in the development of the FIDO U2F protocol.

The U2F protocol involves the client in the authentication process (for example, when logging in to a web application, the web browser is the client). When a user registers a U2F device with an online service, a public/private key pair is generated.

After registration, when the user attempts to log in, the service provider sends a challenge to the client. The client compiles information about the source of the challenge, among other information. This is signed by the U2F device (using the private key) and sent back to the server (service provider).

Real-time challenge-response schemes like U2F address OTP vulnerabilities such as phishing and various forms of man-in-the-middle attacks. As the legitimate server is issuing the challenge, if a rogue site or middle-man manipulates the flow, the server will detect an abnormality in the response and deny the transaction.
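The registration and challenge-response flow just described, as an added example in Go that is not Yubico’s code or any U2F library: a simulated token, client and service, with constructed app ID, origin and challenge values. It shows why a response to a genuine challenge that was relayed through a look-alike origin fails the service’s verification even though the real device signed it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
)

// ClientData is what the client (browser) wraps around the server's challenge: the
// challenge itself plus the origin the page was actually loaded from.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// digest hashes the U2F signature input SHA-256(appID) || counter || SHA-256(clientData).
func digest(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(app[:], 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[32:], counter)
	h := sha256.Sum256(append(msg, cd[:]...))
	return h[:]
}

// Authenticate is the device's touch-to-sign step with the key pair generated at
// registration; the device never inspects the origin itself.
func Authenticate(key *ecdsa.PrivateKey, appID string, counter uint32, clientData []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest(appID, counter, clientData))
	return sig
}

// Verify is the service's check: the origin and challenge inside clientData must be its
// own, and the signature must verify under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, appID, origin, challenge string, counter uint32, clientData, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(clientData, &cd) != nil || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(appID, counter, clientData), sig)
}

// Demo: a legitimate login is accepted, while the same challenge answered from a
// look-alike origin is rejected even though the genuine device signed it.
func Demo() (legit, relayed bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)           // registration: fresh key pair
	app, chal := "https://example.com", "constructed-random-challenge" // constructed sample values
	good, _ := json.Marshal(ClientData{chal, app})
	bad, _ := json.Marshal(ClientData{chal, "https://examp1e.com"})
	return Verify(&key.PublicKey, app, app, chal, 1, good, Authenticate(key, app, 1, good)),
		Verify(&key.PublicKey, app, app, chal, 2, bad, Authenticate(key, app, 2, bad))
}
```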

Advantages of U2F include:

  • Strong security from public key cryptography.
  • Easy to use with no codes to re-type and no drivers to install.
  • High privacy so that no personal information is associated with a key.
  • Unlimited usage in that an unlimited number of accounts can be protected by one single device.

With all of these great benefits, why isn’t FIDO U2F implemented in more large scale services beyond Google, Dropbox, and GitHub? One reason is that the Chrome browser is the only available client. We expect Mozilla Firefox support during the Spring and two more browsers later this year, which will make U2F available to the vast majority of internet users. Also, it takes time to drive new global standards, and U2F’s technical specifications were made available just a year ago.

If you are thinking about improving strong authentication for your service, OTP is a good start, but FIDO U2F should definitely be on your radar. Here are a few useful links:

Stina Ehrensvard

YubiKeys Extend Innovation In Education


Stoking technology’s fire has historically been a job for the education sector, from universities involved in early ARPANET testing, to the first popular web browser from student Marc Andreessen, and the curious Apple 1 computers that took root in primary and secondary schools.

Today, education faces the same security threats as commercial sectors, with sensitive data being compromised for staff, students, and researchers. As with the enterprise, the most common attack vector is a static password. To mitigate this risk, more than 1,000 schools around the world are using YubiKeys, with 450 of those being higher education institutions.

Many of the schools that have deployed YubiKeys also embrace open standards and open source server software, which is also supported in leading platforms and services.

For example, the smart card/PIV functionality of the YubiKey enables easy and secure login to Microsoft Windows, Linux and Mac OS X computers. Popular authentication and identity services — such as Duo and PING — have added support for YubiKeys through the open source protocols OATH and Yubico OTP. And Dropbox, GitHub, and Google Apps for Education (expected to top 110 million users in the next four years) work immediately out-of-the-box with U2F-powered YubiKeys.

Since 2003, hundreds of universities have secured access controls with Shibboleth, an architecture and open-source implementation for federated identity management and single sign-on based on the Security Assertion Markup Language (SAML). Now, an open source, U2F plug-in for Shibboleth is available on GitHub, promising secure authentication based on U2F public key cryptography.

The future of strong authentication is here today. It’s based on open standards, and leveraged by easy-to-use, affordable devices that users own and control, such as the YubiKey. To further grow adoption among the next generation of leaders, Yubico is offering a limited-time discount for educational institutions on trays of 50 YubiKey 4s or YubiKey 4 Nanos — our latest generation YubiKey.

To learn more about YubiKeys for Education, join our Webinar on Feb. 16.