Stina Ehrensvard

Google Extends Multi-Factor Options With Prompt

Google yesterday released a third option for its two-step verification, complementing the Google Authenticator phone app and FIDO U2F Security Keys.

Google Prompt is a push app for mobile authentication, similar to two-factor push solutions offered by others like Duo Security. There is no authentication solution that fits everyone’s needs, and Prompt has both advantages and challenges.

Advantages

  • Free software to download/update on a smartphone, no additional device needed
  • Allows moving from two-factor to a true multi-factor offering
  • Much easier than typing a code or PIN from Google Authenticator

Challenges

  • Requires a data connection
  • Does not protect against phishing and man-in-the-middle attacks
  • Does not work with non-Google services
  • Some organizations do not allow users to bring their phone to work
  • Support and backup issues when the user’s phone (a single, expensive authenticator) is lost, broken, or has a dead battery
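The phishing and man-in-the-middle bullet is the one that separates the two approaches: a push approval only asks “is this you?”, and nothing in the answer ties it to the site the user is actually looking at, whereas a U2F Security Key signs over the origin the browser saw. The following is an added example, not code from Google, Yubico or the FIDO specifications, that models both halves of a U2F login in Go with constructed keys, challenges and origins (https://example.test and the look-alike https://examp1e.test are assumptions) and shows the relying party rejecting an assertion that was relayed from the wrong origin:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// ClientData is filled in by the browser, never by the page: the relying
// party's challenge plus the origin the page was actually loaded from.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back to whichever site asked for it.
type Assertion struct {
	ClientDataJSON []byte
	Counter        uint32
	Signature      []byte
}

// signedBytes is the U2F authentication signature input:
// SHA-256(appID) || user-presence byte || 4-byte counter || SHA-256(clientData).
func signedBytes(appID string, counter uint32, clientDataJSON []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	buf := append(appHash[:], 0x01) // 0x01: user presence confirmed by the touch
	buf = binary.BigEndian.AppendUint32(buf, counter)
	return append(buf, cdHash[:]...)
}

// Authenticator models a security key: one key pair registered for one appID.
// It never sees the page; it signs whatever origin the browser recorded.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func (a *Authenticator) Sign(appID, challenge, browserOrigin string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	a.counter++
	digest := sha256.Sum256(signedBytes(appID, a.counter, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return Assertion{ClientDataJSON: cd, Counter: a.counter, Signature: sig}, err
}

// RelyingParty is the genuine service: its own origin, the registered public
// key and the last counter it accepted.
type RelyingParty struct {
	appID, origin string
	pub           *ecdsa.PublicKey
	lastCounter   uint32
}

// Verify is the check that makes U2F phishing-resistant: the origin is part of
// the signed data, so an assertion obtained on a look-alike site cannot be
// altered to look like one made on the real site.
func (rp *RelyingParty) Verify(expectedChallenge string, as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("malformed client data: %w", err)
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.origin)
	}
	if cd.Challenge != expectedChallenge {
		return fmt.Errorf("challenge mismatch (replay or wrong session)")
	}
	if as.Counter <= rp.lastCounter {
		return fmt.Errorf("counter did not increase (possible cloned key)")
	}
	digest := sha256.Sum256(signedBytes(rp.appID, as.Counter, as.ClientDataJSON))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	rp.lastCounter = as.Counter
	return nil
}

// PhishingOutcome registers a constructed key with a constructed service, then
// plays a genuine login and a relayed one in which a look-alike page at another
// origin forwards the service's real challenge. Browsers refuse the relayed
// request even earlier (the appID must match the origin); the signature check
// is the server's own backstop. A Sign failure surfaces through Verify.
func PhishingOutcome() (genuineErr, relayedErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	key := &Authenticator{priv: priv}
	rp := &RelyingParty{appID: "https://example.test", origin: "https://example.test", pub: &priv.PublicKey}
	as, _ := key.Sign(rp.appID, "constructed-challenge-1", rp.origin)
	genuineErr = rp.Verify("constructed-challenge-1", as)
	as, _ = key.Sign(rp.appID, "constructed-challenge-2", "https://examp1e.test")
	relayedErr = rp.Verify("constructed-challenge-2", as)
	return genuineErr, relayedErr
}

func main() {
	fmt.Println(PhishingOutcome())
}
```

The layout of the signed bytes (application parameter, user-presence byte, counter, client-data hash) follows the U2F raw message format; the counter check is the detail that lets a service notice a cloned key, which a push approval also has no equivalent of.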

Currently, users can’t have Security Keys and Google Prompt enabled at the same time. We expect this will change soon, as Prompt is a better phone-based complement to the Security Key than Google Authenticator.

Google has spent the past five years building its strong authentication strategy; Prompt is the latest piece of that plan, which also includes multiple protocols, cross-platform support, and administrative tools. Prompt is an attempt to match capabilities already available in the identity and access management market, such as Okta Verify, Centrify Push, and PingID Swipe.

Google’s ultimate goal is to build an identity-as-a-service (IDaaS) for enterprises, including a host of federation options (SAML, OIDC), and management tools such as mobile device management and provisioning, which is currently being tested by Salesforce, Slack, and Facebook at Work. Google discussed this IDaaS plan in early June at the Cloud Identity Summit with focus on Google IDP, Firebase Auth, and customer facing login.

Management of the identity and authentication ecosystem is an absolute requirement for the enterprise and we applaud Google’s efforts here. Strong authentication isn’t one method used everywhere — it’s a combination of options matched to use cases. Currently, FIDO U2F Security Keys, including YubiKeys, are proven to offer higher security, a faster login experience, and fewer support calls than any other authentication technology on the market.

YubiKey users can have one single and simple key to access a wide range of IT applications, including computers, servers, networks, leading online services and IAM platforms, as well as to sign and encrypt data.

Updated July 24, 2016 to clarify phishing, man-in-the-middle challenge

Jakob Ehrensvärd

YubiKey, U2F Tracking Bluetooth Maturity

At Yubico, we have been experimenting and innovating for a long time with additional YubiKey interface options, like Bluetooth Classic and Bluetooth Smart. Once the Bluetooth work stream was formed within FIDO U2F, we were active in completing the specification. We have passed the FIDO U2F BLE interoperability tests, and are happy to report that this week FIDO awarded us our BLE certification.

However, Bluetooth comprises several practical challenges that make it tough to incorporate the product design, security lineage and user experience one would expect from a YubiKey. We have tested a few different designs with user groups and are now proud to deploy the latest version of YubiKey BLE into initial pilot projects.

Although we’re both proud and excited about this new wireless solution, we do want to share some of the practicalities we will continue to improve on, both for our own product and within the scope of the FIDO Alliance.

  • Bluetooth pairing is the most critical function from a user experience point of view. Although it is perfectly understandable from an engineering perspective, the pairing can be highly confusing for the user. Whereas USB and NFC devices are “connect by intent” by their very nature, Bluetooth devices can have up to 30 meters of range. Since this is a security product, as a user you want to be certain you are communicating with the correct endpoint.
  • Device and operating system compatibility issues. Bluetooth has evolved over a long period of time, and early versions of iOS and many Android flavors today still have aging BLE implementations with user interface issues. While support in audio and peripherals is common, mobile devices and operating systems embedding Bluetooth have been slow to support security centric protocols and devices. U2F Bluetooth devices rely on the most recent version of the standard, known as Bluetooth Low Energy, a.k.a. BLE, but there are still major platforms that have either inadequate or limited support. Over time this issue goes away, but today it is at the heart of some design and implementation challenges.
  • Battery life. Bluetooth devices require batteries; YubiKeys do not, which is a signature trait of our products and allows for a practically unlimited lifetime and shelf life. The Bluetooth battery requirement provides a number of design challenges around usability and regulatory issues, such as product safety, environmental concerns, disposal, and logistics.
  • Radio regulatory issues. Although Bluetooth works in an open radio spectrum, devices that emit radio frequency do have to pass certain certifications. This is a complex procedure and is unfortunately tied to geographic regions.

In summary, we are selectively releasing the YubiKey BLE into specific pilots. As platform support matures during the second half of 2017, we will increase the pace of our Bluetooth certifications. Stay tuned and once the entire ecosystem is ready for prime-time, we are too.

Klas Lindfors

YubiKey 4 has fresh look, attestation capabilities

The smallest YubiKey 4 is getting a facelift, and both form factors have new trust capabilities that validate device type, manufacturer, and generated key material.

The new YubiKey 4 Nano takes on a “molded” form factor (see above), which makes it impossible to insert the Nano in backwards, and provides a waterproof environment.

The YubiKey 4 and YubiKey 4 Nano firmware have been upgraded with a “touch-policy cache,” which simplifies and strengthens smart card use in Microsoft Windows login by letting the cached touch policy augment or replace a PIN.

But perhaps most important, both YubiKey form factors have gained a new Personal Identity Verification (PIV) attestation capability that validates where the cryptographic keys were created and the attestation entity used to attest the key.

For example, when coupled with the PIV protocol, attestation shows where the PIV credential is generated and who attested the credential. With Secure Shell (SSH) login using a key pair generated by a YubiKey 4, attestation is used to sign and validate that a key pair was generated on hardware and that the key was manufactured by Yubico.

These validations are important to establish trust and to bind a user account to a credential on the hardware, and to do so with an easy-to-use device. Such operations are gaining popularity in the security community and ecosystem.

The need for higher levels of trust for specific operations means some companies and organizations can’t rely on just a software layer, but instead need a cryptographic device such as a hardware key.

On the YubiKey 4, attestation works via a special key slot called “f9” that comes pre-loaded with the attestation certificate signed by a Yubico CA. The slot can be overwritten by individual users, specifically provisioned for a customer rollout, or granularly provisioned per device.

Keys generated in a normal slot on the YubiKey are then “attested” by the key and certificate in the f9 slot. Attestation features are detailed in our Introduction to PIV Attestation. The YubiKey PIV Tool Command Line Guide explains how the tool interacts with the PIV application on a YubiKey. Similar attestation capabilities are found in Yubico’s implementation of the FIDO Universal 2nd Factor (U2F) protocol.
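What a server does with an attestation statement, as an added example in Go that is not Yubico’s tooling: the certificates are constructed stand-ins for the Yubico CA, the attestation certificate loaded in slot f9, and the certificate the f9 key issues for a key generated in a normal slot (9a here; slot names and certificate subjects are illustrative). The check is the one an enrolment service, for instance an SSH key registration, would run: the key being enrolled must be the key the attestation names, and the attestation must chain through f9 to a trusted root. The example also shows a key generated in software, with a home-made attestation chain, being refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for pub signed by signer (self-signed when
// parent is nil). isCA marks the root and the slot-f9 attestation certificate.
func issue(cn string, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Device stands in for one YubiKey (constructed, not Yubico's real CA): the
// vendor root, the attestation certificate in slot f9, and a key generated in
// slot 9a with the attestation certificate the f9 key signed for it.
type Device struct {
	Root, F9, Slot9a *x509.Certificate
	slot9aKey        *ecdsa.PrivateKey // never leaves a real device; only its public half is presented
}

func NewDevice() *Device {
	rootKey, f9Key, slotKey := newKey(), newKey(), newKey()
	root := issue("Constructed PIV Root CA", 1, &rootKey.PublicKey, nil, rootKey, true)
	f9 := issue("Constructed PIV Attestation (slot f9)", 2, &f9Key.PublicKey, root, rootKey, true)
	slot := issue("Constructed PIV Attestation 9a", 3, &slotKey.PublicKey, f9, f9Key, false)
	return &Device{Root: root, F9: f9, Slot9a: slot, slot9aKey: slotKey}
}

// VerifyAttestation is the server-side check: the presented key must be the
// one the attestation certificate names, and that certificate must chain via
// the f9 certificate to the trusted root.
func VerifyAttestation(root, f9, slotCert *x509.Certificate, presented *ecdsa.PublicKey) error {
	attested, ok := slotCert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !attested.Equal(presented) {
		return fmt.Errorf("presented key is not the key the attestation certifies")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(f9)
	_, err := slotCert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Outcomes runs three enrolment attempts against one constructed device.
func Outcomes() (genuine, wrongKey, unchained error) {
	d := NewDevice()
	genuine = VerifyAttestation(d.Root, d.F9, d.Slot9a, &d.slot9aKey.PublicKey)

	// Genuine certificates but a different key: the binding check fails.
	wrongKey = VerifyAttestation(d.Root, d.F9, d.Slot9a, &newKey().PublicKey)

	// A software-generated key with a home-made attestation chain: its "f9"
	// certificate was not issued by the trusted root, so the chain check fails.
	fakeF9Key, softKey := newKey(), newKey()
	fakeF9 := issue("Unrelated attestation CA", 10, &fakeF9Key.PublicKey, nil, fakeF9Key, true)
	softCert := issue("Attestation 9a", 11, &softKey.PublicKey, fakeF9, fakeF9Key, false)
	unchained = VerifyAttestation(d.Root, fakeF9, softCert, &softKey.PublicKey)
	return genuine, wrongKey, unchained
}

func main() {
	fmt.Println(Outcomes())
}
```

The order of the two checks matters in practice: a valid chain says only that some key on some genuine device was attested, so the key-equality test is what actually binds the enrolled credential to that device.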

The YubiKey 4 and YubiKey 4 Nano with the new YubiKey 4.3.1 firmware are available now from Amazon and the Yubico Store. Use the YubiKey Personalization Tool to identify the firmware version of your YubiKey.

Klas Lindfors is a Senior Software Developer at Yubico.

Ronnie Manning

Yubico CEO awarded KTH Great Prize

Yubico is proud to announce that our CEO and Founder, Stina Ehrensvärd, has been named the winner of the 2016 KTH Royal Institute of Technology Great Prize. Founded in 1827, KTH is Sweden’s first polytechnic university and is one of Scandinavia’s largest institutions of higher education in technology.


Yubico CEO and Founder, Stina Ehrensvärd, awarded 2016 KTH Great Prize

First awarded in 1945, the annual KTH Great Prize was founded and funded from the proceeds of a 1944 anonymous donation.

According to the sponsor of the award, the prize shall be presented to, “A person who, through epoch-making discoveries and the creation of new values and by ingenious applications of findings gained on the practical aspects of life, promotes Sweden’s continued material progress, or a person who by means of scientific research has discovered particularly valuable principles or methods which are useful for applications, which promote the above purpose, or a person who through artistic activities ‘exerts a powerful influence particularly on the spiritual life of her own people’.”

“Stina Ehrensvärd is a very worthy recipient of the KTH Great Prize,” said Peter Gudmundson, President of KTH. “A combination of innovation and entrepreneurship is key to meeting society’s challenges, for both Stina and for KTH. IT security is absolutely critical in our digitized world, and this is why Stina’s effort is significant.”

Stina is extremely honored and happily surprised by this honor, but stresses that credit for Yubico’s success is not hers alone. “It would not have been possible without my great team at Yubico. And a special thanks to Jakob Ehrensvärd, the company’s CTO, and my husband, whom I would have liked to share this prize with. It has been said that behind every successful man stands a strong woman. In our case it is the opposite, and it’s Jakob who developed most of the technology.”

When asked to give advice to the next generation of innovators, Stina said, “Inspiration and hard work are the secret. Find a solution to a real problem. If it makes you so happy that the idea of devoting several years to implement this solution, product or service makes it hard for you to sit still, then you’re probably on the right track. Surround yourself with a really good team that complements you. Think big. Listen to your gut.”

Stina says that joining the list of KTH Great Prize honorees is exciting and a little unreal. Previous winners include: Niklas Zennström, Co-founder of Skype; Daniel Ek, founder of Spotify; Robyn, pop singer and producer; Jan Uddenfeldt, contributor to the GSM standard; Gunilla Pontén, fashion designer; and Assar Gabrielsson, Co-founder of Volvo.


Jerrod Chong

Yubico Expands FIPS Security Certification

For the past two years, Yubico has executed on an aggressive strategy to validate its cryptographic devices against established federal standards.

The first YubiKey device was validated in 2014 (NIST cert #2267) and, last week, the YubiKey 4 began the National Institute of Standards and Technology (NIST) validation process for compliance with the Federal Information Processing Standard (FIPS) Publication 140-2.

Our objective is to achieve FIPS 140-2 at Level 2 overall and Level 3 physical security in order to meet the highest level of assurance at Level 4 for the electronic authentication guidelines outlined in NIST special publication 800-63-2.

Cryptography and encryption are important constructs for the security technology industry and its customers. FIPS 140-2 standards set requirements for handling sensitive but unclassified information and are mandated by law. FIPS 140-2 validation is required for US and Canadian government acquisition of products using cryptography, but many governments and commercial entities throughout the world also use this as a basis for selecting vendors and products.

Yubico’s customers requesting this certification include federal governments, state and local governments, healthcare, financial services, and federal contractors who routinely process, store, and transmit sensitive federal information using their own information systems. The protection of sensitive federal information while residing in non-federal information systems and organizations is of paramount importance to federal agencies because it can directly impact their ability to successfully carry out their missions and business operations.

Agencies, organizations, and the general public can review our progress through NIST’s Cryptographic Module Validation Program.

The YubiKey 4 validation is Yubico’s investment in the future of our cryptographic platform so enterprises and organizations can trust our devices and hardware to comply with federal regulations that meet their needs. Given that the YubiKey 4 was launched less than six months ago, we have been very aggressive with getting this device through certification. Our goal is to ensure that any company working with, or within, regulated industries will have full confidence that Yubico’s cryptographic tools meet the security industry’s highest standards.

YubiNews April 2016
Ronnie Manning

Webinar showcases Centrify’s ID platform, YubiKey support

Yubico’s partner Centrify has built one of the best showcases for the YubiKey’s multi-protocol versatility.

With support for Personal Identity Verification (PIV)-based capabilities, one-time passwords (OTP), and mobile authentication, Centrify is the first identity and access management (IAM) platform to support such a deep lineup of protocols using a YubiKey.

Centrify will detail and demo the multi-factor authentication options for its Identity Platform as part of a joint webinar hosted by Yubico. (Listen to the replay of the May 24, 2016 webinar.)

These authentication options are attractive to users and businesses because they’re contained in a single YubiKey that addresses multiple use cases, simplifies user training, and improves security. Centrify’s Identity Platform is the foundation for assigning multi-factor authentication policies across enterprise applications and resources. The platform also adds management features, including enrollment, per-app policies and enforcement, and context-based multi-factor authentication across users, apps and servers.

The YubiKey supports a number of scenarios:

  • Smart card Active Directory-based login to Mac OS X or Linux.
  • Smart card login to Centrify’s cloud service for Single Sign-On (SSO), secure remote access, or administration.
  • OATH-HOTP as a second factor for secure SSO to cloud apps.
  • OATH-HOTP for multi-factor authentication (MFA) to privilege elevation on servers.
  • Physical NFC token-based MFA for secure access to apps on mobile devices.
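Two of the scenarios above rely on OATH-HOTP, where the YubiKey emits a counter-based one-time code on each press. How the receiving server checks such a code, as an added example in Go that is neither Centrify’s nor Yubico’s code: the HOTP computation defined in RFC 4226 (HMAC-SHA-1 over the counter, dynamic truncation), plus the look-ahead window a verifier needs because every press advances the key’s counter whether or not the code reaches the server. The secret is the RFC 4226 test-vector key; the window size of 5 is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes the RFC 4226 value for one counter: HMAC-SHA-1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then the low `digits`
// decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server-side state for one enrolled token. HOTP is
// event-based: the server tracks the next counter it expects and tolerates a
// bounded number of skipped values, since every button press advances the
// token's counter whether or not the code reaches the server.
type Verifier struct {
	secret []byte
	next   uint64 // next counter value the server expects
	window uint64 // how far ahead of `next` a code may be (the look-ahead)
	digits int
}

// Check accepts a code only if it matches a counter in [next, next+window),
// then moves `next` past it, so an accepted code can never be replayed.
// hmac.Equal keeps the comparison constant-time.
func (v *Verifier) Check(code string) bool {
	for i := uint64(0); i < v.window; i++ {
		c := v.next + i
		if hmac.Equal([]byte(HOTP(v.secret, c, v.digits)), []byte(code)) {
			v.next = c + 1
			return true
		}
	}
	return false
}

// Scenario walks through the cases a verifier must handle, using the RFC 4226
// test-vector secret and a constructed window of 5.
func Scenario() (first, resync, replay, farAhead bool) {
	v := &Verifier{secret: []byte("12345678901234567890"), window: 5, digits: 6}
	first = v.Check(HOTP(v.secret, 0, 6))     // expected counter: accepted
	resync = v.Check(HOTP(v.secret, 3, 6))    // counters 1 and 2 were burned by idle presses: still accepted
	replay = v.Check(HOTP(v.secret, 3, 6))    // same code again: rejected
	farAhead = v.Check(HOTP(v.secret, 40, 6)) // beyond the window: rejected, needs an explicit resync
	return first, resync, replay, farAhead
}

func main() {
	fmt.Println(HOTP([]byte("12345678901234567890"), 0, 6)) // 755224 (RFC 4226 vector)
	fmt.Println(Scenario())
}
```

The window is the trade-off: too small and a user who pressed the key a few times without logging in is locked out; too large and an attacker who captured one code has a wider target. Keeping a separate, larger resync window that requires two consecutive codes is the usual answer to the last case.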

To learn more about these scenarios and to see them in action, join us for our joint webinar. Registration is free.

Jakob Ehrensvärd

Secure Hardware vs. Open Source

Recently there have been discussions regarding Yubico’s OpenPGP implementation on the YubiKey 4. While open source and security remains central to our mission, we think some clarifications and context around current OpenPGP support would be beneficial to explain what we are doing, why, and how it reflects our commitment to improved security and open source.

To start off, let me say that Yubico is a strong supporter of free and open source software (FOSS). We use it daily in the development of new products, and a large portion of our software projects are released as open source software — we have close to 100 projects available on GitHub. This includes libraries for interfacing or integrating with our devices, tools used for programming and customization, server software which supports our products, specifications for custom protocols, and many more. We believe strongly that this benefits the community, as well as Yubico.

Some basic facts:

  • The YubiKey hardware with its integral firmware has never been open sourced, whereas almost all of the supporting applications are open source.
  • The YubiKey NEO is a two-chip design. There is one “non-secure” USB interface controller and one secure crypto processor, which runs Java Card (JCOP 2.4.2 R1). There is a clear security boundary between these two chips. This platform is limited to RSA with key lengths up to 2048 bits and ECC up to 320 bits.
  • The YubiKey 4 is a single-chip design without a Java Card/Global Platform environment, featuring RSA with key lengths up to 4096 bits and ECC up to 521 bits. Yubico has developed the firmware from the ground up. These devices are loaded by Yubico and cannot be updated.
  • The OpenPGP applet for the YubiKey NEO was (and still is) published as open source.
  • When the  YubiKey NEO was released back in 2012, we had open (= known) card manager (CM) keys, allowing for applet management.
  • Since late 2013, we ship all NEOs with randomized card manager keys, which prevents applet management. So although the OpenPGP applet is available, users can’t load it on a NEO.
  • We do have a NEO developer program, where we allow custom applet development and key distribution.

There are quite a few reasons we’ve done it this way, but none of them represent a change in our commitment to a free, open internet. Here’s our thinking:

First, and most important in our decision-making, has been to move away from what we call “non-secure hardware” and into secure elements that are specifically designed for security applications and have passed at least Common Criteria EAL5+ certification.

The reason is simple — we have to provide security hardware that not only implements a cryptographic protocol correctly, but also physically protects key material and protects the cryptographic operations from leakage or modification. Over the past couple of years, many publications have provided evidence of various forms of intrusive and non-intrusive attacks against hardware devices (including the YubiKey 2). Much can be said (and has indeed been said) about this subject, but there is no question that this is a serious matter. Attacks varying from “chip-cloning” and “decapsulation and probing” to fault injection and passive side-channel analysis have shown that a large number of devices are vulnerable.

It’s important to understand what we mean by “secure hardware.” Secure hardware features a secure chip, which has built-in countermeasures to mitigate a long list of attacks. Standard microcontrollers lack these features. Built-in countermeasures make intrusive and non-intrusive attacks an order of magnitude more complicated to perform. Secure hardware relies on secure firmware, where additional firmware countermeasures are implemented to further strengthen the device against attacks.

Given these developments, we, as a product company, have taken a clear stand against implementations based on off-the-shelf components and further believe that something like a commercial-grade AVR or ARM controller is unfit to be used in a security product. In most cases, these controllers are easy to attack, from breaking in via a debug/JTAG/TAP port to probing memory contents. Various forms of fault injection and side-channel analysis are possible, sometimes allowing for a complete key recovery in a shockingly short period of time. In this specific context (fault injection and side-channel analysis), an open source strategy would provide little or no remedy to a serious and growing industry problem. One could say it actually works the other way. In fact, the attacker’s job becomes much easier, as the code to attack is fully known and the attacker has unrestricted access to the hardware. Without any built-in security countermeasures, the attacker can fully profile the behavior in a way that is impossible with a secure chip.

So — why not combine the best of two worlds then, i.e. using secure hardware in an open source design? There are a few problems with that:

  • There is an inverse relationship between making a chip open and achieving security certifications, such as Common Criteria. In order to achieve these higher levels of certifications, certain requirements are put on the final products and their use and available modes.
  • There are, in practice, only two major players providing secure silicon and none of their products/platforms are available on the open market for developers except in very large volumes.
  • Even for large volume orders, there is a highly bureaucratic process to even get started with these suppliers: procedures, non-disclosure agreements, secure access to datasheets, export control, licensing terms, IP, etc.
  • Since there is no debug port, embedded development becomes a matter of having an expensive emulator and special developer licenses, again available only under NDA.
  • Although this does not prevent the source code from being published, without the datasheets, security guidelines, and a platform for performing tests, the outcome is questionable, with little practical value.

Secure elements are still a small market compared with generic bread-and-butter microcontrollers. Given the high costs to achieve and maintain certification and the procedural hassle, it is quite easy to understand the current state of affairs.

Let’s for a moment return to the question of the YubiKey NEO and why we decided to remove the ability to manage the applets. As we began to produce the NEO in larger volumes, we had to make some tough choices:

  • With open card manager keys, the devices are open to potential denial-of-service attacks as well as someone replacing a known applet with a bogus one. What if a bad guy took your new NEO and overwrote the OpenPGP applet with an evil one, thereby providing a key back door? If you’re hardcore about security, you’d immediately set your own CM keys, locking out that possibility, but then how would we control who is capable of this and who we actually expose to a potential threat?
  • Devices with known keys become vulnerable to modifications when in transit.
  • We tried a scheme of randomizing keys and making them available for developers under certain conditions. The practical problems of authenticating users and securely distributing keys plus the paperwork needed made it impossible.
  • Given that the NXP toolchain and extended libraries for JCOP are not free and available, applet development becomes more a theoretical possibility than a practical one.

Although we had initially hoped to take a different approach to applet management, I believe we made the right decisions given our choices. We do provide a developer program, giving access to the full toolchain as well as open CM keys. We don’t charge for it, but given the paperwork required, we need to have a compelling business case in order to justify the effort.

I’d like to bring up another aspect when it comes to providing integrated products. With the YubiKey, we see the firmware being integral with the hardware and we take responsibility for the aggregated functionality. We have made a conscious decision not to provide any means for upgrading the firmware out in the field, in order to eliminate the chance a device could be modified by an attacker.

That means any device with a security issue is a lost device: if a problem is found, it brings returns, support for users moving their keys, destruction of the keys, and so on. In a “software-only” open source project, handling a serious issue like that could be as simple as issuing a security bulletin and pushing a fix.

Enterprise customers deploying at million-unit scale have engaged independent third parties to review our firmware source code and algorithm implementations, and we would consider this with others of a similar or larger scale (given the extensive load on our engineering team to support such analysis). Such analysis is restricted to the contracting parties.

The chain of trust for any security product is pivotal to understanding how to implement a secure scheme for the entire lifecycle from production to deployment. Again, using commercial, off-the-shelf components with open designs creates some very hard nuts to crack. What prevents your hardware or chip from being compromised in the first place? What if the bootloader has been compromised, maybe in transit? Moving towards a fully-integrated design, like the YubiKey 4, actually solves a very practical problem. The security boundary includes the initial loader, which is protected by keys.

Consider the following questions and statements:

  • What is the attack scenario you’re most worried about — a backdoor or bug, accessible via the standard interface over the network, someone owning your computer while extracting sensitive information from your security token, or that someone in possession of your key could retrieve such information?
  • If you have to pick only one, is it more important to have the source code available for review or to have a product that includes serious countermeasures for attacks against the integrity of your keys?
  • Although you may feel good about having reviewed the source and loaded the firmware yourself, do you trust and feel comfortable that the very same interface you used for that loading procedure is not a backdoor for extracting the key? Is the bootloader there trustworthy? The memory fuse? The JTAG lock-out feature? Are these properly documented and scrutinized?
  • One has to recognize the hard problem of trust. Considering a utopian scenario with an open-and-fully-transparent-and-proven-secure-ip-less chip, given the complexity and astronomical costs of chip development, who would make it? And if it was available, how would they then provide the proof, making it more trustworthy than anything else already available?
  • Is it more rational to put a large amount of trust in a large monolith like a Java Card OS, while at the same time being highly suspicious of a considerably smaller piece of custom code? This assumes that both have been subject to third-party review in a similar fashion.

In conclusion, we want our customers and community to know that we have made conscious choices to some quite complex questions and that, in the end, we have landed with some sensible compromises. We are no less committed to security. We are no less committed to open source and to the open source community. We are always open to suggestions and could very well make changes if more sensible solutions arise. After all, the trust of our users is the most important asset we have.

If you have comments please visit our YubiKey 4 forum. If you don’t have access to the forum, send us a comment at comments@yubico.com.

– Jakob Ehrensvard is CTO at Yubico

Ronnie Manning

U2F Best Innovation in eGovernment Awarded at EIC 2016

Last night at the European Identity & Cloud Conference 2016 (EIC) Awards Ceremony, Yubico and Digidentity’s submission for “Best Innovation in eGovernment/eCitizen” was awarded to the GOV.UK Verify project! The award was accepted by Adam Cooper, Identity Assurance Programme, Government Digital Service for GOV.UK Verify.


Pictured: Jennifer Haas (KuppingerCole), Adam Cooper (GDS) and Mike Small (KuppingerCole)

Beginning in April 2016, GOV.UK Verify began offering beta support for the YubiKey and the FIDO Universal 2nd Factor (U2F) protocol, through Yubico partner Digidentity, one of the original identity providers (IdP) for GOV.UK Verify. Set to launch this month, this is the first government service in the world to offer support for a FIDO authenticator based on open standards.

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F certified YubiKey into the computer’s USB port, and then touches the device. There are no drivers or client software to install. Furthermore, the same U2F YubiKey that works with GOV.UK Verify and Digidentity also works for logging into a growing number of large scale commercial services, including Google, Dropbox, and Dashlane, without any personal data or encryption secrets shared between service providers.

Yubico’s partnership and interoperability with identity provider Digidentity and support for GOV.UK Verify is another example of how Yubico helps secure online identities, and how Yubico innovates to make those identities easier to use and available to everyone.

We thank EIC and conference host KuppingerCole for this recognition and look forward to next year’s conference!

John Fontana

U2F, OpenID Connect Align For Mobile Authentication

A year ago, Yubico described a cord-cutting mobile world where hard-wired ports were not needed to accommodate the security benefits of strong authentication.

Since then, growth in the mobile device market has continued its explosion, including 1.4 billion smartphones shipped worldwide in 2015, according to IDC.

Couple this development with standards work by the FIDO Alliance, Yubico, Google, and the OpenID Foundation and cord-cutters can start to see mobile security options — such as a single sign-on (SSO) experience and strong authentication to secure native apps — on mobile devices.

OpenID Connect and FIDO Universal 2nd Factor (U2F) are capable authentication technologies on their own, but when paired can solve more authentication challenges than either could on their own. For example, Google recently contributed a code project called AppAuth for both Android and iOS to the OpenID Foundation’s Connect Working Group. The code is used to maintain a state on the browser that provides an SSO-like experience to users of native mobile apps. Google’s AppAuth implementation for Android supports strong authentication to an identity provider using the YubiKey NEO, its Near Field Communication (NFC) function, and its U2F support.

A discussion of AppAuth’s capabilities and a demo of its incorporation of YubiKey NEO with NFC can be seen in this video from the March 2016 OpenID Foundation Summit. (Advance to 2:47:29 in the video.)

“[AppAuth] is important as it is the first real chance we have had for a standard to do SSO across native apps, and also make it easier for IdPs to support multi-factor authentication like FIDO without the ISV needing to support app wrapping or producing many customised versions for each deployment,” said John Bradley, an identity expert and officer of the OpenID Foundation.

Yubico’s support for NFC in the YubiKey NEO allows a tap of the key against a smartphone to release a one-time password (OTP) or FIDO U2F-based public key cryptography. Today, you can use YubiKey’s NFC feature with password manager LastPass (OTP) and development platform GitHub (U2F).

In parallel, Yubico engineers and other members of the FIDO Alliance are finalizing specifications and certification testing tools for U2F over Bluetooth transport. Challenges in pairing and security with Bluetooth have delayed progress, but we expect certification testing before June and to see certified U2F-over-Bluetooth authenticators later this year.

While the majority of enterprises will continue to access sensitive applications and resources from hard-wired laptops and desktops, secured mobile computing is the new carrot.

Mobile devices have become a de-facto connecting point, having moved from a demand to an expectation, and they are opening an array of new use cases and security questions. We are committing resources to stay in front of these use cases and minimize security issues.

These efforts are helping drive independent groups working on identity, authentication, and authorization standards, such as the OpenID Foundation (OpenID Connect), the IETF (OAuth 2.0), and the FIDO Alliance, to seek richer capabilities by combining their work. YubiKey is no stranger to this trend toward open protocols and open standards, given our ongoing commitments in this area.

All this is happening as mobile, protocols, and strong authentication are seeking the benefits of standards work. This convergence will produce the technologies that keep mobile users and their applications safe on their devices.


Open Internet blog post
Stina Ehrensvard

An Open Internet Is The Only Way

Many years ago, when I first logged on to the internet, I was struck by something that may be described as a spiritual experience. Here was this place, where we were all connected, containing endless information for all of us to tap into.

Later, I realized that we cannot take this great human experience for granted. As security hacks have increased, some governments and commercial forces have used the security threat as an opportunity to demand control of user data, bandwidth, and privacy, justifying the actions as a way for the “good guys to control the bad.”

But who can determine who is good or bad in the long term? The answer is that nobody can. And therefore, any control must be considered as bad. The internet needs to stay open. It is just how it has to be.

Yubico’s contributions to a future open internet are only smaller components in the bigger ecosystem. But they are not less important. With simple, open, and low-cost authentication and encryption technologies, we encourage individuals and organizations to own and control their own online credentials, including encryption secrets and the personal data tied to their online identity.

We are also honored to have many of the leading non-profit organizations dedicated to an open internet using our products, including Freedom of the Press, EFF, and The ISC Project, which we presented in a recent case study. Because the Yubico team strongly supports their work, Yubico often donates or discounts YubiKeys to organizations in this field.

Our open internet is experiencing challenges, but there are solutions. We are not letting fraudsters, governments, or commercial interests limit the potential of what the internet is and what it can be!

YubiNews April 2016
Jerrod Chong

Yubico, Centrify Align On Authentication Versatility

Versatility is a theme that has emerged with the YubiKey, whether it’s support for Personal Identity Verification (PIV)-based capabilities, one-time passwords (OTP), or mobile authentication.

These authentication options are attractive to users and businesses because they’re contained in a single YubiKey that solves multiple use cases, simplifies user training, and improves security.

Our partner Centrify offers the same sort of flexibility and is the first identity and access management (IAM) platform to support smart card PIV, OTPs, and mobile authentication using a YubiKey.

Centrify’s Identity Service offers administrators and users single sign-on (SSO), adaptive authentication, and strong multi-factor authentication options – the newest being support for YubiKey. Centrify adds management features on their end, including enrollment, per-app policies and enforcement, and context-based multi-factor authentication across users, apps and servers. The Identity Service bridges old, new, and cloud systems, along with multiple operating systems.

YubiKey’s support of PIV, the smart card standard that satisfies the identification requirements for federal employees, means PIV credentials can be loaded on the key, which gives them a new smart card form factor and eliminates the need for cumbersome card readers.

YubiKey PIV capabilities used for Active Directory-based logins to Mac OS X and Linux platforms also adhere to National Institute of Standards and Technology (NIST) requirements. And the smart card features support login to Centrify’s cloud service for SSO, secure remote access, or administration features.

With YubiKey’s support for Near Field Communication (NFC), a simple tap of the key against an NFC-enabled mobile device authenticates a user to apps and servers. OATH-HOTP support in the Centrify Identity Service lets organizations use a YubiKey configured with an OTP when a smart card-enabled environment is not available.

“Because it is so hard to secure the things that are outside your control like apps, users, and devices, let’s call for multi-factor authentication wherever you need it,” said Ben Rice, Centrify’s Vice President of Worldwide Business Development.

Next month, Yubico and Centrify will host a webinar that goes deeper into the capabilities and possibilities offered by the combination of their technologies. Registration is now open.

YubiNews April 2016
Ronnie Manning

YubiKey Gets SC Magazine Five-Star Recognition

“Weaknesses: None.” When someone reviews your product, that’s a nice way for the write-up to start.

Earlier this month, SC Magazine gave YubiKey 4 a five-star rating and tagged it a Best Buy in authentication. We don’t spend a lot of time patting ourselves on the back, but this honor recognizes goals we have always strived to achieve: versatility, reliability, ruggedness, low-cost, open source compatibility, ease-of-use.

And for many, it might seem unfair when a reviewer runs over your tech product with their car, but during this review that actually happened in the course of evaluating the key’s durability. And guess what, the YubiKey brushed off a bit of asphalt and kept on authenticating.

“Every organization considering two-factor authentication should have a very close look at YubiKey,” Peter Stephenson wrote in his review. “The YubiKey 4 is slick and, while it has not changed materially over the years, it has added some new features and has become more reliable, if that was possible.”

Stephenson’s review lays out some of what we think are our best qualities: those that show we can not only adapt to the security pressures exerted by modern authentication requirements, but also serve a wide range of use cases and end-user technical abilities.

From static passwords to OTPs to FIDO U2F support, the YubiKey includes a range of features that also extends to encryption and code signing. During the coming year, we’ll be adding more new cool features, so stay tuned! Thank you SC Magazine for the recognition! And to the rest of you, check out the full review!

John Fontana

GitHub Verify Feature Strengthens YubiKey Value

Oftentimes, it’s the little things in life that bring the most satisfaction.

For GitHub users, a shiny new “little thing” is available today. New “Verified” checkmarks in the Web interface document that commits are signed with GPG keys, which ensures the integrity of the code. No more downloading code from GitHub to verify commit signatures.

And, as always, those GPG signing operations can be done with a YubiKey 4 or YubiKey NEO in either of the two form factors.

Signing your work has never been a prominent Git feature, even though a signature shows that the data came from a trusted source.

With code, integrity is everything. And now GitHub is providing visual audit cues to ensure integrity with just a quick glance. Nothing else has changed in the way either GitHub or YubiKey function, but life just got a little easier. Or as our own devs say, “it’s a quality of life improvement.”

Back in October, GitHub added support for the FIDO Alliance’s Universal 2nd Factor, adding yet another option for strong authentication to their platform and bringing YubiKey owners into the fold. Today signals another platform improvement that is immediately available to YubiKey owners.

Need to figure out how to sign your work using Git and a YubiKey?

We have prepared a tutorial of sorts to walk you through the setup, signing, and verifying tags and commits (with a little merge and pushing thrown in).

Lately, we have been using the word versatility to define Yubico’s concept of modern security and strong authentication. And we’ve been proving it with YubiKey support among partners such as Dashlane, Centrify, Docker, Dropbox, Google, Okta, and, most recently, the UK government and Digidentity.

GitHub is another example, offering developers a set of authentication and content signing features. In conjunction with this, Yubico is offering GitHub users a 20% discount on the YubiKey.

There isn’t a silver bullet for security and strong authentication. Progress is measured in stages, and innovation adds up in tangible increments. Some gains are smaller than others, but to Yubico, they all help us build a stronger and more secure Internet.

John Fontana

UK First Government To Offer U2F-Secured Digital ID

The UK has spent the past five years on a digital transformation that is setting a world standard for how citizens securely interact with government online services.

The UK’s Government Digital Service (GDS), which came online in 2011, will in a few weeks add a new verification service called GOV.UK Verify to this impressive project.

Digidentity is one of the original identity providers (IdP) for GOV.UK Verify and will offer support for the YubiKey and the Universal 2nd Factor (U2F) protocol. UK citizens can now use a YubiKey as a second authentication factor to access their Digidentity accounts, while the country rolls out the first government service in the world to support U2F.

This is an important milestone for both citizens and governments looking to leverage identity data to secure services while safeguarding privacy. The combination of secure authentication and federation/single sign-on is required for digital services to scale.

GOV.UK Verify uses a host of identity providers who validate a citizen’s personal data, store that data, and verify the user is who they say they are when they attempt to access government digital services. The IdPs are part of an identity federation established as part of GDS.

The GOV.UK Verify program has been running in beta for the past 18 months. The program supports 13 services spread over five government departments, but it will have 50 services and 10 departments signed up when GOV.UK Verify goes live in early April. The service will support 90% of the UK’s adult population, according to the UK government.

“UK citizens can easily purchase a FIDO U2F device online and register it with Digidentity,” says Marcel Wendt, Digidentity CTO and co-founder. “With a quick online process, the user’s identity is verified and tied to the U2F device, and the data is encrypted to safeguard a user’s privacy.”

Today, verifying identity is mostly done via manual processes, such as asking people to send identity evidence via snail mail or show ID in-person at a counter service. Those are cumbersome and time-consuming tasks for people needing access to online services using their digital identity credentials.

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F YubiKey device into their computer’s USB port, and then touches the device. There are no drivers or client software to install. Later this year, U2F authentication via Near Field Communication (NFC) and Bluetooth will be supported by Digidentity for secure login from mobile devices.

Digidentity’s ground-breaking IdP service with strong authentication is another example of how Yubico helps secure online identities and innovates to make those identities easier to use and available to everyone.

Ronnie Manning

Versatility, Partners Showcased At RSA

Versatility.

It’s a word that defines Yubico’s concept of modern security and strong authentication, which describes one YubiKey for many protocols and applications.

Single-purpose tokens have come and (nearly) gone, replaced by new solutions that support multiple enterprise and consumer devices and use cases, and strengthen access controls. Yubico is at the forefront of this evolution.

At this week’s RSA Conference, we are working with partners Dashlane and Centrify to showcase YubiKey’s versatility (you can find us at Booth #N4909).

Dashlane is adding strong authentication to its password manager platform based on FIDO’s Universal 2nd Factor (U2F) standard. Dashlane is the first consumer product implementing the protocol in a non-browser environment. This deployment shows the versatility of U2F to adapt to different environments — web, enterprise, and mobile.

Today, U2F is one of the two most popular second-factor YubiKey choices, along with one-time passwords. But there is much more that the YubiKey can do in terms of authentication and security.

Centrify is taking advantage of YubiKey’s ability to support multiple authentication protocols on a single key, addressing enterprise identity management needs across cloud, mobile, and on-premises environments.

Centrify is the first identity management platform to support YubiKey smart card capabilities (PIV) in the cloud and Active Directory-based computer login to Windows, Mac OS X, and Linux. Centrify also supports OATH one-time passwords implemented by YubiKey and plans to add YubiKey’s Near Field Communication (NFC) function to support mobile authentication.

In addition to activities with Dashlane and Centrify, Yubico will demo at RSA a U2F-supported mobile login to GitHub and participate in YubiKey giveaways by our partners Okta, EgoSecure, and Duo Security. Finally, listen for Yubico’s name to be called when the SC Awards’ Trust Award for “Best Authentication Solution” is handed out, and be sure to attend the Non-Profits on the Loose reception that we’re sponsoring on Tuesday night.

Versatile, indeed.

We hope to see you in San Francisco.

John Fontana

Google publishes two-year study on use of FIDO U2F Security Keys

Key words often associated with two-factor authentication focus on simplicity, privacy, and security. Those words, however, are broad terms that need definition in order for consumers and enterprises to form opinions and make educated buying choices.

FIDO Universal Second Factor (U2F) is no different, so Google recently published a research paper titled “Security Keys: Practical Cryptographic Second Factors for the Modern Web” to quantify the benefits the internet giant found in using U2F-based two-factor authentication.

The paper outlines Google’s use of FIDO U2F-based Security Keys, manufactured by Yubico, to harden security, improve user satisfaction, and cut support costs.

This data is far from anecdotal. It represents two years of research. The results, as compared to other two-factor authentication schemes tested by Google, showed the Security Key is simple to implement and deploy, easy to use, preserves privacy, and is secure against attackers.

Here are some eye-opening conclusions from Google’s research on its Security Key rollout:

  • Users reduced, by nearly two-thirds, the time to authenticate with a Security Key as opposed to an OTP via SMS. Most of the remaining time is the user’s own handling of the key, since the authentication itself executes in milliseconds.
  • In Google’s rollout, authentication failures fell to zero. The company’s support department estimates the switch from OTP tokens to Security Keys saved thousands of hours per year in cost. These efficiencies allowed Google to give each employee two Security Keys and still realize overall cost reductions.
  • Security Keys met other Google requirements that mandated simple APIs for developers, no user tracking, and no identifiable user information on the token, as well as protection against password reuse, phishing, and man-in-the-middle attacks.

To date, the devices have been deployed to 50,000 employees, and Google reports “our users have been very happy with the switch: we received many instances of unsolicited positive feedback.”

Other technologies referenced and reviewed by Google included OTPs, mobile phones, smart cards, TLS client certificates, and national ID cards. Their research includes a comparison chart of second-factor options based on a respected usability framework published in 2012 by another group of researchers led by Joseph Bonneau, currently a researcher at the Applied Crypto Group at Stanford University.

The paper also spends a significant number of pages describing the technical underpinnings of Security Keys and how they relate to the larger concepts of simplicity, privacy and security.

Research conclusions point to immediate gain from Security Key deployments, but the findings are being offered as a starting point. “We hope this paper serves as an academic foundation to study and improve Security Keys going forward,” Google wrote.

In addition to those stats, Google has publicly presented other figures that compare Google Authenticator and Security Key. Google studies show the Security Key login process was four times faster compared to Google Authenticator (their mobile authentication app), and that use of U2F and public key crypto results in significant fraud reduction.

John Fontana

YubiKey Flexibility Satisfies Okta Needs

Our partner, Okta, is anticipating that strong authentication adoption in 2016 on its cloud identity platform will eclipse the 40% increase it recorded in 2015. We salute Okta’s hard work and innovation now that it has officially released YubiKey support.

Okta landed on YubiKeys to solve specific accessibility issues for its customers, specifically those who don’t have access or privileges to use mobile devices at work.

This is one important distinction that Yubico identifies when comparing the YubiKey to authentication via a mobile phone. Other significant distinctions of the YubiKey include better security, cost savings, efficiency and durability.

Mobile devices rely on downloaded authentication software, which can be vulnerable to malware. A device that is not connected to the internet always offers superior security. YubiKeys present cost savings over mobile devices by allowing multiple backup devices as opposed to dependency on a single phone. YubiKey authentication is faster because the need to access an app or type in codes is eliminated. And the durable YubiKey works without the need for batteries.

The YubiKey, however, also satisfies pure mobile use cases with support for Near Field Communication (NFC), as well as standards such as U2F over NFC and OTP.

The YubiKey works with Android, Windows, and other devices by just tapping it against the NFC-enabled device. Services that have added support for the NFC-enabled YubiKey include password manager LastPass (OTP) and GitHub (U2F).

This versatility distinguishes the YubiKey from other hard tokens, and allows for a single YubiKey to support multiple protocols and use cases. This means flexibility for companies wanting to increase security within their enterprise.

From an enterprise and service provider perspective, strong authentication isn’t one-size-fits-all. There are many use cases and each demands a specific level of security and access. That’s why a YubiKey doesn’t rely on just one protocol or even focus solely on authentication. YubiKey functions such as touch-to-sign provide data integrity and security options beyond pure authentication.

Yubico’s work with Okta exposes just one of the YubiKey’s functions. In fact, LinkedIn was one Okta customer that rolled out the YubiKey using Yubico OTP as a second factor.

Learn more about YubiKey’s versatility, and our partnership with Okta.

Olivier Sicco

OTP vs. U2F: Strong To Stronger

At Yubico, we are often asked why we are so dedicated to bringing the FIDO U2F open authentication standard to life when our YubiKeys already support the OATH OTP standard. Our quick answer is that we will always provide multiple authentication options to address multiple use cases. Regarding U2F and OTP, we think both have unique qualities.

OTP

The one-time password (OTP) is a very smart concept. It provides a strong level of protection to hundreds of millions of accounts, and has been implemented for decades. Its popularity comes from its simplicity. On top of a static user name/password credential, a user adds another authentication factor — one that is dynamically generated. By definition, this OTP credential is valid for only one login before it becomes obsolete.

OTPs are delivered in many ways, usually via an object the user carries with him, such as his mobile phone (using SMS or an app), a token with an LCD-display, or a YubiKey. OTP technology is compatible with all major platforms (desktop, laptop, mobile) and legacy environments, making it a very popular choice among second-factor protocols.

As good as it is, traditional OTP has limitations.

  • Users need to type codes during their login process.
  • Manufacturers often possess the seed value of the tokens.
  • There is administrative overhead from having to set up and provision devices for users.
  • The technology requires the storage of secrets on servers, providing a single point of attack.

Yubico’s OTP implementation solves some of those issues.

  • The user never has to type a code; instead, they just touch a button.
  • Enterprises can configure their own encryption secrets on a YubiKey, which means no one else ever sees those secrets.
  • OTPs generated by a YubiKey are significantly longer than those requiring user input (32 characters vs 6 or 8 characters), which means a higher level of security.  
  • YubiKeys allow enrollment by the user, which reduces administrative overhead.
  • It is easy to implement with any existing website with no client software needed.
  • For the OATH standard, Yubico uniquely offers a token prefix that can be used for identity, simplifying enrollment and user experience.

The remaining issues, however, are phishing and man-in-the-middle attacks, the most infamous assaults that defeat OTP technology. The theory is quite simple: the hacker sets up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters his information (user name, password, and even his one-time password), it is immediately intercepted by the hacker and used to access the victim’s account.

It is difficult to pull off, especially against security-aware users who may notice the strange behavior of the fake site, yet it can be done and is, nowadays, one of the more popular attacks.

FIDO U2F

The increasing sophistication of attacks against OTP schemes was a motivating factor in the development of the FIDO U2F protocol.

The U2F protocol involves the client in the authentication process (for example, when logging in to a web application, the web browser is the client). When a user registers a U2F device with an online service, a public/private key pair is generated.

After registration, when the user attempts to log in, the service provider sends a challenge to the client. The client assembles information about the origin of the challenge, along with other data. This is signed by the U2F device (using the private key) and sent back to the server (service provider).

Real-time challenge-response schemes like U2F address OTP vulnerabilities such as phishing and various forms of man-in-the-middle attacks. As the legitimate server is issuing the challenge, if a rogue site or middle-man manipulates the flow, the server will detect an abnormality in the response and deny the transaction.

Advantages of U2F include:

  • Strong security from public key cryptography.
  • Easy to use with no codes to re-type and no drivers to install.
  • High privacy so that no personal information is associated with a key.
  • Unlimited usage in that an unlimited number of accounts can be protected by one single device.

With all of these great benefits, why isn’t FIDO U2F implemented in more large scale services beyond Google, Dropbox, and GitHub? One reason is that the Chrome browser is the only available client. We expect Mozilla Firefox support during the spring and support in two more browsers later this year, which will make U2F available to the vast majority of internet users. Also, it takes time to drive new global standards, and U2F’s technical specifications were made available just a year ago.

If you are thinking about improving strong authentication for your service, OTP is a good start, but FIDO U2F should definitely be on your radar. Here are a few useful links:

Stina Ehrensvard

YubiKeys Extend Innovation In Education

50% off
trays of 50 YubiKey 4 and YubiKey 4 Nano
while supplies last!

Stoking technology’s fire has historically been a job for the education sector, from universities involved in early ARPANET testing, to the first popular web browser from student Marc Andreessen, and the curious Apple 1 computers that took root in primary and secondary schools.

Today, education faces the same security threats as commercial sectors, with sensitive data being compromised for staff, students, and researchers. As with the enterprise, the most common attack vector is a static password. To mitigate this risk, more than 1,000 schools around the world are using YubiKeys, with 450 of those being higher education institutions.

Many of the schools that have deployed YubiKeys also embrace open standards and open source server software, which is also supported in leading platforms and services.

For example, the smart card/PIV functionality of the YubiKey enables easy and secure login to Microsoft Windows, Linux and Mac OS X computers. Popular authentication and identity services — such as Duo and Ping — have added support for YubiKeys, through the open protocols OATH and Yubico OTP. And Dropbox, GitHub, and Google Apps for Education, expected to top 110 million users in the next four years, work immediately out-of-the-box with U2F-powered YubiKeys.

Since 2003, hundreds of universities have secured access controls with Shibboleth, an architecture and open-source implementation for federated identity management and single sign-on based on the Security Assertion Markup Language (SAML). Now, an open source, U2F plug-in for Shibboleth is available on GitHub, promising secure authentication based on U2F public key cryptography.

The future of strong authentication is here today. It’s based on open standards, and leveraged by easy-to-use, affordable devices that users own and control, such as the YubiKey. To further grow adoption among the next generation of leaders, Yubico is offering a limited-time discount for educational institutions on trays of 50 YubiKey 4s or YubiKey 4 Nanos — our latest generation YubiKey.

To learn more about YubiKeys for Education, join our Webinar on Feb. 16.

Stina Ehrensvard

10X Growth With World’s Largest Brands

“The best way to predict the future is to invent it.”

— Alan Kay, American computer scientist

In 2012, shortly after Yubico’s CTO and I had moved from Stockholm to Silicon Valley, we were invited to a meeting at Google’s headquarters. We were nine people, from seven different countries, who had gathered around a conference table to determine if our ideas for simplified public key crypto had merit. None of us was really sure at the time if they did, but we all agreed it was worth trying.  

It is now 2016, and with U2F, the technical details that were discussed in the conference room have been proven to work at scale. And U2F is just one of many solutions that have unfolded during this time. Four years ago, the YubiKey was basically a one-time password device. Today, it’s the Swiss Army Knife of authentication and cryptographic functions, including Yubico OTP, static password, challenge-response, OATH, PIV, NFC, OpenPGP, PKCS#11, and touch-to-sign — all in one tiny 3-gram device!

During those four years, Yubico has increased sales ten-fold, earned profits, won eight of the top 10 internet brands and 20% of the Fortune 100 companies as customers. The largest brands and forward-thinking organizations know that it is not a matter of if, but when, their passwords, computing devices, and servers will be hacked. They now also store their encryption secrets locally, not at the security vendor.

Going forward, we see evolution and innovation rooted in three primary areas:

Mobile

Users have combined, and will continue to combine, computers and mobile devices into a single computing experience. Authentication and encryption solutions need to work across all these devices. So, in addition to USB and NFC, we will be adding Bluetooth support in YubiKeys. U2F crypto will eventually be integrated into security chips in phones and mobile apps, as an alternative that complements YubiKeys.

Standards

Building identity and strong authentication to operate at internet scale requires open standards, and the winning solutions will have built-in support in leading platforms and browsers. To help define this path, Yubico is a member of the open standards organizations W3C, OIX, FIDO, and IDESG.

Hardware crypto

Beyond strengthening authentication to resources, companies need to protect the integrity of servers, computer code, and cryptographic secrets — with simple and portable security modules. To eventually serve all users and servers, Yubico will continue to develop cryptographic functions for the YubiKey and YubiHSM.

Stina Ehrensvard

FIDO U2F Now Offers Contactless, Tokenless, Passwordless Mobile Authentication

2016 is the year when FIDO U2F will unfold its promise of a “universal” second factor.

Successfully deployed with Gmail, Dropbox, and GitHub in 2015, the U2F open standard is now expanding to mobile devices. At the ShowStoppers @ CES (Consumer Electronics Show) event in Las Vegas, Yubico is demonstrating the first FIDO U2F-certified, NFC-enabled YubiKey device as well as a software-based U2F mobile client that brings public key cryptography to both consumer and enterprise mobile users with a tokenless and passwordless experience.

Near Field Communication (NFC) was developed as an open standard more than a decade ago, and is today supported in all leading mobile platforms and hundreds of millions of mobile devices. Designed for contactless identification and authentication, NFC has also successfully found its way into mobile payment systems and credit cards.

The YubiKey NEO is now the first device certified for U2F mobile authentication over NFC. GitHub is pioneering support for mobile U2F for their users, combining a username and password with a simple tap of the YubiKey to an NFC-enabled mobile device. And later this year, the first U2F devices with Bluetooth will enter the market, addressing high-security login from iOS devices where NFC capabilities currently are limited to systems owned by Apple.

Also at Showstoppers @ CES, Yubico is demonstrating a software-based U2F mobile client that does not require additional hardware. It is designed for both iOS and Android; the second factor can be a password or the fingerprint used to unlock the phone, enabling the first tokenless and passwordless user experience for FIDO U2F. While external hardware authenticators, without internet connections, offer the highest level of identity protection, this software-based U2F mobile client does provide a heightened level of security compared to a static username and password login. For example, an online bank that adds support for U2F can allow its mobile users to perform lower-value transactions using the U2F mobile client only, while higher-value transactions would require U2F hardware authentication.

As a co-author and driving contributor to the FIDO U2F open standard, Yubico’s mission is to make secure login easy and available for everyone, while safeguarding privacy. The YubiKey NEO is available today at Amazon and the Yubico web store at a single-unit retail price of $50. During the coming spring, Yubico will be piloting the FIDO U2F mobile client with large-scale service providers.

Want more interesting reading on FIDO U2F?

How journalists and human rights organizations use FIDO U2F to protect their identity
How Google reduced time, support costs, and fraud with FIDO U2F

Yubico Team

2015 Was A Yubico Rocket Ride

Around this time last year, the FIDO Alliance had just released the final draft of the U2F specification, a moment that would greatly impact Yubico’s upcoming year.

Within four months, Google had upped its commitment to U2F, adding support for Yubico’s Security Key in Google for Work. In August, Dropbox added support for its user base, and two months later, GitHub joined in with support for U2F strong authentication to protect its users. In just 10 months, the YubiKey was an authentication option for platforms and apps used by tens of millions of people.

U2F, however, was just validation of YubiKey’s pedigree as a modern hardware authentication device.

Next up was a grand introduction of the YubiKey as a security device, including OpenPGP encryption with support for 4096-bit RSA crypto keys, a PKCS#11 library to support PIV functionality, and a relationship with Docker that produced a code signing milestone they dubbed touch-to-sign.

With two strokes, Yubico had revealed its Swiss Army Knife versatility and the value of multiple functions available on a single YubiKey. These milestones injected the YubiKey into the heart of a modern security debate among consumers, enterprises, and governments.

And there was more! Yubico talked online identity protection during a personal meeting with President Obama, explained the ins and outs of cryptography in a multi-part blog series, earned FIDO Certification, forged relationships with the federation players, helped add Bluetooth and NFC transports to U2F that opened mobile devices to the FIDO standard, linked up with LinkedIn, and talked SSH, ECC, and OIDC.

We also had our lighter moments. We met a Princess, had a cameo in a Hollywood movie, detailed the YubiKey’s duties during our work days, and crowned three YubiKings.

We learned to live on less sleep than Buddy the Elf, and that our customers have savvy and knowledge we are glad they openly share with us and others.

Above all, we were humbled by the ruckus the YubiKey caused.

Now, moving into 2016, we are running fast with a new 4th-generation YubiKey, Mozilla’s commitment to add FIDO U2F support to the Firefox browser, and the World Wide Web Consortium’s work to standardize Web APIs and data formats for use with FIDO 2.0.

And, of course, we look forward to the innovations, milestones and surprises we know will illuminate 2016.

Happy New Year!

Alessio Di Mauro

YubiKey 4(096): You Asked, We Delivered

In a previous blog post I talked about RSA key length and argued why a 2048-bit key is still a viable choice today.

However, here at Yubico we do not like to remain idle, twiddling our thumbs. We are constantly improving our products. As a result of these efforts, earlier this month, we launched the YubiKey 4. This 4th generation YubiKey sports several improvements and new functionality, including a more powerful secure element. One notable addition is that YubiKey 4 now supports RSA keys up to 4096 bits!

While cryptography is in transition (more on that later), I believe that today’s YubiKey 4 is an even more powerful tool, giving users the possibility of generating and importing longer OpenPGP keys for decryption, signature, and authentication. You can even load your master key onto a separate YubiKey 4 and use that to sign other people’s keys, without having to take your air-gapped computer out of storage.

Plus, with the addition of “touch-to-sign” providing an extra layer of security, the next attacker model will have to include biochips that can grow a finger and touch your YubiKey.

The new RSA 4096 support comes at a very interesting time. Until recently, the NSA had been promoting the so-called Suite B Cryptography, a collection of cryptographic algorithms recommended to protect classified information up to the Top Secret level. What is interesting about Suite B is that RSA is not included; Elliptic Curve Cryptography (ECC) is preferred instead. However, in August, the NSA had a sudden change of heart and published an article stating that we should start to get ready for quantum computers and begin using quantum-resistant algorithms, effectively moving away from ECC.

Before getting there, there is going to be a transition phase, but the adoption of Suite B is now discouraged. One of the algorithms suggested for key establishment and digital signatures in this transition phase is, surprise surprise, RSA with a 3072-bit key. Why the NSA has decided to move in this direction is open to debate (and speculation), especially considering that there is, more or less, general consensus that practical quantum computers are still a couple of decades away. I will refrain from opening that can of worms and only point out that an interesting discussion of this decision can be found in this paper.

Cryptography is a complicated topic, both from a technical and practical standpoint. Analyzing and proving the security properties of different schemes and algorithms takes a long time (if at all possible). Adoption and deployment also are time consuming. This is highlighted by the fact that even giant organizations, like the NSA, change their mind as time goes by.

Our creed here at Yubico is to try and be up to speed with the technology involved in these changes, providing our users with as many tools as possible so they are enabled to take whichever choice they believe to be better for their specific use case.

To put it in a different way, we will give your Swiss Army knife as many blades as we can — which ones you choose and how you use them is up to you!

Read our White Paper: A Question of Key Length.

Yubico Team

YubiKey 4: One Device, Many Functions

One-hundred and eighteen years ago, Karl Elsener developed the first Swiss Army knife, introducing versatility never before seen in a simple knife for soldiers.

Today, Yubico pays homage to Elsener’s ingenuity and commitment to multi-feature versatility. The YubiKey is a single device with a wide selection of security and privacy choices under its rugged, molded-plastic exterior.

To expose all the functions of the YubiKey, we recently held a webinar — One Device, Many Functions: Inside the YubiKey. (The recording is embedded below.)

During the presentation, you’ll hear how the YubiKey defines secure access for armies of enterprises and consumers, including remote access and VPN, password managers, computer login, content management systems, and support for popular online services such as GitHub, Dropbox, Docker, Google for Work, and other Google Accounts.

Functions such as one-time passcodes (OTP) work with many systems including Salesforce, Okta, and Ping. Time- and event-based OATH tokens integrate with internal and customer-facing systems while PIV capabilities include support for Microsoft Windows login on select servers and client desktops. OpenPGP is for storing public/private key pairs for encryption, authentication and signing, and the FIDO Alliance’s Universal 2nd Factor (U2F) protocol gives a single YubiKey the ability to support many online services.

In addition, the YubiKey allows owners to load and control their own secrets, with nothing revealed to third parties, including Yubico.

It all adds up to the versatility we hope Elsener would commend.

November 2015 Newsletter
Stina Ehrensvard

Why YubiKey Wins

When we ask our customers why they chose the YubiKey, the most common answer is ease-of-use.

If you get a job at one of the large internet companies here in Silicon Valley, you are likely to also get a laptop with a YubiKey inside the USB port. But you may not know it’s a YubiKey. I learned that from someone I met at the local train station while waiting for the train to San Francisco. He was carrying his laptop under his arm, and I noticed the rounded golden edge in the USB port. When I thanked him for being a customer, he looked surprised; “Oh, I did not know. I thought it was the new Apple touch feature for the new Mac!” I am sure the YubiKey smiled after these words — there are not many authenticators out there that have been mistaken for an Apple product!

Some time ago, Facebook posted a video on YouTube sharing how they used YubiKeys, and why no other authentication technology matches its simplicity and speed for multiple login sessions.

After Google deployed U2F-powered YubiKeys for all staff and provided support for Gmail users, its statistics showed that the login process was four times faster than with Google Authenticator (its mobile authentication app). Picking up a phone, opening an app, and re-typing a code is not only time-consuming but error-prone. With the YubiKey, it’s just a simple touch.

However, the main reason Google deployed U2F-powered YubiKeys is security. One in fifty emails that land in your Gmail inbox is a phishing attempt. Although sophisticated spam filters block most of them, it is still difficult to stop individually-customized phishing emails, even with the one-time password from Google Authenticator. With U2F and public key crypto, Google has measured significant fraud reduction.

U2F also enabled Google to cut support by 40% compared to Google Authenticator. There may be a perception that paid hardware is more costly to deploy than free software. But when the industry-average cost for recovery support is approximately $30 per ticket, the reality can be different. With backup YubiKeys on a keychain, in a wallet and the USB port, users submit fewer support tickets and are at lower risk of being locked out than those who rely on a single phone app.

Many of our customers value that we allow them to easily program and fully control their own YubiKey secrets. Others like that one single YubiKey can be used with the range of authentication and cryptographic protocols. All like that YubiKeys are water- and crush-resistant (as demonstrated in the picture above). To learn more about the security, usability, and cost benefits of the YubiKey compared to other authentication technologies, see our chart: Why YubiKey Wins.

There may not be a silver bullet for strong authentication, but the YubiKey is getting close.

November 2015 Newsletter, Blog
Stina Ehrensvard

W3C Submission Hints At Strong Future For U2F

As with any growing standards organization, the FIDO Alliance is evolving. Today, the organization marks a glimpse of where it’s headed and how U2F will help make secure login easy and available for all internet users.

The FIDO Alliance has submitted to the World Wide Web Consortium (W3C) a set of specifications defining a Web API to enable high-security web applications that offer secure user authentication. This FIDO-built Web API can be seen as a natural evolution and a superset of the FIDO U2F Web API. It is intended to ensure standards-based strong authentication across all web browsers and related web platform infrastructure.

This is great news for Yubico’s customers as these Web API specifications will end up in all browsers. Our goal is to make the YubiKey ubiquitous, leveraged by universal support in leading platforms and browsers.

A year after the U2F specs were finalized, Google, Dropbox, and GitHub are on our list of large scale services supporting U2F, and many more are on their way. In the same timeframe, the U2F Technology Working Group has developed technical specifications for NFC and Bluetooth transports to address mobile applications. (For a look at the current U2F ecosystem, see our blog post.)

The FIDO 2.0 Technology Working Group was formed in late 2014 to address a wider range of authentication use cases, including the passwordless experience, and platform support for computers, phones, and other devices. This Web API submission to the W3C, from the FIDO 2.0 Technology Working Group, consists of three technical specifications required to define a standard web-based API, and is designed to increase FIDO’s existing desktop, Chrome, Android, and iOS support. The contributed FIDO specifications will be handled by a new group W3C is creating called the Web Authentication Working Group.

The W3C is the steward of the web with its principles of an open, secure, and democratized platform. It develops protocols and guidelines that ensure the long-term growth of the web.

Yubico agrees with the W3C’s principles as they are core to our own philosophy. We are working closely with the FIDO 2.0 Technology Working Group, including Google and Microsoft, with the goal to keep protocols lean and scalable, and offer a seamless evolution and migration path between FIDO U2F and FIDO 2.0.

The FIDO Alliance strategy is that every computing device will have built-in support for FIDO standards, just as we see today with standards like Bluetooth or Wi-Fi. To enable a higher level of security and privacy, users will need simple and portable external FIDO devices, including YubiKeys. These will also be needed as bridges when migrating to a new phone or computer, when any of these devices are broken or lost, with billions of existing computing devices, or to log in from a borrowed device.

For the time being, the bulk of FIDO 2.0 work is still under development at the Alliance, and it will take some time before this superset of U2F is completed. In parallel, we are working with many service providers who are adding support for FIDO U2F today to provide proven, simple and strong authentication now and into the future.

Step-by-step, we are getting closer to our vision of enabling one YubiKey to any number of online services. And, one day, you will walk into your local convenience store, and you will find a YubiKey there, perhaps hanging among the gift cards: the key that allows you to fully own and control your secure online identity.

Stina Ehrensvard

Launching The 4th Generation YubiKey

Today is historic as we launch our 4th generation YubiKey. It is built on high-performance secure elements and enables stronger and faster crypto operations. We are also expanding beyond our authentication heritage to code signing: our new touch-to-sign feature was brought to life with our friends at Docker.

For every generation of YubiKeys, we have added new YubiKey versions with select feature sets. With YubiKey 4 and YubiKey 4 Nano, we are reversing that trend with fewer products, more features, and simplified choices for customers that bring better value.

We are also evolving in other ways. We are complementing our authentication pedigree by improving and adding specific security features: OpenPGP encryption can now be performed with 4096-bit RSA crypto keys, we have added a PKCS#11 library to support PIV functionality, and, together with Docker, we are introducing container code signing with touch-to-sign and user verification.

Our new YubiKeys are the market’s Swiss Army knife for authentication and encryption. For large volume needs, we will enable customers to order exactly the functions they want. And our unique programming tools allow organizations to program and control their own cryptographic secrets. This security approach is something we are convinced will soon define the market.

The small YubiKey 4 Nano is priced at $50, and the YubiKey 4, the larger keychain version, is $40. Neither includes support for Near Field Communication (NFC), which is now found only in the YubiKey NEO. For those who don’t need NFC, the YubiKey 4 offers faster and stronger crypto at a lower price.

We will introduce a new retail web sales lineup and continue to serve enterprise customers with existing commitments to our former YubiKey products.

Strong authentication is an important part of the identity stack, and we are quickly growing market share there. The YubiKey, however, also includes vital encryption functions, highlighted by code signing. Both of these areas are where we have innovated with YubiKey 4 to provide best-practice security and the simplest user experience. This is truly the start of a new generation.

November 2015 Newsletter, Blog
Jerrod Chong

With a Touch, Yubico, Docker Revolutionize Code Signing

Today we released the YubiKey 4, our next generation product that includes a new function called touch-to-sign, a unique and simple method for code signing that we have brought to life together with Docker, an open platform for distributed applications.

At DockerCon Europe 2015 in Barcelona, Docker and Yubico together unveiled the world’s first touch-to-sign code signing system using the new YubiKey 4. A developer only needs to touch his YubiKey for user presence verification and to digitally sign code, using a private root key stored on the device. This capability is the first hardware signing key to provide content integrity for containers that are part of Docker Content Trust, and it enables secure software lifecycle development for Docker developers, sysadmins, and third-party ISVs. We think it’s slick, and cool, and the future of hardware-backed keys.

As part of YubiKey 4, we also released a new PKCS#11 module that our customers and partners can use with their cryptographic projects. The open standard protocol, PKCS#11, lets applications speak to cryptographic smart card devices, such as the YubiKey 4, and perform cryptographic functions. Docker has integrated the PKCS#11 module into its platform to support touch-to-sign, and we hope this inspires others to develop other cutting-edge security solutions.

This is an important milestone for Yubico and our customers as we complement authentication with another category where the YubiKey excels: strong security with ease-of-use for code signing. Having the root keys stored in the secure element of the YubiKey means attackers cannot duplicate the root key to forge sign operations. Insecure storage of keys, for example in software modules, is often the cause of vulnerabilities found in software packages.

We salute Docker for taking this first major step to help developers secure the creation and on-going maintenance of their code. With YubiKey 4 and touch-to-sign, we hope all Docker users take advantage of this fantastic opportunity to secure their code!

Read Docker’s blog on touch-to-sign. Or watch Docker CTO and Founder Solomon Hykes introduce and demonstrate YubiKey integration with Docker at DockerCon Europe 2015.


November 2015 Newsletter, Blog
Yubico Team

YubiKey Static Password Offers Up Options

One of the original functions on the YubiKey is a static password for use in the password field of any application. Such an option seems to challenge common misgivings about reusing passwords. And we would agree.

But if you look a little deeper, the static password, which has attracted more users than we thought it might, falls somewhere between pervasive support and strong authentication. It works with any application requiring a password, but it’s not a two-factor solution.

The static password was born from a simple idea — since the YubiKey can function as a USB keyboard that types out characters with the touch of a button, we figured the capability provided other options in addition to one-time passwords.

Our lead engineer, Dain Nilsson, has written a whitepaper that goes into detail on this YubiKey function, but we’ll give you a preview here.

We originally achieved “static” by freezing counter values and using crypto functions to provide the same password over and over, rather than creating a new one with each YubiKey button touch. We then added the capability for a user to create a password of their choosing on the YubiKey using scan code mode. Then we moved on to explore ModHex and its 16-character alphabet, and an encoding that introduces a measure of “randomness.” That randomness helps create a password with tougher resistance to cracking than you might think.

A 32-character ModHex password would take a hacker around five billion years to even get a 1 in 2,158,056,614 chance of a correct guess (yes, that’s two billion!). Even a 16-character ModHex password would take around half a million years to crack given internet bandwidth issues and basic server security.
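To make the ModHex discussion concrete, here is an added example (not code from the post or from Yubico's own libraries) that encodes and decodes the 16-letter ModHex alphabet, computes the entropy of a ModHex password of a given length, and generates a random static password. It goes one step beyond the post by also splitting a Yubico OTP, which uses the same alphabet, into its 12-character public ID and 16-byte encrypted token; the sample values are constructed here, and `split_yubico_otp` is a hypothetical helper name.

```python
from __future__ import annotations

import math
import secrets

# ModHex alphabet: 16 letters whose positions are the same on common keyboard
# layouts, so a YubiKey acting as a USB keyboard types them unambiguously.
# The index of each letter is its hex nibble value (c=0, b=1, ..., v=f).
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_TO_NIBBLE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}


def modhex_encode(data: bytes) -> str:
    """Encode raw bytes as ModHex: two letters per byte, high nibble first."""
    return "".join(
        MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data
    )


def modhex_decode(text: str) -> bytes:
    """Decode a ModHex string; raise ValueError on odd length or bad letters."""
    if len(text) % 2:
        raise ValueError("ModHex input must have an even number of characters")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        if hi not in _MODHEX_TO_NIBBLE or lo not in _MODHEX_TO_NIBBLE:
            raise ValueError(f"not ModHex: {hi + lo!r}")
        out.append((_MODHEX_TO_NIBBLE[hi] << 4) | _MODHEX_TO_NIBBLE[lo])
    return bytes(out)


def is_modhex(text: str) -> bool:
    """True if text is non-empty and uses only the ModHex alphabet."""
    return bool(text) and all(ch in _MODHEX_TO_NIBBLE for ch in text)


def modhex_entropy_bits(length: int) -> float:
    """Entropy of a uniformly random ModHex string.

    Each letter carries log2(16) = 4 bits, so a 32-character password is
    128 bits and a 16-character one is 64 bits. Note that a password typed
    by the user in scan code mode is only as random as the user made it.
    """
    return length * math.log2(len(MODHEX_ALPHABET))


def generate_static_password(length: int = 32) -> str:
    """Random ModHex static password of the given even length (constructed here
    with the OS CSPRNG; the YubiKey derives its own internally)."""
    if length <= 0 or length % 2:
        raise ValueError("length must be a positive even number")
    return modhex_encode(secrets.token_bytes(length // 2))


def split_yubico_otp(otp: str) -> tuple[str, bytes]:
    """Split a 44-character Yubico OTP into (public ID, encrypted token).

    The first 12 ModHex letters are the public identity, which a service
    such as Okta uses to check that the key is registered to the user before
    the OTP is sent to a validation server. The remaining 32 letters decode
    to the 16-byte AES-encrypted token; decrypting and checking its counters
    is the validation server's job and is not done here.
    """
    if len(otp) != 44 or not is_modhex(otp):
        raise ValueError("a Yubico OTP is exactly 44 ModHex characters")
    return otp[:12], modhex_decode(otp[12:])


if __name__ == "__main__":
    pw = generate_static_password(32)
    print(pw, f"{modhex_entropy_bits(len(pw)):.0f} bits")
    # Constructed sample OTP: public ID "ccccccbbbbbb" + token bytes 0x00..0x0f.
    sample_otp = "ccccccbbbbbb" + modhex_encode(bytes(range(16)))
    print(split_yubico_otp(sample_otp))
```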

The static password is interesting to ponder, and many people use them, but it is a password. We think a second factor provides the kind of strong authentication end-users really need.

That said, you might examine if a static password has value in any of your use cases.

John Fontana

LinkedIn Secures Employees with MFA, Okta, YubiKey

Weak passwords and the employees that use them are the biggest threat to IT security, Raj Nagalingam, Senior Systems Engineer at LinkedIn, told the audience at last week’s Oktane15 conference.

To combat such threats at LinkedIn, Raj has turned to Okta’s multi-factor authentication as one way to protect resources and employees (often times from themselves).

Raj and Jerrod Chong, Vice President of Solutions at Yubico, walked the Oktane15 audience through the YubiKey’s benefits and strengths, and the strategy and tools LinkedIn used to deploy Okta’s cloud-based Adaptive Multi-Factor Authentication with a one-time password (OTP) generated by a YubiKey.

LinkedIn’s user login begins with entering a user name and password into Okta. If valid, Okta pops up a window asking the user to insert and touch the button on their YubiKey. The Okta platform checks to ensure the YubiKey itself is registered to the user before verifying the OTP. Upon successful OTP validation using the Okta validation service, the user is allowed to log in.

Raj stresses that YubiKey’s OTP is harder to phish and is resistant to malware since nothing can be written to the key. And, he added, users are instantly hooked on the ease-of-use.

“If you ask your mom to do this, she can,” he told the audience.

LinkedIn’s current plan is focused on Yubico OTP, but in the near future, the company wants to move to authentication using the FIDO Alliance’s U2F protocol that is based on public key cryptography.

During the session, LinkedIn also reviewed how it used the security and policy framework developed by the Cloud Security Alliance (CSA) to decide how to enforce second-factor authentication for applications. The framework categorizes applications into three levels — Limited, Confidential, and Highly Confidential — each of which defines the required access controls for apps.

“We grade every app in our environment and our security team makes decisions based on data classification,” said Raj. “In today’s world, everyone works in cloud apps and they use passwords that are static and weak. I recommend enabling multi-factor authentication.”

And he thinks the YubiKey has the right stuff. “It’s fast and easy. Just insert and touch.”

Yubico Team

One Key, Many Features Is Yubico’s Forte

You may have noticed that Yubico’s support for the Universal 2nd Factor (U2F) strong authentication protocol has made some major news in the industry lately, with the help of millions of Google, Dropbox, and GitHub users.

But the YubiKey isn’t just tuned for the magic of U2F, a protocol we co-created with Google and NXP. YubiKeys boast an impressive array of available options from protecting accounts to public key cryptography (re: U2F) to signing code, with the YubiKey NEO and YubiKey NEO-n as Yubico’s do-everything devices. Our other popular YubiKeys are tuned for specific features.

On December 1, Yubico will present a webinar “One Device, Many Functions: Inside the YubiKey” that will examine the DNA of our versatile hardware security device and give you a peek at all the big-time security power that lives under the small key’s molded plastic. Registration is open now.

What began as a single-purpose OTP device has matured in the shadow of password breaches, enterprise hacks, and end-user anxiety. In this webinar, we’ll detail OTP and other YubiKey security options and introduce how enterprises and consumers are using those to move up to improved security and access controls.

A YubiKey factors in a wide range of secure access scenarios, including remote access and VPN, password managers, computer login, content management systems, and online services.

The YubiKey NEO uniquely supports One-Time Passcodes, smart card functionality (including OpenPGP and PIV), and the emerging FIDO Alliance U2F standard. There is also support for creating a complex and difficult to crack static password.

The webinar will take you through the technical details behind the secure, simple, and scalable solutions that are the hallmarks of the YubiKey. The discussion will conclude with a question and answer session.

Join us at 7 a.m. PST on December 1 for an hour-long look at our versatile YubiKey.

Yubico Team

U2F Webinar: From Concept To Implementation

Note: This webinar was recorded on Oct. 27, 2015. The video recording is embedded at the end of this blog.

Ever wonder what’s under the Universal 2nd Factor (U2F) covers? How to build U2F into your own service or project? Or what’s the extended value of your YubiKey?

Now that U2F is catching fire as the protocol that defines strong authentication, we get a lot of these inquiries.

On Oct. 27, Yubico’s lead engineer, Dain Nilsson, will lay out all you need to know to understand the power of the protocol, the basic concepts for implementation, and the value of any U2F-enabled YubiKey.

The webinar, “Integrating U2F: From Concept to Implementation,” is scheduled from 8am to 9am PDT. This webinar is for those who use a U2F YubiKey but don’t quite know what happens behind the scenes, or for those who want to add U2F into their own service or application.

During the webinar’s demonstrations, Nilsson will take an existing service that relies on usernames and passwords and, using Yubico’s open source libraries in combination with U2F,  will add the protocol’s two defined flows — key registration and strong authentication based on public key cryptography.

Nilsson will feature code samples using Python, which will be made available on GitHub, and outline the steps for implementing U2F. He will provide other practical details around enabling U2F with an existing online service.

Major online services — such as GitHub, Google, and Dropbox — are leading the way to protect their employees and global users with U2F. Millions of YubiKeys are in the hands of users across the globe. But U2F isn’t exclusive to mega services with giant dev teams — it’s straightforward to implement and simple enough not to require user training courses.

Yubico will show you how.

And if you’re a GitHub user and want to increase your YubiKey count prior to the webinar, we have a special offer for 20% off all U2F YubiKeys — including YubiKey NEO and YubiKey NEO-n.

Jerrod Chong

GitHub, Yubico Introduce Millions To U2F

Since 2008, GitHub has grown into one of the largest developer communities in the world. With more than 11 million users working on more than 27 million projects, GitHub supports and encourages security measures — such as two-factor and the emerging open authentication standard, Universal 2nd Factor (U2F) — that keep accounts safe.

Today, GitHub announced U2F support enabling its users to access and protect the integrity of their software code with easy-to-use strong public key cryptography. GitHub’s volume of sensitive data demands proactive efforts to constantly improve security and access controls. Strong authentication, like that provided by U2F, helps protect against modern hacker techniques used in the current breach-filled world.

The YubiKey is a hardware device that implements U2F and works with a simple touch to trigger U2F’s public/private key exchange. The YubiKey simply plugs into a USB port to begin the process of securely authenticating the user.

As co-creators of the FIDO U2F protocol, we are thrilled to help GitHub put U2F-compliant YubiKey devices in the hands of developers currently creating services used by everyone on the internet. After taking a look at the open-source examples of U2F implementations, GitHub was able to build comprehensive support in a short time, taking advantage of the open-source community around U2F that Yubico has nurtured.

On the heels of U2F support added by Google and Dropbox, GitHub — committed to adopting standards-based technology — is stepping up as a strong U2F advocate. The company aims to set an example and help put the ‘U’ in Universal 2nd Factor by making U2F available for every GitHub user, including every GitHub employee. GitHub also plans to push leaders in technology and other industries to support U2F’s ease-of-use along with its promise of better security and privacy.

We are proud to be associated with GitHub and its ecosystem, and we join them in pushing developers, companies, and industries to take action now and put simple, scalable public key cryptography in the hands of millions of internet users.

To the GitHub community, we hope you enjoy your YubiKey!  

(Attn: GitHub users — For a limited time, you are now eligible for a 20% discount.)


GitHub Supports Universal 2nd Factor Authentication from Yubico on Vimeo.

Yubico Team

Versatility, Scale, Innovation Define YubiKeys

Depending on the numbers you consult, there are nearly three billion people on the internet, mostly protected by usernames and passwords, and nearly 100 million servers with limited or no protection.

They are joined by an untold number of hackers feasting on this reality.

This week, Yubico took on that scenario in a live webinar focused on YubiKeys, Google, Dropbox, and U2F. The webinar is available for playback at the bottom of this blog.

Yubico CEO Stina Ehrensvard opened the discussion by introducing the YubiKey and the YubiHSM “as simple and secure hardware devices to protect users and servers at scale.”

Ehrensvard, and Yubico Product Manager Kevin Casey then laid out YubiKey’s benefits and simplicity, including multiple protocol support in a single device, public key crypto that thwarts phishing and man-in-the-middle attacks, and the ability for users and organizations alike to own and control their identity. YubiHSM offers this same class of protection to servers.

The highlight is a live demo that shows how to activate YubiKey’s FIDO Universal 2nd Factor (U2F) cryptographic authentication for web-based applications (Gmail and Dropbox) without need for codes, client software, or phone apps.

Ehrensvard and Casey describe the high-level of authentication offered by the YubiKey, support for multiple online services from a single key, the elimination of a central identity provider, the unique touch sensor to verify user presence, and the key’s durability.

The webinar also outlines where other authentication technologies show weakness when trying to achieve YubiKey’s scale and ubiquity: smart cards that were too complex and costly to scale beyond government use and sensitive apps; OTPs that don’t protect against phishing; biometrics that have so far failed to answer privacy, security and revocation concerns; and mobile phones whose constant internet connectivity makes their resident software vulnerable to malware.

The final 15 minutes take on audience questions ranging from iPhone support and SSH to Yubico’s Bluetooth and NFC features, financial services adoption, and FIDO browser support.

Jakob Ehrensvärd

U2F Thriving; YubiKey Nano Sales Retiring

It’s no secret Yubico is making a big investment in the FIDO Alliance’s U2F protocol, which we believe will significantly strengthen security on the internet. We are co-authors of the specification and no less than nine Yubico employees help steer the evolution of FIDO and U2F.

Recently, we joined with Google and Dropbox to support U2F strong authentication for hundreds of millions of users.

Over the past months, we’ve made U2F a base capability in our YubiKeys with the idea that all devices should support our internet commitment to deliver one key for many services. The public key cryptographic pedigree of the U2F protocol ensures security, privacy, and ease-of-use.

As part of this commitment, we will discontinue selling our YubiKey Nano as of March 16, 2016 and replace it with the YubiKey Edge-n, which has all the features of the Nano plus U2F.

This decision has little or no impact on current YubiKey Nano owners, who can continue to use the device as always for as long into the future as they like. Yubico will provide support for two years after March 16, 2016 for those with valid support contracts. (See the full set of policies on our website).

One of the most important security features of a YubiKey is that its firmware cannot be upgraded. If the key cannot be written to, neither can an attacker write to it, so there is no path to load malware onto it or to extract its secrets through an update. As alternatives, YubiKey Nano owners can complement their device with a U2F-only Security Key, or opt for the YubiKey Edge-n. The YubiKey Nano then becomes a backup for all of its supported features: Yubico one-time password, OATH time- and event-based OTPs, and static passwords. Or, we’re happy for you to just be happy with the YubiKey Nano you have.

So please don’t dwell on the industry standard, and ominous sounding, “End-Of-Life” term used in official announcements. We are not burying existing YubiKey Nano devices. Please use them and try to wear out the military-grade gold. The YubiKey will withstand your washing machine, your dog’s insatiable appetite, a winter spent in the snow, and being run over by just about anything.

The versatility of the YubiKey product lineup also remains, which includes support on various devices for other strong authentication options, services and features such as a PIV-compliant smart card, OpenPGP, and a secure element.

We are building a path to an internet future we think is paved with U2F support for all online services. We believe we have a clear vision of where strong authentication is headed and our goal remains delivering our customers to that destination.

Jakob Ehrensvärd is CTO at Yubico

Jerrod Chong

YubiKey to Secure Okta Adaptive MFA

There is a trend developing in identity management focused intently on security that incorporates strong two-factor authentication.

Today, we provide more proof of that trend by announcing our partnership with Okta to integrate YubiKeys into their cloud identity ecosystem. Okta has achieved the status of being the only solution among its peers to occupy the leaders’ quadrant in Gartner’s Magic Quadrant for Identity and Access Management as a Service (IDaaS). Inclusion into Okta’s platform reaffirms the reputation of the YubiKey as a highly sought after authentication technology by many leading software providers and services.

YubiKeys will soon be an option for stronger authentication as part of Okta’s just-released Adaptive Multi-Factor Authentication (MFA). With this service, users will be able to securely and easily authenticate with the YubiKey to Okta’s platform, which lets users authenticate once and access any number of applications.

The YubiKey is a hardware device that plugs into a USB port and works with a simple touch to trigger a one-time passcode (OTP) that securely authenticates the user. This single touch to activate a second factor makes YubiKey the preferred choice for users logging in from any device with a USB port.

YubiKeys supporting the upcoming Okta integration include the YubiKey Standard and Nano, YubiKey Edge and Edge-n, and the YubiKey NEO and NEO-n.

In addition, Okta also announced it has joined the FIDO Alliance, which develops open protocols for strong authentication, including the Universal 2nd Factor (U2F) specification. Both OTP and FIDO U2F features are natively supported in a single YubiKey.

Being the co-creators of the FIDO U2F protocol, we are excited that Okta has joined the Alliance. The FIDO protocol uses public key cryptography and is engineered specifically to address phishing and man-in-the-middle (MiTM) attacks.

The YubiKey Edge and YubiKey NEO support FIDO Alliance’s U2F protocol mode together with OTP. In addition, YubiKey NEO and YubiKey NEO-n have other capabilities such as a PIV-compliant CCID smart card and OpenPGP (SSH login, code signing, and more).

John Fontana

Secure Shell, Standards, And The YubiKey

In new entries added recently to the white paper section of our website, we’re detailing Secure Shell options using a YubiKey, and emerging standards that combine to solve online identity challenges.

These white papers are a nice place to uncover some lesser-known YubiKey gems, learn a little more about our crypto strategy, or dive deeper into topics that offer leading-edge security choices.

Those who use their YubiKey NEO or NEO-n in conjunction with Secure Shell (SSH) love the feature, but it lives in the shadow of other, more popular, YubiKey NEO services.

For the uninitiated, you can use a YubiKey NEO with SSH to establish secure connections with remote servers.

Author Alessio di Mauro, a Yubico software engineer, explains what SSH is and why you want to use it with a YubiKey. There are many advantages to using a YubiKey with SSH. The private key is stored within the YubiKey’s secure element, and your master key stays safe because you use only an authentication subkey. In addition, if your YubiKey falls into rogue hands, the attacker gets only three attempts at the PIN before the key locks down.

Once you configure your computer to use SSH keys from a YubiKey, you are set to use them with your personal server or with one of the many services that allow public key authentication such as GitHub or Bitbucket.

Alessio’s white paper takes you through all the benefits.

Also new to our white paper section is a peek at some interesting standards-based identity and authentication options fostered by the intersection of FIDO Universal 2nd Factor (U2F) and OpenID Connect. Each has its own important qualities, but also soft spots. Used together, they present new security possibilities that are explored by guest author Justin Richer, a standards advocate and consultant at Bespoke Engineering.

Also in the white paper section is Alessio’s original three-part crypto key length discussion now available as one document available for download (and sharing).

Our white paper section is a growing resource, so we hope you’ll visit now to learn more, and return in the future to find in-depth looks at a flourishing ecosystem that includes the YubiKey, FIDO U2F, security and the future of strong authentication.

John Fontana

Time Flies When Trying To Secure The Internet

A year ago, I joined Yubico and wrote a blog with the headline “Welcome to the Future, It’s About to Get Really Interesting.”

On reflection, perhaps that was an understatement.

The past 12 months have seen unprecedented hacks on industry and government that have resulted in more than a billion stolen passwords and personal records. The carnage created enough of a pain point to move security and two-factor authentication from an afterthought to an active, mainstream conversation topic.

It was a wake-up call to the weakest factor in security – the human factor.

Eyes popped out when Apple iCloud accounts were hacked and celebrity nude pics were stolen. President Obama signed an executive order requiring the use of multi-factor authentication in federal agencies. Red Hat and Microsoft announced multi-factor authentication plans, New York State banking regulators added two-factor authentication to their definition of a secure environment, and the US Postal Service added two-factor authentication to its post-hack remediation efforts.

Then the Cavalry started to round up its horses.

In October 2014, Google announced the first application support for the FIDO Universal 2nd Factor protocol and gave Gmail (and eventually Google for Work) users strong authentication backed by simple-to-use public key cryptography in the form of a Yubico Security Key.

At Yubico, we grew to keep up with the changing security landscape. We developed a two-factor login app for Salesforce.com users, sweetened our YubiKey portfolio with U2F support, offered our Security Key as a complement to Google’s launch, continued to bring on handfuls of enterprise customers looking to secure authentication, and helped finalize and offer to the world the FIDO U2F specification we co-invented.

And that was all before the end-of-year holidays. (Oh yeah, and we brightened the holidays with an array of colorful YubiKeys).

In January, the FIDO U2F ecosystem was active and buzzing with chipmakers, biometric devices, YubiKeys, mobile apps/clients, wireless connectivity development, cloud services, open source software, and other goodies.

Our CEO talked internet security with President Obama at a cybersecurity summit in Palo Alto, and recruited Salesforce CEO Marc Benioff as an investor and advisor.

We drew crowds eagerly seeking two-factor authentication as a silver lining at conferences such as Showstoppers, RSA, Cloud Identity Summit and Black Hat.

We released the world’s smallest HSM, debated cryptographic key sizes, announced the YubiKey Edge with OTP and U2F support, earned FIDO Certification, contributed to the release of Bluetooth and NFC support for U2F, crowned three YubiKings, and saw Dropbox become the first non-FIDO online service to adopt U2F supported by the YubiKey.

We also met with Victoria, Crown Princess of Sweden, and her husband, Prince Daniel, in California and introduced them to the YubiKey. And we went Hollywood with the YubiKey’s good-guy cameo in the dramatic film “Blackhat.”

But among all that change, we had constants: our commitment to open source and standards; our faith in one key for many apps; our belief in the right to internet privacy; our integrity; our focus on secure authentication for computers, servers, and internet accounts; and on providing the world’s enterprises with simple and secure authentication.

The next 12 months are lining up to be even more energetic, so you can count on one additional constant: more to come from Yubico (soon!) and our continued presence at the forefront of strong authentication.

blog
Stina Ehrensvard

Dropbox Adds Support For FIDO U2F, YubiKeys

Today, cloud storage giant Dropbox announced to its more than 400 million users that it now supports FIDO U2F for strong two-factor authentication.

On the company’s blog, Dropbox said users now can protect their files with U2F-powered devices in addition to the current feature of a one-time code sent to a mobile phone. Those U2F devices include YubiKeys, which enable high-security, public key cryptography to protect against advanced malware, phishing, and man-in-the-middle attacks. 

FIDO U2F removes cost and complexity from traditional public key and smart card technology. U2F-powered YubiKeys can be purchased from the Yubico store or at Amazon.com, and one single U2F device can access Google, Dropbox, WordPress and any number of U2F-compliant services. No client software or third-party services are needed, and no encryption secrets or information about users are shared between service providers.

The emerging open authentication U2F standards initiative was co-created by Yubico, Google and NXP, and turned over to the 200-member strong FIDO Alliance. Dropbox is the first major non-FIDO member to recognize the security advantages of FIDO U2F and offer those benefits to its customer base. FIDO membership is not a requirement for adopting FIDO U2F. The standards specifications for USB form-factor keys have been publicly available since December 2014, and the server code is free. Recently the FIDO U2F Technical Working Group published specifications for NFC and Bluetooth transports for secure authentication on mobile platforms. In addition, the FIDO Alliance announced today its latest round of products that have achieved FIDO certification. All U2F-compliant YubiKeys have earned the FIDO Certified designation.

Today, trillions of dollars are lost, and billions of internet users risk getting their online accounts hacked because of compromised static credentials. It’s encouraging that some great large-scale service providers are adopting technologies that represent the future of authentication — simple, open and secure, yet safeguarding your privacy.

The Yubico lineup that supports FIDO U2F, and works out-of-the-box with Dropbox and Gmail, includes YubiKey Edge and Edge-n, YubiKey NEO and NEO-n and Yubico FIDO U2F Security Key. In addition to FIDO U2F, YubiKeys can support OATH One-Time Password, OpenPGP, and smart card (PIV) capabilities. For more information, see the YubiKey feature comparison chart.

On our Web site we have posted instructions on how to register a U2F-compliant YubiKey with your Dropbox account.

Justin Richer

U2F, OIDC mix widens authentication options

The Universal Second Factor (U2F) protocol from the FIDO Alliance is an interesting authentication story on its own, but even more so when coupled with another emerging standard called OpenID Connect. With the pair, you can solve more authentication challenges than either could on their own.

U2F provides a way for users to authenticate to sites using a hardware cryptographic device. It does this by using public key cryptography, but without the problematic infrastructure of legacy PKI systems. A new key pair is generated for every service that the user connects to, offering a secure and privacy-preserving authentication system. U2F support is included on all but one version of Yubico’s YubiKeys.

However, this isn’t quite the whole story. The U2F protocol on its own doesn’t actually identify any particular user; it merely proves that someone has the device with control over a registered key. The user’s identity is intentionally left out of the U2F process, and the key must always be bound to some kind of user account for it to represent a person.

OpenID Connect (OIDC), on the other hand, is an identity federation protocol that is in use across the internet. Built on OAuth 2.0, OIDC lets users log into a website using an Identity Provider (IdP) service. This approach lets users leverage one account across a multitude of sites across the web and gives people control over which attributes of their identity are asserted and to whom in a secure and privacy-controlled fashion.

However, this isn’t quite the whole story either. The OIDC protocol doesn’t authenticate the user but rather conveys that authentication across the network. OIDC still requires that the user authenticate at the IdP, somehow. This could happen with a username and password, a certificate, a hardware token, or any number of other things.

So we’ve ostensibly got two authentication protocols, but authentication is a many-faceted thing. Each of these protocols addresses a slightly different take on authentication, intentionally leaving gaps to be filled by other technologies and components. The good news is we can combine U2F and OIDC to solve an even wider array of challenges than either can address alone.

For instance, an OIDC IdP could use a U2F device as part of its primary authentication mechanism for its users. This approach allows the user to strongly protect the primary identity they use all over the web. Alternatively, or even additionally, the OIDC and U2F protocols can be used in parallel. With this option, OIDC acts as a user’s primary login to a service, but a U2F device is registered on top of this federated login for additional protections that the service itself can check.
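The split described above (a fresh key pair per service, and a key handle that identifies nobody until the relying party looks it up under an account) is easiest to see in code. The Go program below is an added example written for this page; it is not Yubico’s, the FIDO Alliance’s or the whitepaper’s code. It simulates a token and a relying party with one P-256 key per registration and walks the authentication message: the server verifies the signature over the hash of its own appId, checks that the key handle belongs to the account being logged in, and requires the signature counter to move forward. It goes a little beyond the paragraph by also showing the phishing case: a handle presented from a different origin hashes to a different application parameter, so the token refuses to sign. The origin https://mail.example, the account names, the omitted attestation certificate and the simplified client-data JSON are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is a toy U2F authenticator: one fresh P-256 key pair per registration, stored
// under (handle, appParam) so a handle works only for the origin it was made for, plus a
// single signature counter. A real token wraps or derives the key in the handle instead.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }
// Register makes a key pair for appParam = SHA-256(appId) and returns the public key
// and a random 32-byte handle (the attestation certificate is omitted).
func (t *Token) Register(appParam [32]byte) (*ecdsa.PublicKey, []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only without a platform RNG
	handle := make([]byte, 32)
	rand.Read(handle)
	t.keys[string(handle)+string(appParam[:])] = priv
	return &priv.PublicKey, handle
}
// AuthResponse mirrors the U2F authentication response message.
type AuthResponse struct {
	UserPresence byte   // bit 0 set: the user touched the key
	Counter      uint32 // big-endian on the wire
	Signature    []byte // ECDSA over signedHash, ASN.1 DER
}
// signedHash is SHA-256(appParam || userPresence || counter(BE) || challengeParam).
func signedHash(appParam [32]byte, up byte, ctr uint32, challengeParam [32]byte) []byte {
	b := append(appParam[:], up, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	h := sha256.Sum256(append(b, challengeParam[:]...))
	return h[:]
}
// Authenticate refuses a handle not issued for this appParam: a phishing origin has a
// different appId, so the token gives it nothing to relay.
func (t *Token) Authenticate(appParam, challengeParam [32]byte, handle []byte) (*AuthResponse, error) {
	priv, ok := t.keys[string(handle)+string(appParam[:])]
	if !ok {
		return nil, errors.New("token: key handle not valid for this application")
	}
	t.counter++ // the touch: presence confirmed, counter advanced
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(appParam, 0x01, t.counter, challengeParam))
	return &AuthResponse{UserPresence: 0x01, Counter: t.counter, Signature: sig}, err
}

type registration struct {
	pub     *ecdsa.PublicKey
	handle  []byte
	counter uint32 // highest counter accepted so far
}
// RelyingParty keeps one registration per account (enough for the demo): a key handle
// identifies nobody until the server finds it under an account.
type RelyingParty struct {
	AppID    string
	accounts map[string]*registration
}
func NewRelyingParty(appID string) *RelyingParty { return &RelyingParty{appID, map[string]*registration{}} }
func (rp *RelyingParty) appParam() [32]byte { return sha256.Sum256([]byte(rp.AppID)) }
// challengeParam is SHA-256 of the browser-built client data (type, challenge, origin), simplified here.
func (rp *RelyingParty) challengeParam(challenge []byte) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%x","origin":"%s"}`, challenge, rp.AppID)))
}
// Enroll binds a new token key to an already-authenticated account.
func (rp *RelyingParty) Enroll(account string, t *Token) []byte {
	pub, handle := t.Register(rp.appParam())
	rp.accounts[account] = &registration{pub: pub, handle: handle}
	return handle
}
// Verify checks account binding, user presence, the signature, and that the counter
// moved forward (a stale counter means a replay or a cloned key).
func (rp *RelyingParty) Verify(account string, handle, challenge []byte, resp *AuthResponse) error {
	reg := rp.accounts[account]
	switch {
	case reg == nil || string(reg.handle) != string(handle):
		return errors.New("rp: key handle not registered to this account")
	case resp.UserPresence&1 == 0:
		return errors.New("rp: user presence not asserted")
	case !ecdsa.VerifyASN1(reg.pub, signedHash(rp.appParam(), resp.UserPresence, resp.Counter, rp.challengeParam(challenge)), resp.Signature):
		return errors.New("rp: bad signature")
	case resp.Counter <= reg.counter:
		return errors.New("rp: counter did not increase (replay or cloned token)")
	}
	reg.counter = resp.Counter
	return nil
}

func main() { // stand-alone demo: enroll, log in once, then replay the same response
	key, mail := NewToken(), NewRelyingParty("https://mail.example") // constructed origin
	h, ch := mail.Enroll("alice", key), make([]byte, 32)
	rand.Read(ch)
	resp, _ := key.Authenticate(mail.appParam(), mail.challengeParam(ch), h)
	fmt.Println("login:", mail.Verify("alice", h, ch, resp), "| replay:", mail.Verify("alice", h, ch, resp))
}
```

Run it with go run: the main function enrolls a key, logs in once and replays the same response, which the counter check rejects. A production server would also parse the registration response (65-byte public key, key handle, attestation certificate) and keep more than one key per account; the checks themselves are the ones shown, and the OIDC IdP described in the paragraph above would run exactly this verification before issuing its ID token.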

Want more details? We’ve put together a whitepaper that compares and contrasts U2F and OIDC, and gives more information on how they could be used together, both today and in the future. This whitepaper is freely available for download under a Creative Commons license.

Justin Richer is a guest blogger. He is a consultant at Bespoke Engineering, a disruptive technologist, and open source and standards advocate.

Yubico Team

We’re Headed to Black Hat

Yubico is going where it has never (officially) been before – this week’s Black Hat conference in Las Vegas. (Although we were once featured in a movie called Blackhat.)

After 18 editions of Black Hat USA, some may consider us late to the party (of course, we were only founded in 2007), but we have some exciting tools to bring into the security conversation. (You can talk with us in Booth 964).

We’ll be showing off our YubiKey lineup designed to strengthen authentication and security with everything from OTPs to OpenPGP. It’s a versatile hardware device that has an amazing range of capabilities.

At Black Hat, the focus is on the YubiKey’s support of the FIDO Alliance’s Universal 2nd Factor (U2F) protocol (Yubico is a co-author), integration with single sign-on software from our partner Ping Identity, support for Near Field Communication (NFC) that brings strong authentication to mobile devices, and added security for Windows login via the YubiKey.

Of course, we’ll have some fun odds-and-ends to make you smile and that you can bring home.

In addition, we’ll have details on the winners in our recent 2015 YubiKing Virtual Hackathon.

Black Hat’s main event runs August 5th and 6th and includes over 100 independently-selected sessions, a business hall, Arsenal (tool/demo “weapons” area), Pwnie Awards (9th annual), and more. Yubico’s booth is open Wednesday from 10 a.m. until 7 p.m., and Thursday from 10 a.m. until 5 p.m.

If you’re at the show, we’d love to walk you through the benefits of the YubiKey, which makes your accounts safe from hackers and data breaches. If you are in Vegas, or live there, we welcome you to come talk to us  about hacks, breaches, authentication, privacy and security.

Stina Ehrensvard

A Milestone for Wireless U2F

The FIDO Universal 2nd Factor (U2F) protocol passed a significant milestone last month, adding new transport protocols that emphatically answer questions about support for mobile devices.

Yubico is a leading contributor to the U2F specs, including the USB transport and the new specs for Bluetooth and Near Field Communication (NFC). We are now excited to see the recently completed Bluetooth and NFC transports published, enabling strong public key authentication to expand across computers, tablets and smartphones.

Despite the rapid growth of mobile devices, the majority of high-security applications will continue to be accessed from computers as long as those devices provide more computing power, user-friendly screens and full-sized keyboards. However, as more users and sophisticated applications move to smartphones and other Internet-connected gadgets, they have become a fast-growing target for hackers and malware. Wireless U2F will help ensure that the mobile device does not become the weakest link in a security system.

To understand the significance of strong authentication coupled with wireless communication via Bluetooth and NFC consider these facts: The Bluetooth Special Interest Group says there are more than eight billion Bluetooth enabled devices in use today and over 10 billion are projected to ship in the next three years. The NFC Forum says there are more than 500 million NFC-enabled devices in the market today. Analyst firm IDC predicts that from 2015 through 2017, that nearly six billion mobile phones will ship. That compares to fewer than one billion PCs in the same timeframe. Add to those numbers Cisco’s prediction of 50 billion Internet of Things devices and objects that will connect to the Internet in five years.

The new NFC spec for U2F has been successfully proven in enterprise deployments, and now all YubiKey NEOs that are running version 3.4 or later of our firmware (introduced in early-February) will work for NFC U2F authentication once relying parties incorporate support. And later this year, Yubico plans to launch a Bluetooth U2F device.

The wireless U2F specs published on June 30 are a major milestone for authentication that is secure, easy and available for everyone.

Yubico Team

Yubico Webinar: Google Talks Security Key, Apps

Google is doubling down on authentication with a strong commitment to FIDO’s Universal Second Factor (U2F) protocol and Yubico’s Security Key as part of an expanding emphasis on security.

The cloud computing giant joined Yubico on a live Webinar to continue a conversation entitled “Google for Work, FIDO U2F, and YubiKeys.” A recording of the webinar is now available for playback online.

Julien Blanchez, marketing lead for Google for Work, outlined where the Security Key fits into Google’s security strategy. He cited three security trends (increased risk, more complex security, and new work environments) and argued that the cloud is the right response for Google to address all three.

“We are not facing teenagers in basements anymore, we are facing armies targeting large organizations and individuals,” he said.

He cited Google’s innovation, size, and agility as top weapons in its arsenal. “Google can see things in a comprehensive way,” he said. Blanchez tagged authentication as the most important security issue today, saying three-quarters of 2014’s hacks were linked to the theft of login credentials.

Yubico and Google co-invented the U2F protocol. Yubico invented the YubiKey, including the Security Key, and has focused on U2F support. These U2F-based keys can now protect all Google services with two-step verification. Currently Google has a special offer for a 50% discount on Security Keys for Google for Work customers in the US, Canada, and EU. (It should be noted that FIDO U2F Security Key, YubiKey NEO, and YubiKey Edge all support U2F but only Security Key is part of the offer.)

In addition, Google is actively adding Security Key management controls to its cloud services, including Google for Work, Google Apps Unlimited and Google for Education. “In the coming months we will become stronger and stronger advocates for these Security Keys,” Blanchez said.

Yubico continued the discussion with an in-depth look at the YubiKey, its place on the authentication landscape, its range of authentication options, support for U2F, and how its unique one-touch user interface is solving one of cryptography’s major complexity issues.

A live demo shows how to register a YubiKey in the Chrome browser with three brief steps. The benefits are phishing protection, privacy, affordability and the ability to use one key to authenticate to many services.

A glimpse is given of the differences and complementary relationship of the YubiKey and smartphones-as-authenticators. The wrap-up features answers to a range of audience questions from browser-based U2F support to lost YubiKeys.

Yubico’s Kevin Casey, senior solutions engineer, and Sue Heim, information development, host the webinar.

John Fontana

Innovative Projects Topped with YubiKing Crowns

Break out the trumpets. Lower the drawbridge. The YubiKings are here to claim their thrones!

Today, Yubico is announcing the three winners of the months-long YubiKing contest, designed to discover who had mad enough skills to build the most innovative, creative and compelling solution around the YubiKey.

We received and evaluated a pile of fantastic entries. It was hard to cut them to a reasonable number before deciding on the three winning teams, each of which had incorporated a number of Yubico and open source elements into their YubiKing projects.

Congratulations to the leaders and team members of the victorious projects:

Each team will receive a $3,000 prize and special-edition etched “YubiKing” keys.

And we need to have a well-deserved virtual cheer for all those who took their best ideas and spent time working them into tangible solutions over the past months.

YubiKing Buckell and his team of four added support for YubiKey protocols — OTP, OATH and FIDO’s U2F — to the two versions of their MFAStack platform, which include two-factor authentication (2FA) support, IdP capabilities, and standards-based single sign-on. The YubiKey supports two-factor authentication to access the admin console, and a Yubico OTP is also used to approve changes to user settings, such as revoking keys.

But it’s the integration with U2F that gives users public key cryptography capabilities. In essence, it is strong authentication to protect an end-user’s single sign-on account. Buckell’s development team also included Nikola Bursac, Dominik Trupčević, Marko Bencek and Domagoj Paljug.

YubiKing Qvist and his teammate, Michael Bisbjerg, built CSIS Enrollment Station, an application that lets IT departments easily deploy and manage certificates and YubiKeys (PIV support, enrollment, PIN reset, revocation) on behalf of Microsoft Windows users. This was not possible previously because the YubiKey does not have native write support with Microsoft’s Base Smart Card Crypto Provider. So the team used Yubico’s PIV tool and a YubiKey PIV library .dll to generate a private key directly on the YubiKey and then generate a Certificate Signing Request. The request is read by their program as PKCS#7 and then packaged in a Certificate Management Message over CMS (CMC). The package is then sent to the Windows Certificate Authority. For good measure, Qvist and his team added the ability to generate a PIN Unlock Code (PUK) and management keys by interfacing with the Yubico HSM’s random number generator.

Not to be outdone, YubiKing Schürmann and his teammate, Vincent Breitmoser, went mobile with OpenKeychain for Android, which provides OpenPGP encryption, decryption and digital signatures to protect messages on an Android smartphone. Schürmann’s team added support for the OpenPGP feature of the YubiKey NEO and its Near Field Communication (NFC) option. By keeping the private key on the YubiKey rather than in the phone’s storage, OpenKeychain puts it out of reach of malware on the device. The application integrates with K-9 Mail and Conversations.

Thank you, everyone, for the wonderful submissions and for contributing to a successful contest. Don’t forget to look up Yubico at the Black Hat conference next month in Las Vegas at Booth #964. We can talk a little YubiKing.

See you next year!

John Fontana

Yubico CEO to EU: Open Standards Nurture Trust

Trust has to be a cornerstone in order to protect the online identities of 500 million people doing business across borders, Yubico’s CEO and Founder, Stina Ehrensvard, told an exclusive crowd of 500 EU digital policy makers and industry representatives last week at Digital Assembly 2015 in Riga, Latvia.

She held up a single YubiKey and told the audience how its support of “new open internet security standards can help us to reinforce the trust for our internet.”

A who’s who of invited guests from across the EU were gathered at the request of the Latvian Presidency of the Council of the European Union to attend workshops and hear from six hand-picked inspirational speakers.

The Council of the European Union is an essential decision-making body that works together with the European Parliament to adopt legislation and coordinate EU policies.

The Digital Single Market Strategy for Europe, published by the European Commission early last month, framed the proceedings. The strategy aims to open up digital opportunities for people and business and enhance Europe’s position as a world leader in the digital economy.

Yubico’s Ehrensvard was the first inspirational speaker to take the stage (video below). She led the audience back fifty-plus years to the invention of the three-point seat belt by her Swedish countryman Nils Bohlin, highlighting that its success was based on simplicity, unobtrusiveness and one-handed ease of use. It went on to become an open, global standard.

Fast-forward to today’s digital world, where she applied the same trio of traits to the YubiKey (although ease of use is accomplished with just one finger). She highlighted the weaknesses of other technologies: smart cards (complex), OTP devices (single purpose) and phones (vulnerable to attack).

She said standards are essential, such as the FIDO Alliance’s Universal 2nd Factor (U2F) protocol for strong authentication, which is supported in Yubico’s YubiKey. This emerging standard provides a way to share an authentication device across multiple services while maintaining respect for privacy, she said.

Her vision of the near future included the ability for anyone to buy a secure online identity based on U2F at a local convenience store from the same rack where the gift cards hang. Banks, governments, email sites, and healthcare organizations are among providers who would honor the secure identity.

She told the audience, “to realize the vision of a digital single market, the cornerstone is that we can trust the Internet.”

See the full talk below.

 

*Image courtesy of EU2015.LV

John Fontana

Cloud ID Summit Sharpens Focus on Future

One common theme across the talks at last week’s Cloud Identity Summit (CIS) revealed a desire to simplify and unify existing identity and access management technologies and standards to build a pragmatic approach to modern identity.

For years, authentication, authorization, single sign-on (SSO), federation, governance, risk, compliance, standards, and so on have each been pointing toward their own identity-based and secured Nirvana, each sporting a unique and clearly articulated picture of a future void of complexity and inadequacies. (Oh, if we could only move to that address yesterday.)

But here’s what I heard last week in San Diego.

More than at any previous time, the intersections of these discrete technologies and standards are now closer, clearer, and capable of a scale that is significant to enterprises and consumers. These intersections are beginning to define the possibilities of a common identity and access management stack that can potentially address a large number of use cases while simplifying the number of edge cases.

Is it around the corner? Nope. Are we in the last mile? Perhaps. Does it have promise? Absolutely.

Let me start from a Yubico perspective: the multi-factor authentication and single sign-on integration unveiled last week between Yubico and Ping Identity highlights the advantages of pairing authentication hardware with software-based federation and SSO. This combination moves security and convenience closer to being on the same side of the ledger.

And there are other pieces arriving at intersections.

Standards such as OAuth, OpenID Connect (OIDC), Security Assertion Markup Language (SAML), System for Cross-Domain Identity Management (SCIM), Fast Identity Online (FIDO), and User Managed Access (UMA) provide a view into managing modern identity users, authentication, applications, and services. Emerging standards for authentication and SSO (to mobile devices and applications) are evolving within FIDO (Bluetooth and NFC support) and the OpenID Foundation (Native Application SSO).

The result could add up to an infrastructure that begins to define security, levels of assurance, and user control across enterprise and consumer services accessed from desktops, laptops, and mobile devices.

Organizations like the Open Identity Exchange and the Kantara Initiative are adding trust models and certifications. The vetting of IAM systems will eventually look at the whole infrastructure and not the piece parts, which should come to the table already validated.

Add to the mix efforts underway in global governments including the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the United Kingdom’s Cabinet Office. These programs are already proving out models that incorporate technologies constructed with the building blocks displayed at CIS.

The qualifier, however, is that integration of identity and security on such a scale does not handle weakness well. Mastering these integrations initially won’t be for the faint of heart. Failures could be epic fireballs.

Vendors will have to partner and defer to customer needs rather than push their checkbox implementations of their competitors’ strengths. Standards in many ways will deflect some of that conflict.

Major vendors at CIS lined up and vowed to work together and push the adoption of standards. Alex Simons, director of program management for Active Directory at Microsoft, said he now has 1,000 engineers in the security and identity business, and “we are here to be your partner.” Google’s Eric Sachs, product management director for Identity, said in his keynote, “We’ve blocked almost all password access to our APIs by default. You have to use OAuth.” And Ian Glazer, senior director of Identity at Salesforce, laid down the gauntlet, saying companies that continue to manage user names and passwords are “toxic waste farmers.”

Color this analysis optimistic. Argue over timelines. Wrestle with cynicism. But don’t underestimate progress made over the past years regardless of the amount of hope crushed along the way. There is a better identity and access management model. It’s more attainable perhaps than ever before, and with better pieces that reduce complexity and improve usability.

It’s time to jump on and follow this arc of progress.


Photo credit: Brian Campbell

Jerrod Chong

Hello, SSO. It’s Me, Authentication

There’s a secret that single sign-on (SSO) never talks about. It’s called authentication.

The SSO conversation starts without mentioning the assumption that the user is already logged in. A login that requires a password. Instead, SSO is quickly positioned to triumph over the dangers of weak and reused passwords.

Many times, however, those same suspect passwords are the ones used for the initial authentication into the SSO environment.

Authentication is actually SSO’s most critical gatekeeper for a user’s identity. If the authentication password is stolen, all the user’s identities associated with that federated service are exposed.

Password policies, elaborate character-composition rules, and expiration every x days are the techniques enterprises typically use, with varying degrees of success, to get users to create passwords deemed strong enough for authentication to the SSO environment.

It’s within this scenario that Yubico has entered into a partnership with Ping Identity, a leader in the SSO and federation ecosystem, to create strong two-factor authentication for those critical and initial logins.

The one-time password (OTP) functionality of the YubiKey is integrated into PingID, a multi-factor authentication engine within the company’s flagship cloud identity service, PingOne.

So even if a user’s password is phished or stolen, an attacker cannot access the user’s SSO environment without also holding the user’s physical YubiKey. Each Yubico OTP is single-use, so a code intercepted in transit cannot be replayed later the way an SMS code intercepted on the phone network can. One caveat applies to any OTP, hardware or not: a phishing proxy that relays a freshly typed code to the real service within seconds can still succeed, which is the gap that FIDO U2F (covered in the posts further down) is designed to close.

PingOne users now have the option to add hardware-based, two-factor authentication to secure primary logins to Ping Identity’s cloud SSO environment. There are plans to integrate YubiKeys with other components of Ping Identity’s recently unveiled Identity Defined Platform, which includes PingFederate and PingAccess. Soon privileged accounts in the Ping Identity environment also will be covered under this OTP security blanket, further protecting specific enterprise accounts.

The USB-based YubiKey is one-touch protection for all applications protected by SSO and federation. It’s a hardware authenticator that doesn’t require a battery or the installation of any client software. By design, nothing can be written to the YubiKey, so malware can’t be loaded onto it.

Support for OTP is included on the YubiKey Standard and Nano, YubiKey Edge and Edge-n, and the YubiKey NEO and NEO-n.

In addition, the YubiKey is not a single purpose device. Both the YubiKey Edge and YubiKey NEO offer support for multiple authentication options, including the FIDO Alliance’s U2F protocol. The YubiKey NEO and YubiKey NEO-n have other capabilities such as a PIV-compliant CCID smart card and OpenPGP (for code signing, etc.). The YubiKey NEO also supports NFC for logging on to mobile applications.

John Fontana

Ode to Backup

A few weeks ago, I was in my hotel and reached into my pocket to get my YubiKey. Without it, I can’t log into certain email, CMS or other systems without going through an involved IT administrative process.

The key was gone.

That is an instantaneous bad feeling, wiped away only by the backup key I carry and store in a separate location.

Earlier, at a gathering of identity and authentication geeks, I was one of three Yubico employees walking people through the registration and use of the YubiKey with various apps.

Afterward, I left my computer with colleagues to go have a side conversation for a few minutes.

YubiKey in plastic sleeve

Unbeknownst to me, my diligent co-worker was cleaning up and collecting keys that had not been used or handed out. He saw a key inserted into my computer, and thinking it was part of the demonstration, removed it, tucked it back into its plastic sleeve and tossed it in a bag with 50 or so other keys.

(In his defense, he was unaware that I use the plastic package sleeve to protect against inadvertent key taps. What? You throw the sleeve away!)

The next day, my colleague unknowingly handed the key out to a random person who had requested a sample. My key was gone. Never to be seen again.

(I only learned that part of the story after telling him the next day about how I had lost my key but had been saved by a backup.)

So when I discovered in the hotel that my key was missing, my immediate reaction was “where is it?” and I spent a few moments searching for it. But I knew I had my backup YubiKey cleverly concealed in the room.

I retrieved the backup key and got right to work, having full access to my complement of applications and services.

This scenario is the answer to a common question Yubico hears: “What happens if I lose my YubiKey?” If you are prepared, the answer is nothing happens. It’s the same answer for “What if my hard drive crashes?” The real question is how important is my data/security and how do I protect and preserve it.

Given the YubiKey’s design, I didn’t need to worry about my main key in the hands of a stranger. The key has no data about the owner so I was undiscoverable. In addition, I was able to delete my YubiKey registrations from each one of my apps.

On the (very) off chance the stranger with my key located my computer and me, the key was worthless (even without deleting registrations, an attacker would also need my username and password for each app). I was able to pick right up with a new key. The only thing I had to do was establish a new backup key.

I did that after I was done working just to get a taste of what it feels like to live on security’s edge for a few hours. The feeling of having a backup is much more comfortable.

John Fontana

YubiKeys Earn FIDO Certified Label

Interoperability is king and today the FIDO Alliance announced its FIDO Certified program and a list of 31 products that have passed conformance and interoperability testing.

The three YubiKeys that support FIDO’s Universal 2nd Factor (U2F) protocol (NEO, Edge and Security Key) are now certified and part of this important maturation in FIDO’s design.

“FIDO Certified” means that any FIDO U2F product earning that designation will work with any other U2F product that is certified. The same goes for FIDO’s UAF protocol. The two-step testing requires products survive a gauntlet of test tools that examine validation and conformance to FIDO 1.0 specifications. The second phase is interoperability testing among products at an event overseen by FIDO.

Certification brings a level of confidence to FIDO products that are quickly moving into deployment phases among consumers and enterprises alike. The Yubico strategy around U2F centers on having one key that will access many services secured by a proven public key cryptography design. We think certification is a concept fundamental to this goal.

Certification signals that the Alliance is building an ecosystem that not only protects the value Yubico builds into the YubiKey but the investment customers put into FIDO and its range of security products.

This certification program also helps non-FIDO members build products that preserve the pedigree of the FIDO brand, ensuring a plug-and-play environment.

We will update our website and packaging to highlight our FIDO Certified designation. And we will highlight our partners that have followed us down this necessary path and we will encourage enterprises and consumers to always buy FIDO Certified.

Yubico Team

U2F, Google, Yubico Lead Authentication Makeover

The authentication landscape has been altered and evidence of that can be seen among a trio of front runners: FIDO U2F, Google and Yubico.

This week, Yubico laid out the details during a live webinar entitled “FIDO U2F, Google Drive for Work and YubiKey,” that is now available for playback online.

The in-depth discussion starts with the YubiKey, its place on the authentication landscape, its range of authentication options, and how its unique one-touch user interface is solving one of cryptography’s major complexity issues.

From there, the focus hones in on YubiKey’s implementation of the FIDO Alliance’s Universal 2nd Factor protocol, which Yubico helped invent.

A live demo shows how to add a YubiKey to Google Drive for Work using three brief steps for activating U2F’s cryptographic authentication and strengthening Google’s existing username and password login. No codes or phone apps needed.

The themes here are phishing protection, privacy, affordability and the ability to use one key to authenticate to many services.

In addition, Google’s new U2F key management tools for its Drive for Work administrative console are discussed. Now, for the first time with U2F, enterprises have backend management tools, standard clients (Google Chrome) and hardened security devices (Yubikeys).

In addition, listeners are given a behind-the-scenes understanding of key registration and how authentication is secured at a relying party using the U2F protocol.

A glimpse is given of the exploding ecosystem of U2F authenticators, services, chips, enterprise servers, open source options, and mobile apps. Finally, the conclusion examines the differences and complementary relationship of the YubiKey and smartphones-as-authenticators.

The wrap-up features the answers to 15 minutes of questions received from the audience.

Yubico CEO Stina Ehrensvard hosts the Webinar and is joined by two of her colleagues, industry veteran John Haggard, Yubico’s chief business officer, and Jerrod Chong, vice president of solutions engineering.

 

David Maples

YubiKey NEO OpenPGP Security Bug

Yubico recently learned of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. If you are not using OpenPGP, or have the OpenPGP applet version 1.0.10 or later, this vulnerability does not apply to you.

The OpenPGP Card applet defect was inherited from the open-source software project “javacardopenpgp.” The technical details are available in a security advisory posted on our website. This issue only affects the OpenPGP applet and does not impact the security of the YubiKey or its other functions.

While we continue to believe that the practical impact for the majority of users is not critical, Yubico aspires to exceed expectations related to security incident handling. Therefore, we have developed a policy on replacing affected YubiKey NEOs.

Note that moving usage of an OpenPGP key to a new YubiKey NEO requires that you have saved a backup copy of the private key on the card as there is no way to retrieve the private key from any YubiKey, including the YubiKey NEO. If you did not save a backup copy of the private key when you initially generated the key, you will need to revoke the existing key and create a new key. Therefore, we urge you to consider whether you are truly affected by the security issue before proceeding.

If you are using the YubiKey NEO with the OpenPGP Card applet and want to replace your YubiKey, go to yubi.co/support to log a support ticket. Include the output of ‘gpg --card-status’ run with your YubiKey NEO inserted (masking out personal information) together with your order number in the ticket you submit. We will give you a coupon code so you can order a replacement YubiKey NEO.

Yubico Team

Google Tools Boost Value of YubiKeys, FIDO U2F

Deploying enterprise software or services that lack a management console is comparable to jumping out of a plane without a parachute. It’s just not done without damaging consequences.

Today, Google delivered a parachute to all high-flying enterprises seeking managed two-factor authentication for their Google Drive for Work deployments. The company updated the Drive for Work Admin console to include tools for managing Yubico’s U2F-compliant keys, which Google’s two-step verification (2SV) accepts as Security Keys.

Compatible Yubico keys (U2F Security Key, YubiKey NEO or YubiKey Edge) give end-users strong authentication, while Google’s Admin console provides administrators the tools for deploying, monitoring and managing, at scale, keys based on the FIDO Alliance’s Universal 2nd Factor (U2F) protocol. YubiKeys support the U2F protocol that Yubico co-created and that works with Gmail and other U2F-compatible services.

This milestone tracks on Yubico’s vision for U2F and a world where one key can authenticate to many services. And it signals a powerful evolution of the enterprise value in Yubico’s lineup of FIDO-compliant keys, and the emerging scalable, open authentication FIDO standard. Enterprises and organizations now have a richer package including the backend management infrastructure, a universal client (Chrome), and a hardened security device in U2F-compliant keys.

A Yubico U2F authenticator is easily enrolled by the end-user, who inserts it into a USB port and touches the button when prompted (see video below). The U2F protocol uses public key cryptography and is specifically designed to protect against man-in-the-middle and phishing attacks and to preserve privacy: the key pair is bound to the origin that registered it, so a look-alike site cannot obtain a valid signature, and a fresh key pair per service means nothing links a user across sites. In addition, YubiKeys are resistant to malware because nothing can be written to them, and their secrets are protected by a secure element.
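The registration and authentication flow sketched above, as an added example that is not Yubico’s or Google’s code: a token signs SHA-256(application parameter || user-presence byte || counter || challenge parameter) with a P-256 key bound to the application parameter, and the relying party checks the origin the browser recorded, the signature, and that the counter moved forward. The relying-party URL, the look-alike origin and the challenge string are constructed for the demo; key handles and the attestation certificate are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData is what the browser hashes into the U2F challenge parameter.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// digest = SHA-256(appParam || userPresence || counter || chalParam): the bytes a U2F token signs.
func digest(appParam [32]byte, counter uint32, chalParam [32]byte) []byte {
	h := sha256.New()
	h.Write(appParam[:])
	h.Write([]byte{0x01}) // user presence: the touch on the key
	h.Write(binary.BigEndian.AppendUint32(nil, counter))
	h.Write(chalParam[:])
	return h.Sum(nil)
}

// Token is one registration: a P-256 key bound to one application parameter, plus a use counter.
type Token struct {
	appParam [32]byte
	priv     *ecdsa.PrivateKey
	counter  uint32
}

// Sign refuses any other appParam: a look-alike origin hashes differently, so the token never signs for it.
func (t *Token) Sign(appParam, chalParam [32]byte) (uint32, []byte, error) {
	if appParam != t.appParam {
		return 0, nil, fmt.Errorf("token: no key registered for this application parameter")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest(appParam, t.counter, chalParam))
	return t.counter, sig, err
}

// RelyingParty stores a public key and the last counter it accepted; it holds no secret.
type RelyingParty struct {
	AppID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

func (rp *RelyingParty) Verify(cdJSON []byte, counter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.AppID {
		return fmt.Errorf("rp: origin %q is not %q", cd.Origin, rp.AppID)
	}
	d := digest(sha256.Sum256([]byte(rp.AppID)), counter, sha256.Sum256(cdJSON))
	if !ecdsa.VerifyASN1(rp.pub, d, sig) {
		return fmt.Errorf("rp: bad signature")
	}
	if counter <= rp.lastCounter { // a replayed response, or a cloned token that is behind
		return fmt.Errorf("rp: counter did not advance")
	}
	rp.lastCounter = counter
	return nil
}

// browserLogin plays the browser on one origin: appParam derived from the origin, challenge wrapped in clientData.
func browserLogin(origin, chal string, tok *Token) ([]byte, uint32, []byte, error) {
	cdJSON, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: chal, Origin: origin})
	ctr, sig, err := tok.Sign(sha256.Sum256([]byte(origin)), sha256.Sum256(cdJSON))
	return cdJSON, ctr, sig, err
}

// RunScenario: a genuine login, the same challenge relayed through a look-alike origin, and a replay.
func RunScenario() (legit, phish, replay error) {
	const site = "https://example.com" // hypothetical relying party
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	tok := &Token{appParam: sha256.Sum256([]byte(site)), priv: priv}
	rp := &RelyingParty{AppID: site, pub: &priv.PublicKey}
	cd, ctr, sig, err := browserLogin(site, "constructed-nonce", tok)
	if err != nil {
		return err, err, err
	}
	legit = rp.Verify(cd, ctr, sig)
	_, _, _, phish = browserLogin("https://examp1e.com", "constructed-nonce", tok)
	replay = rp.Verify(cd, ctr, sig)
	return legit, phish, replay
}

func main() { fmt.Println(RunScenario()) }
```

The phishing case fails inside the token, before any signature exists, because the browser derives the application parameter from the page’s real origin; a relying party should still check the origin in clientData, as Verify does, so a forged clientData cannot smuggle a good signature under the wrong site. The counter check is what turns a cloned key into a detectable event rather than a silent one.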

Coupled with Google Drive for Work, which offers data storage and collaboration tools, YubiKeys shut out hackers, phishers, and other virtual ne’er-do-wells. Even with your username and password, the bad guys can’t get into your account without also having stolen your physical YubiKey.

With this model, end-users, partners and contractors can bring their own security device and control their identity while the enterprise can control access not by assigning passwords, but by activating or deactivating U2F-compliant keys — without ever needing to collect and store the end-user’s secrets.

Security for Google Drive for Work has been defined by username and password. And previous 2SV options all required the addition of unmanaged codes delivered via SMS, mobile apps or printouts, which have their own vulnerabilities to man-in-the-middle attacks and increase friction for end-user adoption.

Google’s 2SV management tools come to Drive for Work without the need to install any additional software because the tools are embedded in the existing Admin console.

With new administrative features for YubiKeys, organizations now have the management piece they need to implement and control 2SV rollouts. This relegates the password to little more than an identifier, since it is no longer the sole form of account protection. (Expel your sigh of relief here).

For enterprises, this is the strong authentication parachute they should be demanding.

John Fontana

An Edge over the Bad Guys

The one thing end-users don’t seem to have over hackers these days is an edge.

Yubico is changing that.

Today, we introduce a new key we’ve dubbed the YubiKey Edge. The goal is a cost-effective key with a collection of second-factor authentication options that guard against attacks on your accounts either via malware, phishing and other techniques. YubiKey Edge also includes an option to create a strong static password for use with apps and services that require a login but do not support one-time passwords.

YubiKey Edge, which comes in both the Standard and Nano form factors, includes the one-time password (OTP) features that are the foundation of YubiKeys: Yubico OTP, OATH, and Challenge-Response. A Yubico OTP is a 44-character string: a 12-character public identity followed by a 16-byte token (private ID, usage counters, timestamp, random bytes and a CRC) encrypted with the slot’s 128-bit AES key, so every press yields a fresh single-use value. These features work with apps such as Salesforce and LastPass.
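Both sides of a Yubico OTP, as an added example that is not Yubico’s code (it serves this paragraph and the single-use claim in the PingID post above): the key side builds the 16-byte token and encrypts it, the server side decrypts, checks the CRC residue and private ID, and rejects anything whose counters are not newer than the last accepted OTP. The AES key, private ID and public ID are constructed values; the modhex keyboard encoding of the 22 bytes is omitted.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// crc16 (ISO 13239, poly 0x8408, init 0xffff): the key stores its complement in the
// last two token bytes, so a correct decrypt leaves residue 0xf0b8 over all 16 bytes.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// Slot is one YubiKey OTP slot: AES key, private ID, and the counters that make every press unique.
type Slot struct {
	PublicID   [6]byte // sent in the clear; the key types it as the first 12 modhex chars
	aesKey     [16]byte
	privateID  [6]byte
	useCtr     uint16 // persisted, incremented at power-up
	sessionCtr uint8  // per press, reset at power-up
	tstp       uint32 // 8 Hz timer since power-up, 24 bits used
}

// Press builds the 16-byte token and AES-128-encrypts it (one block, so ECB is all there
// is). The 22 bytes returned are what the key types as 44 modhex characters.
func (s *Slot) Press() []byte {
	var pt, ct [16]byte
	copy(pt[0:6], s.privateID[:])
	binary.LittleEndian.PutUint16(pt[6:8], s.useCtr)
	pt[8], pt[9], pt[10] = byte(s.tstp), byte(s.tstp>>8), byte(s.tstp>>16)
	pt[11] = s.sessionCtr
	pt[12], pt[13] = 0x4a, 0x21 // a real key uses random bytes; fixed here to stay deterministic
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	blk, _ := aes.NewCipher(s.aesKey[:]) // 16-byte key, so NewCipher cannot fail
	blk.Encrypt(ct[:], pt[:])
	s.sessionCtr++
	s.tstp += 8
	return append(append([]byte{}, s.PublicID[:]...), ct[:]...)
}

// Registration is what a validation server keeps per key: the shared secrets and the
// highest (useCtr<<8 | sessionCtr) it has accepted. Real keys start useCtr at 1, so 0 is safe.
type Registration struct {
	aesKey    [16]byte
	privateID [6]byte
	last      uint32
}

// Validate decrypts, checks CRC and private ID, then refuses any OTP whose counters are
// not strictly newer than the last accepted one: a replayed OTP fails here, not at the AES step.
func (r *Registration) Validate(otp []byte) error {
	if len(otp) != 22 {
		return errors.New("otp must be 22 bytes (44 modhex chars)")
	}
	var pt [16]byte
	blk, _ := aes.NewCipher(r.aesKey[:])
	blk.Decrypt(pt[:], otp[6:]) // otp[:6] is the public ID the server used to find r
	if crc16(pt[:]) != 0xf0b8 || string(pt[:6]) != string(r.privateID[:]) {
		return errors.New("wrong key, corrupt otp, or private id mismatch")
	}
	cur := uint32(binary.LittleEndian.Uint16(pt[6:8]))<<8 | uint32(pt[11])
	if cur <= r.last {
		return errors.New("replayed otp: counters not newer than last accepted")
	}
	r.last = cur
	return nil
}

// Demo presses a slot programmed with constructed secrets and validates: a first press,
// that same OTP again, a corrupted copy, a second press, and a press after re-plugging the key.
func Demo() (first, replay, tampered, second, afterPowerCycle error) {
	key := [16]byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c}
	priv := [6]byte{1, 2, 3, 4, 5, 6}
	slot := &Slot{PublicID: [6]byte{0xff, 0x10, 0x10, 0x10, 0xff, 0x00}, aesKey: key, privateID: priv, useCtr: 7}
	reg := &Registration{aesKey: key, privateID: priv}
	otp := slot.Press()
	first = reg.Validate(otp)
	replay = reg.Validate(otp)
	bad := append([]byte{}, otp...)
	bad[21] ^= 0x01 // one flipped ciphertext bit scrambles the whole decrypted block
	tampered = reg.Validate(bad)
	second = reg.Validate(slot.Press())
	slot.useCtr, slot.sessionCtr, slot.tstp = slot.useCtr+1, 0, 0 // unplug and re-insert
	afterPowerCycle = reg.Validate(slot.Press())
	return
}

func main() { fmt.Println(Demo()) }
```

The counter comparison is the whole replay defence: the AES key proves the OTP came from this key, the CRC and private ID prove the decrypt was right, but only the strictly increasing (use, session) pair proves the OTP is new. A real validation server also has to persist that pair across restarts and across replicas, or a restarted server will happily accept an old OTP.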

In addition, we’ve added support for the FIDO Alliance’s Universal 2nd Factor (U2F) protocol, which provides easy-to-use public key cryptography.

YubiKey Edge shows itself as a USB keyboard when used in an OTP mode. There are two configuration “slots” on the key that are active at one time, which in essence turns the key into two keys in one. (A longer touch to the key activates the configuration in the second slot.)

For example, Slot 1 could be configured to provide a complex static password that replaces your traditional password. In Slot 1, the static password is activated with a quick touch to the key. Slot 2 could be configured with a second-factor OTP activated with a longer, multi-second touch of the key.

This configuration is easily achieved with a personalization tool available free from Yubico.

The static password can be used to replace your current password (just change your password using the “change password” feature of your app or service and when needed the Yubikey will enter the password you have configured).

This is only one example, the slots on the Yubikey can be a combination of any of the OTP or static password options.

On the U2F side, the key presents itself as a USB HID (Human Interface Device), the same device class as keyboards, mice and game controllers, so no driver is needed. U2F works via the browser, with Google Chrome offering initial support and Mozilla’s Firefox support under development. Gmail and other applications such as WordPress are supported, and additional U2F-compliant apps and services are queued for release by various vendors in the coming months.

U2F does not require any client software or drivers, and is available on every version of the YubiKey except the YubiKey Standard and YubiKey Nano.

As part of the YubiKey Edge introduction, Yubico has released a new version of its NEO Manager that supports YubiKey Edge.

John Fontana

YubiKey, YubiHSM: Secret Weapons to Guard Secrets

U.S. intelligence officials in 2013 said they planned to significantly reduce the number of individuals within their network with system administrator privileges. Those privileges gave administrators rights to view and move around any document.

“U.S. intelligence has invited so many people into the secret realm,” an official told NBC News, that it left the organization overly exposed to threats of compromise.

The question is how many people need to know a secret before it isn’t a secret anymore?

Yubico hears from many organizations and enterprises asking this very question. The idea is they want to tightly manage and shrink the circumference of their security circles. Smaller is safer (not foolproof) and easier to control and monitor.

Enterprises with high-assurance needs often look to eliminate third-party contractors from their security efforts, drastically reduce or eliminate reliance on identity service providers, and produce and protect their own secret keys. And where possible, reduce the number of internal privileged access accounts.

To help achieve these high-assurance goals, Yubico today released YubiHSM 1.5. It sits elegantly inside the USB-port of a standard server to secure encryption secrets and passwords from both remote and physical attacks. And high-assurance is why we helped create the FIDO Alliance’s Universal Second Factor protocol and why we built our U2F Security Key. Together, the keys are a one-two security punch for client machines and servers.

The original YubiHSM (Hardware Security Module) was developed by Yubico engineers five years ago to protect the company’s own hosted servers, including the YubiCloud. Yubico needed to protect YubiKey authentication secrets stored on multiple servers across three continents and found the HSMs available on the market too complex and costly for its needs. As customers heard what Yubico was doing, they requested access to the product. Today, the YubiHSM is deployed by hundreds of companies around the world, including leading cloud companies, financial services and U.S. Department of Defense contractors.

YubiHSM can store Yubico OTP AES secrets and validate one-time passcodes inside the module, and it offers cryptographic primitives including HMAC-SHA1 over variable-length input, symmetric encryption using AES in ECB mode, and cryptographically secure random number generation.

While the main functions of YubiHSM 1.5 are symmetric key operations, Yubico is looking to extend capabilities in the future to address asymmetric key operations.

The YubiHSM follows the same “Trust-No-One” approach like all of Yubico’s inventions and co-creations, including the YubiKey and the FIDO U2F Security Key. This allows Yubico customers to control their own authentication servers and secrets. These capabilities are a hallmark for Yubico’s suite of Yubikey functions including one-time passwords, smartcard capabilities, and data encryption capabilities.

On the device side, FIDO U2F Security Key gives enterprises high-security public-key cryptography and privacy without having to widen their security circles: No third-party service providers or certificate authorities are required. For the Yubico OTP, customers are allowed to load their own secrets and easily reprogram any YubiKey they buy without the need for special hardware or need to contact Yubico. In addition, all protocols implemented on our keys are open source. What this means is that enterprises can have strong authentication literally without having to trust anyone outside their organization, including Yubico.

All these features are foundational to Yubico’s philosophy. A secure identity that enterprises, organizations and individuals can own and control. And these features are how Yubico helps customers shrink security circles, even down to a single person who can use a YubiKey to protect their anonymity.

Dain Nilsson

Memoirs of a YubiKing

While I’ve been an employee with Yubico for a little more than two years now, my history with the company dates back a bit further. And the YubiKing contest we announced today to discover the next innovative use of the YubiKey transports me back to that time. Before I was an employee, I was a winner in the initial YubiKing contest.

The first time I heard of the YubiKey was on an episode of the Security Now podcast back in 2008. An enthusiastic Stina Ehrensvard (CEO and founder of Yubico) was being interviewed, and the details of how the YubiKey worked were being explained down to a very technical level. I remember later trying to explain how it worked to my then girlfriend (now wife), who didn’t quite share my excitement for the device. Nonetheless, I was smitten.

YubiKing is your opportunity to create the next innovative use for a YubiKey. Enter your project in the YubiKing Virtual Hackathon today to become eligible to win great prizes!

A while afterward, the first YubiKing competition was announced in a follow-up episode. This was the perfect excuse for me to get a YubiKey and play around with it. The rules were pretty simple: Create something that uses the YubiKey and submit it to the competition. I had what I considered a pretty neat idea for a hack, but with several companies entering the competition I saw little hope of actually winning. Still, the promise of a YubiKey for entrants was there. I had no excuse not to give it a shot.

At the time, very few web sites offered two-factor authentication. We’ve come a long way since then (with an even longer way to go, still), but I had an idea to immediately start using a YubiKey with more sites. My solution was a very basic password manager of sorts, which used Yubico OTPs for authentication.

It worked like this: You would store passwords for different sites, and the YubiKey would protect access to your passwords. A small browser plugin would then hook into password fields on third-party sites, detecting if an OTP was entered instead of a password. When it saw an OTP, it would query the server for your password and seamlessly replace the OTP with your actual password before submitting the field and logging you in. Boom, instant YubiKey support for any site!

My submission lacked polish and was mostly thrown together over the course of a weekend. But it worked, and the idea was novel enough that it earned me one of the coveted YubiKing titles awarded that year. This contest began my relationship with Yubico and eventually led me to a new job working with the technologies I’m passionate about.

Now we’re running another YubiKing contest, and I’m very excited to see what kind of new innovations will pop up this time around.

John Fontana

Yubikey and the Emerging Wireless World

Wireless has become the de-facto connecting point for consumers today and even among enterprises, where employees expect to leave behind desktop Ethernet connections for wireless connectivity in board rooms, conference rooms and common areas.

Apple makes this point emphatically with its new MacBook where the message is everything should be done without wires via technology such as Wi-Fi, Bluetooth, AirDrop, etc. Only a charging port is left and a set of adapters for those with cord-cutting anxiety.

And strong authentication is moving in the same direction so as to avoid being limited to a hard-wired port to accommodate its security benefits.

As the driving contributor to the FIDO 1.0 U2F USB-specifications, our Yubico engineers are now deeply involved in developing extensions for U2F that support Bluetooth and NFC.

Today, our NFC-enabled YubiKey NEO works with Android devices, and eventually Apple products when the company opens its NFC implementation to developers. (See some ideas on using NEO without a USB port).

Both the Bluetooth and NFC authenticators perform in a similar way as today’s USB-based YubiKeys, but do it without plugging anything into a port. The NFC YubiKey is simply tapped to an NFC-enabled device. A Bluetooth version will hang on your key-chain or sit in your pocket and you touch it for generating authentications that are completed wirelessly. The addressable market for these wireless options includes smart phones, tablets, devices, and yes, future laptops that may be pruning ports.

Though wireless comes with great benefits, such as eliminating messy and unsightly cables, physical connectors have benefits of their own. The USB YubiKey will always be the fastest and easiest to use with the millions of current and future computers equipped with classic USB ports. And Yubico will judge the viability of a USB-C YubiKey if and when the market demands one.

Photo ©Jeroen van Oostrom/FreeDigitalPhotos.net

John Salter

My Work Day Reflects YubiKey’s Flexibility

I work as a developer at Yubico. Like a lot of developers these days I’m empowered to not only develop software, but to publish it and configure the servers it runs on. This means that I have access to many systems, to which I authenticate using different keys.

The Key to Henrik’s Day

YubiKey NEO feature          Authentication uses
OTP                          Salesforce, Yubico Forums, WordPress
U2F                          Gmail
PGP                          Signing code changes
SSH (via PGP)                Servers
NFC (+ OTP)                  Unlocking office door
NFC (+ TOTP)                 Facebook, GitHub
Mifare Classic ID (+ code)   Unlocking door to office building

I store these keys on my YubiKey NEO, from which they can never leave, and let it do all authentication and signing. This means I am assured no one accesses systems in my name, even if they’ve stolen my laptop or have my passwords.

To make this more concrete, I have documented a regular workday.

Morning:

Entering the office building

The office building doors are unlocked using plastic fobs, which the reader identifies by their Mifare Classic UID. Since my YubiKey NEO supports Mifare, I use it instead. (A UID is read in the clear and is only an identifier, not a secret, which is why the next door does better.)

The office

A few minutes later I swipe my NEO again to unlock the door to the Yubico Stockholm office. This lock (sold by KEYnTO) is more secure since it uses YubiKey One-Time Passwords.

Reading e-mail

Yubico, like many other companies, uses Google for e-mail, calendar and documents. Google encourages you to use a Security Key (U2F device) to protect your account.

Google’s U2F Second-Factor Verification

Needless to say (since Yubico is a driving force behind U2F), I use my YubiKey for this as well.

Checking the forum

Yubico’s forum runs PhpBB and uses YubiKey One-Time Passwords as a second factor for authentication.

Afternoon:

Checking Facebook during lunch

I’ve configured Facebook to “keep me logged in” on trusted devices. But when I log in to Facebook (and Dropbox, GitHub, etc.) from untrusted devices, I’m asked to enter a 6-digit time-based code. To get the code, I just tap my NEO to my phone (the code is transferred using NFC). This has a couple of advantages:

  • The secrets used to generate the codes never leave my YubiKey, so I don’t have to worry about phone malware or securely wiping the phone when selling it.
  • I’m not tied to a single phone. I can even use a friend’s phone if mine is out of battery.

Pushing code to GitHub

Today, I’m working on our developer portal, developers.yubico.com. After a few hours of coding, I’ve got something that I’m ready to publish. I type “git push” in the terminal, enter my YubiKey’s PIN and let it authenticate me to GitHub. My private SSH key never leaves the YubiKey.

Connecting to a server via SSH

My new code isn’t working as expected, so I SSH into the web server hosting developers.yubico.com to have a look in the logs. Once again, my YubiKey does the authentication.

Signing released software

I spent the afternoon adding some features to our U2F library for Java. In order to publish the release, I have to sign the artifacts using OpenPGP. Luckily, the build system (Maven) has a plugin for this. All I have to do is to type “mvn deploy -P release” and the YubiKey will sign the files using my PGP key.

Things I didn’t do today

I use my YubiKey for even more things. Here are some of the things that I didn’t do today:

  • Logging into Yubico’s website that’s running WordPress, using FIDO U2F.
  • Logging into Yubico’s Salesforce instance, using a YubiKey One-Time Password.


Alessio Di Mauro

The Big Debate, 2048 vs. 4096, Yubico’s Position

In Part 2, we got a better understanding of what an algorithm like RSA does and what the length of a key entails.

Now, in Part 3, we can talk about the elephant in the room. Are 2048-bit keys useless? And are your documents completely insecure if you are using them? What are the pros and cons of one key length versus the other?

As I showed in my last installment, RSA-2048 still has fifteen years of life left before it is considered obsolete. Plenty of time not to be worried now. Just imagine where technology was fifteen years ago!

While it is true that a longer key provides better security, we have shown that by doubling the length of the key from 2048 to 4096, the increase in bits of security is only 18, a mere 16%. Moreover, besides requiring more storage, longer keys also translate into increased CPU usage and higher power consumption.

While this might not seem like much on a modern computer, where we measure things in gigabytes and hundreds of watts, it is still a valid concern for the growing number of low-power embedded devices, where CPU frequency is measured in kilohertz and power consumption in milliwatts and microwatts.

In these cases using a longer key means longer time to compute the result and shorter battery life on devices.

The real advantage of using a 4096-bit key nowadays is future proofing, but even that is not so strong an argument. By the time that RSA 2048 is declared dead, hopefully Elliptic Curve Cryptography (ECC) will have taken over, or even better, new and wonderful encryption algorithms will have been discovered.

What about ECC

So what about Elliptic Curve Cryptography? These schemes are an alternative to RSA and rest on a completely different hard problem (the discrete logarithm on an elliptic curve rather than integer factoring). Apart from that, they are ordinary asymmetric algorithms: key pairs, signatures and key agreement work as you would expect.

On the other hand, when it comes to speed and memory, ECC considerably outperforms RSA (with the notable exception of signature verification, where RSA with its small public exponent is faster), even on embedded systems and smaller microcontrollers.

Key lengths for these kinds of algorithms are considerably smaller. According to NIST, 112 and 128 bits of security (equivalent to RSA-2048 and RSA-4096) correspond to 255-bit and 383-bit ECC keys in the worst case, and even less on some specific curves.
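The size and speed difference the last two paragraphs describe is easy to measure. The following added example (not Yubico's code, and not from the OpenPGP implementation discussed here) uses only the Go standard library to generate an RSA-2048 key and an ECDSA P-256 key, the two the post equates at roughly 112 bits of security, signs a constructed sample message with each, and reports the encoded public-key size, the signature size and the sign/verify timings. The message, the `KeyReport` type and the `Compare` helper are assumptions made for the example; `main` additionally runs RSA-4096 and P-384 so the 2048-vs-4096 numbers can be seen side by side.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"time"
)

// sample is a constructed message; its content does not matter for the comparison.
var sample = []byte("constructed sample message for the RSA vs ECC comparison")

// KeyReport summarises one key pair: the size of the encoded public key and of
// one signature, how long signing and verifying took, and whether the
// signature verified.
type KeyReport struct {
	Name        string
	PubKeyBytes int // length of the DER SubjectPublicKeyInfo (PKIX) encoding
	SigBytes    int
	SignTime    time.Duration
	VerifyTime  time.Duration
	Verified    bool
}

// ReportRSA generates an RSA key of the given modulus size and signs the
// sample with RSA-PSS over SHA-256.
func ReportRSA(bits int) (KeyReport, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return KeyReport{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return KeyReport{}, err
	}
	digest := sha256.Sum256(sample)
	t0 := time.Now()
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return KeyReport{}, err
	}
	t1 := time.Now()
	verifyErr := rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest[:], sig, nil)
	t2 := time.Now()
	return KeyReport{
		Name: fmt.Sprintf("RSA-%d", bits), PubKeyBytes: len(pub), SigBytes: len(sig),
		SignTime: t1.Sub(t0), VerifyTime: t2.Sub(t1), Verified: verifyErr == nil,
	}, nil
}

// ReportECDSA does the same with ECDSA on the given NIST curve.
func ReportECDSA(curve elliptic.Curve) (KeyReport, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return KeyReport{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return KeyReport{}, err
	}
	digest := sha256.Sum256(sample)
	t0 := time.Now()
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return KeyReport{}, err
	}
	t1 := time.Now()
	ok := ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig)
	t2 := time.Now()
	return KeyReport{
		Name: curve.Params().Name, PubKeyBytes: len(pub), SigBytes: len(sig),
		SignTime: t1.Sub(t0), VerifyTime: t2.Sub(t1), Verified: ok,
	}, nil
}

// Compare runs the two keys the post equates at 112 bits of security:
// RSA-2048 and the 256-bit curve P-256.
func Compare() ([]KeyReport, error) {
	r, err := ReportRSA(2048)
	if err != nil {
		return nil, err
	}
	e, err := ReportECDSA(elliptic.P256())
	if err != nil {
		return nil, err
	}
	return []KeyReport{r, e}, nil
}

func main() {
	reports, err := Compare()
	if err != nil {
		panic(err)
	}
	// RSA-4096 and P-384 round out the 2048-vs-4096 debate.
	if r, err := ReportRSA(4096); err == nil {
		reports = append(reports, r)
	}
	if e, err := ReportECDSA(elliptic.P384()); err == nil {
		reports = append(reports, e)
	}
	for _, r := range reports {
		fmt.Printf("%-9s pubkey %4d B  sig %4d B  sign %10v  verify %10v  ok=%v\n",
			r.Name, r.PubKeyBytes, r.SigBytes, r.SignTime, r.VerifyTime, r.Verified)
	}
}
```

Sizes are deterministic (an RSA-2048 PKIX public key is 294 bytes and a PSS signature 256 bytes; a P-256 public key is 91 bytes and a DER-encoded ECDSA signature at most 72), while the timings depend on the machine; on a desktop CPU the RSA-4096 key generation alone usually takes seconds, which is the cost the post attributes to longer keys on constrained devices.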

So why are we not using this everywhere? Although the math behind them has been known for a while, ECC is a relatively new concept in cryptography, an inherently slow-changing and conservative field.

New implementations and new “fast reduction” curves that make computation significantly quicker are still under study and it takes time. As if that was not enough, some curves and implementations are behind patent walls.

Support for these kinds of encryption algorithms in OpenPGP has been proposed, and the first implementations are slowly starting to appear. Implementing cryptography, however, is an error-prone procedure and a fine art in and of itself.

Blindly implementing an algorithm is usually not enough to plug all the potential security holes, and be impervious to side-channel attacks and the like.

It is clear that once the issues are resolved and more implementations start coming around, ECC is the way forward.

Where does Yubico stand

Both the NEO and the NEO-n implement OpenPGP and support RSA up to 2048 bits. This is not a constraint from Yubico, but rather a hardware limitation of the NXP A700x chip used within the YubiKeys.

While the chip also supports ECC, it cannot easily be implemented without using some proprietary extensions, making it troublesome to comply with the license used by the OpenPGP applet (GNU GPL). Moreover, as stated before, implementing crypto is a difficult process, and although we have an initial version available on GitHub, it still requires more thorough testing before it can be considered production-ready.

A best practice is to determine how long you plan to use a specific key and then select a key length based on that decision. Everyday smartcards are fine at 2048 bits because they get changed out at regular intervals and will naturally migrate to longer key lengths over time. Long-term keys, like your master OpenPGP key that isn’t on a smartcard or used everyday, could be viable for the next 30 years if you pick longer key lengths today.

All in all, we believe that the security of the asymmetric cryptography provided by the YubiKey NEO and NEO-n is adequate for the time being. However, we are constantly working to keep ourselves ahead of the curve (no pun intended) and we will make sure to provide new solutions when the time (and the technology) is right.

Part 1: Does Key Size Really Matter in Cryptography?
Part 2: Comparing Asymmetric Encryption Algorithms

Alessio Di Mauro

Comparing Asymmetric Encryption Algorithms

In Part 1 of our crypto blog, I briefly introduced the concept of asymmetric encryption algorithms and the general rule that the longer the key the better. Let’s take a deeper look at that logic here in Part 2.

There are many asymmetric encryption algorithms, but let's focus on RSA, which is one of the most popular and is supported by the YubiKey NEO and NEO-n. What is a suitable key length to use with RSA, and why not just use the longest key possible?

RSA was first introduced in the '70s, but since it is based on a mathematically hard problem, as discussed in Part 1, we are still able to use it with some adaptations.

Historically, a common starting point for a key length has been 1024 bits. Even though attacks on this key length require very sophisticated, platform-specific effort, 1024-bit keys are generally considered not secure enough and their use is highly discouraged.

In 2012, the National Institute of Standards and Technology (NIST), a U.S. agency that promotes technological advancements, published this document, which contains the following table (Table 4 on page 67).

Security Strength   2011 – 2013               2014 – 2030      2031 and beyond
80                  Applying: Deprecated      Disallowed       Disallowed
                    Processing: Legacy use
112                 Acceptable                Acceptable       Applying: Disallowed
                                                               Processing: Legacy use
128                 Acceptable                Acceptable       Acceptable
192                 Acceptable                Acceptable       Acceptable
256                 Acceptable                Acceptable       Acceptable

The column “Security Strength”, or more colloquially “Bits of Security”, is an estimate of the amount of work required to defeat a cryptographic algorithm; the higher the value, the better.

The keywords “Applying” and “Processing” refer to encryption and decryption operations respectively.

A Security Strength of 80 bits is currently “Disallowed” which translates to “an algorithm or key length [that] shall not be used for applying cryptographic protection.” Now, if you were guessing that 80 bits of security are approximately equivalent to RSA-1024, you have guessed right. This is mentioned in the same NIST document (Table 2, page 64).

Similar results can also be found in a yearly report (Tables 7.2 and 7.3 on page 30) from ECRYPT II, the second incarnation of ECRYPT, the European Network of Excellence in Cryptography. For clarity, in the following text we will use the data from the NIST publication.

The next relevant value in the table is 112 bits of security, which roughly corresponds to RSA with a key length of 2048 bits. At the moment this value is considered “Acceptable,” which means that it is not known to be insecure, and it is expected to remain so until 2030.

Now comes the interesting bit. Although there is no requirement to use RSA keys with a length that is a power of two, depending on the implementation there might be some advantages in terms of speed.

For this reason we consider a length of 4096. Unfortunately, this value is not in the table above. However, with a bit of exponential regression, and assuming that the “Security Strength” function is continuous (or better, differentiable) between the data points provided in the table above, we get the following plot:

As you can see, a 4096-bit RSA key clocks in at around 129 bits of security.

This value is marginally better than a key length of 3072 bits, and considered acceptable beyond year 2030. (Also see this key length calculator).

Part 1: Does Key Size Really Matter in Cryptography?
Part 3: The big debate, 2048 vs 4096, Yubico’s stand

Alessio Di Mauro

Does Key Size Really Matter in Cryptography?

One of the most interesting and useful aspects of the YubiKey NEO and NEO-n is that they can act as a smart card and come pre-loaded with a bunch of interesting applications, such as an implementation of OpenPGP Card.

Many end-users like this functionality, but some question the key lengths. It is an expected cryptographic question and is worth examining in some detail. I will walk you through it in a series of three blogs I will publish this week. Today is the first installment.

OpenPGP is a standard that allows users to encrypt, decrypt, sign and authenticate data. It is an open, standardized variant of PGP, available as a FOSS implementation in the form of GNU Privacy Guard (GPG), and is most notably used for email encryption and authentication. Independent of the actual implementation, OpenPGP (and PGP) supports both symmetric and asymmetric cryptography. Today we will focus on the latter.

Simplified cryptography primer

To better understand what follows, a few very basic concepts of cryptography are required. In asymmetric or public-key encryption there are two main players: the encryption algorithm itself (RSA, ECC, ElGamal, …) and a cryptographic key pair. (There are also encryption/signature schemes such as PKCS#1, ECDSA and ECDH, but that is another discussion).

Each encryption algorithm is based on a computationally hard problem. The mathematical transformation constitutes the operation that the encryption scheme can perform, encrypt/decrypt, whereas the keys provide the additional data. A similar statement can be made for signature algorithms, where the operations are sign/verify.

The two keys of the same key pair are strongly interconnected; this is a fundamental property of asymmetric cryptography. The keys must be used together to achieve different properties such as confidentiality, authenticity and integrity.

Confidentiality is a guarantee the message is received only by the intended recipients. Authenticity guarantees the identity of the author, and integrity confirms both confidentiality and authenticity by ensuring that a message has not been modified in transit. (Click here for a brief introduction to cryptography)

On to PGP

All this can be achieved if, and only if, the secret key of a user remains uncompromised. However, not all keys are created equal.

In computer security, the strength of a cryptographic key is characterized by its length, measured in bits, rather than by the number and shape of its ridges and notches as with a physical key (say, for your car). Provided that an encryption algorithm actually supports different key lengths, the general rule is that the longer the key, the better.

In the next installment, we’ll look at suitable key lengths and how they compare. In a third installment, we will take on the 2048 vs 4096 key length debate then examine chip-based characteristics that define today’s YubiKey cryptography. And then wrap-up by looking at what Yubico has in the lab and how we plan to move forward. See you tomorrow.

Part 2: Comparing Asymmetric Encryption Algorithms
Part 3: The big debate, 2048 vs. 4096, Yubico’s stand

Alessio Di Mauro

A Crash Course in Cryptography

To better understand asymmetric cryptography, you need knowledge of some basic concepts.

For those that are not familiar with public-key cryptography, I will provide here a brief, stripped-down introduction to the topic.

In asymmetric or public-key encryption there are two main players: the encryption algorithm itself (RSA, ECC, ElGamal, …) and a cryptographic key pair (there are also encryption/signature schemes such as PKCS#1, ECDSA and ECDH, but that is another discussion). The former is something that is (or should be…) publicly available. It tells us which steps to follow in order to encrypt and decrypt messages.

A public/private key pair on the other hand is part of the input to the encryption algorithm and provides two things: the information necessary to uniquely identify a user (public key), and a connected secret required to make the scheme secure (private key).

How does this work all together? Each encryption algorithm is normally based on a computationally hard problem. That is, some kind of mathematical operation that can be performed and inverted relatively easily provided that some information is available. The mathematical transformation constitutes the operation that the encryption scheme can perform, encrypt/decrypt, whereas the keys provide the additional data.

The two keys of the same key pair are strongly interconnected. If the public key is used as part of a message transformation, only the private key can be used to invert it and obtain the same data back. This is a fundamental property of asymmetric cryptography and, depending on how the transformations are applied, and as long as the private key remains private, it allows us to achieve different properties such as confidentiality, authenticity and integrity.

Confidentiality is the guarantee a message will only be received (in a meaningful state) by its intended recipients. This is achieved by encrypting the message with the public key of the recipient, so that only she will be able to decrypt it with her private key.

Authenticity, on the other hand, guarantees the identity of the author and can be achieved by signing a message with the private key of the author and verifying it with his public key.

Finally, integrity is a somewhat orthogonal property, necessary for both confidentiality and authenticity to be upheld. It can guarantee that a message has reached a recipient (intended or not) unmodified. A typical way of providing integrity is through message authentication codes (MACs).
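The three properties just described (and summarised more briefly in Part 1 above) can be shown end to end with a few lines of standard-library Go. This added example is not Yubico's code and does not model the OpenPGP Card; it uses plain RSA-2048 with OAEP for encryption and PSS for signatures, and the parties `alice`, `bob` and `mallory`, the `Party`/`Sealed` types and the sample message are all constructed for the example. The sender encrypts to the recipient's public key (confidentiality), signs the ciphertext with her own private key (authenticity), and the recipient checks the signature before decrypting, so a message altered in transit or forged by a third party is rejected (integrity).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one user with an RSA key pair. The private half never leaves the
// struct; Public() is the only thing handed to other parties.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a 2048-bit key pair for the named user.
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}

// Public returns the shareable half of the key pair.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Sealed is what travels over the wire: the ciphertext plus the sender's
// signature over that ciphertext.
type Sealed struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal provides confidentiality by encrypting to the recipient's public key
// (RSA-OAEP) and authenticity by signing with the sender's private key
// (RSA-PSS). Because the signature covers the ciphertext, any change in
// transit invalidates it, which is the integrity guarantee.
func (sender *Party) Seal(msg []byte, recipient *rsa.PublicKey) (Sealed, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return Sealed{}, err
	}
	d := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, d[:], nil)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature against the claimed sender's public key first,
// so a forged or modified message is rejected before any decryption is
// attempted, and then decrypts with the recipient's own private key.
func (recipient *Party) Open(m Sealed, claimedSender *rsa.PublicKey) ([]byte, error) {
	d := sha256.Sum256(m.Ciphertext)
	if err := rsa.VerifyPSS(claimedSender, crypto.SHA256, d[:], m.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: not from the claimed sender, or modified in transit")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, m.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: message was not encrypted to this recipient")
	}
	return pt, nil
}

func main() {
	alice, err := NewParty("alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewParty("bob")
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: the meeting is at noon") // constructed input
	sealed, err := alice.Seal(msg, bob.Public())
	if err != nil {
		panic(err)
	}
	pt, err := bob.Open(sealed, alice.Public())
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)

	// Flip one ciphertext byte: the signature no longer matches and Open refuses it.
	tampered := Sealed{Ciphertext: append([]byte(nil), sealed.Ciphertext...), Signature: sealed.Signature}
	tampered.Ciphertext[0] ^= 0x01
	_, err = bob.Open(tampered, alice.Public())
	fmt.Println("tampered message:", err)
}
```

Note that the order in `Open` matters: verifying before decrypting means the recipient never operates its private key on data that has not already been attributed to a known sender. Real OpenPGP messages add a symmetric session key and a hash of the plaintext on top of this, but the division of labour between the two halves of each key pair is exactly the one the post describes.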

See Part 1 of our 3-part blog series on cryptographic key length and the YubiKey NEO/NEO-n.

Stina Ehrensvard

Yubico Meets President Obama

Last Friday I biked to Stanford to discuss online identity protection with the President of the United States.

President Obama is a man passionate about the Internet and dedicated to helping secure it. After our short one-on-one conversation about Yubico solutions, he took the stage at the Stanford Memorial Auditorium. In front of him he had CEOs and CISOs from the leading companies in the financial and tech industries, who were also invited as speakers during the day-long White House Cybersecurity Summit.

In an afternoon session with a group of tech CISOs, the highlight was FIDO and second-factor authentication, and implementations that work today to secure online identities. And when one of the CISOs held up a small USB key in his hand, someone from the audience called out: “That’s a YubiKey!”

In a panel entitled “Authentication Beyond Passwords”, I was one of three speakers advocating for open standards, including representatives from FIDO and NSTIC (National Strategy for Trusted Identities in Cyberspace). We agreed that the world does not need to wait; there are real-world deployments for open, secure, easy-to-use, affordable, and high-privacy online identity protection.

It was a beautiful, warm and sunny afternoon when I headed back home to Palo Alto; a 15 minute bike ride from the Stanford campus. I chose to live here for the same reasons the White House chose to host the event here; to work closely with the Internet thought leaders to solve real problems that cannot be solved alone by governments or tech giants.

While such cooperation is needed to achieve identity protections, Yubico is not blind to the current debate around government surveillance and the very public boycott of Obama’s Summit by some tech giants.

Since the NSA breach, leading tech companies are building encryption into their products that they themselves cannot break into. This effort eliminates the ability to disclose customer information even if ordered by a court. Both the British and the U.S. government have tried to stop this. The New York Times summarizes the issue well.

At Yubico, we are committed to help Internet citizens take control over their online identities. We believe that your secure online identity should not be owned or controlled by tech giants, governments, banks – or by Yubico. We believe in an open and secure Internet where users can have multiple identities, even anonymous, and hide information if they need to and want to, a topic I highlighted in my previous blog on global dissidents using YubiKeys: https://www.yubico.com/2014/11/fido-u2f-designed-protect-privacy/

See Obama’s opening remarks from the Summit (video):
www.WhiteHouse.gov/CyberSummit

Ronnie Manning

We Love Third-Party Validation!

It’s always rewarding when you see third-party validation of your company’s product, and that is why today started off so well.

In separate articles published today, Yubico’s YubiKey was highlighted for its tight security and ease of use by authors Don Sambandaraksa at TelecomAsia.net, which is aimed at the telecom market, and Greg Harvey, co-founder and director at Code Enigma, which offers secure Linux hosting.

Both articles not only speak to the crypto power of the YubiKey, but its flexibility in terms of strong authentication options (including eating the key, really! but please don’t try this at home!) and Yubico’s commitment to open source software and the possibilities it provides.

Sambandaraksa’s article focuses on YubiKey’s OpenPGP support, how a private key is protected and YubiKey’s ability to solve “the usability / security trade-off that has hampered widespread PGP adoption on mobile devices.”

Harvey focuses on YubiKey’s one-time password capability to help protect access to production servers at Code Enigma, including how it is hack-proof, how the key can be certified, and the use of open-source YubiCloud software. Harvey also includes a great tutorial video: Using YubiKeys to secure Debian Linux.

Want to know who else has covered Yubico and YubiKeys lately? See our In the News section.

(Image courtesy of Code Enigma)

Stina Ehrensvard

The Key and the Princess

After Silicon Valley, Sweden is considered one of the world’s more interesting tech innovation hubs, giving birth to global brands such as Skype, MySQL, Spotify, King – and the rising Yubico!

The growing and fruitful cross-pollination between Silicon Valley and Sweden is the reason Victoria, Crown Princess of Sweden, and her husband, Prince Daniel, visited the Bay Area this week (pictured above left in photo with Yubico CEO Stina Ehrensvard, center, and Chief Business Officer John Haggard, right).

I had the honor of meeting the Royal couple during a private event at the Computer History Museum, and participating on a panel of Nordic tech-entrepreneurs that shared stories of building successful companies in this magic place in the world.

“Nowadays every road leads to the Bay Area,” Barbro Osher, the Honorary Consul General of Sweden, said during the event. “They felt they’ve been here before, but they haven’t been down to the Valley and it was time to learn about the innovations.”

Princess Victoria, heir apparent of King Carl XVI Gustaf, is a cool, authentic and modern woman asking intelligent questions.
Educated at Yale, she married a successful entrepreneur and gym owner who at the time was also her personal trainer.

In case the Princess by chance finds this blog, I hope you continue to encourage entrepreneurship and to be yourself; a shining representative for Sweden. Meanwhile, my team at Yubico will do its best to help protect people across any country border, driving new open security standards for all Internet citizens.

John Fontana

YubiKey’s Hollywood Cameo Trips up Bad Guys

The YubiKey made it into Hollywood’s spotlight last weekend, taking on a plot-turning cameo appearance in the movie Blackhat. (Cue the suspenseful music).

When it was all said and done, the YubiKey showed some of the power of two-factor authentication – not in terms of fingering (pun intended) the suspect, but narrowing the field of potential culprits to whomever had physical access and touched the key.

In a cinematic trick, the YubiKey took the role of a biometric device, something it is not in real life.

Blackhat’s plot involves the pursuit of a hacker who has attacked a Hong Kong nuclear plant, causing an explosion. He then moves on to Chicago’s Mercantile Trade Exchange, causing pricing chaos.

The Hollywood twists and turns include little you’d find in a server room or the day-in-the-life of a developer including a bad boy convict, international security teams, globe hopping, car chases, hand guns, heavy artillery, grief, triumph and romance. Ok, maybe heavy (video game) artillery.

As the search for the perpetrator begins, it is quickly narrowed down by a hot lead provided indirectly by the YubiKey. The key allows the good guys to ascertain that the sophisticated hack began as an inside job, since whoever infiltrated the systems had to have touched the key to access sensitive data.

Ah, the power of touch. At least the film got that right.

The touch of YubiKey’s capacitive sensor is a key feature, proving physical user presence – something a hacker or a Trojan can’t do over the network.

Other hacker movies may want to consider the YubiKey in any number of other whitehat roles.

In real life, YubiKeys are used for physical access to offices, logging into servers, or accessing Gmail or Salesforce or GitHub, or WordPress or many other apps. Options include Mifare Classic, OTP, TOTP, U2F, NFC, Windows login/RDP with PIV, and SSH via PGP.

Now there’s a blockbuster lineup of good actors.

Perhaps we need a sequel. (Actually, while the cybersecurity scenes were fairly realistic and believable, Blackhat overall isn’t up to a sequel).

Here’s a look at the YubiKey’s cameo – don’t blink at 00:43 seconds.

John Fontana

FIDO U2F Ecosystem Coming Alive

Update: New entries added to Enterprise Software list; new section, Governments, added; April 13, 2016

FIDO U2F (Universal 2nd Factor) is, as the name implies, a universal protocol that supports a wide range of modalities and use cases. Many people forget this fact given the current popularity of the USB form factor. But evidence is mounting, including biometric, software and server-side implementations and adoption by relying parties, that U2F has valuable versatility.

Yubico, as a leading contributor to the U2F specification, has always envisioned that U2F would cover a wide-range of authenticators each taking advantage of the open protocol.

It’s with great excitement we now see this vision becoming a reality. After the public release of the U2F technical specification in early Dec. 2014, we see almost daily reports about new U2F authenticators, clients and servers, including those listed below. There are now dozens of FIDO Certified U2F products available in the market.

And remember, each U2F device is indeed “universal” and works across all implementations while preserving privacy for users and integrity for web application owners. The value of U2F is that a single authenticator works with all U2F-enabled services. We also posted a blog that walks through a side-by-side examination of U2F and one-time passwords (OTP).

Here are some of the ways U2F is growing:

  • Biometrics
    The myris handheld USB biometric iris scanner by Eyelock, which was named a 2015 CES Innovations Awards Honoree, is paving the way for U2F powered biometrics such as fingerprints, voice and facial recognition. Biometric scans prove presence and validate the user without the data ever leaving the device. U2F powers the public key cryptography authentication. Sonavation has released a biometric IDKey, which uses a fingerprint scan and supports U2F.
  • Mobile Apps and Clients (formerly phone-based software implementations)
    Entersekt and Bluink offer mobile software solutions where the phone acts as the U2F authenticator. Google and Android are adding mobile clients. At the 2016 Computer Electronics Show, Yubico demonstrated a software-based U2F mobile client.
  • Chip providers
    Leading chip providers have stepped in, including NXP, Infineon and ST-Microelectronics, offering device manufacturers U2F reference designs. ARM, a FIDO board member, supports FIDO in its ARM TrustZone technology-based Trusted Execution Environment.
  • USB devices
    Yubico was the first to offer U2F powered USB authentication keys. YubiKeys are available in different form factors and with different features, they are available on Amazon, and were named among the top 10 products to watch at CES. NeoWave (France), Happlink (France) and HyperSecu (Canada) have all introduced U2F devices.
  • NFC & Bluetooth devices
    On June 30, 2015, the FIDO Alliance released extensions to the U2F protocol to support both Bluetooth and Near Field Communication (NFC) transport over U2F. The YubiKey NEO has earned a FIDO Certified designation for its support of U2F over NFC. Products supporting U2F over Bluetooth are scheduled to appear in 2016 from Yubico and other vendors.
  • Cloud services
    Google has launched wide-spread support for U2F on its platform. In August 2015, Dropbox added support for U2F, and in Oct. 2015 GitHub incorporated U2F strong authentication into its platform. These roll-outs were significant as the two vendors were the first non-FIDO members to recognize the value of U2F and offer it to their users. PushCoin, also not a FIDO member, added U2F support in early 2015 to its in-school sales systems that let kids buy lunches and supplies.
  • Governments
    In early 2016, Gov.UK Verify became the first government service in the world to add support for U2F. GOV.UK Verify uses a host of identity providers, including Digidentity which supports U2F, to validate a citizen’s personal data, store that data, and verify the user is who they say they are when they attempt to access government digital services.
  • Open source servers and applications
    Google and Yubico offer free software libraries, and U2F software and documentation that has received positive feedback from developers worldwide. An open source U2F plug-in for the SAML-based Shibboleth identity federation platform is available on GitHub. In early 2016, WSO2 announced U2F support in its Identity Server. Other applications include a WordPress plugin and a Ruby on Rails U2F implementation (and here). In addition, the open source Gluu Server, an identity and access management suite, now supports U2F.
  • Enterprise software providers
    In addition to open source, there are commercial software packages, including from Duo Security and SurePassID. In early 2016, EgoSecure added U2F support to its Data Protection disk encryption platform. Nok Nok Labs supports U2F in its Multifactor Authentication Server. Entersekt and StrongAuth are playing here and RCDevs is offering U2F support in its commercial and free versions of its OpenOTP Server. Authasas supports U2F in its Advanced Authentication solution for cloud and enterprise. Dashlane added support in early 2016 for U2F in its Dashlane Password Manager.
  • Browsers
    Starting with Chrome, native browser support enables U2F to perform high-security public key cryptography from any computer without installing client software. A group of Mozilla developers is working with the goal of adding U2F support to Firefox in the first second half of 2016.
  • Coming next… More cool U2F implementations are on the way this year. Stay tuned by subscribing to our blog feed or follow us on Twitter @yubico. Or on Facebook.

U2F support for Google and WordPress will be demonstrated at CES ShowStoppers
Ronnie Manning

Yubico at CES ShowStoppers

Today, Yubico is demonstrating how to protect Google and WordPress accounts with YubiKey and U2F open standard at the ShowStoppers event (booth A-13) at CES 2015 (Consumer Electronics Show).

With the mission to make secure login easy and available for everyone, Yubico serves as a FIDO Alliance board member and is co-author and key driver of the FIDO U2F (Universal 2nd Factor) protocol. The YubiKey NEO and U2F Security Key are the first devices to support the public deployment of U2F-enabled Google Accounts and WordPress.

“CES highlights tomorrow’s consumer and business technologies, such as wearable computing, and Connected Homes. Secure user authentication will play a critical role as these products continue to become part of our daily lives. Yubico believes that U2F is the beginning of an entirely new generation of strong authentication — simple enough to scale to consumers, yet strong enough to protect against advanced hackers.” – Stina Ehrensvard, CEO and Founder, Yubico, Inc.

Main differentiators between Yubico U2F keys and traditional smart card- and hardware-based authentication devices include:

  • No need for drivers, client software and middleware – Uses native drivers and support built into the browser. No installation, no configuration – they just work! No certificate authority needed and open source reference software is available for integrations.
  • Highly scalable while protecting your privacy – Generates a new set of encryption keys for every service. The keys are only stored on the specific service being accessed. With this approach, no secrets are shared among service providers and YubiKeys support any number of services.
  • Great user experience – All it takes to register and authenticate is a simple touch of a button! Authentication can be owned and controlled by users, who connect directly to a service provider without third-party software or an intermediary service provider.

YubiKey NEO and FIDO U2F Security Key work across Windows, Mac, Linux and are currently available via Amazon.com and the Yubico store.

Stina Ehrensvard

U2F, WordPress and Security for the People

Only a few weeks after Google announced U2F support and the protocol’s technical specifications were published, a U2F plugin for WordPress popped up and proved that U2F is the simple and open authentication protocol we envisioned it to be. High-security, public key hardware is no longer limited to a few enterprises and government services, but available today for everyone.

Today, we live in a world where both security and speed are critical for working on the Internet. If you are afraid that strong authentication will delay your login process, give the U2F Security Key for your Gmail account a try – you will be surprised how easy it is.

Once you have linked the U2F Security Key with your Google account, the account password and a touch of your U2F device is all you need for strong authentication. Google can remember your password and key for a month at a time, which allows you to click the Gmail shortcut on your desktop or smartphone for instant secure login to your email. Just press your email icon and you are in! How much easier can it be? (There is also an option to require the key be touched before each login).

As a driving U2F contributor, Yubico welcomes the U2F WordPress plugin developed by Daisuke Takahashi and available on GitHub. If you are a developer and considering implementing U2F authentication for your software or service, the Yubico team is happy to help. We offer free and open source U2F reference code, a U2F Technical Forum and U2F powered YubiKeys.

U2F is here to support high speed, high security, high privacy and lower-cost trust models for the Internet. It’s Universal 2nd Factor and security for the people.

John Fontana

Authentication: More Maturity, Choices in 2015

The past 12 months have been stressful given breaches and privacy violations and countries blocking all or part of their citizens’ access to the Internet (which by the way turned 25 in May).

As the calendar turns to 2015, there is unprecedented power and pitfalls harnessed in computing devices and digital life.

All this connectivity puts pressure on authentication, identity and access management to provide protections and reasonable peace of mind. I gathered a few of my colleagues to help sketch out some predictions on how that all looks in 2015, a year that will inherit the responsibility to fix 2014’s sins. In no particular order, here are our predictions: 

Deepening security concerns fuel new authentication methods.
Consider authentication’s importance as hacks ratchet up security needs while the number of connected devices explodes. Strong authentication is paramount as reliance on passwords as a security boundary shrinks. Adoption accelerates with help from vendors and organizations like the Fast Identity Online (FIDO) Alliance. Second factors will mature, but watch out for new attacks, especially on mobile apps and SMS, which leave a man-in-the-middle vulnerability. Old security trust models will give way to distributed and user-controlled trust models.

Privacy violations raise awareness against unchecked data collection.
Personally identifiable information (PII) has value and requires protection. PII is currency for free online services and retail discounts, but also bait to snare users into compromising positions or grave risk. A backlash against unchecked collection will arise as privacy missteps make headlines. Already the Pew Research Center shows more than 90 percent of adults feel a loss of control over how their personal information is collected and used by companies.

Innovation around devices and home automation give rise to more authentication options.
Who wears the pants in the family may not change, but who does the dirty work will. Wearables, smart devices, and the Internet of Things begin to handle the daily chores and processes of life. Most of these products arrive with little or no concept of a larger security context. Look for better protection on devices, or collections of devices, provided by contactless authenticators be it Bluetooth or Near Field Communications.

Encryption for the masses that’s simple and secure hits mainstream.
The past 12 months were about HTTPS, which had consumers encrypting most things on the move [even if they didn’t know it]. In 2015, we will start to care more about data at rest. What if your cloud storage provider gets hacked? Your login credentials go missing? There are bleeding edge options out there – these will become more refined with one or two emerging as leaders. They will use Public Key cryptography deployed in a “Trust No One” [thanks, Steve Gibson for coining this] mode – where the secret keys never leave your control. Ideally those are generated on, and never leave, a Secure Element based authenticator.

Browsers vie to become the next password managers.
Browser sophistication is on the rise and that means new innovation. The second attempt at managing passwords via the browser will show marked improvement over the previous attempt that was picked apart by the security community. Capabilities will focus on frequently used sites, those that don’t involve financial transactions or as assistants for managing external authenticators.

Phishing attacks in the enterprise grow by 10X.
Give a man a phish and he hacks for a day, teach a man to phish and all hell breaks loose. 2014 demonstrated many corporate attacks are started by phishing someone inside the organization. In 2015, best practice in the enterprise will include giving every employee authentication that has a strong resistance to phishing. FIDO specifications already address this scenario. It will become an arms race — closing all the phishing doors before damage is done.

Do you have any predictions for the coming year that relate to security, authentication, identity or access control? If so add them to the comments below.

My colleagues Jerrod Chong, John Haggard, Ronnie Manning and John Salter contributed to this blog.

Image: Stuart Miles/ FreeDigitalPhotos.net

John Fontana

FIDO Aims at Standardized Strong Authentication

In the early 1990s, a company called Softswitch found itself at a strategic crossroads in that it held the key to integrating disparate electronic messaging systems.

So strategic, in fact, that Lotus Software paid $62 million to acquire the company and send a ripple of fear through its main email competitor Microsoft.

In a story on the acquisition, the New York Times described Softswitch as the maker of “switches that allow corporate users of electronic mail to send and receive mail from other systems. So someone in an office in San Francisco could send a note to someone with a different sort of computer, word-processing software and E-mail message system in New York.”

By today’s messaging norms, the need for such switches is laughable.

Companies providing integration of email systems have disappeared, made obsolete by standards such as SMTP, POP3 and IMAP that scaled email to its current state as a global backbone of electronic communication.

Standards are how the Internet scales to service a global community; numbering systems (IP), naming systems (DNS), protocols, and coding to highlight a few. Bodies such as the IETF and NIST are some of the most well-known standards organizations.

These global-scale benefits provided by standardization are what the FIDO Alliance hopes to achieve with the release last week of its 1.0 strong authentication specifications. While not yet standards, the hope is to create an Internet layer of authentication that reduces the reliance on passwords and aligns with the traditional stack of identity and access management tools, themselves going through a standardization transformation.

Standards will allow the largest collection of vendors, enterprises and consumers to adopt and integrate strong authenticators into their computer systems, which are under attack at an unprecedented scale.

For 2015, Gartner says “all roads to the digital future will lead through security.” But it won’t be a magic bullet or a monolithic defense that defines the norm. Security will be defined in the marriage of technologies. “Security-aware application design, dynamic and static application security testing, and runtime application self-protection combined with active context-aware and adaptive access controls are all needed in today’s dangerous digital world,” according to Gartner.

And when security is assembled, it shouldn’t need specialized middleware to hold it all together like email of the 1990s. That task will be accomplished with standard APIs and standard protocols that add scale and subtract as much complexity as possible.

One of FIDO’s stated goals since its inception two years ago has been to turn over to a standards body its work on both the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) specifications. Standardization of FIDO specifications, either de facto or by traditional means, is where FIDO will mark its work as finished.

Proof of initial success isn’t just in the 1.0 specifications, but in products and services available today from a number of FIDO members including Yubico with U2F support in FIDO U2F Security Key and NEO YubiKey. These keys are further simplified by not requiring drivers or client software, and providing a user identity independent of a third-party service.

Last week was an important milestone for FIDO. The next steps should be important for consumers and enterprises, and the final steps should deliver the connecting tissue needed to support strong authentication as a key tenet of future Internet security.

Today, we are one step closer to that reality.

John Salter

A Safer Internet for the Holidays!

There is a belief that colors have a profound effect on humans. Perhaps this is true.

Colored YubiKeys are often requested by our customers to help them organize their YubiKeys. In October, our blue Security Key received rave reviews. So we’ve decided that one of our holiday offers should come in living color: the Limited Edition Happy New Year pack.

The three-key bundle includes Red, White and Green YubiKeys, which support OTP and U2F exclusively. And the button is marked with a distinct ‘+’ sign. We also have a second offer of four traditional black YubiKey Standards paired with two LastPass password manager subscriptions.

Here’s what we have in our store for you:

  • Happy New Year:  $79 + free basic shipping*
    We have minted a limited edition run of three festive colors for a special YubiKey that exclusively supports the two most used YubiKey protocols – U2F (for Google Accounts) and One-Time Password (for a host of other services).
    (Note: This device is not a YubiKey NEO and has no support for CCID applications or NFC capability).
  • Happy Holidays: $59 + free basic shipping*
    Secured passwords for two. Do you want to manage your passwords with LastPass and secure them with a Yubikey? This special holiday bundle has four YubiKeys AND two LastPass Premium Subscription licenses. Holiday price is nearly 50% off regular pricing.

*where available

Stina Ehrensvard

Salesforce CEO Benioff Invests in Yubico, Ram Shriram Joins Board

We are excited to announce that Ram Shriram, founding board member of Google, has joined Yubico’s board of directors. In addition, Marc Benioff, founder of Salesforce.com, and Ori Eisen, renowned fraud protection entrepreneur, have joined as Yubico investors.

“I invest in people; great entrepreneurs and engineers solving real problems,” said Shriram. “Yubico has an opportunity to make a significant mark in the Internet security industry with the YubiKey, a device elegant in its simplicity.”

Shriram is a former executive at Amazon.com, founding board member of Google and the founder of Sherpalo Ventures. Benioff founded Salesforce.com in 1999 with the motto “The End of Software” and proceeded to grow the company into a juggernaut, while defining the current cloud computing model.

Eisen, founder of 41st Parameter, which develops online fraud intervention solutions and was recently acquired by Experian, is highly regarded as a fraud-prevention expert in the information and payment technologies industry. The trio of Shriram, Benioff and Eisen are aligning with Yubico at a time when trust across the Internet is severely challenged by identity theft and account hijacking.

Yubico’s vision is to enable all Internet users instant secure access across unlimited services using their YubiKeys, an innovative USB/NFC authentication key that works with a simple touch and with no additional client software needed. To help achieve this goal, Yubico is a board member, driving contributor and a leading device provider for FIDO U2F, an emerging open authentication standard today supported in the Chrome browser and Google Accounts. Recently, Salesforce offered support for Yubico’s flagship product, the YubiKey Standard, enabling their customers to log in easily and securely to the Salesforce.com platform.

Jerrod Chong

NEO Supports U2F +OTP; Same Key at Same Time

Today, we whizz past another milestone. NEO keys built on our 3.3 firmware will support both U2F and OTP running on the same key at the same time. In fact, the configuration will support those two along with CCID.

We heard loud and clear during our launch of U2F support in October that a multi-function key that included the FIDO Alliance U2F protocol was on the must-have list for many Yubico customers.

We could not solve this immediately even though our multi-function capability was already resident on the NEO (as many of you theorized), but the FIDO client (browser side) needed the necessary plumbing in order to complete the experience.

With yesterday’s release of Version 39 of Google’s Chrome browser all the pieces are now in place.

If you have a NEO or NEO-n key (3.3 firmware) use the newly released NEO Manager for your platform (Windows, Mac, Linux) to configure the key.

What are the benefits of this multi-function key? Many people say they are using Gmail (U2F) and LastPass (OTP) or WordPress (OTP) to bolster security across their applications using just one YubiKey. You can also use the OpenPGP capabilities (CCID mode) in conjunction with U2F and OTP without needing to reconfigure the device for different protocols. And there are other combinations you can hear about from your peers on our Twitter feed @Yubico.

This is just one milestone we have been working on. There are others out there and they are just as interesting. Stay tuned. And enjoy the security.

Here are some relevant links to help get you started:

Ronnie Manning

Yubico CEO and Founder wins Gold Stevie Award for Female Executive of the Year

We are proud to announce that Stina Ehrensvard, CEO and Founder of Yubico has been named the Gold Stevie Award winner for Female Executive of the Year – Business Products. The Stevie Awards for Women in Business were announced Friday, November 14. The awards shine a spotlight on women executives, entrepreneurs, and organizations run by women.

“Yubico has seen a tremendous 2014!” said Ehrensvard. “Our technology has been adopted by the leading Internet companies, and as a driving contributor of FIDO U2F we are defining new global standards for simple and secure login. This award speaks very highly, and is a clear result of amazing work from all members of the Yubico team.”

The Stevie, the Greek word for “crowned,” is widely considered to be the world’s premier business award, and the 2014 awards received entries from 22 nations and territories. The awards presentations were broadcast live across the U.S.A., and simulcast around the world by Biz Talk Radio. The ceremony will be featured in a television special on Biz TV in January.

More than 160 executives worldwide who participated in the judging process this year selected the Stevie Award winners. Details about the Stevie Awards for Women in Business and the list of Stevie Award winners are available at www.StevieAwards.com/Women.

Dain Nilsson

Yubico’s Take on U2F Key Wrapping

How does Yubico’s implementation of U2F claim to be able to support any number of services with unique key pairs when we have limited storage? And do this in a way that is secure and respects your privacy?

First off, a refresher on how this is described in the U2F specification: “U2F tokens might not store private key material, and instead might export a wrapped private key as part of the key handle” (from the implementation considerations document).

What does exporting a wrapped private key mean? Basically this (somewhat simplified): When a U2F device is registered, an elliptic curve key-pair (using the secp256r1 curve, as specified in the U2F standard) is generated on the device itself. The private key is then encrypted using a device master secret, forming the key handle, which is then sent together with the public key to be stored on the RP (Relying Party) server. To authenticate, the RP sends a challenge together with the key handle, and the U2F device decrypts the private key to be able to produce a valid signature for the challenge.

Now this is a sound approach, and is secure when done correctly. It does have its drawbacks, however. One is that it feels less secure, as even though the private key is encrypted, it does leave the device. In practice as long as the encryption used for the wrapping is strong, this isn’t a problem. Another issue is that it introduces additional complexity to the protocol, as we now have a new cryptographic primitive (encryption), with possible pitfalls.

Rather than dealing with these issues, we at Yubico chose to use the following approach (still fully compliant with the U2F specs): instead of randomly generating the key-pair and then encrypting the private key, we deterministically generate a key-pair based on several inputs, so that we can re-create the same key later on when it’s needed, without needing to store it anywhere.

This is how we achieve it (slightly simplified):

When a user registers one of our U2F devices with a new service, the service provides an AppID (this is tied to the URL of the site and prevents phishing). The U2F device generates a random Nonce. We then take the AppID and the Nonce and run them through HMAC-SHA256 (a one-way keyed function), using a device-specific secret as the key. This device-specific key is generated on-chip at the time of manufacturing (just like the master key would be, if we were using regular key wrapping). The output of the hash function becomes the private key, and the Nonce value, together with a MAC (message authentication code), becomes our key handle. During authentication, the MAC helps to ensure that a key handle is only valid for the particular combination of device and AppID that it was created for during registration.

From the outside these two approaches are indistinguishable from each other, and for practical purposes either should be fine. However, we think that our approach offers some benefits: most obviously, the private keys never leave the U2F device, in any form. And since we’re re-using the SHA256 primitive that is already used elsewhere in the U2F protocol, we avoid introducing another cryptographic algorithm into the system. Fewer algorithms means lower potential for mistakes.

Key derivation during registration
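The derivation above, end to end, as an added example that is not Yubico’s firmware code: a device secret, an AppID and a fresh nonce go through HMAC-SHA256 to give the private key; the key handle is nonce || MAC; on authentication the MAC check rejects a handle presented with a different AppID or to a different device before the key is re-derived. The MAC input layout, the simplified signing (challenge only, derived k) and the pure-Python P-256 arithmetic are this example’s own assumptions.

```python
"""Deterministic U2F key handles as described above (constructed example, not
Yubico firmware). Pure-Python P-256, not constant-time, illustration only."""
import hashlib
import hmac
import os

# secp256r1 (NIST P-256) domain parameters, the curve U2F mandates.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition on P-256 (a = -3); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def ecdsa_sign(d, message):
    """ECDSA over P-256/SHA-256. k is derived from (d, message), RFC 6979-style
    but simplified, so the device needs no RNG at authentication time."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), message, hashlib.sha256).digest(), "big") % N
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s


def ecdsa_verify(pub, message, sig):
    """Relying-party side: verify with the public key stored at registration."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    point = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


class DeterministicU2FDevice:
    """Device side of the derive-instead-of-wrap scheme: only (nonce, MAC) leaves
    the device, and the private key is recomputed for every authentication.
    The MAC input layout (prefix || AppID || nonce) is this example's assumption;
    the post does not spell out Yubico's exact construction."""

    def __init__(self, device_secret):
        self._secret = device_secret  # generated on-chip at manufacture, never exported

    def _derive_private_key(self, app_id, nonce):
        d = int.from_bytes(hmac.new(self._secret, app_id + nonce, hashlib.sha256).digest(), "big")
        return d if 1 <= d < N else None  # HMAC output must be a valid P-256 scalar

    def _mac(self, app_id, nonce):
        return hmac.new(self._secret, b"keyhandle-mac|" + app_id + nonce, hashlib.sha256).digest()

    def register(self, app_id):
        """Returns (key_handle, public_key) for the RP to store."""
        while True:
            nonce = os.urandom(32)
            d = self._derive_private_key(app_id, nonce)
            if d is not None:  # out-of-range scalar is ~2^-128 likely; just draw a new nonce
                break
        return nonce + self._mac(app_id, nonce), ec_mul(d, G)

    def authenticate(self, app_id, key_handle, challenge):
        """Returns a signature, or None if the handle is not ours for this AppID."""
        nonce, mac = key_handle[:32], key_handle[32:]
        if len(nonce) != 32 or not hmac.compare_digest(mac, self._mac(app_id, nonce)):
            return None  # different device or different AppID: handle rejected
        d = self._derive_private_key(app_id, nonce)
        # Real U2F signs AppID hash || flags || counter || challenge hash;
        # signing the challenge alone keeps the example short.
        return ecdsa_sign(d, challenge)
```

Registering the same AppID twice yields two different handles (fresh nonce each time), and both keep working, because nothing about either key is stored on the device.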

Stina Ehrensvard

Why FIDO U2F Was Designed to Protect Your Privacy

If you are not a dictator, you probably love the Internet.

During the Arab Spring protests, social media played an important role in helping people to connect and organize protests against non-democratic governments. Inevitably, this created a backlash against such sites, intimidating them to provide information about individuals. In a discussion with a security engineer at one of the leading providers in this field, I really understood the concerns and the moral dilemma – you provide the tools, but also expose your user base, ultimately leading to punishment and death. One way it was phrased was “There have been times when we wished we didn’t have any personal data about our users. Arab Spring was one of those events.”

This highlights a key problem – do social media sites and e-mail providers themselves have a responsibility to ensure the integrity of their user base and their accounts? Even if a service is provided for free and on a best-effort basis?

Account integrity has been one of the main drivers for myself and Yubico. With this in mind, we’ve been one of the main contributors behind FIDO U2F (Universal Second Factor);  a high-security authentication technology designed to protect your online privacy. Two weeks ago, Google Accounts enabled support for FIDO U2F, and since then we have donated a large amount of blue Security Keys to global dissidents to help them protect their online identities from assaults by non-democratic forces.

The FIDO U2F Security Key is designed to be anonymous, a key without any publicly available serial number or central authority. The device is not tied to a user’s computer, phone, credit card, fingerprint or any means of a real identity. Every time you register a device to a new service, it generates a new set of cryptographic secrets that are only stored with the specific service, leaving no footprints. No personal data nor secrets are shared among service providers, making it impossible to track the user across multiple web sites.

Another aspect is openness and transparency; the technology behind U2F is public and documented. Anyone can implement and review it; there are no hidden secrets. Yubico is actively contributing open-source code to allow third parties to make their own implementations. It is available to be used by good guys and by bad ones, but that is the way it has to be. Any organization that has tried to own and control online identity has failed.

YubiKeys and Security Keys supporting U2F are now available for anyone to order from our store and Amazon. In the future, you will walk into a retail store, and hanging among the gift cards, any number of real and hidden secure online identities will be available for you.

In the picture above, a young Egyptian man paints civic-minded messages on a wall in downtown Alexandria, February 2011. The top line of the message he is painting reads, “I am Egyptian.” The message in blue on the far right reads, “I will throw the litter in the trash can.” And the second one from right reads, “I will respect the traffic lights.”

p.s. To learn more about Internet privacy from the advocates and experts in the field, join me at Pii, the Privacy Internet Identity conference, starting today in Palo Alto, CA. And read John Fontana’s blog on ZDNet on privacy.

Ronnie Manning

Yubico Grabs 2014 Innovation Award

Swedish business journal Veckans Affärer has awarded Yubico its 2014 Swedish Innovation Award along with a $15,000 prize.

The eighth-annual award recognizes Swedish companies that have made an extraordinary mark in the business world. Yubico’s chairman of the board Mats Wenneberg (third from right in picture) accepted the prize during a gala ceremony held in Stockholm.

Yubico recently released its Security Key, a device designed to work with the FIDO U2F protocol support Google recently added to its Chrome browser.

The Security Key is the first security device aimed at supplying two-factor authentication protection for every online application using just a single key.

CEO Stina Ehrensvard told Veckans Affärer, “Gmail has 1 billion users. If we get 1 percent of these customers within a year, I am satisfied.”

Ehrensvard founded the privately-held company in 2007. Yubico’s Yubikeys are used in 140 countries around the world and by seven of the Top 10 Internet companies.

Previous winners of the award include online music streaming service Spotify and ABB, which develops power and automation technology.

The 2014 winner of the Student Innovation Award was Johan Heden Hultgren.

This year’s awards jury consisted of Anders Snell, ÅForsk; Jonas Wiström, President ÅF; Jessica Nilsson, Investment Manager North Zone; Staffan Helgesson, Creandum partner; Annika Steiber, Ph.D. and founder Innoway; and Jill Bederoff, Business Week reporter.


Stina Ehrensvard

Google Unveils FIDO U2F Security Key Support

Google today announced on its security blog an extra layer of security for Google Accounts based on the emerging strong authentication standard; Universal 2nd Factor or U2F.

This is a good day for the Internet.

As a driving contributor to FIDO U2F specifications, Yubico celebrates this big day by releasing a new blue campaign version of our YubiKey that is designed to work with U2F support Google has added to Chrome. This U2F-only Security Key, as well as our multi-technology YubiKey NEO, pioneers the market for U2F devices.

This U2F support is a milestone in a standards journey that began a couple of years ago. Along with Internet thought leaders, we recognized the advantages of high-security, public key cryptography for scalability and for protecting against advanced Trojans, phishing and man-in-the-middle attacks. With a mission to make great security available for every Internet user, we decided to focus on the essential; to keep it really lean.

Below is a short summary of the main differentiators between U2F security keys and traditional smart card- and hardware-based authentication devices:

  • No need for drivers, client software and middleware – Uses native drivers and support built directly into the browser. No installation, no configuration – it just works!
  • Highly scalable while protecting your privacy – Generates a new set of encryption keys for every service, which is stored only on the specific service it connects to. With this approach no secrets are shared among service providers, and even low-cost security keys can support any number of services.
  • Great user experience – To register and authenticate, all it takes is a simple touch of a button!

In January 2013 Wired Magazine first wrote about the U2F project. In response to all the inquiries Yubico received, we published a blog summarizing our vision of a single key for securing access to the whole Internet. Since then, U2F has continued to develop within the FIDO Alliance open standards consortium.

And now our vision has been turned into reality.

You can get your own FIDO U2F Security Key today at Amazon.com. A key that you own and control allowing you to securely login into your Google Account, which lets you access services such as Gmail. The same is true for any number of service providers who choose to adopt simple and strong Universal 2nd Factor authentication.

A special thanks to everyone in the FIDO Alliance working groups for making this happen!

Learn more about the new FIDO U2F Security Key by Yubico

John Salter

YubiKey NEO & FIDO U2F: One Key for All Apps

I’ve been in this business for a long time and watched a lot of promise collapse and a fair number of snake oil salesmen flourish.

Strong authentication is one of those technology conundrums that always seems to be partially solved. The drawbacks of traditional one-time passcodes are well understood and we’ve always truly known their shelf life was limited.

I have been searching for something that would be more appropriate in today’s Internet, that would move past “partially solved” and would blossom into elegant simplicity spanning the technology, the plumbing and the user.

My eyes were opened to the answer while watching a room full of engineers work with their code — checking out, checking in, deploying live — and authenticating each time as they supported a massive cloud service that counts billions of users around the globe.

To cross each virtual security boundary the engineers simply press a small flashing Yubico YubiKey tucked into their USB ports to activate strong authentication. They were taking advantage of their body’s ability to hold an electrical charge and trigger a capacitance sensor.

A few years ago when I first saw this technology, I underestimated the capacitive touch. I did not think it had the needed security properties, but what I missed was how important it was to the end-user.

Once I realized that error, I began adding in the significance of the hermetically sealed, driverless YubiKey that is impervious to viruses and malware. I thought about its improvements over second-factor mobile devices that hackers can compromise, and over single sign-on, where conventional wisdom says authentication should happen as infrequently as possible and then be shared across domain boundaries.

I now understand security isn’t about limiting authentications but making hundreds, even thousands of them per day as easy as pushing another key on a computer keyboard. It’s a user-experience that requires zero training, even for technology’s bellwether grandmothers.

In addition, a previously missing piece is coming into focus with the FIDO Alliance’s Universal Second Factor (U2F) protocol, adding the standards-layer to enable one key to authenticate to all applications in our ecosystems while maintaining trust and end-user privacy.

Today, Yubico is releasing its YubiKey NEO with support for U2F and delivering it in two form-factors. This key will hold the promise of a significantly more secure online consumer experience, and a dramatic increase in enterprise security and ease-of-use.

This combination of all these factors (pun intended) leads me to believe we have our device and our extended shelf life for a proper “what you have” factor from a multi-factor authentication perspective.

And it has been a powerful enough epiphany for me after 30 years promoting and advancing strong authentication that I have joined Yubico as Chief Business Officer to explore this innovation and see it through to what I believe will be its rightful place in the security landscape.

As you will see in the coming weeks, my faith in these advancements will be validated by some of the most successful and influential Internet companies with arguably the largest end-user populations on the planet.

We can now challenge conventional wisdom around authenticating once then propagating credentials. I am a firm believer in SSO technology for gluing together computing across boundaries and would argue our SSO engines should play the primary role in directing identity traffic. They are, and will remain, essential in modern web architectures.

But, I argue fresh primary credentials trump older secondary credentials every time. Application designers have never thought of a world where it is possible or desirable to verify primary credentials not just one time but many times. That world is coming into focus and I’m excited to have a front row seat, again.

John Haggard is Chief Business Officer at Yubico

Stina Ehrensvard

Growing Bigger, Stronger…

We are growing! The authentication market is locking into its stride, and there has never been another period when computer experts and novices have spent so much time, effort and debate on what has mostly been the silent corner of the Internet – security.

To keep up, Yubico has added horsepower by hiring new people and we are looking for more.

What’s driving growth? Ask the millions of people who have had their passwords stolen in the past 16 months. Ask enterprise security chiefs and corporate executives in industries such as banking, healthcare, and retail what keeps them up at night.

They need help in fighting an unprecedented blitz on their security.

Our Yubico team is lean and powerful like our YubiKey, a small, hermetically-sealed USB and NFC key. With a simple touch it generates trusted credentials. It is loved by users in 140 countries, including 7 of the top 10 Internet companies.

In the past month, we have welcomed three industry veterans to our team: John Haggard, former crypto developer and President at VASCO Data Security; John Fontana, online identity evangelist with his own column at ZDNet.com; and security specialist Kevin Casey, formerly with the US Army, RightNow Technologies and Alcatel.

But now we are on the lookout for a supply chain manager, support engineer, system admin and perhaps a marketing guru. If you have the drive and enthusiasm to keep up with a company small in number but big in influence — give us a shout.

It’s time for Yubico to expand! Join us as a customer. Consider being a colleague.

John Fontana

Danish Experts Tap YubiKey Security

When security consultant Ian Qvist talks about YubiKeys, he does so with a knowing grin and the knowledge he’s tightening security without adding complexity.

Qvist works with customers such as government agencies and Danish banks whose IT teams are looking for answers to specialized security needs.

“We use YubiKeys in a lot of places,” says Qvist, an eCrime senior consultant for CSIS Security Group A/S in Denmark. “They are so flexible we use it wherever we want to.”

The YubiKey is a simple USB-key that looks like a keyboard to your computer, and with a simple touch delivers two-factor authentication to secure logins.

Qvist says CSIS, which stands for Cyber Security and Intelligence Services, discovered the power of YubiKeys when he rolled out LastPass password manager internally to the company’s employees. Being security minded, the employees were concerned that all their passwords were in one place. Qvist quieted concerns by strengthening authentication to the password manager with a YubiKey.


Jens Christensen, security researcher at CSIS Security Group A/S in Denmark, holds up a Yubikey. While small, it is giving his business and customers a big assist on security.

“LastPass was the first place we used YubiKey,” he said. “Insert the key, touch it and it is setup, anyone can do that.”

Ever since, the 10-year-old company has been finding spots where the YubiKey can boost security and protect end-users, systems and digital resources. And now the YubiKey is an important element in the security services CSIS offers clients.

Today, YubiKeys also are used at CSIS to bolster security for other services including Microsoft’s Remote Desktop Protocol, VPNs and domain passwords.

“Because the YubiKey can be configured, we use them for many different applications,” Qvist said. “That is amazing for us. And we are coming up with new ways to use them.” YubiKeys can be set up for a long static password or the open authentication OATH standard.

He says from a security perspective the ease of use and configuration options are what make the YubiKey so valuable.

CSIS uses Yubico’s personalization tool to deploy YubiKey security with many different authentication methods.

YubiKeys have support for Yubico one-time passcodes, Open Authentication (OATH) including HOTP and TOTP, Challenge-Response and Static Passwords. The YubiKey NEO also supports Near-Field Communication (NFC) for using YubiKey with mobile devices, smart card functionality, including PIV and OpenPGP, and later this fall the FIDO Alliance’s Universal Second Factor (U2F) protocol.

CSIS uses both the YubiKey Nano form-factor, which tucks inside a USB port and can be left in the computer, and the Standard form-factor, a small, hermetically-sealed device that can attach to a keychain.

YubiKeys don’t require any software installation, drivers or batteries to operate. But customers like CSIS do use Yubico’s free open source software to customize keys and create their own backend validation servers and services. The Yubico open source tools are also used to program and control YubiKey encryption secrets, or add a ModHex Calculator among other options.

Qvist only began using YubiKeys a year ago, which means he has gotten to warp speed very quickly. Now they are part of everyday operations.

“Our different departments have different patterns of work and we don’t have to disturb those patterns,” he says.

Qvist says one particular customer had a large IT department with a few security guys who scrutinized everything. “When we gave them YubiKey, they saw how it worked and how [it applied] to their use cases. That got ideas rolling around in their heads,” he says.

Enough ideas in fact to fuel more knowing smiles from Qvist.

John Fontana is the Identity Evangelist at Yubico. Also follow his Identity Matters column on ZDNet.

John Fontana

When Will NEO Work with iPhone 6 NFC?

Yubico has heard this question a lot over the past days since the iPhone 6 was released with NFC support.

The answer would be “now” if Apple had an open ecosystem, but that likely won’t be the case for another 12-16 months. But put a pushpin on your roadmap, the YubiKey NEO will be a multi-factor authentication option, based on its current NFC support, for iPhone users once Apple opens it to developers.

And if Apple decides to join the FIDO Alliance, the Yubico promise of one authentication key for many services could get support from another heavyweight in the FIDO standardization effort.

It’s not far-fetched to envision Apple as part of FIDO given that Apple’s Touch ID is built from technology acquired when it bought AuthenTec – which applied for the original trademark on the FIDO name. (The company left FIDO the day it was acquired by Apple).

Apple showed its new willingness to work in international standards settings two weeks ago when it joined GlobalPlatform, which creates specifications for a standardized infrastructure for securing multiple applications on smart chip technology.

The group has three areas of focus: secure elements, trusted execution environments and the messaging that ties them together. Its specifications cover security, interoperability, roles and responsibilities, provisioning and a common language for exchanging information.

Or as GlobalPlatform puts it, it is “a cross industry, non-profit association that identifies, develops and publishes specifications that promote the secure and interoperable deployment and management of multiple applications on secure chip technology.”

Now that’s a mouthful, but what’s important is in a world where standards are the only way to reach Internet scale, it appears Apple is coming out to play.

Bravo Apple!

You can read more about the Apple/GlobalPlatform alliance on my Identity Matters blog on ZDNet.

Jerrod Chong

YubiKey powers Salesforce 2FA platform

In the next three weeks, Salesforce will add a second major piece within the past year to its identity and access management capabilities. At its annual Dreamforce conference, Salesforce will unveil the Winter 15 edition, including a new feature called Login Flows that allows Salesforce admins to customize the login experience for their users.

On Day One of Dreamforce, I’ll take the stage with Salesforce engineers to show off YubiKey for Salesforce: an application that integrates with Login Flows and, together with the small YubiKey device, provides a one-touch, two-factor authentication experience for logging into a Salesforce account.

The hardware-based YubiKey is easy to use and helps prevent the replay and brute-force attacks behind recent password hacks. Because the YubiKey identifies itself to your computer as an external keyboard, there are no drivers to install and it is compatible with any platform. In addition, there is no battery to replace, and malware cannot rewrite the firmware, a needed improvement over software-based authentication tokens.

Last year, Salesforce modernized its authentication platform with the introduction of Salesforce Identity, a set of Open APIs to support identity protocols such as SAML, OAuth, OpenID Connect and SCIM for single sign-on and federation.

This year, Salesforce is adding Login Flows to its platform in order to answer customer requests for the ability to add extra security and features to end-user authentication. Yubico is adding YubiKey for Salesforce into that environment.

The solution consists of the YubiKey USB key and an application that validates Yubico one-time passwords against the YubiCloud service. The app also includes a console for IT to manage YubiKeys, including the ability to deal with lost YubiKeys, and an option for users to self-provision YubiKeys.

The end-user experience begins after the user enters their regular Salesforce username and password. Next, the user simply touches the lighted gold contact on the YubiKey inserted in their computer’s USB port – that’s it. The touch produces a unique, one-time 44-character code (a 12-character public identity followed by a 32-character ModHex-encoded, AES-encrypted token) that is typed into the computer as the second factor of authentication.

In addition, users with existing YubiKeys running under their default configuration will be able to use those keys with the YubiKey for Salesforce app.

We believe this stealth hardware device is the wave of the future — easy-to-use, simple, and secure.

 

For more information, see our YubiKey for Salesforce page

John Salter

Our Plans for YubiKey NEO & U2F

When will the YubiKey NEO support U2F? This is a common question for Yubico these days, as media and end users discuss recent password breaches and explore the promise of two-factor authentication combined with the FIDO Alliance’s Universal 2nd Factor (U2F) standard.

Well, I can tell you that the light you see at the end of the strong authentication tunnel is most definitely the YubiKey NEO with U2F support. This combination begins to prove the viability and power of FIDO’s U2F protocol and the role YubiKeys play in supporting the standard. We are truly moving toward one authentication key that can provide 2FA to many services.

We are nearly ready for release, pending some last-minute issue resolution and QA reviews. In other words, we are close enough to spill some of the details. What we have developed is a NEO firmware update (version 3.3) that supports the latest U2F v2 review specification, including the USB transport; specifically, U2F over raw HID (human interface device) reports. Version 3.3 also keeps the OTP and CCID modes from version 3.2, and supports any combination of those two modes and U2F.

For the implementer, we are publishing software that allows you to build your own U2F ready authentication server. This will include Python-libraries for talking to U2F devices and Python-libraries for doing the U2F server-side crypto. We are releasing C and Java libraries as well, since that can be integrated in many environments. In addition, our demo service will be expanded to include U2F demo capabilities. When Chrome v38 goes into production, it will have support for YubiKey NEO v3.3.
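To show what “U2F server-side crypto” amounts to, here is an added Python example, not Yubico’s published libraries, of the checks a relying party performs on an authentication response: the user-presence bit must be set, the 32-bit counter must exceed the last one stored for that key, and the ECDSA P-256 signature must verify over appParam || flags || counter || challengeParam. The curve arithmetic is written out so the example runs stand-alone. Two things are simplified and marked as such in the code: the challenge parameter is hashed from the raw challenge rather than from the ClientData JSON, and the key pair, the challenge, the app ID (https://example.com) and the nonce derivation are constructed for the demo.

```python
"""What a U2F relying party checks in an authentication response, with the ECDSA P-256 math inline."""
import hashlib
import struct

# NIST P-256 domain parameters, the curve U2F mandates.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                       # Q + (-Q)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; acceptable on the verifier side)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _hash_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_sign(priv: int, msg: bytes) -> tuple:
    """Authenticator side. The nonce is derived from key and message so it is never reused;
    this mimics RFC 6979 in spirit but is not a conforming implementation."""
    k = _hash_int(priv.to_bytes(32, "big") + msg) % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_hash_int(msg) + r * priv) % N
    return r, s

def ecdsa_verify(pub: tuple, msg: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_hash_int(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def u2f_signed_data(app_id: str, challenge: bytes, flags: int, counter: int) -> bytes:
    """Bytes the token signs: appParam(32) || flags(1) || counter(4, big-endian) || challengeParam(32).
    Simplification: challengeParam is SHA-256 of the raw challenge; in U2F it is SHA-256 of the
    ClientData JSON that carries the challenge and the origin."""
    return (hashlib.sha256(app_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", counter) + hashlib.sha256(challenge).digest())

def verify_authentication(app_id, challenge, pub, stored_counter, response) -> str:
    """Relying-party checks, cheapest first: presence bit, counter, signature."""
    flags, counter, sig = response
    if not flags & 0x01:
        return "NO_USER_PRESENCE"            # the key must have been touched
    if counter <= stored_counter:
        return "COUNTER_NOT_INCREASED"       # replay, or a cloned authenticator
    if not ecdsa_verify(pub, u2f_signed_data(app_id, challenge, flags, counter), sig):
        return "BAD_SIGNATURE"
    return "OK"

def demo() -> list:
    """One constructed key pair and four responses; only the first should pass."""
    priv = _hash_int(b"constructed demo authenticator key") % N    # not a real key
    pub = _mul(priv, G)
    app_id, challenge = "https://example.com", b"constructed-challenge-0123456789"
    def respond(flags, counter):
        return flags, counter, ecdsa_sign(priv, u2f_signed_data(app_id, challenge, flags, counter))
    good = respond(0x01, 42)
    no_presence = respond(0x00, 43)
    replayed = respond(0x01, 41)                          # not above the stored counter of 41
    tampered = (0x01, 42, (good[2][0], (good[2][1] + 1) % N))
    return [verify_authentication(app_id, challenge, pub, 41, r)
            for r in (good, no_presence, replayed, tampered)]
```

The counter check is the one most often skipped. It is what lets a server notice a cloned authenticator: a clone and the original both count up from the same value, so sooner or later one of them presents a counter the server has already seen.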

We also will upgrade the YubiKey NEO Manager GUI to support mode-switching between OTP/CCID/U2F modes. We have already released new versions of the YubiKey Personalization library/tools, YubiKey NEO Manager library/tools, and YubiKey Cross-platform Personalization, and they all support the new 3.3 NEO version.

When will this be available? Our estimated time of arrival is by the end of October. Keep in mind, however, there are outside dependencies that could shift this timeframe, but I can assure you that the arrival of 3.3 will be a good day. We truly believe that U2F support will be the opening salvo on an entirely new generation of strong authentication — one that is simple to use and secure enough for a range of use cases across any enterprise.

John Fontana

Welcome to the Future, It’s about to Get Really Interesting…

This week ushered in my start with Yubico and I couldn’t be happier to be a part of what is going on here. The challenge in any new job is that while your colleagues are at a full-on run, you’re still learning how to walk. But after five days, I do know I better catch up to them soon because the advancements and opportunities related to authentication technology are poised to come forward fast and furious.

Apple’s iPhone event next week is a hint at security and usability improvements that will spread across the industry. While Apple is initially focused on electronic payment transactions, you could easily swap in the word “authentication” for “payment” and get a picture of where things are going.

The new iPhone 6 by all accounts will show up with NFC support, which is sweet music to the electronic payment system folks. Why? Because they can insert new levels of security and fraud protection leveraging the chip technology infrastructure without upsetting the familiar end-user experience of using the card. And they can do it without passing through software susceptible to malware.

They can provision device-specific payment tokens in place of the real card number, so the card number itself never appears in the transaction process, a scheme known as issuer tokenization.

“Now if someone steals transaction records from Home Depot, they get one-time numbers that are useless, it totally kills all these breaches,” said Steve Sidner, an independent security and payments consultant based in Omaha, Neb.

Chip-and-pin cards, well known in Europe and coming by mandate to the U.S. next year, are proof that the system works. (The devil in the details is the cost for swapping out current technology in POS systems and issuing new cards).

But the real sweet music to security wonks is this: there is virtually zero convenience/security trade-off, which has always been the barrier to end-user adoption.

That is a win for customers and vendors.

Take that same scenario, but think about an authentication transaction rather than a financial transaction. It works in a similar way but with a different flow. Think of a simple yet elegant hardware-based way to exchange public keys and private secrets, think of no software installs, think of a contactless device that wakes up your phone and announces it is there for a private conversation around strong user authentication.

Think of that same scenario with other contactless technologies. Think of form factors from earrings to watches to clothing.

Major companies with a significant stake in online services and applications are certainly thinking about all that.  And they are poised to roll out first phases, not next year, but by the end of this one.

The FIDO Alliance is thinking about it and how to run it over a standard set of protocols — and, of course, the Alliance contains some of the same card issuers salivating over Apple joining the NFC device party with rival Android.

And I have been thinking about all this. That is one reason I am at Yubico trying to help get the message out about the potential for a major shift and a run at finally gaining a significant share of end-user acceptance for stronger security.

I wrote about this yesterday on my blog Identity Matters that runs on the technology web site ZDNet.

Pay attention to what happens next week within Apple’s initial limited NFC scope, but keep in mind the bulk of the benefits are more wide-spread and still to come.

I think the YubiKey is poised to fuel this market with its one-touch strong authentication.

The one thing that jumped out at me is when you insert the key into a USB port it looks like an external keyboard to your computer. So in essence strong authentication is added to your computer by including just one additional key to the 78 or so that are already on a typical computer keyboard.

Strong authentication delivered with a keystroke, likely one of the oldest and best understood end-user experiences in computing. As just one example, the experience is already familiar to scores of engineering teams, who securely log in hundreds or thousands of times a day just by touching the one extra key.

That is cool. I’m really interested to see where all this can go.

Jakob Ehrensvärd

YubiKey & BadUSB

Updated Oct. 22, 2014 to include information on Security Key

We have received a few questions with regard to the “BadUSB” concept presented at Black Hat 2014. This was picked up by wired.com, where the problem domain is somewhat expanded into the claim that the “Security of USB Is Fundamentally Broken”.

Although a few different (and known) issues are presented, the main claim is the possibility of turning a legitimate USB device into an evil one by replacing its genuine firmware with a malign image. The authors describe USB devices, but this general concept applies to almost all types of devices having the capability to upgrade the firmware in the field, a process known as Device Firmware Upgrade (DFU).

The concept of creating “hardware Trojans” is interesting (and scary) and gained quite some attention in the early 1990s when the first field-upgradeable flash BIOSes for PCs became available. It was then shown that by replacing a legitimate BIOS with a hacked image, malign functionality could be implanted deep in a PC, beyond the reach of anti-virus software.

However, although conceptually feasible, such attacks are not that easy to execute in practice or to make widespread, for quite a few reasons.

  1. Many low-end USB devices do not support DFU, either because the firmware is factory-programmed in a non-alterable mask ROM, one-time-programmable ROM or simply because there is no DFU mechanism implemented. Supporting DFU adds cost and complexity and therefore makes little sense for low-cost mass-market devices, such as thumb drives, card readers, keyboards and mice.
  2. To perform DFU, often some active (and usually quite awkward) sequence has to be performed by the user, such as holding a button while the device is power cycled. Then, a specific executable has to be run in the computer where the device is connected to perform the actual firmware upgrade. This is not something that is likely to happen without the user actively initiating it.
  3. An attack of this kind has to be targeted on a per device model basis, and then requires extensive knowledge of the particular implementation, including reverse-engineering. An attack that works for a specific device will only work for that particular version of the device. Sending a blast to a large number of users and trying to fool them into upgrading with a malign image seems unlikely to have more than a marginal impact.
  4. Many low-end USB devices have limited memory capabilities which cannot be upgraded with a firmware that can do anything really evil while maintaining their intended function. So, if the device is infected, it won’t be able to perform what it was designed to do. High-end devices, such as MP3-players, cameras and phones are a different story, but there the problem can be mitigated by code signing.

There are probably quite a few devices out there that do not implement basic countermeasures against what is listed above, but the biggest practical issue with DFU is probably that the user accidentally bricks a device when an update fails or stalls before it has completed. This is an implementation issue and should be seen as a design flaw by the vendor rather than a system-wide problem.

One can wonder whether low-end USB devices, such as thumb drives, are in fact the scariest targets for malign firmware, and also why they would implement or require DFU at all. Phones, network routers and gateways, with extensive memory and processing capabilities together with constant network and power connections, seem more obvious and attractive targets. Here the number of vendors is smaller and DFU is supported on a much more general scale.

Seen from a different angle, one can ask if this is really a USB problem or the fact that devices (above the complexity of a thumb drive) are nowadays frequently (and very fundamentally) updated. Replacing the operating system in a tablet, firmware image in a printer, phone or a network router does not require USB – it is done directly via the network connection. The scalability and harm of such attacks is probably orders of magnitude worse than what can be accomplished on a per-device basis via USB.

The question then inevitably becomes – so how does this all affect current Yubico products, which obviously are USB devices?

With regards to the FIDO U2F Security Key by Yubico and DFU…
– There is not a DFU mechanism in the Security Key and hence it cannot be updated.

With regards to the YubiKey Standard and DFU…
– The firmware is in non-alterable ROM and hence cannot be updated.

With regards to the YubiKey NEO and DFU…
– The YubiKey NEO technically does support DFU, but requires the new firmware image to be signed by us. Yubico neither endorses nor supports the use of DFU by users.

With regards to the YubiHSM and DFU…
– The device does not implement DFU and hence cannot be updated.

With regards to a USB device being a carrier for malign files…
– Neither the YubiKey nor the YubiHSM implements the USB Mass Storage Device (MSD) class, so they cannot carry infected files or data.

David Maples

The Future of Online Authentication

Last week, Yubico delivered a glimpse into the future of online authentication with a presentation at Mozilla. If you missed the live talk about FIDO Alliance Universal 2nd Factor (U2F) and in-the-browser authentication for the mass market, please watch the archived video below.

In the 60 minute presentation, Yubico discusses the motivation behind U2F, provides a demo of U2F in action, explains the user privacy and security issues that are addressed, highlights the importance of browser support for U2F and dives into some key details about the protocol.

FIDO Alliance U2F is a new, open authentication standard focused on adding public-key cryptography to existing password authentication mechanisms, offering high security with a frictionless user experience. U2F represents a crucial step in driving the rapid adoption of strong authentication technology, where the user will be able to use a simple password/passcode which, even if compromised, does not compromise the user’s identity. The elegance of the protocol lies in the fact that the user in possession of the authenticator can authenticate to any number of web-based services using only one device, without the need to install any drivers or client software. The added benefit of U2F lies in how easily the protocol can be integrated into an existing password authentication model.

For more background on Yubico’s work with the FIDO Alliance and the future YubiKey NEO with U2F, please visit here.

Simon

YubiKey NEO Updates

UPDATE: YubiKeys with serial numbers 2624253 to 2624449 and 2624801 to 2625499 are also not configured with fixed card manager keys.

Our YubiKey NEO is a JavaCard-based product, which has a set of card manager keys that allow you to delete/add/update the software “applets” running on the NEO through the GlobalPlatform interface.

We launched the YubiKey NEO as a “Developer Edition”, and as such, the card manager keys were set to a single value to facilitate development.

For production use we don’t recommend this, since anything you can do is also something an attacker can do, potentially achieving a denial of service of your NEO by (for example) removing all applets on it. (Note that the card manager keys do not give anyone the ability to extract secrets; by design that is never possible.) As the Yubico applets have now reached a reasonable level of maturity, we are proactively changing our processes around card manager keys. The YubiKey NEOs that have shipped since July 1st 2014, starting with serial number 3,000,000, are no longer configured with the fixed card manager keys.

What does this mean if you are an existing YubiKey NEO customer? If you are concerned about someone else modifying the software on your NEO, we recommend that you change the card manager keys, which is done through the GlobalPlatform card manager interface.

Initially we targeted YubiKey NEO towards early adopters and developers; now the majority of our customers are moving to production deployment and require production devices. What does this mean if you want to develop applets for the YubiKey NEO? We are setting up a YubiKey NEO Developers program for you to order YubiKey NEO “Developer Edition” that come with the known card manager keys, so you can load and delete applets as you wish, and services for Yubico to load your applets onto production YubiKey NEO for your customers. We will announce the launch of the YubiKey NEO Developer program here and on our social media channels.

We are improving the way we set-up the OpenPGP applet on YubiKey NEO; from shipments made today, we now set the card serial number to be the same as the YubiKey laser etched serial number; that’s important if you have multiple YubiKey NEO. Secondly, we are shipping version 1.0.6 of the OpenPGP applet that works with GnuPG version 2.0.22+ and supports import of secret keys – for some informal hints see my personal blog post on GnuPG and NEO usage.

Ronnie Manning

Meet Yubico at Cloud Identity Summit

Yubico is invited to showcase the YubiKey and FIDO U2F ready devices at the upcoming Cloud Identity Summit, in Monterey, California. On Saturday, July 19, you can meet our team at the FIDO Alliance interoperability showcase and demo at the Bonsai II room from 1:30-4:30 p.m. On July 20-22, we welcome you to the Yubico booth #TT8. To schedule a meeting, please email us at press@yubico.com.

Simon

Lost YubiKey Best Practices

We hope that you will not lose your YubiKey, but for larger deployments and serious use, establishing processes around lost YubiKeys is an important and challenging aspect. Yubico has offered the YubiRevoke service to help with this, as a centralized way to disable YubiKeys validated through the YubiCloud. Initially we thought this was a natural part of a YubiCloud service. The more we have worked with customers to establish and recommend practices around the use and deployment of YubiKeys, though, the more we have come to reconsider this recommendation. We have realized that a centralized service for revoking a YubiKey often leads to deployments that are inefficient for administrators to use, and it introduces a new set of security considerations for deployments.

For systems that use YubiKeys validated through the YubiCloud, the standard pattern is to setup a service that performs authentication using username, usually a password, and a Yubico OTP. These systems usually have an administrative interface, of varying level of sophistication, for managing users. Technically the system performs authentication by validating the username and password, and then validates the Yubico OTP against the YubiCloud to achieve two-factor authentication. For example, the system may be as simple as a WordPress blog with the YubiKey plugin, or Unix (typically Mac or GNU/Linux) login using the PAM module. The WordPress system has its user management interface, and Unix has its own user management and configuration interface. When a YubiKey is lost, to regain access to the system, the administrator has to provide a mechanism for users to associate a new YubiKey, or at least temporarily disable two-factor authentication. When YubiRevoke is used, customers sometimes end up implementing procedures for administrators to disable the YubiKey in both systems, which is inefficient.

A centralized revocation system for YubiKeys also introduces security considerations for deployments. Our revocation system depends on good authentication, and with access to an admin account, you can disable a YubiKey immediately. For larger deployments, having an attacker gain access to the administrator password/OTP could lead to situations which are difficult to recover from — consider for example if the attacker (maybe a disgruntled employee) changes the YubiRevoke password and disables all your YubiKeys. Implementing proper social recovery mechanisms on our side is not cost effective, and there will always be room for doubt. There is also a risk for Yubico to host a service that is using username/password authentication, since that will become a target of attacks.

For the reasons above, Yubico is planning to decommission our YubiRevoke service on the 1st of October 2014. We advise customers to simplify their processes around revocation so that they do not involve the YubiRevoke service. We will disable new YubiRevoke account registration on June 13th 2014, and disable adding new YubiKeys to existing accounts on the 1st of August 2014. Please find below a quick FAQ around this.

Q: If I lose my YubiKey what should I do?
A: You should login to the sites where you used the YubiKey on and change the account settings to use your replacement YubiKey instead.

Q: What if I can’t login to the site to change my settings?
A: Use the service’s authentication recovery method.

Stina Ehrensvard

The Internet of Trust

Over the last year, news headlines of compromised passwords and system vulnerabilities have continued to dent our trust in our Internet-connected computers, smart phones, networks, Certificate Authorities and software providers. A month ago, when the Heartbleed vulnerability was identified, some people claimed that this was the end of the great human experience called the Internet.

But great inventions don’t die just because security mistakes have been made. We trust seatbelts in cars and with new trust models we can build an even more powerful and secure Internet.

It begins with accepting that a static username and password for identification and authentication is not enough, and that networks, software and devices will never be free from hackers, backdoors and malware. Then we can move our trust and login credentials to a small key, which we carry on our key chain, and which is not connected to the Internet. Instead of trying to rely on vulnerable infrastructure, we set up a direct and secure link between the key and the application we want to connect to, and let the key change our user credentials every time we log in.

In parallel, we are creating a new user centric trust model. Instead of relying on a single party for authentication to multiple services, we’re turning the model upside-down, where multiple services can rely on a single device. This concept of true end-point authentication is also the core idea behind FIDO Universal 2nd Factor.

Once you can purchase your secure online identity online or at your local store, and free and open source U2F libraries are published for any service to easily implement, the Internet will be a safer place. New, distributed, disruptive and lower cost trust models will evolve, empowered by billions of users.

Stina Ehrensvard

Silicon Valley Veteran Backs Yubico

Ram Shriram, founding board member of Google, and former executive at Amazon.com joins the strong authentication innovator Yubico as investor and advisor.

“At a time when Internet passwords are being hacked at scale, the Yubico team continues to excel at protecting digital identities in a very elegant manner. To win the mass market of Internet users, great security needs to be simple. The YubiKey user experience with no client software, a simple PIN and a touch – delivers on this promise!” says Ram Shriram, CEO & Founder, Sherpalo Ventures.

With offices in Palo Alto, Stockholm and London, Yubico has built a profitable international business. The YubiKey, the company’s flagship product, is an innovative and disruptive multi-factor authentication solution built strong enough for the largest enterprises while remaining simple enough for consumers to use. Trusted by 7 of the top 10 Internet companies, YubiKeys have been used to protect digital identities for over 40,000 customers in over 130 countries.

Over the last few years the Internet has seen a growing wave of attacks and breaches that have highlighted the limitations of traditional authentication solutions. Weekly headlines of major password leaks, the Snowden/NSA revelations and the recent Heartbleed vulnerability have significantly raised global awareness around secure Internet identity and privacy. Usernames and passwords alone are no longer secure, and existing multi-factor authentication technologies, such as smart cards and one-time password hardware tokens, have not yet scaled to the mass market: they remain complicated to deploy and manage, as well as expensive. And while smartphones and tablets have been rapidly adopted, mobile authentication software has been exposed to malware and has become a target for attackers going after users’ accounts and enterprises.

The YubiKey is a strong authentication hardware solution that works instantly with computers and mobile devices for a range of Internet and enterprise applications. Enterprises can ensure that they have full control over their encryption secrets by leveraging Yubico’s trust-no-one deployment model offered as on-premise software or as a cloud service. Yubico’s vision is to enable Internet users to have secure access across unlimited services using their Yubikeys. To realize this dream, Yubico is a board member and a key contributor to the FIDO alliance, an open standards strong authentication consortium, along with leading Internet and financial services companies.

To accelerate its growth and make the YubiKeys ubiquitous, Yubico is proud to welcome Ram Shriram as an investor and advisor. Ram leads Sherpalo, his own Venture Capital firm, investing in promising new disruptive technologies. Ram continues to serve on the board of Google and has previously been an officer of Amazon.com.

 

 

Stina Ehrensvard

The Yubico Entrepreneur Journey

Earlier this month, I was invited to deliver a keynote at STING Day, an annual event for an audience of over 500 attendees, including the top European tech start-ups and investors. The event is hosted by STING (Stockholm Innovation and Growth), the leading tech incubator in Stockholm, where Yubico began.

For the talk, I was asked to share some key events from Yubico’s journey and what I have learned from them. Condensing seven years into a 15 minute keynote was not an easy task, and I’m generally reluctant in giving advice, knowing that all entrepreneurs have their own DNA and paths to travel. However, I accepted the challenge, and shared several Yubico stories, including how the YubiKey was invented and why part of the team moved from Stockholm to Silicon Valley to help develop FIDO U2F; the new and disruptive open authentication standard.

On the same topic, I want to comment on an article I read some time ago which focused on the personalities of entrepreneurs. According to the article, “the majority of all entrepreneurs have a slightly warped self image, being over confident with their own abilities”. After reading that quote, it was clear that it was not an entrepreneur or innovator who had chosen those words. We are more humble… about the fact that our number one asset is our passion for our ideas, and our confidence that we will accomplish them!

We also know that very few people succeed alone. I am here today thanks to all of the hard work given from the amazing individuals that have joined Yubico and to those whose paths I have crossed on this journey.

So, to all of you who carry a big dream, don’t let anyone define what you can or cannot do. Trust your gut – and do it!

STING Day 2014 from Yubico on Vimeo.

Watch above video for a 15 minutes summary of Yubico’s journey and lessons learned.

Simon

Improving YubiKey Physical Security

Yubico has been working with world-renowned cryptographers at the Ruhr-Universität Bochum to improve resistance against physical attacks directed at the YubiKey. This has been an ongoing process over the last year. The results were made public at the RAID 2013 conference and have also been presented at 30C3. To follow our principles of openness and transparency, we describe below, at a high level, what we did over the last year to address the issues presented in their study. Our general philosophy around security is to tell you what we are doing, to ensure you stay informed.

First, let’s recap some basics about physical attacks and the YubiKey. The YubiKey Standard was designed to combat threats where someone spends a small amount of effort to attack a large number of YubiKeys, the kind of “asymmetric” threat usually found on the Internet. For example, a software trojan that manages to infect many machines (which is common) will not be able to generate One-Time Passwords (OTPs), because someone has to physically trigger the YubiKey touch button. Attacks where someone gets physical access to your YubiKey have been outside our threat model, and we have urged users to use common sense to prevent them, such as keeping your YubiKey on your person or in a secured location instead of leaving it in a publicly accessible computer – essentially the same measures used for the key to the front door of a home or office.

For most environments, and we recommend this as a general rule, you should combine multiple factors to authenticate a user. Usually the YubiKey is used in a way where you combine something you know (a password) with something you have (a YubiKey). This means that temporary loss of a YubiKey is not a disaster — the attacker would still need to acquire the password. To acquire the password and temporarily borrow your YubiKey is still feasible, but it has a higher cost to the attacker compared to just acquiring passwords. Further, it provides the legitimate owner of the YubiKey time to contact the services they were using it with to disable it, preventing that YubiKey from having any access to secure sites or services.

The novel attack demonstrated last year showed how to extract the AES key from a YubiKey (version 2.3 and earlier) using a “side-channel” attack. Side-channel attacks work via other channels into a system, such as power consumption, electromagnetic emission, computation time, or audio information. Preventing this class of attacks is more challenging than preventing direct attacks, since you must be aware of the attack vector before you can build a defense against it. Some side channels, like timing and power analysis, have been known for a couple of years now, so common defense mechanisms against them have been established. For example, one way to deal with side-channel timing analysis is to implement the software so that computations take a constant amount of time regardless of inputs.
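As an added illustration of that constant-time principle (example code written for this page, not YubiKey firmware or any Yubico code), the Go program below puts an early-exit byte comparison next to a constant-time one. The 16-byte secret and the three guesses are constructed sample values, and the returned count of bytes examined stands in for elapsed time, so the input dependence is visible without a timer.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// leakyEqual is the naive comparison: it returns as soon as a byte differs, so
// its running time depends on how many leading bytes of the guess match the
// secret. The second result counts the bytes examined, standing in for elapsed
// time so the data dependence is visible without a timer.
func leakyEqual(secret, guess []byte) (bool, int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := range secret {
		if secret[i] != guess[i] {
			return false, i + 1
		}
	}
	return true, len(secret)
}

// constantTimeEqual walks every byte and ORs the differences into one
// accumulator, so the work done does not depend on where, or whether, the
// inputs differ. Only the length check short-circuits; the length of a fixed
// size secret such as an AES key is not itself secret.
func constantTimeEqual(secret, guess []byte) (bool, int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	var diff byte
	for i := range secret {
		diff |= secret[i] ^ guess[i]
	}
	return diff == 0, len(secret)
}

// stdlibEqual is what production Go code should use rather than a hand-rolled
// loop: crypto/subtle exists precisely to keep comparisons input-independent.
func stdlibEqual(secret, guess []byte) bool {
	return subtle.ConstantTimeCompare(secret, guess) == 1
}

func main() {
	secret := []byte("0123456789abcdef") // constructed 16-byte sample secret
	guesses := []string{ // sharing 0, 4 and 15 leading bytes with the secret
		"xxxxxxxxxxxxxxxx",
		"0123xxxxxxxxxxxx",
		"0123456789abcdex",
	}
	for _, g := range guesses {
		_, leaky := leakyEqual(secret, []byte(g))
		_, ct := constantTimeEqual(secret, []byte(g))
		fmt.Printf("guess %s: early-exit examined %2d bytes, constant-time examined %2d\n", g, leaky, ct)
	}
}
```

Constant-time source is necessary rather than sufficient: a compiler may turn the accumulator loop back into an early exit, and the hardware may add data-dependent behaviour of its own, so the property has to be checked on the built binary, and production code should reach for a reviewed primitive such as crypto/subtle. It also only closes the timing channel; the power and electromagnetic leak the post goes on to describe needs countermeasures of its own.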

The attack uses power and electromagnetic analysis of the YubiKey, and requires physical access to the YubiKey for an extended period of time; a typical attack would require access to the YubiKey overnight. The setup requires the YubiKey to be mounted in a special rig to measure power consumption and EM emission, and to fake YubiKey touch button presses. With this setup, and custom-built post-processing software, the researchers were able to extract the AES key used to generate OTPs from a YubiKey. In a sense, the YubiKey was “leaking” some information that could be used to calculate the AES key after many YubiKey touch button presses.

Yubico was informed of this research early last year. While the YubiKey Standard was not intended to resist physical attacks, we aspire to exceed expectations. So we worked with the researchers to produce an updated version of the firmware. The new firmware was tested by the researchers, and they confirmed that the attack was prevented, and also that they were unable to find another attack vector. This firmware was called version 2.4 and started to ship during May 2013 for the black YubiKey Standard, and incrementally rolled out for all form factors and colours, before the research was made public.

Q: What YubiKey products are affected?
A: Only the YubiKey Standard and YubiKey Nano with firmware before version 2.4. The YubiKey NEO is NOT affected.

Q: I’m using the YubiKey Standard in OATH or challenge response mode, am I affected?
A: No. Only the Yubico OTP mode.

Q: How do I find out what firmware version my YubiKey has?
A: You may use our Personalization tools. If you use a recent version of Debian/Ubuntu, the tools are part of that operating system.

Q: Should I be concerned about this attack?
A: Not really. Even if someone has physical access to your YubiKey, the attack requires sophisticated tools to extract the encryption key, making it practically impossible for most people. Also, the majority of systems using the YubiKey require a second factor, such as a PIN or password.

David Maples

Bank of America Joins FIDO Alliance

Today, Bank of America, has joined the FIDO Alliance and been appointed to the Board of Directors. Among the world’s leading financial institutions, Bank of America is committing to FIDO standards for strong authentication, along with other leaders in the financial sector, including Discover Financial Services, MasterCard and Goldman Sachs.

“Historically, strong two factor hardware authentication has been too costly and complicated to scale for mass markets,” said Stina Ehrensvard, CEO and founder of Yubico. “We are pleased to see an ever-increasing number of large online services and financial institutions joining the FIDO Alliance and addressing the issues. FIDO certified devices offer better security and a greatly improved user experience over traditional software-and-hardware based authentication technologies.”

FIDO Alliance members commit to share technology and collaborate to deliver open specifications for universal strong authentication that enables FIDO-compliant authentication methods to be interoperable, more secure and private, and easier-to-use. The YubiKey NEO is the industry’s first FIDO Universal 2nd Factor (U2F) Ready device and is currently being demonstrated at RSA 2014 at the NXP booth. (* Please note – as of May 21, 2015, Yubico FIDO Ready™ products became official FIDO Certified™ products. Read more here).

“Providing our customers with a convenient, secure digital banking experience is a top priority for us,” said Dave Godsman, Bank of America Digital Banking Solutions & Operations Executive. “As the world rapidly changes, our involvement in the FIDO Alliance will help ensure we continue to provide the convenient and secure solutions our customers want.”

“Bank of America is counted among the world’s leaders in financial services. As an institution responsible to secure high-value interests and relationships across consumer, government, enterprise, and business, Bank of America is among a select few ‘Relying Parties’ ideally positioned to drive adoption of FIDO standards at Internet scale,” said Michael Barrett, president of the FIDO Alliance. “We welcome Bank of America to our Board of Directors at a pivotal point in FIDO Alliance history. With our review draft specifications just publicly released, and the marketplace poised to deploy ‘FIDO Ready’ certified solutions in 2014, both users and those who serve them are eager to embrace simpler, stronger FIDO authentication.”

To find out more and to read the release in its entirety, please visit FIDOAlliance.org

Ronnie Manning

See Yubico at RSA 2014

NXP booth #1341 in the South Expo Hall

Throughout the conference, Yubico will be demoing the YubiKey NEO and the industry’s first FIDO Universal 2nd Factor (U2F) Ready device at the NXP booth (though successfully deployed inside cloud companies, FIDO-enabled YubiKeys are not yet for sale to the public). We will also present the simplicity of two-factor authentication for other YubiKey NEO use cases, including Windows login, PIV, PKCS11, OpenPGP, password managers, and for leading cloud services with support for OATH TOTP.

FIDO Ready Showcase – Moscone North, Room 110

Additionally, on Wednesday, February 26, from 1:00 PM to 5:00 PM, Yubico will be participating in the FIDO Ready Showcase. The Showcase will feature a FIDO Alliance member panel, FIDO Ready live product demonstrations, and a chance to meet and interact in one-to-one meetings.

FIDO Alliance Member Panels – Moscone North, Room 110

Yubico is honored to be participating in two panel discussions during the FIDO Ready Showcase. Read more about the FIDO Alliance.

Date and Times: Wednesday, February 26, 2014. 1:00 PM and 3:00 PM

  • 1:00 PM – Business Drivers for the FIDO Solution
    Moderator – Brett McDowell, PayPal
    Participants – Stina Ehrensvard, Yubico, Michael Barrett, FIDO Alliance and Kayvan Alikhani, RSA
  • 3:00 PM – FIDO Technology: a Primer
    Moderator – Brett McDowell, PayPal
    Participants – Jerrod Chong, Yubico (U2F) and Davit Baghdasaryan, Nok Nok Labs (UAF)

Schedule a meeting with the Yubico team

If you would like to set up a meeting at RSA, please email Ronnie@Yubico.com. Looking forward to seeing you at the show!

David Maples

CERN Research Secured with YubiKey

Read about how CERN is using YubiKeys in eWeek

CERN, the European Organization for Nuclear Research, pioneers of the World Wide Web and one of the world’s leading scientific research centers, uses YubiKeys for securing critical services.

“The YubiKey meets all our requirements thanks to its simplicity of use, its open algorithm and the available open-source software support. Moreover, the YubiKey requires no drivers, meaning that it is compatible with all our operating systems, which is a big advantage in a heterogeneous academic environment. The absence of a battery is yet another plus, limiting the maintenance costs to a strict minimum.”

Remi Mollon, Computer Security Analyst, CERN

To case study

S. American Bank Deploys YubiKeys

Financial transactions and banking are top targets for online criminals and one simple stolen password can wreak havoc on one’s online identity. Yubico and SwissBytes are proud to announce that Bolivia-based Banco Ganadero has successfully implemented and deployed SwissBytes Virtual Box (SB-VBOX) with integrated YubiKey second-factor authentication to secure online banking services for its customers.

Banco Ganadero needed an easy-to-use and highly effective solution to secure their home banking portal ‘GanaNet’. Banco Ganadero looked to SwissBytes and Yubico to address this need, while keeping the security of its customers’ accounts and data of utmost importance. The companies worked together to develop a unique solution for GanaNet — SB-VBOX — which consists of two components, the authentication service and a web application called the ‘YubiKey Control Center’.

Since implementation, GanaNet users have a secure and fast way to access their accounts with the YubiKey from any computer. In the near future the customers will have the ability to log on to their online accounts from mobile devices across popular operating systems such as iOS, Android and Blackberry.

Banking and financial institutions can now add high security to their online services in a fast and affordable way. For more information, please visit www.yubico.com or www.swissbytes.ch.

David Maples

Yubico at CES

Yubico had an amazing time at the ShowStoppers event at CES yesterday evening. It was a night of rapid interviews with print and broadcast media, as Yubico spoke with more than 55 journalists! Such great conversations, demonstrations and interactions – Thank you to all who spent time with us!

Are you looking for more of Yubico at CES? Find us at the NXP booth! And be sure to see our CEO, Stina Ehrensvard, on this evening’s (1/8/14) ‘Why Security Matters’ happy hour panel discussion from 5:30-6:30 PM inside the NXP Booth at CES: Central Plaza #9. To register for the panel discussion, please visit NXP.

We hope to see you at the show!

Simon

YubiX: Reference Auth Software

Yubico is happy to introduce a project that combines several of our server-side software packages: YubiX. YubiX is intended as a reference architecture software stack to demonstrate how to build robust and secure authentication systems that utilize the YubiKey and YubiHSM hardware. While YubiX may be run directly as-is, it is not intended as a “product”; rather it is intended as inspiration for customers and partners to adapt and build their own solution from. We encourage people to take parts of YubiX and put them into products or their own system designs. All the software in YubiX is free and open source software.

The current functionality includes a web service interface and a RADIUS interface for validating username, password and Yubico OTPs, together with related administrative interfaces. However, the YubiX project goal is to generally showcase different technology options that can use Yubico OTPs, so expect it to go in any direction that new technology takes it. Yubico is committed to supporting our own components that make up YubiX and will engage with the community through GitHub using an issue tracker and source code development tools. However, Yubico does not provide system-level support on external parts, such as the core Debian/Ubuntu operating system or components like FreeRADIUS: those are already well served by their own communities.
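To make concrete what validating a Yubico OTP involves, here is an added example in Go written for this page; it is not YubiX code or Yubico’s validation server, and the AES key, private id and public id are constructed sample values. It follows the published Yubico OTP format: modhex encoding, and a 16-byte AES-encrypted token carrying the private id, a session counter, a use counter and an ISO 13239 CRC. The two server-side checks it shows are the CRC and private-id check, which proves the token was produced under the right AES key, and the strictly increasing counter check, which refuses replays. buildToken and generateOTP stand in for the YubiKey so the example runs offline.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex: the 16 key positions a YubiKey "types", chosen to survive differing keyboard layouts.
const modhexAlphabet = "cbdefghijklnrtuv"
func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, (len(s)+1)/2) // callers pass even-length input (Validate checks this)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhexAlphabet, s[i])
		if v < 0 {
			return nil, errors.New("modhex: character outside the modhex alphabet")
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhexAlphabet[c>>4], modhexAlphabet[c&0x0f])
	}
	return string(out)
}

// crc16 is the ISO 13239 CRC (reflected poly 0x8408, init 0xffff); the key stores its complement
// in the last two token bytes, so over all 16 bytes of an intact token it yields the residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // branch-free: xor in the polynomial when the low bit is set
		}
	}
	return crc
}

// Token layout (16 bytes, little-endian): private id [0:6], session counter [6:8], timestamp [8:11],
// use counter [11], random [12:14], CRC [14:16]. buildToken plays the YubiKey's part offline.
func buildToken(uid [6]byte, session uint16, use uint8) []byte {
	buf := make([]byte, 16) // timestamp and random stay zero here; validation does not read them
	copy(buf[0:6], uid[:])
	binary.LittleEndian.PutUint16(buf[6:8], session)
	buf[11] = use
	binary.LittleEndian.PutUint16(buf[14:16], ^crc16(buf[:14]))
	return buf
}

// keyRecord is the validation server's state for one YubiKey.
type keyRecord struct {
	aesKey  []byte
	uid     [6]byte
	lastCtr uint32 // highest accepted (session counter << 8 | use counter)
}

// Validate checks one OTP (last 32 modhex characters are the token, the rest the public id) and,
// on success, advances lastCtr so this OTP and any older one are refused from then on.
func (r *keyRecord) Validate(otp string) error {
	if len(otp) < 32 || len(otp) > 48 {
		return errors.New("otp: expected a public id of up to 16 modhex characters plus a 32-character token")
	}
	tok, err := modhexDecode(otp[len(otp)-32:])
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(r.aesKey) // fails only for a key of the wrong length
	if err != nil {
		return err
	}
	block.Decrypt(tok, tok) // in place; exactly one AES block, so no mode of operation is involved
	if crc16(tok) != 0xf0b8 || string(tok[0:6]) != string(r.uid[:]) {
		return errors.New("otp: CRC or private id mismatch (wrong key, corrupted or foreign OTP)")
	}
	// The key raises the session counter on power-up and the use counter per press, so this
	// combined value strictly orders every OTP it has produced; anything not newer is a replay.
	ctr := uint32(binary.LittleEndian.Uint16(tok[6:8]))<<8 | uint32(tok[11])
	if ctr <= r.lastCtr {
		return errors.New("otp: replayed or out-of-order counter")
	}
	r.lastCtr = ctr
	return nil
}

// generateOTP stands in for the key itself; real firmware does this with a key that never leaves it.
func generateOTP(publicID string, aesKey []byte, tok []byte) string {
	block, _ := aes.NewCipher(aesKey)
	block.Encrypt(tok, tok) // encrypts the freshly built token in place
	return publicID + modhexEncode(tok)
}

func main() {
	key, uid := []byte("constructed-key!"), [6]byte{0x8e, 1, 2, 3, 4, 5} // constructed samples
	rec := &keyRecord{aesKey: key, uid: uid}
	otp := generateOTP("ccccccbcfhvj", key, buildToken(uid, 5, 1))
	fmt.Println(otp, rec.Validate(otp), rec.Validate(otp)) // the second call reports a replay
}
```

The counter check is the reason a validation server keeps state per key rather than treating OTPs as stateless: it is what makes a captured OTP worthless once it has been used. It is also why the AES key matters so much in the side-channel post above: whoever holds the key can mint tokens that pass every check here, which is the gap the password or PIN as a second factor is there to cover.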

To focus our resources on YubiX, we are now retiring our old product YubiRADIUS, including its components such as YubiApp. Yubico is not recommending any single migration strategy for YubiRADIUS; instead we encourage all existing YubiRADIUS users to evaluate different options. If you have the technical know-how, we believe the components that make up YubiX will allow you to build something better and more robust going forward. If you prefer to take an off-the-shelf product, there are options like Duo Security, LinOTP, OpenOTP, AuthAnvil and others. By partnering with someone external, you can also create a custom solution based on YubiX components and components built by a partner. Finally, if you are happy with YubiRADIUS, there is no reason to stop using it, except that it will not be maintained or supported by Yubico going forward.

For more information, please see our page about YubiX. For discussion, we invite comments on our forum.