Flexible Modern Authentication blog crown
David Maples

Flexible Modern Authentication with the Multi-Protocol YubiKey

Most organizations work with multiple services and applications, and thus different authentication protocols, to meet all their security needs. Oftentimes, the protocol is predetermined by the application or service provider. However, in other cases, a business or systems integrator has some flexibility on which integration approach or third party to use. When it comes to authentication choices, there is typically no such thing as a silver bullet. The YubiKey was designed with this in mind to support multiple methods for authentication, enabling users and integrators to utilize the best method for each solution.

YubiKeys have multiple authentication protocols, spanning One-Time Passwords (OTP), CCID (smart card), and Universal 2nd Factor (U2F). Each protocol has support for different services and apps, much like a toolbox, allowing the user to select the correct tool for the task at hand.

OTP supports protocols where a single use code is entered to provide authentication. These protocols tend to be older and more widely supported in legacy applications. The YubiKey communicates via the HID keyboard interface, sending output as a series of keystrokes. This means OTP protocols can work across all OS/Environments that support USB keyboards, as well as with any app that can accept keyboard input. Some common services that use OTPs are network devices like VPNs and local authentication services with user login, as support for OTPs tend to be the most straightforward to integrate.

CCID, or smart cards as their interface is more commonly called, is another supported protocol on the YubiKey. The YubiKey identifies itself as a smart card reader with a smart card plugged in, so it will work with most common smart card drivers. Windows has native support, Linux has the OpenSC project, and macOS has support for smart cards natively on Sierra (10.12) and higher. The YubiKey allows 3 different CCID protocols to be used simultaneously – PIV, as defined by the NIST standard for authentication; OpenPGP for encryption, decryption, and signing; and OATH, for client apps like Yubico Authenticator and Windows Hello. The open source nature of the supported smart card protocols make them ideal for integrating with existing environments, such as Windows Authentication, Active Directory Federated Services, SSH or OpenPGP, and derived services.

FIDO U2F is the newest protocol supported by the YubiKey. Developed by Yubico and Google, the U2F protocol provides strong authentication without requiring a complex backend or framework to support it. Turning traditional authentication on its head, FIDO U2F makes the authentication device (like the YubiKey) the authentication provider. It issues unique keys to the services it is authenticating against, ensures each service does not have any information about the others, and removes the need for a central authentication service. With FIDO 2.0, the specification is growing to meet evolving industry needs, while ensuring that the previous generation is not rendered obsolete. The security built into the U2F protocol makes it ideal for web applications or customer-facing apps, which may be exposed to attacks on the information in transit between the user client and server.

Each protocol has strengths and weaknesses, restricting the situations where each one is most effective. However, the YubiKey resolves this limitation by supporting all of the different protocols on a single device, all at the same time. Like a carpenter using the right tool in his toolbox for the job at hand, users and integrators are able to secure their applications and services with the YubiKey using the appropriate protocol for each environment.

To learn more about the protocols supported by the YubiKey, please refer to our Developer site.

Photo of Stina with Female Executive of the Year award
Yubico Team

Yubico CEO Wins ‘Female Executive of the Year’ Award

June has been a busy and exciting month for us here at Yubico. We have been on the road speaking and exhibiting at multiple conferences, were named ‘Best Multifactor Solution’ by SC Magazine Awards Europe, and revealed two new integrations for our YubiKeys. And we’re not done yet!

Yesterday, Yubico CEO and founder Stina Ehrensvard was named Female Executive of the Year by the Women World Awards. This category honors women executives worldwide from all types of organizations and industries. Nominees were evaluated based on important and notable accomplishments within the past 12 months, as well as organizational impact.

“These achievements are not my own,” said Stina. “I could not have brought the company to where it is without the amazing team we have on board. I am proud to lead such an incredible, bright, and committed group of people; and in moments like this, I consider these accomplishments to be for all of us.”

Indeed, we are all honored to receive such an award. Stina’s thoughtful and strategic leadership has been paramount to the company’s success, leading us to a $30M investment and company expansion across four continents. With her direction, Yubico secures 9 of the top 10 internet companies and millions of users in 160 countries.

“I didn’t start this company to make money,” said Stina. “I started it to make a secure internet accessible for everyone.” Yubico is driven by passion, and we’ve felt it every step of the way!

To hear more, listen to Stina talk about her entrepreneurial journey with Yubico.

NIST Special Publication 800-63.3
Jerrod Chong

NIST publishes new authentication standards, FIDO U2F achieves AAL3

After a year of review, the National Institute for Science and Technology (NIST) today released version 3 of its latest digital identity guidelines, outlining a number of updates that play to the multi-protocol functionality of the YubiKey.

NIST Special Publication 800-63 Revision 3 covers guidelines on identity proofing and authentication of users, such as employees, contractors, private individuals, and commercial entities, working with government IT systems over open networks. These guidelines are used as part of the risk assessment and implementation of federal agencies’ digital services.

Three notable changes outlined in the document are the separation of identity assurance from authenticator assurance, the deprecation of short message service (SMS) as one-time password (OTP) authentication, and the recognition of technologies like FIDO U2F within the highest level — Authenticator Assurance Level 3 (AAL3).

The first major change we want to highlight is the decoupling of user identity assurance from the strength of the authentication method used. This enables organizations to make quantifiable security improvements by offering alternative feature-compatible devices that act like a smart card, or providing FIDO authentication for all users. The previous model had the unintended consequence of lowering the authentication security for users where the identity proofing was not needed at Identity Assurance Level 3 (IAL3). In this new model (see table 6-2 Acceptable Combinations of IAL and AAL in section 6.4), a higher Authenticator Assurance Level can be paired with a lower Identity Assurance Level to meet an acceptable combination.

Another change worth noting is NIST’s update on the framework for quantifying authenticator security, particularly for guidance on using SMS as a form of OTP authentication. In July 2016, NIST put out a blog deprecating the process for delivering an OTP over SMS. This position is bolstered by the updated classification of authenticators allowing OTP to be used in lower security systems. Additionally, the YubiKey’s OTP capabilities do not fall under NIST’s deprecation of SMS/OTP out-of-band authenticators.

Lastly, the guidelines recognize technologies like FIDO U2F at AAL3. This opens the door for FIDO U2F and classifies the protocol as a strong credential option, as it meets government guidelines for asymmetric, public-key (PK) cryptography for authentication. With FIDO U2F’s ease of use and quick deployments, the number of services implementing FIDO U2F integrations is steadily growing. Federal agencies now have more options to deploy strong authentication for cloud applications.

The YubiKey meets all these tenets in its versatility and flexibility as a multi-protocol authentication device that combines three of the permitted authenticator types in one physical device.

Single-factor OTP device = OTP

  • The YubiKey spans various OTP capabilities, including Yubico OTP, HOTP, TOTP, and communicates via the HID keyboard interface, allowing the OTP protocol to work across all OS/Environments that support USB keyboards

Single-factor cryptographic device = FIDO U2F

  • Developed by Yubico and Google, FIDO U2F is the newest protocol supported by the YubiKey. This protocol allows the YubiKey to work securely and instantly with hundreds of applications, and with no secrets shared across separate services

Multi-factor cryptographic device =Smart card / PIV-compatible / OpenPGP

  • The YubiKey identifies itself as a smart card reader with a smart card plugged in, and will work with most common smart card drivers.

“While the guidelines themselves are final, we strongly believe that work on this document isn’t truly complete until, like open standards, it has been implemented to tease out bugs and complexities,” said Paul Grassi, one of the 800-63 authors, in a blog post. “Our ability to predict and respond to changes in the market and technology needs to match the speed of innovation, as well as threats.” He added, “Over time, NIST wants the [guidelines] to be adaptive to innovations in the market so anyone, public or private, can better serve their users.”

We celebrate this historic release of NIST SP 800-63-3, as it ushers in a bright future for the YubiKey, FIDO U2F, and federal agencies here in the US and abroad. With this latest revision, the overwhelming response of over 1,400 contributor submissions from within and outside the US validates NIST SP 800-63-3 as a leading resource for global digital identity.

Microsoft demoing FIDO 2 at CIS 2017
Jerrod Chong

Future of FIDO Authentication demonstrated by Microsoft at CIS

Microsoft unveiled a major FIDO milestone today at the Cloud Identity Summit (CIS) by demonstrating an early implementation of a FIDO 2-based passwordless login on a Microsoft Windows 10 computer through Azure Active Directory (AAD) using a YubiKey.  

For the demonstrated login flow, the user inserted and touched the YubiKey, using AAD to instantly authenticate the user, while simultaneously signing into the Windows environment, and allowing access to all integrated business applications. All of this done without the need to type in a username/password.

Under the covers, the login relied on the forthcoming FIDO 2 Client to Authenticator Protocol (CTAP), which will ramp up the YubiKey’s value on the Microsoft platform. While this was a demo of future functionality, YubiKey users can look forward to native support in the Windows 10 OS environment. This is a massive leap forward in the global adoption of FIDO open standards, and a future integration into one of the world’s largest computer operating systems.

Alex Simons, Microsoft’s Director of Product Management for Microsoft Identity Division, and Nitika Gupta, Product Manager for Microsoft Identity Security and Services, delivered the demonstration during the keynote “Open standards: The key to a world of secure clouds & secure devices”. This keynote provided insight into the increasingly critical role of open standards for the future of identity.  

While there is no immediate date on availability, stop by booth #425 at CIS and talk to us about this game changing demonstration. To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Blog crown for Yubico at CIS 2017 featuring the Chicago skyline and a YubiKey
Yubico Team

Yubico at CIS: FIDO, Mobile, ID Proofing. We’ll cover it all!

Today kicks off the annual Cloud Identity Summit (CIS) at the Sheraton Grand Chicago, where the brightest minds across the identity and security industry convene to discuss intelligent identity. Yubico will exhibit at the event (Booth #425) and contribute to several speaking sessions regarding FIDO, Federation, ID Proofing, Intelligent Identity, and Mobile SSO. Below are sessions we find particularly interesting.  

We kick off CIS on Monday (June 19) with Derek Hanson, Director of Solutions Architecture and Standards at Yubico, taking part in the FIDO Workshop from 9am-12pm CT, in the Sheraton Ballroom II. At 10:50am, Derek will deliver a case study on FIDO, Federation, and Facebook social login. Websites can eliminate account takeover through phishing by leveraging U2F-supported Facebook social login, which is easy to implement and already in wide global use.

On Tuesday (June 20), in the ‘New Move in Authentication’ track, Jerrod Chong, VP of Solutions Engineering at Yubico, will deliver a presentation on FIDO, Federation, and ID Proofing. You can attend this session in the Sheraton Ballroom III from 2:30-2:55 pm CT. Jerrod will discuss how identity proofing and strong authentication are often at odds when it comes to privacy — and that it doesn’t need to be that way. Diving deeper, he will provide a look at how three building blocks can work together to create a robust identity ecosystem. The solution is a three-fold component-based architecture for remote identity proofing to create a privacy-preserving credential, an identity proofing engine using OpenID Connect, and strong authentication using FIDO protocols.

David Treece, Senior Solutions Architect at Yubico, will participate in a separate panel discussion on Tuesday. David will speak on the ‘Intelligent Identity Architecture’ panel from 4:20-5:20 pm CT in the Sheraton Ballroom 1. With the dynamically changing nature of business and ever-increasing security risk, identity access management (IAM) systems struggle to keep up. IAM systems are complex, inflexible, and difficult to change. Instead, these systems need to be intelligent enough to understand context and new entities, interpret risk, and deliver a simple user experience. This panel will reveal — from the trenches — how to move an IAM program forward to implement intelligent capabilities while dealing with the realities of budgets, existing infrastructure, and competing priorities.

With all of the fantastic upcoming content at CIS, we also want to highlight the following sessions, which we are excited to be part of:

Monday – June 19

  • 10:35 AM – 11:15 AM Workshop: NCCoE mobile application single sign on for public safety and first responders
    Location: Sheraton Ballroom I
  • 5:25 PM  –  5:50 PM Panel: Mobile – who do you trust?
    Location: Michigan

Wednesday – June 21

  • 8:15 AM  –  8:45 AM Keynote: Open standards: The key to a world of secure clouds & secure devices!
    Location: Ballroom

Thursday – June 22

  • 11:15 AM  –  11:40 AM Panel: The mobile identity user experience
    Location: Chicago Ballroom VIII

If you are attending CIS, come see us at some of our sessions, and stop by booth #425 to explore all that the YubiKey has to offer.  

To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Keeper login screen with a YubiKey in a Microsoft Surface.
Yubico Team

Find us this week at the Gartner and AFCEA events in Maryland!

We have a busy week ahead! Come watch us show off our award-winning YubiKeys at two Maryland events: Gartner Security & Risk Management Summit (National Harbor) on June 12 to 15 and AFCEA’s Defensive Cyber Operations Symposium (Baltimore Convention Center) on June 13 to 15.  

New U2F integration with Keeper Security

We are excited to showcase our latest FIDO Universal 2nd Factor (U2F) integration with password manager and secure digital vault Keeper Security. As part of Keeper’s core offering, U2F and YubiKey support is immediately available as a new, free feature to its 11 million individual users and enterprise accounts. With our mission to make the internet secure for everyone, we couldn’t be more thrilled that Keeper now delivers the highest level of security with FIDO U2F and YubiKey two-factor authentication (2FA) to their customers.

“More than 81% of data breaches are due to weak or poor password management,” said Darren Guccione, CEO and co-founder of Keeper Security, Inc. “Our highest priority is to protect our customers from cyber theft, and this integration of Yubikeys will drastically reduce the impact of a stolen or leaked password.”

Experience the 2FA power of YubiKeys

In addition to demoing our YubiKeys for Keeper sign-on at both events, we will feature some of our top U2F integrations with Google, Dropbox, and Facebook, support for leading identity access management platforms (IAMs), as well as PIV smart card functionality. We will also present other capabilities to showcase the ease-of-use and simplicity of one-touch secure login with YubiKey.

If you are attending these shows, please stop by Booth #744 at the Gartner Security & Risk Management Summit and Booth #566 at AFCEA’s Defensive Cyber Operations Symposium, and discover why our YubiKey 4 Series was recognized as SC Awards’ ‘Best Multifactor Solution’.

To learn more about how your organization can benefit from the authentication power of multi-protocol YubiKeys, visit https://www.yubico.com/why-yubico/for-businesses/.

Global map showing Yubico
Stina Ehrensvard

Yubico scales up with new investors, expands across four continents

Today, I am happy to announce that new investors are joining Yubico’s mission to create a safer internet for everyone by securing all logins and secrets on servers.

$30M in combined new and secondary shares has been invested in the company. Our new investors include NEA, one of the largest and most active global venture capital firms, leading Swedish growth equity firm Bure, and young Silicon Valley-based venture capitalist The Valley Fund.

Today, half of the privately held company is owned by the Yubico founders and team members, and the remaining shares are evenly split across US and Swedish investors. Existing investors include renowned Silicon Valley entrepreneurs Marc Benioff, CEO of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member. All Yubico shareholders enjoy common shares and a democratic shareholder agreement. The combined total assets for all investors in Yubico exceeds $30 billion.

Since our start in Sweden in 2007 with modest funds of $4.5M from angel investors, we have grown organically into a global security leader with four consecutive years of profit. YubiKeys are the authenticator of choice for thousands of business customers and millions of users in 160 countries. As the Yubico team continues to grow, we take great pride in being a multinational and multicultural company. We are now established in four continents with employees in the US, Sweden, Germany, UK, Australia, and Singapore.

“With nine of the top ten internet companies as YubiKey users, Yubico has built a strong foundation as an innovator of new global authentication standards,” said Pete Sonsini, General Partner, NEA. “In a time when software does not offer sufficient protection for online accounts and sensitive data on servers, Yubico’s hardware backed keys are proven at scale.”

Funds from new investments will be used to expand the Yubico hardware platform beyond authentication to more advanced software, services, and use cases, including IoT and server encryption.

SC Awards Europe 2017 Winner blog crown
Yubico Team

We Won! YubiKey 4 Series Recognized as SC Awards ‘Best Multifactor Solution’

Today, at InfoSecurity Europe in London, Yubico graciously received the SC Awards Europe 2017 Excellence Award for Best Multifactor Solution. The YubiKey 4 won in the category of Threat Solutions.

“As a contender among four other established and well regarded authentication technologies, the recognition of our YubiKey 4 Series is a great honor,” said Stina Ehrensvard, CEO and Founder, Yubico.

“We’ve worked hard to create one simple, cost-effective hardware technology that affords enterprises secure access to computers, networks, and online platforms. The YubiKey 4 Series was put in front of a wide range of security experts, and received a resounding stamp of approval; we are extremely grateful. This is a true testament to the value, market share, and high-level security that the YubiKey provides.”


Yubico accepts the SC Awards Europe 2017 Excellence Award for Best Multifactor Solution at InfoSecurity Europe in London

Every year, some of Europe’s most elite security leaders — hailing from private and public sectors, academia, end-user companies, consulting communities, and analyst firms — gather to evaluate hundreds of SC Magazine Europe Award nominations. This panel of judges decides which products, professionals, and services best enhance various aspects of enterprise security. The Multifactor Solution category acknowledges products that provide enhanced security to end users by offering credentials for access to an authenticator or authentication server. Not only are judges advised to review the submission materials, but they are also asked to consider additional information such as analyst reports and/or product reviews.

The YubiKey 4 Series comes in three different form factors, all supporting the same multiple authentication protocols, to meet the needs of every enterprise and individual. To learn more about the award-winning YubiKey 4 Series, read more here. To see YubiKeys in action, come meet us at InfoSecurity Europe at stand #M110.

Image: How millions of accounts can eliminate phishing blog crown
Alex Yakubov

How Millions of Websites Can Eliminate Account Takeover from Phishing

Creating accounts online just got a whole lot easier. Now anyone can log in to or register a new account using their existing credentials from social networking services, such as Facebook and Google. With social logins, users won’t have to rack their brain for another password, saving time and securely authenticating their identity.

Websites that use social login move the responsibility of maintaining cutting-edge data security, identity protection, and login support away from themselves and onto the infrastructures of social networking sites. During the second quarter of 2016, research revealed that 53.1% of social logins went through a Facebook account, with Google accounts pulling 44.8%.

Facebook and Google are among thousands of online services that support FIDO Universal 2nd Factor (U2F). U2F protects against well-known attacks, such as phishing and man-in-the-middle, and other online threats on the horizon. Additionally, all websites supporting U2F work seamlessly with the two-factor authentication (2FA) provided by YubiKeys.

SMS is another commonly used 2FA option, but it is susceptible to both man-in-the-middle and phishing attacks (which we saw in the recent SS7 protocol SMS hack). This is validated by the National Institute of Standards and Technology (NIST), which no longer recommends SMS for 2FA, as highlighted in section in the latest draft of its Digital Authentication Guidelines.

Other websites use push notification-based applications as a second step in the login process. However, much like SMS, push apps do not typically prevent phishing or man-in-the-middle attacks. These can even mislead the freshly phished user into believing that they accessed a legitimate site because they receive the confirmation push message at the same instant that the attacker attempts to log in using their credentials. Most websites also limit the overall effectiveness of 2FA by keeping SMS and/or One-Time Password (OTP) enabled for usability and account recovery. For an in-depth look at credential abuse mitigations, read our Internet Credential Theft white paper here.

So why is social login with U2F and hardware security keys better? Even if an attacker has a user’s password, the attacker won’t be able to access the account. U2F is based on public-key cryptography: when a YubiKey is registered with a U2F service like Google or Facebook, it creates a unique asymmetric key pair with each website. The private key resides on the YubiKey, and the public key on the service.

Think of it as a handshake. When the YubiKey is touched, the public and private keys instantly confirm they are the correct pair, and only that registered YubiKey will allow access. There is no need to re-register the YubiKey. U2F even protects privacy because it was designed to be anonymous, which means no personal data or secrets are shared among service providers, making it impossible to track a user across multiple web sites.That’s it – using the same YubiKey, users get simple and highly secure access to an unlimited number of websites.

Let’s walk through a typical login flow with a U2F- and YubiKey-protected account using Spotify with Facebook social login as an example.


Upon entering a Facebook username and password, the user is prompted to touch their registered YubiKey to authenticate their identity. Just like that, the user is logged in.


This provides not only a best-in-class authentication experience (all the user has to do is touch the button), but also the peace of mind knowing that the YubiKey ensures user accounts are accessed only by the users themselves.

Now, millions of online stores, games, and applications around the world can eliminate account takeover through phishing by leveraging social login. As more websites and online services do this, our vision of having one device to secure all your online accounts is quickly becoming a reality. To learn more about how to implement social login to websites completely free of charge, visit Google and Facebook for their instructions and code.

Yubico Team

10 Easy Ways to Protect Your Identity Online

This week, the Oslo Freedom Forum is hosting its ninth annual conference, bringing together a global community of activists, tech entrepreneurs, and thought leaders sharing the vision of a freer and safer world, including the Internet.

Yubico was invited to the event to share how you can use YubiKeys and FIDO U2F (Universal 2nd Factor) to protect your online identity. We have compiled a list of actions–in addition to strong two-factor authentication–that you can take to ensure your identity stays safe online with the highest level of privacy.

1. Properly manage your passwords

Usernames and passwords are the first line of defense to accessing your personal information online. As such, it’s important to be as diligent as possible in creating the strongest passwords and securely managing these passwords.

  • Ideally, strong passwords should be randomly generated. At a minimum, avoid using information about yourself or your friends and family, such as birthdays, sports teams, pet names, etc.
  • Never reuse passwords between sites. Yes, this means that you will need a different password for each account you have. According to a report, the average person has 90 online accounts, so that’s a lot of passwords to remember!
  • To help with this process, we recommend using a password manager to generate passwords and store them securely for you.
  • Once your password manager is set, make sure you protect it with two-factor authentication, like a security key, to make it even more secure. Examples of password managers are KeePass, LastPass, and Dashlane, all of which offer two-factor authentication. Additionally, Dashlane supports U2F.

2. When possible, use two-factor authentication

Having the strongest usernames and passwords isn’t a failsafe method. If they are compromised, a hacker can easily access your accounts. To prevent this, always enable two-factor authentication and ensure that another form of identity is required to access your account.

Hardware security keys supported over U2F are the most secure form of two-factor authentication and are always recommended when available for use. Many common services support these keys, such as DashLane, Google, Facebook, and Dropbox.

If you are not able to secure your account with a security key or a YubiKey, we recommend that you use another method, such as an authenticator application like Google Authenticator.

Whatever you do, do not enable SMS codes as your second form of authentication. NIST recently rendered these highly ineffective. While some services require using SMS to initially set up 2FA, you can choose to disable SMS after setting up other factors, such as security keys.

3. Always update! 

Most software systems have built-in security functionality to help catch and prevent attacks before they happen. They often enhance these features over time.

To ensure you have the latest and greatest security across all technologies, always update:

  • Computer and phone operating system software
  • Any anti-virus programs
  • Mobile apps
  • Web browsers

4. Verify email validity before clicking on a link or downloading an attachment

Phishing/malicious emails can often look like credible emails, and may even come from one of your known contacts. To ensure it’s legitimate, ask yourself the following:

  • Do you recognize the email address?
    Phishing emails can come from a random email–in which case, you should never open–or from a known contact. If it’s coming from a known contact, check to see if the email address is an exact match. If so, proceed to verify the rest of the email, as an exact email match still doesn’t qualify for safety.
  • Are there spelling errors in the email?
    Hackers can purposefully include spelling errors to make the email appear more human and evade spam detectors.
  • Does the link or attachment make sense?
    Is there a reason why this contact would be sending you this email? Does it make sense based on the context of your discussions and/or relationship? When in doubt, pick up the phone to ask.

5. Check the plugins and addons connected to your email inbox

Each email platform has an option to view what third-party services and applications have access to your account. If you notice an application you have not authorized, immediately remove the permission for its access. You should also remove authorization for applications that you are no longer using.

6. Check for HTTPS security on any website you enter

HTTPS indicates that the web page you are on is secure and can be trusted. If you are not on a web page secured with HTTPS, it is best to not enter any sensitive information while on that site.

HTTPS can easily be identified in the URL bar of your browser. It will be listed in the URL itself. The bar will also display a small green lock that says “secure” next to it.

7. Utilize browser extensions to help protect your online activity

Browser extensions help you access the best parts of the internet without having to worry about your safety and security. With today’s sophisticated technology, it’s easy for third-parties to track your online activity and access your information. It’s even easier for you to suddenly find yourself on an unsafe domain. Simply put, these addons will do the thinking for you, and will help keep people out of your business and keep you away from unsafe territory.

A few tools we recommend include:

  • Privacy badger
    This extension prevents tracking and cookies, so your data and browsing history are kept safe from unwanted advertisers and other third-parties.
  • Adblock Plus
    This extension will block banner ads, pop-up ads, rollover ads, and more. It stops you from visiting known malware-hosting domains, and also disables third-party tracking cookies and scripts.
  • HTTPS Everywhere
    This addon enforces you to always access sites over HTTPS, if they support it.
  • Panopticlick
    If you’re unsure how safe your browser is, you can test it here.

8. Don’t divulge sensitive information

Any additional piece of PII (personally identifiable information) can make a hacker’s job easier.

This is more of a concern in the day and age of social media. If you wouldn’t want a stranger having access to a piece of information about you (phone number, address), don’t put this on your public profiles (Twitter, LinkedIn, Facebook, WordPress blogs, personal websites, etc).

If possible, update your privacy settings to only allow friends and family access to your profile. Frequently revisit these settings as well to ensure nothing was disabled.

9. Be cautious of public Wi-Fi

Public Wi-Fi doesn’t qualify as a secure network, and therefore, gives hackers a greater advantage at stealing information or pushing malicious attacks.

If you must use public Wi-Fi, stick to sites that don’t deal with sensitive information. In other words, don’t maintain your bank account or anything of this nature on public Wi-Fi.

When possible, always avoid public Wi-Fi and use other solutions such as a secured personal hotspot or VPN solution. A VPN will make it difficult for third-parties to determine your identity or location. There are many free options available.

10. Stay informed!

Most major data breaches are covered in the news, so this is often a good place to keep a pulse on any attacks that could have compromised your personal information.

If you think you’re a target or have already been compromised, start by changing all of your passwords. Then, go through this list to ensure you have all the necessary security measures in place.

YK4 with 5 star review on Amazon Prime
Yubico Team

Ready, Set, Earn: Become a Yubico Affiliate through Amazon

We have great news for Yubico ambassadors! We’ve found a program that carries on the values of our now-retired Yubico Affiliate Program while empowering affiliates to profit from products they choose to advocate.

Amazon’s widely successful Amazon Associates program is booming for a reason. The program gives everyone a chance to earn up to 10% commission on completed orders of qualifying products by promoting the items online. With YubiKeys in the product roster, you can earn extra cash and help raise awareness on account protection at the same time. How awesome is that?

Another great thing about this program is that you will earn commission on a shopper’s entire order on Amazon. If a shopper completes a purchase with a YubiKey plus any other qualifying product, you’ll earn commission on all of those items.

All you need to do now is sign up for the Amazon Associates program then share a link to the YubiKeys’ product pages with your audience on your website, blog, or social media accounts. Signing up is free and easy to do.

We’re moving closer towards our vision of making the internet a safer space for everyone across the globe. Now you can help us make that a reality by simply posting a link. For more information about the Amazon Associates program, visit this page. For updates on special promotions or Yubico product launches on Amazon, subscribe here.

If you are interested in collaborating with Yubico as an official reseller, please reach out to our team at yubi.co/sales.

Crown image with Star Wars fan fiction blog title
Yubico Team

Episode Y: The Rise of 2FA

The security revolution has begun. In a final act of resistance against the dark might of the enemy, the brave heroes have deployed their ultimate weapon, a powerful layer of defense beyond the strength of the password known as 2FA, to a vast group of web sites throughout the universe.

As 2FA spreads, a group of security jedis have used the 4C to establish an impenetrable shield around their users’ accounts. The effort has brought forth a great victory, with users avoiding data breaches, identity threats, and phishing attacks.

Meanwhile on the remote planet Wilhacku, the YubiKey fleet, led by Lieutenant Stinasvard, has fought bravely against evil malware droids, successfully destroying the last of the Empire’s hacker army.

With the Empire defeated, peace has finally been restored across the galaxy. Billions of websites can now harness the power of 2FA, and under its protection, people are trusting the internet once again.


We at Yubico are HUGE fans of Star Wars. To celebrate May 4th, we have fun Star Wars-themed social posts coming your way on Twitter, Facebook, Instagram, and LinkedIn. Stay tuned, and May the 4th be with you!

OLD YubiKey 4C body
Jeff Wallace

Leave Nothing to Chance: Have a Backup and Recovery Plan

A backup and recovery process is an indispensable component of every security solutions strategy, and is something to think carefully about as you develop a plan to integrate YubiKeys into yours. Having a proper backup and recovery process keeps employees productive without them having to worry about losing their YubiKey or losing access to systems and accounts. More importantly, your backup and recovery process must be secure and should not diminish the overall security in place. Remember, your security is only as good as its weakest link.

The most secure plan is for each user to have two YubiKeys. Establishing a backup YubiKey ensures that the user can effortlessly access all of their accounts if they accidentally misplace their primary YubiKey. We strongly recommend this approach to all customers as a general best practice, as it guarantees that all users have a recovery solution easily accessible to them at any time. Having a backup YubiKey gives users peace of mind and eliminates the need for them to go through complicated, time-consuming processes to access their accounts. While other backup and recovery options are available, they come with a variety of pros and cons.

Other Backup and Recovery Options

One such alternative is having a Service Desk team issue a secondary temporary key on demand. This is the next best approach to having a backup YubiKey for all users, as it supplies a physical device registered with the same authentication system to the user at the time of need. With the YubiKey at its core, this approach removes many areas of risk that come with alternate solutions, and can serve as an extension of the two YubiKey approach if a user loses both keys. However, this option requires additional time, processes, and personnel, as the Service Desk must always be open to the user should they have an immediate need for a key.

Another popular backup alternative is having a mobile authenticator. Using an app like Google Authenticator provides a valid backup method by issuing a temporary passcode to users. However, mobile authenticators are often based on older technology, and do not provide the same protection that the YubiKey delivers, as the secrets used to generate the passcodes can be deciphered if enough codes are intercepted. Should you decide to use a mobile authenticator as a backup option, we encourage you to use it sparingly to avoid the risk of security breaches.

Beyond these, you can establish other backup methods, but they will not be as secure or as stable as a multi-key approach. SMS and email, for example, are the least secure backup and recovery methods, as they are susceptible to man in the middle and phishing attacks. In fact, section of the NIST 800-63-3 guidelines, which will soon be published, recommends deprecating SMS due to security limitations. Additionally, a phone can run out of battery, be lost, stolen or broken, get infected by malware, or have storage retrieved by a connected computer. Conversely, the YubiKey is not vulnerable to most of these concerns.

While we understand that cost plays a key role in restricting organizations’ options for secure backup and recovery solutions, we do not recommend processes that could allow remote access to a corporate resource or introduce social engineering risk, reducing the initial security that our YubiKey solution was designed to protect against. Security always comes first! This is precisely why we urge all customers to consider using the two YubiKey approach as a best practice.

YubiHSM 2 inserted into server
Yubico Team

YubiHSM 2 open beta launched!

With IT security breaches becoming a staple in daily news reports, organizations big and small alike need to ramp up their defense. More than 95% of all IT breaches happen when a user credential or server gets hacked. While the YubiKey protects user accounts from remote hijacking, millions of servers storing sensitive data still lack physical security.

Hardware security modules (HSMs) offer the physical protection of servers, but are historically limited by its cost, size, and performance. The YubiHSM 2 breaks that mold with its extensive range of use cases. Applications include protecting data centers, cloud server infrastructures, manufacturing and industrial products and services, and many more.

The YubiHSM 2 delivers practical security to a wide variety of server environments with unrivaled affordability, convenience, and ultra-portability (it sits inside a USB-A port!). Moving beyond the features of the first generation YubiHSM, the YubiHSM 2 adds asymmetric cryptography and more to its list of capabilities.

After holding a successful closed beta for YubiHSM 2, we were thrilled to see great feedback from our participants, which include the world’s leading online services, software companies, and research institutions. Today, we are excited to announce that we are running an open beta for the YubiHSM 2, and we invite everyone to apply for a slot (spaces are limited)!

Learn more about the YubiHSM 2 or submit your application to participate in the open beta here. We look forward to hearing your feedback!

User authenticates to Facebook using YubiKey NEO with their mobile device
Yubico Team

Tour d’Europe: Identity, Mobile, and YubiKey NEO

Mobile World Congress 2017 Today, Yubico joins the FIDO Alliance and thousands of people from around the globe in Barcelona for the GSMA’s Mobile World Congress (MWC) 2017. Find us at the FIDO Pavilion 2UP.40 #4! No one can deny it. User acquisition is king! To acquire users as quickly and cheaply as possible, mobile app and online service providers frequently sacrifice strong authentication security in favor of fast and easy access. With YubiKey NEO and FIDO U2F, businesses needn't compromise. No longer must developers complicate mobile login or frustrate users in order to protect customers, because security based on FIDO U2F changes the game. YubiKey NEO YubiKey NEO (US $50) is an innovative USB device featuring NFC (near-field communication, a wireless communication method). With a tap of their YubiKey NEO to an NFC-enabled Android device, users can quickly and easily authenticate themselves to supported services. YubiKey NEO gives mobile online security a better user experience while providing stronger security and reducing risks. Stop by the FIDO Pavilion, 2UP.40 #4 at MWC 2017, to see a demo and chat with a Yubico security expert. Next week, find us in London at the Gartner Identity and Access Management Summit EMEA 2017 at booth S14 (6-7 March). Then, follow us to Disneyland® Paris for the IT Partners fair (7-8 March). Visit our booth to see how YubiKeys can help you and your customers reduce risks, increase employee productivity, and unlock additional revenue potential. You can buy a Key NEO from our web store, on Amazon, or through any authorized reseller.
RSA 2017
Yubico Team

Yubico at RSA 2017 – Our Hardware Beats Your Malware

It’s that time of year again! We’re heading back to the RSA Conference in San Francisco to show off our latest and greatest at booth #N4421.

Keeping online data, accounts, and identities protected is a challenge, and it’s abundantly clear that usernames and passwords are the weakest defense. Daily breaches, hacks, and evolving phishing techniques have taught us that two-factor authentication (2FA) is no longer a nice-to-have, but a must-have if you’re taking security seriously. The elegance of the YubiKey is in its ease of use and security, which adds a physical defense to your accounts that is activated with a simple touch to authenticate.

At the RSA Conference, we are launching a new YubiKey design (which is a top user request). We’re also demonstrating a massive FIDO U2F implementation that expands the reach of the YubiKey far beyond organizations and enterprises and into the global mass of social media.

USB-A and USB-C ports

Illustration: USB-A and USB-C

Available for purchase today*, the YubiKey 4C is the world’s first multi-protocol USB-C authentication device. The YubiKey 4C contains the same proven firmware and functionality as the YubiKey 4. The YubiKey 4 family, which is now comprised of the original YubiKey 4, the YubiKey 4 Nano, and YubiKey 4C, all perform FIDO U2F, Yubico OTP, OATH, OpenPGP (up to RSA 4096), as well as PIV smart card (up to RSA 2048 and up to ECC P384). The YubiKey 4C is perfect for new laptops, such as the MacBook Pro and HP Spectre, which feature only USB-C ports.

Recently Facebook announced support for FIDO U2F and YubiKey security keys to its 1.8 billion users. Facebook now joins dozens of other online services that have integrated U2F. We are demonstrating how a single YubiKey or FIDO U2F Security Key is used to secure the growing list of services supporting U2F, including Google, Dropbox, GitHub and many more. Whether with the YubiKey 4 (USB-A), YubiKey 4C (USB-C), YubiKey NEO (NFC), or FIDO U2F Security Key, Facebook business and personal users can now protect their accounts with unphishable 2FA.

If you are at the RSA Conference, there will be quite a few of us around and about – be on the lookout for the big Yubico logos and stop by our booth, #N4421. Say hi, ask us what’s new, and feel free to show us your YubiKey!

YubiKey 4C

YubiKey 4C | US$50


YubiKey 4C - Sold Out! We feel the love! Due to high demand, YubiKey 4C is temporarily out of stock. Sign up to be notified when it is available again. Notify me

Image of Facebook Security Settings
Stina Ehrensvard

YubiKey & FIDO U2F Protect Facebook Users… Like!

Many say that if it didn’t happen on Facebook, then it didn’t really happen.

Well, today, a HUGE thumbs up has happened — Facebook has upgraded the login security for its 1.8 billion users by integrating the unphishable protection of the FIDO U2F Security Key into its social platform.

Simply put, this means that Facebook users, from individuals to the largest organizations, can have peace-of-mind knowing their account is safe with a simple touch of a Security Key, like the YubiKey. Picture it: you have a physical key to your car and home, and now you have a physical key protecting your Facebook. This also means all the services that you access with Facebook login are protected too. And the same Security Key can also be used for the growing list of services supporting U2F, including Google, Dropbox, and many more.

The need for two-factor authentication (logging in with something you have and something you know) grows daily as we hear about new breaches and hacked passwords. However, recent security threats have shown that mobile push apps and SMS do not offer enough protection against phishing and man-in-the-middle attacks.

If you currently have a U2F-enabled YubiKey and a Facebook account, you can go into your Facebook security settings and set it up now! You can buy a FIDO U2F Security Key or YubiKey here (or two, as we recommend having a backup). Once a U2F Security Key or YubiKey is registered and authenticated with your Facebook account, you will not need to use your key again to log in on that device until you clear your browser’s cache. Facebook considers your device as “trusted” for convenience. Which means if a hacker attempts to log in to your account from another device, they will be blocked unless they also have your password and your physical Security Key.

With a Security Key, you can remove SMS which will raise your security for all mobile devices. To achieve the strongest level of security for mobile, you can use a YubiKey NEO on Android phones with NFC.

“We’re excited to offer security keys as an additional option to make login to Facebook even more secure. We’re grateful to Yubico for the support and feedback they’ve provided.” said Brad Hill, Facebook Security Engineer.

Yubico and Google co-created U2F with the vision to scale easy-to-use, strong, public key cryptography for all internet users. Yubico developed the first FIDO U2F authenticator, published free and open source code for clients and servers, and we continue to drive this work within open standards organizations, including the FIDO Alliance, and W3C.

A study on internal and external Security Key usage by Google validates that U2F is one of the most secure, easy to use, and cost-efficient authentication technologies. And as users can have multiple affordable backup keys, support calls are greatly reduced compared to phone authenticators.

Historically, strong authentication has been tied to users’ real identities or a central service provider. During the U2F development work, Yubico’s CTO, Jakob Ehrensvard, introduced the concept of an authenticator that works across any number of services with no shared secrets. This allows users to be anonymous, and have multiple, yet secure identities. Today, U2F and YubiKeys are used to protect the privacy of individuals and organizations in 160 countries, including journalists and dissidents at risk.

In a time when security breaches have become a serious threat to our trust in the internet, FIDO U2F offers a secure link between the user and the services we connect to. It’s an open standard, not controlled by governments or corporations — but a simple way for users to take control over their own security and privacy.

Today’s support in Facebook is an important milestone for making the internet safer for everyone.

P.S. It was fun playing the bad guy in the short video above.

Yubico Founder and CEO plays hacker in Facebook video

Implementing FIDO U2F
Alex Yakubov

3 Top Things to Consider When Implementing FIDO U2F With Your Service

Now more than ever, security must be built into everything. By leveraging open standards, instead of building security protocols from the ground up, organizations can provide strong authentication faster than ever before.

We created the Universal 2nd Factor (U2F) protocol together with Google several years ago and offered it the world for free along with open source clients and server libraries. After years of working with the majority of service providers who have made support for the U2F standard, we have learned a lot about what makes a successful implementation.

Here are 3 of the top things to consider when implementing FIDO U2F with your service:

1. Backup and Recovery

Just as your users often forget their passwords today, it is possible that the methods they use for two-factor authentication will not always be available. Phones run out of battery, can be lost, stolen, or broken. Hardware-backed keys, such as the YubiKey, and other tokens like RSA SecurID, can be left at home, lost, or stolen. We highly recommend encouraging users to register at least two FIDO U2F security keys for backup, as this is the most secure and affordable option available. Other methods, such as backup codes and email, have their weaknesses and usability challenges.

You need to provide a backup two-factor method but bear in mind that security is never stronger than its weakest link. Some of the most commonly-used backup options are still susceptible to man-in-the-middle and phishing attacks. SMS, for instance, is no longer recommended by the National Institute of Standards and Technology (NIST), section in the latest draft of its Digital Authentication Guidelines.

Providing flexibility for users to select various backup options will substantially reduce the need to perform a full account recovery, which often involves the user calling your customer service help desk. A new technique used by leading services is social recovery (asking a number of friends to authorize the recovery). We do not recommend email as a recovery method since it is common for the user seeking recovery to have lost or forgotten their email credentials as well.

2. Mobile User Experience

If your service is accessible on mobile devices, it is imperative that you take the mobile user experience into account.

Today, both Google and Dropbox services require verification codes as the second factor when accessing from a mobile device. Google will also generate a unique app password for each native application for account access. For example, Google sets a specific password for native apps such as Mail on an iPhone or Mac, or Outlook on a Windows PC when accessing Gmail.

Soon, services will be able to use two wireless transport methods, Near Field Communications (NFC) and Bluetooth Low Energy (BLE), for U2F authentication on mobile devices. Here are some considerations for each of them.

NFC - At this time, we are most confident in NFC as a secure, and reliable contactless U2F communication method. Android mobile devices featuring NFC will soon allow users to authenticate with a tap of an NFC-capable U2F security key as the second factor. However, for iOS devices, Apple only recently added NFC capabilities to their mobile platform but continues to restrict the NFC stack to their applications, such as Apple Pay. Therefore, external U2F authenticators will not work on all mobile devices over NFC.

BLE - For iOS, BLE is a transport option, but the user experience is not optimal. BLE-capable U2F security keys must be paired with each mobile device before registration can occur. This additional pairing process adds friction for users as it is made more difficult in high-density environments where there are many Bluetooth devices in a small area. BLE-capable security keys also require batteries, bringing with them the possibility of running out of power and resulting in shipping and handling regulations as it pertains to dangerous and hazardous goods.

Alternatively, the FIDO ecosystem is currently exploring using a U2F USB security key in conjunction with a mobile app for accessing services on mobile devices. This approach is similar to what is today deployed by several European online services, which combine smart card devices with mobile applications. For the highest level of security, some of these services require a user to first register a smart card device with the service from a computer before allowing the user to then download and use the mobile app. In this scenario, we recommend leveraging U2F device attestation to identify the kind of U2F authenticator during registration (hardware, software, certified, and so on), and implementing assurance policies.

3. Support

You are likely thinking about how the first two considerations will impact your support team. (If you are not, then you should be!) Case studies show dramatic decreases in support costs after implementing U2F security keys. The keys to success are having clear, concise documentation for self-help, and allowing your users to provision more than one U2F security key. For instance, when Google switched employees to FIDO U2F Security Keys by Yubico, support calls and costs were cut in half compared to using mobile phone authenticators. An important part of that success is also due to the user's ability to register backup keys.

In conclusion, you are not alone in your journey to implement FIDO U2F. More than a dozen organizations (both consumer-facing and B2B) have already rolled it out to their end-users, and countless others are in the process today. We are committed to the success of U2F and will continue to share best practices. And we applaud you for considering FIDO U2F for your service!


Yubico Team

Can Two-Factor Protect Democracy?

Millions of people use YubiKeys all across the globe, and our customers often share how they use YubiKeys at work and for their personal accounts. Now and then we hear a unique story from a new perspective that catches our attention.

Today’s youth is growing up online, always connected, and used to having their personal identities sync directly with their online personas. We are happy to see that even at the youngest of ages, the importance of two-factor authentication (2FA) is making its way into their lives.

We received the story below from a customer who was proud to tell us that his son, Matt, recently won first place at his school's science fair. His project, “So you think you can Phish?” is the first we have heard of including YubiKeys in a high school science fair!

Science Fair Project Display

Matt's Winning Science Fair Project

In his project, Matt identifies the importance of 2FA, specifically the use of YubiKey and the FIDO Universal 2nd Factor (U2F) authentication standard, and illustrates how this simple added step could have prevented a recent, highly publicized phishing attack.

In Matt’s conclusion, he states that even though John Podesta fell for a phishing attack, the former chairman of the 2016 Hillary Clinton presidential campaign could have protected his email account against unauthorized access had he enabled 2FA with a YubiKey. Ultimately, Podesta could have eliminated any potential for leaked emails. Which leaves many people wondering, could this have affected the recent election? Some say yes, some say no, but what it makes clear is that usernames and passwords simply are not enough.

Spreading the value of 2FA cannot be understated, and students like Matt are helping to not only inform their peers but their educators as well. We wish Matt the best of luck at regionals and potentially nationals!

We love to hear new stories and uses from our customers. Please email us at press@yubico.com if you have any that you would like to share.

The NEW YubiKey 4C available February 2017
Ronnie Manning

We hope to USB-C you at CES!

Each year the Consumer Electronics Show (CES) ushers in the new year by revealing the latest in tech, and we’re excited to take part. This year, our CEO is speaking on a security panel, and we’re showing off our new YubiKey 4C with a USB-C design!

Yes, Apple fans! We heard your lament over absent HDMI and USB 3.0 ports, and your transition to USB-C on the newest MacBook Pro.

YubiKey trio

The YubiKey 4C (pictured middle) will be available in the Yubico store for US$50 beginning February 13, 2017

The YubiKey 4C, the world’s first multi-protocol USB-C authentication device, will be previewed at ShowStoppers @ CES, 6-10 PM, at the Wynn Las Vegas. You have asked, and we have listened to your requests for a USB-C form factor. We are extremely proud of the upcoming YubiKey 4C, which will be available for purchase in the Yubico store for US$50 beginning February 13, 2017.

And kicking off the day on January 5, 2017, at the CES Cybersecurity Forum 2017, our CEO and Founder Stina Ehrensvard is speaking in a panel discussion, "Battening Down the Hatches: Data and Devices." The panel will dive into the tools needed to keep connected devices safe and secure, highlighting endpoint protection, secure browsers, and apps protection. The panel begins at 9:15 AM in Room Lando 4301 on Level 4 of The Venetian Las Vegas.

Built on the proven foundation of the YubiKey 4, the YubiKey 4C also supports multiple protocols including Yubico OTP, OATH, FIDO Universal 2nd Factor (U2F), up to RSA 4096 for the OpenPGP function, as well as up to RSA 2048 and up to ECC P384 for the PIV smart card function. This lineup of functionality is contained in a new keychain design for laptops, such as the MacBook Pro, which rely solely on USB-C ports.

We are working on an additional smaller YubiKey form factor with a USB-C design akin to the YubiKey 4 Nano, but do not yet have a time frame for availability.

Secure login for everyone - woman taking a selfie in Times Square, NYC
Stina Ehrensvard

Secure login for everyone

In early 2016, a major enterprise (that at the time was not yet a Yubico customer) asked us two great questions. Why does Yubico exist? And how come 9 of the top 10 internet companies trust a company with less than 100 employees? In this, our first blog of the year, we will share the answers to these questions.

Yubico was founded with the mission to make secure login easy and available for everyone. And our vision was to enable a single key to access any number of services. To make that happen, we decided to work in close collaboration with the internet giants on the assumption that, by carefully listening to their requirements, our technology would have the opportunity to reach all computing devices, platforms, and services.

We won the trust of the world’s leading internet brands, not by selling to them, but by offering our top innovation capabilities and focusing on open standards. To simplify the use of OATH one-time passwords, we removed the need to retype codes from one device to another. For systems requiring a long and complicated static password, we created a way to generate the code in a simple touch. To prevent trojans from hacking a PIV smart card device, we added user presence, touch-to-sign, and device attestation. And to take strong public key crypto to all internet users, we invented the concept of an authenticator that can work with any number of services, with no shared secrets -- which is the core innovation and foundation behind FIDO standards.

We won the trust of the internet giants with exactly the right team, and size to be agile, innovative, and humble. During 2017, billions of people will be safer online because of our past and future contributions to open standards. And that is also the answer to why Yubico exists.

To quote American anthropologist and author Margaret Mead, “Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has.”

U2F Security Keys by Yubico
Yubico Team

U2F Security Key Cuts Google AdWords Fraud

After a successful deployment of FIDO U2F enabled YubiKeys for all its staff, Google is now seeing the benefits of offering the technology to its customers with AdWords accounts.

Hijacking of online advertising accounts not only costs customers whose accounts get bumped offline, but Google loses revenue when those accounts are dormant. The Association of National Advertisers estimates that $7.2 billion will be lost to digital ad fraud in 2016.

As the world's leading digital advertising network, Google is fighting back. In a recently published blog, the company highlights how two digital marketing agencies, Jellyfish and iProspect, protect their AdWords accounts, customers, and revenue using FIDO U2F Security Keys by Yubico.

AdWords users were trained in the simple three-step process to register the FIDO U2F Security Key with their Google accounts. On subsequent use, users only need to touch the key in order to securely log in. Jellyfish rolled out FIDO U2F Security Keys by Yubico to all team members in the UK and South Africa, and iProspect says the security key provides peace of mind that Google accounts are safe.

One of the most important features of the FIDO U2F protocol is the ability to defeat rapidly increasing phishing and man-in-the-middle security attacks. Google’s 2-Step Verification mobile technologies do not offer the same level of protection against these attacks.

Historically, great security has come with high cost and complexity. Yubico changes the equation. Check out the short video Google produced to explain the importance and simplicity of using 2-Step Verification with FIDO U2F Security Keys by Yubico.

Additionally, Google will be having a live broadcast "How to Protect Your AdWords Account" on Thursday, February 16th at 4:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.  The Online Safety Series will cover key topics in online safety, such as account hijacking prevention, recognizing bad websites, adherence to Google policies, and online privacy. RSVP for this Google Advertiser Community Event!

holiday ornaments made out of a YubiKey 4, imitation Christmas tree, toy train, and Star of David
Yubico Team

Give the Gift Security Geeks Love to Get

'Tis the season to be jolly and reflect on everything we're thankful for. It's been an incredible year at Yubico, and we're delighted YubiKeys continue to make news this gift giving season. 

We've compiled our favorite gift guides because these are just too awesome not to share. And yes, we’re on each of them!

US and EU Shoppers: Hoping to receive your order before December 25? Unfortunately, we cannot guarantee shipping times at this time of year. We recommend that you place your order at yubico.com/store by Friday, December 16. You can also buy YubiKeys on Amazon (Pro tip: Amazon has guaranteed shipping times)!

Note: Yubico Store shipping times can vary depending on your country of origin, weather, and other unforeseen obstacles for which we cannot plan.

Photo: Markus Spiske

YubiKey 4 Limited Edition White

YubiKey 4 - Limited Edition White $40
Great stocking stuffer! We’ve produced a limited edition white YubiKey 4 to celebrate the return of smart card support for Macs, available in the Yubico Store. Quantities are limited, so order today!

YubiKey in Smart Card Mode with Windows Remote Desktop Protocol
Yubico Team

Computer Login with YubiKey in Smart Card Mode

The humble smart card dates back to the 1970s, but the mature technology is not without innovation in a world of new-fangled authentication.

Personal Identity Verification (PIV) smart cards, best known as staples in government agencies, incorporate standards developed by the National Institute of Standards and Technology (NIST).

Yubico’s recent webinar, “YubiKey Smart Code Mode for Computer Login,” walks viewers through PIV support on operating systems from Microsoft, Apple, and various Linux distributions. A recording of the webinar is embedded at the bottom of this blog. Yubico’s PIV implementation also supports PKCS#11 and open source tools such as OpenSC.

The YubiKey 4, YubiKey 4 Nano, and YubiKey NEO all incorporate the NIST standards and put ease-of-use innovation into the technology by eliminating the need for a card reader, middleware, extra software, and additional drivers on Microsoft and Apple operating systems. Login and code signing operations are just some of the functions that require only a touch of the YubiKey to activate.

The webinar includes demos using YubiKeys as a smart card to log in on macOS Sierra, Windows domains, remote desktops, and the new Windows Hello authentication platform.

Presenter David Maples, a Yubico Senior Solutions Engineer, details all the platform configurations needed to support the YubiKey and PIV.

He also highlights the YubiKey’s versatility with features and integrations that support additional protocols, such as FIDO’s U2F, using the same YubiKey that provides PIV smart card features.

The webinar opens with a brief introduction to Yubico and the Yubikey.

Webinar: YubiKey Smart Card Mode for Computer Login from Yubico on Vimeo.

Ronnie Manning

Where to find Yubico this week

We are kicking off the week at the O’Reilly Security Conference on Tuesday in New York with sponsored events, and exhibitions in Booth #405 where we will showcase the broad functionality of the YubiKey (U2F, OTP, PIV) across many of our integrations.

Additionally, at O’Reilly Security, you won’t want to miss our CEO and Founder, Stina Ehrensvard’s speaking session “The Future of Strong Online Identities – Simple, Open, and Mobile” on the first day of the conference at 4:45pm in room Rendezvous Trianon.

On Wednesday, at 10:00 a.m. PDT, join us virtually for a live webinar on the YubiKey as a smart card for computer login. The session will include demos on Windows, Mac, and Linux machines, as well as Windows and Citrix remote desktops. Register here

Finally, we will close out the week at Black Hat Europe 2016 in London, starting on Thursday, Nov. 3rd where we will demonstrate YubiKey two-factor authentication technology to Europe’s top security experts. Find us at Booth #104 to see what all the buzz is about.

There’s lots of activity this week, and we hope to see you at some of these events! (And even more in the future!)

YubiKey now works with Salesforce U2F
Ronnie Manning

Dreamforce 2016 – FIDO U2F YubiKey Log In to Salesforce

Momentum is the motion of a moving body, measured as a product of its mass and velocity. Today, we see the mass and velocity of the world’s largest cloud ecosystem get behind FIDO Universal 2nd Factor (U2F) strong authentication.

At this week’s Dreamforce 2016, conference attendees will get the first look at new native support of U2F in the Salesforce Winter ’17 release. Once enabled by an organization’s Salesforce administrator, end users can authenticate with any YubiKey that supports U2F to securely log in to their Salesforce accounts with superior security and unmatched simplicity. Furthermore, that same YubiKey can be used to authenticate to the ever-growing list of services that support U2F.  

After a Salesforce user registers their YubiKey with their account, they log on as usual with their username and password. But before they are granted access, they are prompted to insert their YubiKey into their computer’s USB port and touch the device’s button. This  completes a strong authentication based on public key cryptography, that thwarts phishing and man-in-the-middle attacks that plague other solutions such as one-time codes sent via SMS.  

Users can register both a YubiKey and the Salesforce Phone App with their Salesforce account so they always have a backup authenticator. If their phone is dead a user can use their YubiKey. Or if they don’t have their YubiKey, they can use the phone app.

To learn more about U2F, YubiKey, and the Salesforce integration, sign up to attend a joint webinar hosted by Yubico and Salesforce on Oct. 20 (sign up here!). Together, we will demonstrate how easy it is to activate U2F on the Salesforce platform. We will also dive into the growing importance of the FIDO Alliance protocol, and discuss the cost savings achieved with YubiKey as a second factor for authentication.

Salesforce’s U2F integration comes on the heels of more than a dozen online services that have made support for U2F beginning with Google, Github, Dropbox, and most recently Okta, Gitlab, Dashlane, and Bitbucket. As we read daily about new password and data breaches, companies are moving to strong, open authentication built on U2F. Google tracked the authentication habits of 50,000 employees using U2F within the company over a two-year period. The results showed that compared against Google’s own authenticator phone app, U2F was faster, more secure, and reduced support costs by thousands of hours per year.

We hope to see you in San Francisco. Stop by our Dreamforce Booth #345 in Moscone South Hall. We are demoing the YubiKey with Salesforce Winter ’17, along with other slick U2F-based services.

Lock Down Your Login with YubiKey
Alex Yakubov

Lock Down Your Login with YubiKey

“78 percent [of Americans] strongly or somewhat agree it is important that companies, government entities and other stakeholders work together to find new ways of securing accounts beyond the use of passwords.”
- National Cyber Security Alliance (NCSA) Strong Authentication Survey, July 2016

Research is clear -- the world needs new and better ways of securing their accounts beyond passwords. That’s why we are participating in the National Cyber Security Alliance’s internet safety and security initiative.

At Yubico, we’re passionate about making it easy for anyone to protect their data and privacy online. Although our security experts have created an affordable and easy-to-use security key, that’s only one piece of the puzzle.

Today, we announce our commitment to the National Cyber Security Alliance’s “Lock Down Your Login” internet safety and security initiative to empower Americans to better protect their online accounts by moving beyond passwords. The campaign, which was announced by the White House in February 2016 as part of its Cybersecurity National Action Plan, calls for all Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of authentication.

Over 40 businesses (including Google, Microsoft, MasterCard, and PayPal) have taken up this initiative. However, many service providers still do not offer strong authentication and rely only on passwords, which are often weak or reused across accounts.

Hundreds of companies have already integrated support for YubiKeys, including popular consumer services like Google Apps and Dropbox, as well as the most popular password managers such as Dashlane and LastPass. They’ve done so because YubiKeys are easy, safe, affordable, and scalable.

As participants in this campaign, we are developing free resources (including Yubico’s Best Practices eGuides) for those businesses that want to introduce stronger authentication but aren’t quite sure how to get started. For details, click here and sign up to receive a notification as resources are released. Educating businesses and individuals is a tall order. Help us reach more people by sharing this with others!

To kick things off, we’ll be offering a 22% discount on the purchase of 2 YubiKeys for 24 hours (12:00AM - 11:59PM PST), on October 4, in the Yubico Store (because it’s best practice to have a backup just in case you misplace your YubiKey). Mark your calendar!

2FACTOR22 Coupon
Derek Hanson

YubiKey Works With Windows Hello

With Windows 10, Microsoft is introducing its most complete authentication platform ever. The Anniversary Edition of the operating system includes expanded user verification options, standards-based authentication, and diverse management controls grouped under the name Windows Hello. YubiKey now works with this ecosystem.

Microsoft is spreading Windows Hello to enterprises and consumers, and across its platforms including desktops, mobile devices, Active Directory, Azure AD (which lives in the cloud), and independent cloud service providers that support modern FIDO Alliance protocols. The list of authentication methods include built-in biometrics, external companion devices, and smart cards/PKI.

This expanded list of authentication possibilities lands right in Yubico’s wheelhouse. YubiKey and its support for multiple protocols helps usher in the era of FIDO for Windows.

In Windows 10 language, Microsoft will support both key-based and certificate-based authentication. Key-based authentications are equal to the FIDO model of public key cryptography; while certificate-based authentication relates to smart cards and PKI. Enterprises that don’t use PKI, or want to minimize reliance on certificates, are prime converts for key-based Windows 10 authentication credentials. With a design focused on ease-of-use, it’s a natural place for end users to finally duck behind the protection of strong authentication.

The YubiKey is a versatile authentication device that is built for this environment. Our strategy around strong authentication includes supporting many standards-based authentication protocols for host-based and cloud-based services. Today, users of services such as Google, Dropbox, and GitHub have access to FIDO-based strong authentication with the YubiKey.

Initially, we have built a simple, single-function app called YubiKey for Windows Hello, which is now one of many options in Windows 10 for unlocking a computer. The app, built on the Windows Companion Device Framework, is available now in the Windows Store. To learn more about YubiKey for Windows Hello and see it in action, watch our video (below). Microsoft introduced Yubico’s app today during its annual Windows Ignite conference.

The Windows Hello platform will create many options, and Yubico will be ready to support them with a simple touch of the YubiKey.

YubiKey now works with macOS Sierra!
Jerrod Chong

YubiKey Smart Card Support For macOS Sierra

Have you ever wanted to use your YubiKey to protect your Mac? Starting today, PIV-enabled YubiKeys can be used to log in to your Mac and your Keychain on macOS Sierra without complex configurations or software.

Up until the release of Mac OS X Lion (10.7) in July 2011, Apple included native support for login using smart cards. Since that feature was removed, users have found it more challenging to make smart cards work with Mac OS X. The release of macOS Sierra 10.12 marks a new beginning for smart card users, as Apple has taken a step towards support for PIV compatible smart cards without requiring any vendor software or drivers to be installed.

At Yubico we want to make it easy for our customers to use best-of-breed security solutions like smart cards, so we added PIV smart card support to the YubiKey starting with the YubiKey NEO in Fall 2013. Today, PIV smart card support also is available on the YubiKey 4. We’ve also enhanced the YubiKey PIV Manager app running on Sierra with a simple self-provisioning wizard that allows non-enterprise users to easily create macOS-compatible PIV credentials on any PIV-enabled YubiKey.

Enterprises already know that PIV-enabled YubiKeys work great with Microsoft Windows environments, and now they can use the same YubiKey to login to Windows and macOS.

With Apple, smart cards are making a comeback, and we are making sure they do it with YubiKey style. To celebrate this significant milestone, Yubico is offering a limited-edition white YubiKey available only in the Yubico Store.

If you have a Mac that only supports USB-C, you can use a USB-C adapter to join in Apple’s smart card revival.

Watch our video that introduces YubiKey to macOS Sierra.


Yubico awarded NSTIC grant
Stina Ehrensvard

Yubico awarded NSTIC grant

Yubico was awarded a $2.27 million grant today to develop and deploy a pilot program enabling US citizens to securely access state and local government services. The grant comes through the US Department of Commerce’s National Institute of Standards and Technology (NIST) as part of the White House initiative National Strategy for Trusted Identities in Cyberspace (NSTIC), and is one of six pilots that were awarded today.

The pilot program will focus on providing secure online identities for citizens in Wisconsin and Colorado. In both states, we will deploy FIDO Alliance Universal 2nd Second Factor (U2F)-based YubiKeys and use the OpenID Connect protocol to develop an “identity toolkit” – with the goal of making the solution simple to deploy and use.

FIDO U2F is an open authentication standard, enabling public key cryptography to secure transactions and prevent phishing attacks that hackers use to steal a user’s credentials. OpenID Connect, also an open standard, allows all types of clients, including browser-based and native mobile apps, to support sign-in flows and receive verifiable claims about the identity of signed-in users.

The NSTIC National Program Office, which is run by the US National Institute of Standards and Technology (NIST), has been awarding cooperative agreements as part of their pilot program since 2012. The program office works to improve online identity for individuals and organizations. Their vision is to enable individuals and organizations to utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

John Fontana

Over A Dozen Services Supporting FIDO U2F

Updated Oct. 10, 2016 to include U2F support added to Opera browser, Salesforce

Standards creation is hard work that only sweetens when the market starts to arrive and validate the effort with real world deployments.

On June 22, Bitbucket, GitLab, and Sentry all released support for FIDO U2F strong authentication in their cloud-based products. None of these companies are members of the FIDO Alliance or had an investment in developing U2F. Their sole motivation was finding and adopting the best authentication technology to help users protect their accounts. U2F’s public key crypto topped the list.

A month earlier, Compose, an IBM company offering hosted databases, also added U2F to its security feature list. This week, FastMail ushered its users into the U2F strong authentication revolution.

Again, neither had an investment in FIDO’s creation, but both recognize what’s become obvious to Dropbox, GitHub, Dashlane, Salesforce.com (adopted Oct. 2016), and Digidentity/UK Government (the UK recently joined FIDO, but the others are not members). U2F provides an environment for strong authentication that thwarts man-in-the-middle-attacks, can’t be phished, and is easy-to-use.

Yubico is delighted, of course, that all these organizations are using U2F-compliant YubiKeys. There is also free and open source server code that Yubico and Google make available on GitHub (Google reference code, Yubico Server Libraries). But more important, these companies are validating FIDO Alliance protocols and the value of open, strong second-factor authentication.

These companies are not the only ones joining the U2F ecosystem. In fact, we first outlined an initial surge in U2F adoption 18 months ago.

Today, the market has taken on a new vibrancy as companies recognize that strong authentication provides security that counters the fallout from the unprecedented swell of password breaches. U2F authentication is a key security component for consumer-facing Web applications and existing identity and access management environments within enterprises. These traits are coupled with adopters who find implementation requires less than a day’s worth of work.

Here is a list of the key platforms for U2F:

Browser support:
Google’s Chrome browser has long been the lone platform for U2F, but that has changed. The Opera browser (version 40) began supporting U2F in late September 2016. In addition, Mozilla hopes to wrap up in late 2016 U2F support in the Firefox browser with features on parity with Google’s U2F implementation. In fact, the two have been consulting on this work with each other and the Yubico engineering team. In addition, Mozilla plans to eventually support the WebAuthn APIs being developed by the World Wide Web Consortium (W3C) for secure browser log in. Those APIs also factor into a more complete FIDO strong authentication ecosystem. Microsoft’s Edge browser also will support those APIs when they are finalized (projected early 2017). Edge plays a pivotal role in the company’s Windows 10 Hello authentication system, which accepts a number of strong authentication types including U2F authenticators.

Cloud services:
Google added U2F support in the fall of 2014, and was followed by Dropbox, PushCoin, and GitHub in 2015. Dashlane, Bitbucket, GitLab, Salesforce, Sentry, Compose, and FastMail added support in 2016. For a detailed list, check the Yubico U2F page.

IAM software and services:
In 2015, StrongAuth, Gluu, and RCDevs added U2F support in their platforms. Digidentity added U2F in 2016 as part of its partnership with GOV.UK Verify.

What’s next
FIDO is far from finished innovating. The Alliance donated a set of FIDO Web APIs to the W3C in late 2015 for formal standardization, which should be completed early next year. The APIs, coupled with forthcoming FIDO 2.0 features, improve Web-based security, add native platform support (Windows, Android, etc.), and include capabilities such as device-to-device authentication that uses FIDO’s public key cryptography. There are a host of new efforts developing in 2016, including FIDO coupled with identity federation to secure native applications on desktops and devices.

July 2016 Newsletter
Stina Ehrensvard

The Future of Secure Online Identities

Since I started my journey as a hardware authentication innovator, I have heard people say that the future of authentication is software. Or TPMs. Or biometrics. Or invisible data intelligence that will silently protect us all. Today, it is fair to say that all these predictions were right – when they are combined into a comprehensive strategy.

But in order for secure online identities to scale to all services and users, open standards “plumbing“ is necessary. And it includes open authentication and identity standards that are natively supported in leading platforms and browsers, enabling strong crypto between a range of authenticators and the services they protect.

In 2013, when Wired published the first article on U2F, Yubico received many valid questions on this new authentication protocol. We shared our response in a Future of Authentication FAQ blog. The content is still valid, so if you did not read it then, we welcome you to do so now.

A couple of months ago, Yubico was invited to a panel discussion at the European Identity & Cloud Conference with the topic, “The Future of Authentication – Killing the Password.” Identity experts from Microsoft, Salesforce.com and NRI all agreed that the “plumbing” must be open standards, and that there is no silver bullet for the multi-factor options we add as an extra layer of user verification. The YubiKey did, however, get high marks – Salesforce mentioned that it took only two days to deploy YubiKeys for 17,000 employees, and Microsoft disclosed that Windows Hello will eventually accept external hardware authenticators. Until biometrics have proven to be more robust, passwords are actually not that bad. Or to quote the warning message that the latest Nexus phone presents when setting up a biometric login: “Using your fingerprint to unlock your device may be less secure than a strong password, PIN, or pattern.” (Watch the EIC panel presentation.)

Those same identity experts agreed on one more important trend: authentication and identity will be separated. FIDO U2F is one of the open standards protocols that makes that separation possible. It lets you have assorted identities, including a real identity tied to your driver’s license, a temporary identity for your work, and an identity that allows you to be “secure, yet anonymous”. This can be life critical for dissidents and journalists, and will help safeguard internet privacy for the rest of us.

P.S. The picture above is an example of the latter. I once showed up at the office disguised as the famous fictional hacker Lisbeth Salander, and no one recognized me.

NASA image acquired April 18 - October 23, 2012

This new image of the Earth at night is a composite assembled from data acquired by the Suomi National Polar-orbiting Partnership (Suomi NPP) satellite over nine days in April 2012 and thirteen days in October 2012. It took 312 orbits and 2.5 terabytes of data to get a clear shot of every parcel of Earth’s land surface and islands.

The nighttime view of Earth in visible light was made possible by the “day-night band” of the Visible Infrared Imaging Radiometer Suite. VIIRS detects light in a range of wavelengths from green to near-infrared and uses filtering techniques to observe dim signals such as gas flares, auroras, wildfires, city lights, and reflected moonlight. In this case, auroras, fires, and other stray light have been removed to emphasize the city lights.

Named for satellite meteorology pioneer Verner Suomi, NPP flies over any given point on Earth’s surface twice each day at roughly 1:30 a.m. and 1:30 p.m. The spacecraft flies 824 kilometers (512 miles) above the surface in a polar orbit, circling the planet about 14 times a day. Suomi NPP sends its data once per orbit to a ground station in Svalbard, Norway, and continuously to local direct broadcast users distributed around the world. The mission is managed by NASA with operational support from NOAA and its Joint Polar Satellite System, which manages the satellite
Yubico Team

U2F, OIDC Team Up For Strong Authentication, Federation

The New York Times sits elegantly secured behind authentication technology that combines a U2F-enabled YubiKey and standardized identity federation built on OpenID Connect (OIDC).

It’s a colorful twist for a newspaper first published in 1851 and famously known as The Gray Lady. But linked with Google and Yubico, the trio is part of an identity federation that relies on strong authentication to protect access to the online version of the newspaper.

Identity federation is the process of logging in to a single identity provider (in this case, Google) and then navigating to other sites (for example, The New York Times) without having to log in again. The YubiKey and FIDO U2F secure the identity provider login using public key cryptography, while OIDC takes care of the trusted and federated relationship between Google and The New York Times.

OIDC is an identity federation standard that we profiled along with FIDO U2F last year to show how the pair solves a wider range of authentication challenges than either technology could on its own. Yubico is also a member of the OpenID Foundation, which is the creator of OIDC, and is actively exploring how U2F plays with other standardized identity technology.

Watch this video to see federated identity with a YubiKey in action. It’s impossible to see identity federation working under the covers in this scenario, but the simplicity and security should be clearly evident. And really, that’s the desired user experience.

How to: Login with FIDO U2F and OpenID Connect from Yubico on Vimeo.

Josh Kellerman

YubiKey And The Route To USB-C

The USB-C standard has caused a lot of chatter among Apple users, some concerning the elegance of fewer wires but mostly from those that miss absent ports, such as HDMI and USB 3.0, on newer MacBooks.

Yubico has received requests to join the USB-C evolution and release a USB-C compatible YubiKey. We have built a prototype with a nifty design, but until we see strong market demand it is not ready for the mass market.

YubiKey, USB-C Adapter bundle now featured in the Yubico Store

In the meantime, however, we have tested a number of USB-C adapters, available off-the-shelf or via Amazon, that allow the YubiKey to work with the MacBook and other devices, tablets and phones with a USB-C port (see picture above).

Either YubiKey form-factor will work, but the most elegant configuration is to insert the YubiKey 4 Nano into the adapter and attach the YubiKey to a lanyard hanging from a keychain.usb c dongle keychain Check to see that the YubiKey is snug within the USB-C adapter. To avoid unintentional activation of the YubiKey, we recommend a thin, non-metal lanyard cord. Without a lanyard, tweezers or a small tool may be needed to remove the YubiKey. The functionality of the YubiKey is in no way altered by using it with a USB-C adapter.

The USB-C standard is a multi-function evolution that combines both connectivity and power. For a wireless world, a single MacBook USB-C port bumps all other accessories to a wireless connection in the absence of an adapter.

When, or if, Apple opens its Near Field Communication (NFC) environment to developers, we think NFC will be the prevailing contactless connection point for the YubiKey, outdistancing Bluetooth in most use cases on all platforms.

Until then, we’re experimenting with how we might align the YubiKey design with the changing tides in USB evolution.

Stina Ehrensvard

Google Extends Multi-Factor Options With Prompt

Google yesterday released a third option for its two-step verification, complementing the Google Authenticator phone app and FIDO U2F Security Keys.

Google Prompt is a push app for mobile authentication, similar to two-factor push solutions offered by others like Duo Security. There is no authentication solution that fits everyone’s needs, and Prompt has both advantages and challenges.


  • Free software to download/update on a smartphone, no additional device needed
  • Allows moving from two-factor to a true multi-factor offering
  • Much easier than typing a code or PIN from Google Authenticator


  • Requires a data connection
  • Does not protect against phishing and man-in-the-middle attacks
  • Does not work with non-Google services
  • Some organizations do not allow users to bring their phone to work
  • Support and backup issues when the user’s phone (a single, expensive authenticator) is lost, broken, or has a dead battery

Currently, users can’t have Security Keys and Google Prompt enabled at the same time. We expect this will change soon, as Prompt is a better phone-based complement to the Security Key than Google Authenticator.

Google has spent the past five years building its strong authentication strategy with Prompt the latest piece of that plan, which also includes multiple protocols, cross-platform support and administrative tools. Prompt is an attempt to match capabilities already available in the identity and access management market such as Okta Verify, Centrify Push, and PingID Swipe.

Google’s ultimate goal is to build an identity-as-a-service (IDaaS) for enterprises, including a host of federation options (SAML, OIDC), and management tools such as mobile device management and provisioning, which is currently being tested by Salesforce, Slack, and Facebook at Work. Google discussed this IDaaS plan in early June at the Cloud Identity Summit with focus on Google IDP, Firebase Auth, and customer facing login.

Management of the identity and authentication ecosystem is an absolute requirement for the enterprise and we applaud Google’s efforts here. Strong authentication isn’t one method used everywhere — it’s a combination of options matched to use cases.  Currently, FIDO U2F Security Keys, including YubiKeys, are proven to offer higher security, a faster login experience, and fewer support calls than any other authentication technology on the market.

YubiKey users can have one single and simple key to access a wide range of IT applications, including computers, servers, networks, leading online services and IAM platforms, as well as to sign and encrypt data.

Updated July 24, 2016 to clarify phishing, man-in-the-middle challenge

Jakob Ehrensvärd

YubiKey, U2F Tracking Bluetooth Maturity

At Yubico, we have been experimenting and innovating for a long time with additional YubiKey interface options, like Bluetooth Classic and Bluetooth Smart. Once the Bluetooth work stream was formed within FIDO U2F, we were active in completing the specification. We have passed the FIDO U2F BLE interoperability tests, and are happy to report that this week FIDO awarded us our BLE certification.

However, Bluetooth comprises several practical challenges that make it tough to incorporate the product design, security lineage and user experience one would expect from a YubiKey. We have tested a few different designs with user groups and are now proud to deploy the latest version of YubiKey BLE into initial pilot projects.

Although we’re both proud and excited about this new wireless solution, we do want to share some of the practicalities we will continue to improve on, both for our own product and within the scope of the FIDO Alliance.

  • Bluetooth pairing is the most critical function from a user experience point of view. Although it is perfectly understandable from an engineering perspective, the pairing can be highly confusing for the user. Whereas USB and NFC devices are “connect by intent” by their very nature, Bluetooth devices can have up to 30 meters of range. Since this is a security product, as a user you want to be certain you are communicating with the correct endpoint.
  • Device and operating system compatibility issues. Bluetooth has evolved over a long period of time, and early versions of iOS and many Android flavors today still have aging BLE implementations with user interface issues. While support in audio and peripherals is common, mobile devices and operating systems embedding Bluetooth have been slow to support security centric protocols and devices. U2F Bluetooth devices rely on the most recent version of the standard, known as Bluetooth Low Energy, a.k.a. BLE, but there are still major platforms that have either inadequate or limited support. Over time this issue goes away, but today it is at the heart of some design and implementation challenges.
  • Battery life. Bluetooth devices require batteries; YubiKeys do not, which is a signature trait of our products and allows for a practically unlimited lifetime and shelf life. The Bluetooth battery requirement provides a number of design challenges around usability and regulatory issues, such as product safety, environmental concerns, disposal, and logistics.
  • Radio regulatory issues. Although Bluetooth works in an open radio spectrum, devices that emit radio frequency do have to pass certain certifications. This is a complex procedure and is unfortunately tied to geographic regions.

In summary, we are selectively releasing the YubiKey BLE into specific pilots. As platform support matures during the second half of 2017, we will increase the pace of our Bluetooth certifications. Stay tuned and once the entire ecosystem is ready for prime-time, we are too.

Klas Lindfors

YubiKey 4 has fresh look, attestation capabilities

The smallest YubiKey 4 is getting a facelift, and both form factors have new trust capabilities that validate device type, manufacturer, and generated key material.

The new YubiKey 4 Nano takes on a “molded” form factor (see above), which makes it impossible to insert the Nano in backwards, and provides a waterproof environment.

The YubiKey 4 and YubiKey 4 Nano firmware have been upgraded to add a “touch-policy cache,” which simplifies and strengthens smart card use in a Microsoft Windows login by adding the touch-policy cache option to augment or replace a PIN.

But perhaps most important, both YubiKey form factors have gained a new Personal Identity Verification (PIV) attestation capability that validates where the cryptographic keys were created and the attestation entity used to attest the key.

For example, when coupled with the PIV protocol, attestation shows where the PIV credential is generated and who attested the credential. With Secure Shell (SSH) login using a key pair generated by a YubiKey 4, attestation is used to sign and validate that a key pair was generated on hardware and that the key was manufactured by Yubico.

These validations are important to establish trust and to bind a user account to a credential on the hardware, and to do so with an easy-to-use device. The need for such operations are gaining popularity in the security community and ecosystem.

The need for higher levels of trust for specific operations means some companies and organizations can’t rely on just a software layer, but instead need a cryptographic device such as a hardware key.

On the YubiKey 4, attestation works via a special key slot called “f9” that comes pre-loaded with the attestation certificate signed by a Yubico CA. The slot can be overwritten by individual users, specifically provisioned for a customer rollout, or granularly provisioned per device.

Keys generated in a normal slot on the YubiKey are then “attested” by the key and certificate in the f9 slot. Attestation features are detailed in our Introduction to PIV Attestation. The YubiKey PIV Tool Command Line Guide explains how the tool interacts with the PIV application on a YubiKey. Similar attestation capabilities are found in Yubico’s implementation of the FIDO Universal 2nd Factor (U2F) protocol.

YubiKey 4 and YubiKey 4 Nano with the new YubiKey 4.3.1 firmware is available now from Amazon and the Yubico Store. Use the YubiKey Personalization Tool to identify the firmware version of your YubiKey.

Klas Lindfors is a Senior Software Developer at Yubico.

Ronnie Manning

Yubico CEO awarded KTH Great Prize

Yubico is proud to announce that our CEO and Founder, Stina Ehrensvärd, has been named the winner of the 2016 KTH Royal Institute of Technology Great Prize.  Founded in 1827, KTH is Sweden’s first polytechnic university and is one of Scandinavia’s largest institutions of higher education in technology.


Yubico CEO and Founder, Stina Ehrensvärd, awarded 2016 KTH Great Prize

First awarded in 1945, the annual KTH Great Prize was founded and funded from the proceeds of a 1944 anonymous donation.

According to the sponsor of the award, the prize shall be presented to, “A person who, through epoch-making discoveries and the creation of new values and by ingenious applications of findings gained on the practical aspects of life, promotes Sweden’s continued material progress, or a person who by means of scientific research has discovered particularly valuable principles or methods which are useful for applications, which promote the above purpose, or a person who through artistic activities ‘exerts a powerful influence particularly on the spiritual life of her own people.”

“Stina Ehrensvärd is a very worthy recipient of the KTH Great Prize,” said Peter Gudmundson, President of KTH “A combination of innovation and entrepreneurship is key to meeting society’s challenges, for both Stina and for KTH. IT security is absolutely critical in our digitized world, and this is why Stina’s effort is significant.”

Stina is extremely honored and happily surprised by this honor, but stresses that credit for Yubico’s success is not hers alone. “It would not have been possible without my great team at Yubico. And a special thanks to Jakob Ehrensvärd, the company’s CTO, and my husband, whom I would have liked to share this prize with. It has been said that behind every successful man stands a strong woman. In our case it is the opposite, and it’s Jakob who developed most of the technology.”

When asked to give advice to the next generation of innovators, Stina said, “Inspiration and hard work are the secret. Find a solution to a real problem. If it makes you so happy that the idea of devoting several years to implement this solution, product or service makes it hard for you to sit still, then you’re probably on the right track. Surround yourself with a really good team that complements you. Think big. Listen to your gut.”

Stina says that joining a list of KTH Grand Prize honorees is exciting and a little unreal.  Previous winners include: Niklas Zennström, Co-founder of Skype; Daniel Ek, founder of Spotify; Robyn, pop singer and producer; Jan Uddenfeldt, contributor to the GSM standard; Gunilla Pontén, fashion designer; and Assar Gabrielsson, Co-founder of Volvo.

Click to view the full list of KTH Great Prize winners.

Jerrod Chong

Yubico Expands FIPS Security Certification

For the past two years, Yubico has executed on an aggressive strategy to validate its cryptographic devices against established federal standards.

The first YubiKey device was validated in 2014 (NIST cert #2267) and, last week, the YubiKey 4 began the National Institute of Standards and Technology (NIST) validation process for compliance with the Federal Information Processing Standard (FIPS) Publication 140-2.

Our objective is to achieve FIPS 140-2 at Level 2 overall and Level 3 physical security in order to meet the highest level of assurance at Level 4 for the electronic authentication guidelines outlined in NIST special publication 800-63-2.

Cryptography and encryption are important constructs for the security technology industry and its customers. FIPS 140-2 standards set requirements for handling sensitive but unclassified information and are mandated by law. FIPS 140-2 validation is required for US and Canadian government acquisition of products using cryptography, but many governments and commercial entities throughout the world also use this as a basis for selecting vendors and products.

Yubico’s customers requesting this certification include federal governments, state and local governments, healthcare, financial services, and federal contractors who routinely process, store, and transmit sensitive federal information using their own information systems. The protection of sensitive federal information while residing in non-federal information systems and organizations is of paramount importance to federal agencies because it can directly impact their ability to successfully carry out their missions and business operations.

Agencies, organizations, and the general public can review our progress through NIST’s Cryptographic Module Validation Program.

The YubiKey 4 validation is Yubico’s investment in the future of our cryptographic platform so enterprises and organizations can trust our devices and hardware to comply with federal regulations that meet their needs. Given that the YubiKey 4 was launched less than six months ago, we have been very aggressive with getting this device through certification. Our goal is to ensure that any company working with, or within, regulated industries will have full confidence that Yubico’s cryptographic tools meet the security industry’s highest standards.

YubiNews April 2016
Ronnie Manning

Webinar showcases Centrify’s ID platform, YubiKey support

Yubico’s partner Centrify has built one of the best showcases for the YubiKey’s multi-protocol versatility.

With support for Personal Identity Verification (PIV)-based capabilities, one-time passwords (OTP), and mobile authentication, Centrify is the first identity and access management (IAM) platform to support such a deep lineup of protocols using a YubiKey.

Centrify will detail and demo the multi-factor authentication options for its Identity Platform as part of a joint webinar hosted by Yubico. (Listen to replay of May 24, 2016 webinar).

These authentication options are attractive to users and businesses because they’re contained in a single YubiKey that addresses multiple use cases, simplifies user training, and improves security. Centrify’s Identity Platform is the foundation for assigning multi-factor authentication policies across enterprise applications and resources. The platform also adds management features, including enrollment, per-app policies and enforcement, and context-based multi-factor authentication across users, apps and servers.

The YubiKey supports a number of scenarios:

• Smart card Active Directory-based login to Mac OS X or Linux.
• Smart card login to Centrify’s cloud service for Single Sign-On (SSO), secure remote access, or administration.
• OATH-HOTP as a second factor for secure SSO to cloud apps.
• OATH-HOTP for multi-factor authentication (MFA) to privilege elevation on servers.
• Physical NFC token-based MFA for secure access to apps on mobile devices.

To learn more about these scenarios and to see them in action, join us for our joint webinar. Registration is free.

Jakob Ehrensvärd

Secure Hardware vs. Open Source

Recently there have been discussions regarding Yubico’s OpenPGP implementation on the YubiKey 4. While open source and security remains central to our mission, we think some clarifications and context around current OpenPGP support would be beneficial to explain what we are doing, why, and how it reflects our commitment to improved security and open source.

To start off, let me say that Yubico is a strong supporter of free and open source software (FOSS). We use it daily in the development of new products, and a large portion of our software projects are released as open source software — we have close to 100 projects available on GitHub. This includes libraries for interfacing or integrating with our devices, tools used for programming and customization, server software which supports our products, specifications for custom protocols, and many more. We believe strongly that this benefits the community, as well as Yubico.

Some basic facts:

  • The YubiKey hardware with its integral firmware has never been open sourced, whereas almost all of the supporting applications are open source.
  • The YubiKey NEO is a two-chip design. There is one “non-secure” USB interface controller and one secure crypto processor, which runs Java Card (JCOP 2.4.2 R1). There is a clear security boundary between these two chips. This platform is limited to RSA with key lengths up to 2048 bits and ECC up to 320 bits.
  • The YubiKey 4 is a single-chip design without a Java Card/Global Platform environment, featuring RSA with key lengths up to 4096 bits and ECC up to 521 bits.  Yubico has developed the firmware from the ground up. These devices are loaded by Yubico and cannot be updated.
  • The OpenPGP applet for the YubiKey NEO was (and still is) published as open source.
  • When the  YubiKey NEO was released back in 2012, we had open (= known) card manager (CM) keys, allowing for applet management.
  • Since late 2013, we ship all NEOs with randomized card manager keys, which prevents applet management. So although the OpenPGP applet is available, users can’t load it on a NEO.
  • We do have a NEO developer program, where we allow custom applet development and key distribution.

There are quite a few reasons we’ve done it this way, but none of them represent a change in our commitment to a free, open internet. Here’s our thinking:

First, and most important in our decision-making, has been to move away from what we call “non-secure hardware” and into secure elements that are specifically designed for security applications and have passed at least Common Criteria EAL5+ certification.

The reason is simple — we have to provide security hardware that not only implements a cryptographic protocol correctly, but also physically protects key material and protects the cryptographic operations from leakage or modification. Over the past couple of years, many publications have provided evidence of various forms of intrusive and non-intrusive attacks against hardware devices (including the YubiKey 2). Much can be said (and has indeed been said) about this subject, but there is no question that this is a serious matter. Attacks varying from “chip-cloning” and “decapsulation and probing” to fault injection and passive side-channel analysis have shown that a large number of devices are vulnerable.

It’s important to understand what we mean by “secure hardware.” Secure hardware features a secure chip, which has built-in countermeasures to mitigate a long list of attacks. Standard microcontrollers lacks these features. Built-in countermeasures make intrusive- and non-intrusive attacks an order of magnitude more complicated to perform. Secure hardware relies on secure firmware, where additional firmware countermeasures are implemented to further strengthen the device against attacks.

Given these developments, we, as a product company, have taken a clear stand against implementations based on off-the-shelf components and further believe that something like a commercial-grade AVR or ARM controller is unfit to be used in a security product. In most cases, these controllers are easy to attack, from breaking in via a debug/JTAG/TAP port to probing memory contents. Various forms of fault injection and side-channel analysis are possible, sometimes allowing for a complete key recovery in a shockingly short period of time. In this specific context (fault injection and side-channel analysis), an open source strategy would provide little or no remedy to a serious and growing industry problem. One could say it actually works the other way. In fact, the attacker’s job becomes much easier as the code to attack is fully known and the attacker owns the hardware freely. Without any built-in security countermeasures, the attacker can fully profile the behavior in a way that is impossible with a secure chip.

So — why not combine the best of two worlds then, i.e. using secure hardware in an open source design? There are a few problems with that:

  • There is an inverse relationship between making a chip open and achieving security certifications, such as Common Criteria. In order to achieve these higher levels of certifications, certain requirements are put on the final products and their use and available modes.
  • There are, in practice, only two major players providing secure silicon and none of their products/platforms are available on the open market for developers except in very large volumes.
  • Even for large volume orders, there is a highly bureaucratic process to even get started with these suppliers: procedures, non-disclosure agreements, secure access to datasheets, export control, licensing terms, IP, etc.
  • Since there is no debug port, embedded development becomes a matter of having an expensive emulator and special developer licenses, again available only under NDA.
  • Although this does not prevent the source code from being published, without the datasheets, security guidelines, and a platform for performing tests, the outcome is questionable, with little practical value.

Secure elements are still a small market compared with generic bread-and-butter microcontrollers. Given the high costs to achieve and maintain certification and the procedural hassle, it is quite easy to understand the current state of affairs.

Let’s for a moment return to the question of the YubiKey NEO and why we decided to remove the ability to manage the applets. As we began to produce the NEO in larger volumes, we had to make some tough choices:

  • With open card manager keys, the devices are open to potential denial-of-service attacks as well as someone replacing a known applet with a bogus one. What if a bad guy took your new NEO and overwrote the OpenPGP applet with an evil one, thereby providing a key back door? If you’re hardcore about security, you’d immediately set your own CM keys, locking out that possibility, but then how would we control who is capable of this and who we actually expose to a potential threat?
  • Devices with known keys become vulnerable to modifications when in transit.
  • We tried a scheme of randomizing keys and making them available for developers under certain conditions. The practical problems of authenticating users and securely distributing keys plus the paperwork needed made it impossible.
  • Given that the NXP toolchain and extended libraries for JCOP are not free and available, applet development becomes more a theoretical possibility than a practical one.

Although we had initially hoped to take a different approach to applet management, I believe we made the right decisions given our choices. We do provide a developer program, giving access to the full toolchain as well as open CM keys. We don’t charge for it, but given the paperwork required, we need to have a compelling business case in order to justify the effort.

I’d like to bring up another aspect when it comes to providing integrated products. With the YubiKey, we see the firmware being integral with the hardware and we take responsibility for the aggregated functionality. We have made a conscious decision not to provide any means for upgrading the firmware out in the field, in order to eliminate the chance a device could be modified by an attacker.

That means that any device with a security issue is a lost device: if there are any problems, issues come up with returns, support for users moving their keys, destruction of the keys, etc. In a “software-only” open source project, handling a serious issue like that could be as simple as issuing a security bulletin and pushing a fix.

Enterprise customers deploying at million-unit scale have engaged independent third parties to review our firmware source code and algorithm implementations, and we would consider this with others of a similar or larger scale (given the extensive load on our engineering team to support such analysis). Such analysis is restricted to the contracting parties.

The chain of trust for any security product is pivotal to understanding how to implement a secure scheme for the entire lifecycle from production to deployment. Again, using commercial, off-the-shelf components with open designs creates some very hard nuts to crack. What prevents your hardware or chip from being compromised in the first place? What if the bootloader has been compromised, maybe in transit? Moving towards a fully-integrated design, like the YubiKey 4, actually solves a very practical problem. The security boundary includes the initial loader, which is protected by keys.

Consider the following questions and statements:

  • What is the attack scenario you’re most worried about — a backdoor or bug, accessible via the standard interface over the network, someone owning your computer while extracting sensitive information from your security token, or that someone in possession of your key could retrieve such information?
  • If you have to pick only one, is it more important to have the source code available for review or to have a product that includes serious countermeasures for attacks against the integrity of your keys?
  • Although you may feel good about having reviewed the source and loaded the firmware yourself, do you trust and feel comfortable that the very same interface you used for that loading procedure is not a backdoor for extracting the key? Is the bootloader there trustworthy? The memory fuse? The JTAG lock-out feature? Are these properly documented and scrutinized?
  • One has to recognize the hard problem of trust. Considering a utopian scenario with an open-and-fully-transparent-and-proven-secure-ip-less chip, given the complexity and astronomical costs of chip development, who would make it? And if it was available, how would they then provide the proof, making it more trustworthy than anything else already available?
  • Is it more rational to put a large amount of trust in a large monolith like a Java Card OS, while at the same time being highly suspicious of a considerably smaller piece of custom code? This assumes that both have been subject to third-party review in a similar fashion.

In conclusion, we want our customers and community to know that we have made conscious choices to some quite complex questions and that, in the end, we have landed with some sensible compromises. We are no less committed to security. We are no less committed to open source and to the open source community. We are always open to suggestions and could very well make changes if more sensible solutions arise. After all, the trust of our users is the most important asset we have.

If you have comments please visit our YubiKey 4 forum. If you don’t have access to the forum, send us a comment at comments@yubico.com.

– Jakob Ehrensvard is CTO at Yubico

Ronnie Manning

U2F Best Innovation in eGovernment Awarded at EIC 2016

Last night at the European Identity & Cloud Conference 2016 (EIC) Awards Ceremony, Yubico and Digidentity’s submission for “Best Innovation in eGovernment/eCitizen” was awarded to the GOV.UK Verify project! The award was accepted by Adam Cooper, Identity Assurance Programme, Government Digital Service for GOV.UK Verify.


Pictured: Jennifer Haas (KuppingerCole), Adam Cooper (GDS) and Mike Small (KuppingerCole)

Beginning in April 2016, GOV.UK Verify began offering beta support for the YubiKey and the FIDO Universal 2nd Factor (U2F) protocol, through Yubico partner Digidentity, one of the original identity providers (IdP) for GOV.UK Verify. Set to launch this month, this is the first government service in the world to make support for a FIDO authenticator based on open standards.

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F certified YubiKey into the computer’s USB port, and then touches the device. There are no drivers or client software to install. Furthermore, the same U2F YubiKey that works with GOV.UK Verify and Digidentity also works for logging into a growing number of large scale commercial services, including Google, Dropbox, and Dashlane, without any personal data or encryption secrets shared between service providers.

Yubico’s partnership and interoperability with identity provider Digidentity and support for GOV.UK Verify is another example of how Yubico helps secure online identities, and how Yubico innovates to make those identities easier to use and available to everyone.

We thank EIC and conference host KuppingerCole for this recognition and look forward to next year’s conference!

John Fontana

U2F, OpenID Connect Align For Mobile Authentication

A year ago, Yubico described a cord-cutting mobile world where hard-wired ports were not needed to accommodate the security benefits of strong authentication.

Since then, growth in the mobile device market has continued its explosion, including 1.4 billion smartphones shipped worldwide in 2015, according to IDC.

Couple this development with standards work by the FIDO Alliance, Yubico, Google, and the OpenID Foundation and cord-cutters can start to see mobile security options — such as a single sign-on (SSO) experience and strong authentication to secure native apps — on mobile devices.

OpenID Connect and FIDO Universal 2nd Factor (U2F) are capable authentication technologies on their own, but when paired can solve more authentication challenges than either could on their own. For example, Google recently contributed a code project called AppAuth for both Android and iOS to the OpenID Foundation’s Connect Working Group. The code is used to maintain a state on the browser that provides an SSO-like experience to users of native mobile apps. Google’s AppAuth implementation for Android supports strong authentication to an identity provider using the YubiKey NEO, its Near Field Communication (NFC) function, and its U2F support.

A discussion of AppAuth’s capabilities and a demo of its incorporation of YubiKey NEO with NFC can be seen in this video from the March 2016 OpenID Foundation Summit. (Advance to 2:47:29 in the video.)

“[AppAuth] is important as it is the first real chance we have had for a standard to do SSO across native apps, and also make it easier for IdPs to support multi-factor authentication like FIDO without the ISV needing to support app wrapping or producing many customised versions for each deployment,” said John Bradley, an identity expert and officer of the OpenID Foundation.

Yubico’s support for NFC in the YubiKey NEO allows a tap of the key against a smartphone to release a one-time password (OTP) or FIDO U2F-based public key cryptography. Today, you can use YubiKey’s NFC feature with password manager LastPass (OTP) and development platform GitHub (U2F).

In parallel, Yubico engineers and other members of the FIDO Alliance are finalizing specifications and certification testing tools for U2F over Bluetooth transport. Challenges in pairing and security with Bluetooth has delayed progress, but we expect certification testing before June and to see certified U2F-over-Bluetooth authenticators later this year.

While the majority of enterprises will continue to access sensitive applications and resources from hard-wired laptops and desktops, secured mobile computing is the new carrot.

Mobile devices have become a de-facto connecting point, having moved from a demand to an expectation, and they are opening an array of new use cases and security questions. We are committing resources to stay in front of these user cases and minimize security issues.

These efforts are helping drive independent groups working on identity, authentication, and authorization standards to seek richer capabilities by combining their work such as the OpenID Foundation (OpenID Connect), the IETF (OAuth 2.0), and the FIDO Alliance. YubiKey is no stranger to this trend toward open protocols and open standards, given our ongoing commitments in this area.

All this is happening as mobile, protocols, and strong authentication are seeking the benefits of standards work. This convergence will produce the technologies that keep mobile users and their applications safe on their devices.


Open Internet blog post
Stina Ehrensvard

An Open Internet Is The Only Way

Many years ago, when I first logged on to the internet, I was struck by something that may be described as a spiritual experience. Here was this place, where we were all connected, containing endless information for all of us to tap into.

Later, I realized that we cannot take this great human experience for granted. As security hacks have increased, some governments and commercial forces have used the security threat as an opportunity to demand control of user data, bandwidth, and privacy, justifying the actions as a way for the “good guys to control the bad.”

But who can determine who is good or bad in the long term? The answer is that nobody can. And therefore, any control must be considered as bad. The internet needs to stay open. It is just how it has to be.

Yubico’s contributions to a future open internet are only smaller components in the bigger ecosystem. But they are not less important. With simple, open, and low-cost authentication and encryption technologies, we encourage individuals and organizations to own and control their own online credentials, including encryption secrets and the personal data tied to their online identity.

We are also honored to have many of the leading non-profit organizations dedicated to an open internet using our products, including Freedom of the Press, EFF, and The ISC Project, which we presented in a recent case study. As the Yubico team is also great supporters of their work, Yubico often donates or discounts YubiKeys to organizations in this field.

Our open internet is experiencing challenges, but there are solutions. We are not letting fraudsters, governments, or commercial interests limit the potential of what the internet is and what it can be!

YubiNews April 2016
Jerrod Chong

Yubico, Centrify Align On Authentication Versatility

Versatility is a theme that has emerged with the YubiKey, whether it’s support for Personal Identity Verification (PIV)-based capabilities, one-time passwords (OTP), or mobile authentication.

These authentication options are attractive to users and businesses because they’re contained in a single YubiKey that solves multiple use cases, simplifies user training, and improves security.

 Our partner Centrify offers the same sort of flexibility and is the first identity and access management (IAM) platform to support smart card PIV, OTPs, and mobile authentication using a YubiKey.

Centrify’s Identity Service offers administrators and users single sign-on (SSO), adaptive authentication, and strong multi-factor authentication options – the newest being support for YubiKey. Centrify adds management features on their end, including enrollment, per-app policies and enforcement, and context-based multi-factor authentication across users, apps and servers. The Identity Service bridges old, new, and cloud systems, along with multiple operating systems.

YubiKey’s support of PIV, a smart card that satisfies identification standards required for federal employees, means the card’s credentials can be loaded on the key, which streamlines them into a new smart card form factor and eliminates the need for cumbersome card readers.

YubiKey PIV-capabilities used for Active Directory-based logins to Mac OS X and Linux platforms also adhere to National Institute of Standards and Technology (NIST) requirements. And the smart card features support login to Centrify’s cloud service for SSO, secure remote access, or administration features.

With YubiKey’s support for Near Field Communication (NFC), a simple tap of the key against an NFC-enabled mobile device authenticates a user to apps and servers. OATH-HOTP support in the Centrify Identity Service lets organizations use a YubiKey configured with an OTP when a smart card-enabled environment is not available.

“Because it is so hard to secure the things that are outside your control like apps, users, and devices, let’s call for multi-factor authentication wherever you need it,” said Ben Rice, Centrify’s Vice President of Worldwide Business Development.

Next month, Yubico and Centrify will host a webinar that goes deeper into the capabilities and possibilities offered by the combination of their technologies. Registration is now open.

YubiNews April 2016
Ronnie Manning

YubiKey Gets SC Magazine Five-Star Recognition

“Weaknesses: None.”  When someone reviews your product, that’s a nice way for the write-up to start.

Earlier this month, SC Magazine gave YubiKey 4 a five-star rating and tagged it a Best Buy in authentication. We don’t spend a lot of time patting ourselves on the back, but this honor recognizes goals we have always strived to achieve: versatility, reliability, ruggedness, low-cost, open source compatibility, ease-of-use.

And for many, it might seem unfair when a reviewer runs over your tech product with their car, but during this review that actually happened in the course of evaluating the key’s durability.  And guess what, the YubiKey brushed off a bit of asphalt and kept on authenticating.

“Every organization considering two-factor authentication should have a very close look at YubiKey” Peter Stephenson wrote in his review. “The YubiKey 4 is slick and, while it has not changed materially over the years, it has added some new features and has become more reliable, if that was possible.”

Stephenson’s review lays out some of what we think are our best qualities. Those that show we have the ability to not only adapt to the security pressures exerted by modern authentication requirements, but to serve a wide-range of use cases and end-user technical abilities.

From static passwords, to OTPs to FIDO U2F support, the YubiKey includes a range of features that also extends to encryption and code-signing. During the coming year, we’ll be adding more new cool features, so stay tuned! Thank you SC Magazine for the recognition! And to the rest of you, check out the full review!

John Fontana

GitHub Verify Feature Strengthens YubiKey Value

Often times, it’s the little things in life that bring the most satisfaction.

For GitHub users, a shiny new “little thing” is available today. New “Verified” checkmarks in the Web interface document that commits are signed with GPG keys, which ensures the integrity of the code. No more downloading code from GitHub to verify commit signatures.

And, as always, those GPG signing operations can be done with a YubiKey 4 or YubiKey NEO in either of the two form factors.

Signing your work has not been a top feature of Git, even though it ensures data is coming from a trusted source.

With code, integrity is everything. And now GitHub is providing visual audit cues to ensure integrity with just a quick glance. Nothing else has changed in the way either GitHub or YubiKey function, but life just got a little easier. Or as our own devs say, “it’s a quality of life improvement.”

Back in October, GitHub added support for the FIDO Alliance’s Universal 2nd Factor, adding yet another option for strong authentication to their platform and bringing YubiKey owners into the fold. Today signals another platform improvement that is immediately available to YubiKey owners.

Need to figure out how to sign your work using Git and a YubiKey?

We have prepared a tutorial of sorts to walk you through the setup, signing, and verifying tags and commits (with a little merge and pushing thrown in).

Lately, we have been using the word versatility to define Yubico’s concept of modern security and strong authentication. And we’ve been proving it with YubiKey support among partners such as Dashlane, Centrify, Docker, Dropbox, Google, Okta, and, most recently, the UK government and Digidentity.

GitHub is another example, offering developers a set of authentication and content signing features. In conjunction, Yubico is offering GitHub users a 20% discount on the YubiKey.

There isn’t a silver bullet for security and strong authentication. Progress is measured in stages, and innovation adds up in tangible increments. Some gains are smaller than others, but to Yubico, they all help us build a stronger and more secure Internet.

John Fontana

UK First Government To Offer U2F-Secured Digital ID

The UK has spent the past five years on a digital transformation that is setting a world standard for how citizens securely interact with government online services.

The UK’s Government Digital Service (GDS), which came online in 2011, will add in a few weeks a new verification service called GOV.UK Verify to this impressive project.

Digidentity is one of the original identity providers (IdP) for GOV.UK Verify and will offer support for the YubiKey and the Universal 2nd Factor (U2F) protocol. UK citizens can now use a YubiKey as a second authentication factor to access their Digidentity accounts, while the country rolls out the first government service in the world to support U2F.

This is an important milestone for both citizens and governments looking to leverage identity data to secure services while safeguarding privacy. The combination of secure authentication and federation/single sign-on is required for digital services to scale.

GOV.UK Verify uses a host of identity providers who validate a citizen’s personal data, store that data, and verify the user is who they say they are when they attempt to access government digital services. The IdPs are part of an identity federation established as part of GDS.

The GOV.UK Verify program has been running in beta for the past 18 months. The program supports 13 services spread over five government departments, but it will have 50 services and 10 departments signed up when GOV.UK Verify goes live in early April. The service will support 90% of the UK’s adult population, according to the UK government.

“UK citizens can easily purchase a FIDO U2F device online and register it with Digidentity,” says Marcel Wendt, Digidentity CTO and co-founder. “With a quick online process, the user’s identity is verified and tied to the U2F device, and the data is encrypted to safeguard a user’s privacy.”

Today, verifying identity is mostly done via manual processes, such as asking people to send identity evidence via snail mail or show ID in-person at a counter service. Those are cumbersome and time-consuming tasks for people needing access to online services using their digital identity credentials.

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F YubiKey device into their computer’s USB port, and then touches the device. There are no drivers or client software to install. Later this year, U2F authentication via Near Field Communication (NFC) and Bluetooth will be supported by Digidentity for secure login from mobile devices.

Digidentity’s ground-breaking IdP service with strong authentication is another example of how Yubico helps secure online identities and innovates to make those identities easier to use and and available to everyone.

Ronnie Manning

Versatility, Partners Showcased At RSA


It’s a word that defines Yubico’s concept of modern security and strong authentication, which describes one YubiKey for many protocols and applications.

Single-purpose tokens have come and (nearly) gone, replaced by new solutions that support multiple enterprise and consumer devices and use cases, and strengthen access controls. Yubico is at the forefront of this evolution.

At this week’s RSA Conference, we are working with partners Dashlane and Centrify to showcase YubiKey‘s versatility (you can find us at Booth #N4909).

Dashlane is adding strong authentication to its password manager platform based on FIDO’s Universal 2nd Factor (U2F) standard. Dashlane is the first consumer product implementing the protocol in a non-browser environment. This deployment shows the versatility of U2F to adapt to different environments — web, enterprise, and mobile.

Today, U2F is one of the two most popular second-factor YubiKey choices, along with one-time passwords. But there is much more that the YubiKey can do in terms of authentication and security.

Centrify is taking advantage of YubiKey’s ability to support multiple authentication protocols on a single key, addressing enterprise identity management needs across cloud, mobile, and on-premises environments.

Centrify is the first identity management platform to support YubiKey smart card capabilities (PIV) in the cloud and Active Directory-based computer login to Windows, Mac OS X, and Linux. Centrify also supports OATH one-time passwords implemented by YubiKey and plans to add YubiKey’s Near Field Communication (NFC) function to support mobile authentication.

In addition to activities with Dashlane and Centrify, Yubico will demo at RSA a U2F-supported mobile login to GitHub and participate in YubiKey giveaways by our partners Okta, EgoSecure, and Duo Security. Finally, listen for Yubico’s name to be called when the SC Award’s Trust Award for “Best Authentication Solution,”is handed out, and be sure to attend the Non-Profits on the Loose reception that we’re sponsoring on Tuesday night.

Versatile, indeed.

We hope to see you in San Francisco.

John Fontana

Google publishes two-year study on use of FIDO U2F Security Keys

Key words often associated with two-factor authentication focus on simplicity, privacy, and security. Those words, however, are broad terms that need definition in order for consumers and enterprises to form opinions and make educated buying choices.

FIDO Universal Second Factor (U2F) is no different, so Google recently published a research paper titled “Security Keys: Practical Cryptographic Second Factors for the Modern Web” to quantify the benefits the internet giant found in using U2F-based two-factor authentication.

The paper outlines Google’s use of FIDO U2F-based Security Keys, manufactured by Yubico, to harden security, improve user satisfaction, and cut support costs.

This data is far from anecdotal. It represents two years of research. The results, as compared to other two-factor authentication schemes tested by Google, showed the Security Key is simple to implement and deploy, easy to use, preserves privacy, and is secure against attackers.

Here are some eye-opening conclusions from Google’s research on its Security Key rollout:.

  • Users reduced, by nearly two-thirds, the time to authenticate with a Security Key as opposed to an OTP via SMS. Most of that time is based on the efficiency of the user since authentication executes in milliseconds.
  • In Google’s rollout, authentication failures fell to zero. The company’s support department estimates the switch from OTP tokens to Security Keys saved thousands of hours per year in cost. These efficiencies allowed Google to give each employee two Security Keys and still realize overall cost reductions.
  • Security Keys met other Google requirements that mandated simple APIs for developers, no user tracking, no identifiable user information on token as well as  protection against password reuse, phishing and man-in-the-middle attacks.

To date, the devices have been deployed to 50,000 employees, and Google reports “our users have been very happy with the switch: we received many instances of unsolicited positive feedback.”

Other technologies referenced and reviewed by Google included OTPs, mobile phones, smart cards, TLS client certificates, and national ID cards. Their research includes a comparison chart of second-factor options based on a respected usability framework published in 2012 by another group of researchers led by Joseph Bonneau, currently a researcher at the Applied Crypto Group at Stanford University.

The paper also spends a significant number of pages describing the technical underpinnings of Security Keys and how they relate to the larger concepts of simplicity, privacy and security.

Research conclusions point to immediate gain from Security Key deployments, but the findings are being offered as a starting point. “We hope this paper serves as an academic foundation to study and improve Security Keys going forward,” Google wrote.

In addition to those stats, Google has publicly presented other figures that compare Google Authenticator and Security Key. Google studies show the Security Key login process was four times faster compared to Google Authenticator (their mobile authentication app), and that use of U2F and public key crypto results in significant fraud reduction.

Nano OLD body style
John Fontana

YubiKey Flexibility Satisfies Okta Needs

Our partner, Okta, is anticipating that strong authentication adoption in 2016 on its cloud identity platform will eclipse the 40% increase it recorded in 2015. We salute Okta’s hard work and innovation now that it has officially released YubiKey support.

Okta landed on YubiKeys to solve specific accessibility issues for its customers, specifically those who don’t have access or privileges to use mobile devices at work.

This is one important distinction that Yubico identifies when comparing the YubiKey to authentication via a mobile phone. Other significant distinctions of the YubiKey include better security, cost savings, efficiency and durability.

Mobile devices rely on downloaded authentication software, which can be vulnerable to malware. A device that is not connected to the internet always offers superior security. YubiKeys present cost savings over mobile devices by allowing multiple backup devices as opposed to dependency on a single phone. YubiKey authentication is faster because the need to access an app or type in codes is eliminated. And the durable YubiKey works without the need for batteries.

The YubiKey, however, also satisfies pure mobile use cases with support for Near Field Communication (NFC), as well as standards such as U2F over NFC and OTP.

The YubiKey works with Android, Windows, and other devices by just tapping it against the NFC-enabled device. Services that have made support for the NFC-enabled YubiKey include password manager Lastpass (OTP) and GitHub (U2F).

This versatility distinguishes the YubiKey from other hard tokens, and allows for a single YubiKey to support multiple protocols and use cases. This means flexibility for companies wanting to increase security within their enterprise.

From an enterprise and service provider perspective, strong authentication isn’t a one- size-fits-all. There are many use cases and each demands a specific level of security and access. That’s why a YubiKey doesn’t rely on just one protocol or even focus solely on authentication. YubiKey functions such as touch-to-sign provide data integrity and security options beyond pure authentication.

Yubico’s work with Okta exposes just one of the YubiKey’s functions. In fact, LinkedIn was one Okta customer that rolled out the YubiKey using Yubico OTP as a second-factor.

Learn more about YubiKey’s versatility, and our partnership with Okta.

Olivier Sicco

OTP vs. U2F: Strong To Stronger

At Yubico, we are often asked why we are so dedicated to bringing the FIDO U2F open authentication standard  to life when our YubiKeys already support the OATH OTP standard. Our quick answer is that we will always provide multiple authentication options to address multiple use cases. Regarding U2F and OTP, we think both have unique qualities.


The one-time password (OTP) is a very smart concept. It provides a strong level of protection to hundreds of millions of accounts, and has been implemented for decades. Its popularity comes from its simplicity. On top of a static user name/password credential, a user adds another authentication factor — one that is dynamically generated. By definition, this OTP credential is valid for only one login before it becomes obsolete.

OTPs are delivered in many ways, usually via an object the user carries with him, such as his mobile phone (using SMS or an app), a token with an LCD-display, or a YubiKey. OTP technology is compatible with all major platforms (desktop, laptop, mobile) and legacy environments, making it a very popular choice among second-factor protocols.

As good as it is, traditional OTP has limitations.

  • Users need  to type codes during their login process.
  • Manufacturers often possess the seed value of the tokens.
  • Administrative overhead resulting from having to set up and provision devices for users.
  • The technology requires the storage of secrets on servers, providing a single point of attack.

Yubico’s OTP implementation solves some of those issues.

  • The user never has to type a code instead he just touches a button.
  • Enterprises can configure their own encryption secrets on a YubiKey, which means no one else ever sees those secrets.
  • OTPs generated by a YubiKey are significantly longer than those requiring user input (32 characters vs 6 or 8 characters), which means a higher level of security.  
  • YubiKeys allow enrollment by the user, which reduces administrative overhead.
  • It is easy to implement with any existing website with no client software needed.
  • For the OATH standard, Yubico uniquely offers a token prefix that can be used for identity, simplifying enrollment and user experience.

The remaining issues, however, are phishing and man-in-the-middle attacks, the most  infamous assaults that defeat OTP technology. The theory is quite simple: the hacker sets up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters his information (user name, password, and even his one-time password), it is immediately intercepted by the hacker and used to access the victim’s account.

It is difficult to pull off, especially against security-aware users who may notice the strange behavior of the fake site, yet it is can be done and is, nowadays, one of the more popular attacks.


The increasing sophistication of attacks against OTP schemes was a motivating factor in the development of the FIDO U2F protocol.

The U2F protocol involves the client in the authentication process (for example, when logging in to a web application, the web browser is the client). When a user registers a U2F device with an online service, a public/private key pair is generated.

After registration, when the user attempts to log in, the service provider sends a challenge to the client. The client compiles information about the source of the challenge, among other information. This is signed by the U2F device (using the private key) and sent back to the server (service provider).

Real-time challenge-response schemes like U2F address OTP vulnerabilities such as phishing and various forms of man-in-the-middle attacks. As the legitimate server is issuing the challenge, if a rogue site or middle-man manipulates the flow, the server will detect an abnormality in the response and deny the transaction.

Advantages of U2F include:

  • Strong security from public key cryptography.
  • Easy to use with no codes to re-type and no drivers to install.
  • High privacy so that no personal information is associated with a key.
  • Unlimited usage in that an unlimited number of accounts can be protected by one single device.

With all of these great benefits, why isn’t FIDO U2F implemented in more large scale services beyond Google, Dropbox, and GitHub? One reason is that the Chrome browser is the only available client. We expect Mozilla Firefox support during the Spring and within two more browsers later this year, which will make U2F available to the vast majority of internet users. Also, it takes time to drive new global standards and U2F’s technical specifications were made available just a year ago.

If you are thinking about improving strong authentication for your service, OTP is a good start, but FIDO U2F should definitely be on your radar. Here are a few useful links:

Stina Ehrensvard

YubiKeys Extend Innovation In Education

50% off
trays of 50 YubiKey 4 and YubiKey 4 Nano
while supplies last!

Stoking technology’s fire has historically been a job for the education sector, from universities involved in early ARPANET testing, to the first popular web browser from student Marc Andreessen, and the curious Apple 1 computers that took root in primary and secondary schools.

Today, education faces the same security threats as commercial sectors, with sensitive data being compromised for staff, students, and researchers. As with the enterprise, the most common attack vector is a static password. To mitigate this risk, more than 1,000 schools around the world are using YubiKeys, with 450 of those being higher education institutions.

Many of the schools that have deployed YubiKeys also embrace open standards and open source server software, which is also supported in leading platforms and services.

For example, the smart card/PIV functionality of the YubiKey enables easy and secure login to Microsoft Windows, Linux and Mac OS X computers. Popular authentication and identity services — such as Duo and PING — have added support for YubiKeys, through open source protocols OATH and Yubico OTP. And Dropbox, GitHub, and Google Apps for Education, expected to top 110 million users in the next four years, works immediately out-of-the-box with U2F-powered YubiKeys.

Since 2003, hundreds of universities have secured access controls with Shibboleth, an architecture and open-source implementation for federated identity management and single sign-on based on the Security Assertion Markup Language (SAML). Now, an open source, U2F plug-in for Shibboleth is available on GitHub, promising secure authentication based on U2F public key cryptography.

The future of strong authentication is here today. It’s based on open standards, and leveraged by easy-to-use, affordable devices that users own and control, such as the YubiKey. To further grow adoption among the next generation of leaders, Yubico is offering a limited-time discount for educational institutions on trays of 50 Yubikey 4s or YubiKey 4 Nanos — our latest generation YubiKey.

To learn more about YubiKeys for Education, join our Webinar on Feb. 16.

Stina Ehrensvard

10X Growth With World’s Largest Brands

“The best way to predict the future is to invent it.”

— Alan Kay, American computer scientist

In 2012, shortly after Yubico’s CTO and I had moved from Stockholm to Silicon Valley, we were invited to a meeting at Google’s headquarters. We were nine people, from seven different countries, who had gathered around a conference table to determine if our ideas for simplified public key crypto had merit. None of us was really sure at the time if they did, but we all agreed it was worth trying.  

It is now 2016, and with U2F, the technical details that were discussed in the conference room, have been proven to work at scale. And U2F is just one of many solutions that has unfolded during this time. Four years ago, the YubiKey was basically a one-time password device. Today, it’s the Swiss Army Knife of authentication and cryptographic functions, including Yubico OTP, static password, challenge-response, OATH, PIV, NFC, OpenPGP, PKCS#11, and touch-to-sign — all in one tiny 3-gram device!  

During those four years, Yubico has increased sales ten-fold, earned profits, won eight of the top 10 internet brands and 20% of the Fortune 100 companies as customers. The largest brands and forward-thinking organizations know that it is not a matter of if, but when, their passwords, computing devices, and servers will be hacked. They now also store their encryption secrets locally, not at the security vendor.

Going forward, we see evolution and innovation rooted in three primary areas:


Users have, and will continue to combine, computers and mobile devices into a single computing experience. Authentication and encryption solutions need to work across all these devices. So, in addition to USB and NFC, we will be adding Bluetooth support in YubiKeys. U2F crypto will eventually be integrated into security chips in phones and mobile apps, as an alternative security complementary to YubiKeys.


Building identity and strong authentication to operate at internet scale requires open standards, and the winning solutions will have built-in support in leading platforms and browsers. To help define this path, Yubico is a member of the open standards organizations W3C, OIX, FIDO, and IDESG.

Hardware crypto

Beyond strengthening authentication to resources, companies need to protect the integrity of servers, computer code, and cryptographic secrets — with simple and portable security modules. To eventually serve all users and servers, Yubico will continue to develop cryptographic functions for the YubiKey and YubiHSM.

Stina Ehrensvard

FIDO U2F Now Offers Contactless, Tokenless, Passwordless Mobile Authentication

2016 is the year when FIDO U2F will unfold its promise of a “universal” second factor.

Successfully deployed with Gmail, Dropbox, and GitHub in 2015, the U2F open standard is now expanding to mobile devices. At the ShowStoppers @ CES (Consumer Electronics Show) event in Las Vegas, Yubico is demonstrating the first FIDO U2F-certified, NFC-enabled YubiKey device as well as a software-based U2F mobile client that brings public key cryptography to both consumer and enterprise mobile users with a tokenless and passwordless experience.

Near Field Communication (NFC) was developed as an open standard more than a decade ago, and is today supported in all leading mobile platforms and hundreds of millions of mobile devices. Designed for contactless identification and authentication, NFC has also successfully found its way into mobile payment systems and credit cards.

The YubiKey NEO is now the first device certified for U2F mobile authentication over NFC. GitHub is pioneering support for mobile U2F for their users, combining a username and password with a simple tap of the YubiKey to an NFC-enabled mobile device. And later this year, the first U2F devices with Bluetooth will enter the market, addressing high-security login from iOS devices where NFC capabilities currently are limited to systems owned by Apple.

Also at Showstoppers @ CES, Yubico is demonstrating a software-based U2F mobile client that does not require additional hardware. It’s designed for both iOS and Android, the second factor can be a password or the fingerprint used to unlock the phone, enabling the first tokenless and passwordless user experience for FIDO U2F. While external hardware authenticators, without internet connections, offer the highest level of identity protection, this software-based U2F mobile client does provide a heightened level of security compared to a static username and password login. For example, an online bank that adds supports for U2F allows its mobile users to perform lower-value transactions using the U2F mobile client only, while higher-value transactions would require U2F hardware authentication.

As a co-author and driving contributor to the FIDO U2F open standard, Yubico’s mission is to make secure login easy and available for everyone, while safeguarding privacy. The YubiKey NEO is available today at Amazon and Yubico web store  for $50 in single quantity retail price. During the coming spring, Yubico will be piloting the FIDO U2F mobile client with large-scale service providers.

Want more interesting reading on FIDO U2F?

How journalists and human rights organizations use FIDO U2F to protect their identity
How Google reduced time, support costs, and fraud with FIDO U2F

Yubico Team

2015 Was A Yubico Rocket Ride

Around this time last year, the FIDO Alliance had just released the final draft of the U2F specification, a moment that would greatly impact Yubico’s upcoming year.

Within four months, Google had upped its commitment to U2F, adding support for Yubico’s Security Key in Google for Work. In August, DropBox added support for its user base, and two months later, GitHub joined in with support for U2F strong authentication to protect its users. In just 10 months, the YubiKey was an authentication option for platforms and apps used by tens of millions of people.

U2F, however, was just validation of YubiKey’s pedigree as a modern hardware authentication device.

Next up was a grand introduction of the YubiKey as a security device, including OpenPGP encryption with support for 4096-bit RSA crypto keys, a PKCS#11 library to support PIV functionality, and a relationship with Docker that produced a code signing milestone they dubbed touch-to-sign.

With two strokes, Yubico had revealed its Swiss Army Knife versatility and the value of multiple functions available on a single YubiKey. These milestones injected the YubiKey into the heart of a modern security debate among consumers, enterprises, and governments.

And there was more! Yubico talked online identity protection during a personal meeting with President Obama, explained the ins and outs of cryptography in a multi-part blog series, earned FIDO Certification, forged relationships with the federation players, helped add Bluetooth and NFC transports to U2F that opened mobile devices to the FIDO standard, linked up with LinkedIn, and talked SSH, ECC, and OIDC.

We also had our lighter moments. We met a Princess, had a cameo in a Hollywood movie, detailed the YubiKey’s duties during our work days, and crowned three YubiKings.

We learned to live on less sleep than Buddy the Elf, and that our customers have savvy and knowledge we are glad they openly share with us and others.

Above all, we were humbled by the ruckus the YubiKey caused.

Now, moving into 2016, we are running fast with a new 4th -generation YubiKey, Mozilla’s commitment to add FIDO U2F support to the Firefox browser, and the World Wide Web Consortium’s work to standardize Web APIs and data formats for use with FIDO 2.0.

And, of course, we look forward to the innovations, milestones and surprises we know will illuminate 2016.

Happy New Year!

Alessio Di Mauro

YubiKey 4(096): You Asked, We Delivered

In a previous blog post I talked about RSA key length and argued why a 2048-bit key is still a viable choice today.

However, here at Yubico we do not like to remain idle, twiddling our thumbs. We are constantly improving our products. As a result of these efforts, earlier this month, we launched the YubiKey 4. This 4th generation YubiKey sports several improvements and new functionality, including a more powerful secure element. One notable addition is that YubiKey 4 now supports RSA keys up to 4096 bits!

While cryptography is in transition (more on that later), I believe that today’s YubiKey 4 is an even more powerful tool, giving users the possibility of generating and importing longer OpenPGP keys for decryption, signature, and authentication. You can even load your master key onto a separate YubiKey 4 and use that to sign other people’s keys, without having to take your air-gapped computer out of storage.

Plus, with the addition of “touch-to-sign” providing an extra layer of security, the next attacker model will have to include biochips that can grow a finger and touch your YubiKey.

The new RSA 4096 support comes at a very interesting time. Until recently, the NSA has been promoting the so called Suite B Cryptography, a collection of cryptographic algorithms recommended to protect classified information up to the Top Secret level. What is interesting about Suite B is that RSA is not included, and Elliptic Curve Cryptography (ECC) is instead preferred. However, in August, the NSA had a sudden change of heart and published an article where it stated that we should start to get ready for quantum computers and begin using quantum-resistant algorithms, effectively moving away from ECC.

Before getting there, there is going to be a transition phase, but the adoption of Suite B has henceforth been discouraged. One of the algorithms suggested for key establishment and digital signatures in this transition phase is, surprise surprise, RSA with a 3072-bit key. Why the NSA has decided to move in this direction is open to debate (and speculation), especially considering that there is, more or less, general consensus on the fact that practical quantum computers are still a couple of decades away. I will refrain from opening that can of worms and only point out that an interesting discussion on this decision can be found in this paper.

Cryptography is a complicated topic, both from a technical and practical standpoint. Analyzing and proving the security properties of different schemes and algorithms takes a long time (if at all possible). Adoption and deployment also are time consuming. This is highlighted by the fact that even giant organizations, like the NSA, change their mind as time goes by.

Our creed here at Yubico is to try and be up to speed with the technology involved in these changes, providing our users with as many tools as possible so they are enabled to take whichever choice they believe to be better for their specific use case.

To put it in a different way, we will give your Swiss Army knife as many blades as we can — which ones you choose and how you use them is up to you! 

Read our White Paper: A Question of Key Length.

Yubico Team

YubiKey 4: One Device, Many Functions

One-hundred and eighteen years ago, Karl Elsener developed the first Swiss Army knife, introducing versatility never before seen in a simple knife for soldiers.

Today, Yubico pays homage to Elsener’s ingenuity and commitment to multi-feature versatility. The YubiKey is a single device with a wide selection of security and privacy choices under its rugged, molded-plastic exterior.

To expose all the functions of the YubiKey, we recently held a webinar — One Device, Many Functions: Inside the YubiKey. (The recording is embedded below.)

During the presentation, you’ll hear how the YubiKey defines secure access for armies of enterprises and consumers, including remote access and VPN, password managers, computer login, content management systems, and support for popular online services such as GitHub, Dropbox, Docker, Google for Work, and other Google Accounts.

Functions such as one-time passcodes (OTP) work with many systems including Salesforce, Okta, and Ping. Time- and event-based OATH tokens integrate with internal and customer-facing systems while PIV capabilities include support for Microsoft Windows login on select servers and client desktops. OpenPGP is for storing public/private key pairs for encryption, authentication and signing, and the FIDO Alliance’s Universal 2nd Factor (U2F) protocol gives a single YubiKey the ability to support many online services.

In addition, YubiKey allows owners to load and control their own secrets, with nothing revealed to third-parties, including Yubico.

It all adds up to the versatility we hope Elsener would commend.

November 2015 Newsletter
Stina Ehrensvard

Why YubiKey Wins

When we ask our customers why they chose the YubiKey, the most common answer is ease-of-use.

If you get a job at one of the large internet companies here in Silicon Valley, you are likely to also get a laptop with a YubiKey inside the USB port. But you may not know it’s a YubiKey. I learned that from someone I met at the local train station while waiting for the train to San Francisco. He was carrying his laptop under his arm, and I noticed the rounded golden edge in the USB port. When I thanked him for being a customer, he looked surprised; “Oh, I did not know. I thought it was the new Apple touch feature for the new Mac!” I am sure the YubiKey smiled after these words — there are not many authenticators out there that have been mistaken for an Apple product!

Some time ago, Facebook posted a video on YouTube sharing how they used YubiKeys, and why no other authentication technology matches its simplicity and speed for multiple login sessions.

After Google deployed U2F-powered YubiKeys for all staff, and provided support for Gmail users, their statistics showed that the login process was four times faster compared to Google Authenticator (their mobile authentication app). The process of picking up a phone, opening an app, and re-typing a code — not only is time-consuming but error-prone. With YubiKey, it’s just a simple touch.

However, the main reason Google deployed U2F-powered YubiKeys is security. One in fifty emails that land in your Gmail inbox is a phishing attempt. Although sophisticated spam filters block most of them, it is still difficult to stop individually-customized phishing emails, even with the one-time password from Google Authenticator. With U2F and public key crypto, Google has measured significant fraud reduction.

U2F also enabled Google to cut support by 40% compared to Google Authenticator. There may be a perception that paid hardware is more costly to deploy than free software. But when the industry-average cost for recovery support is approximately $30 per ticket, the reality can be different. With backup YubiKeys on a keychain, in a wallet and the USB port, users submit fewer support tickets and are at lower risk of being locked out than those who rely on a single phone app.

Many of our customers value that we allow them to easily program and fully control their own YubiKey secrets. Others like that one single YubiKey can be used with the range of authentication and cryptographic protocols. All like that YubiKeys are water- and crush-resistant (as demonstrated in the picture above). To learn more about the security, usability, and cost benefits of the YubiKey compared to other authentication technologies, see our  chart: Why YubiKey Wins.

There may not be a silver bullet for strong authentication, but the YubiKey is getting close.

November 2015 Newsletter, Blog
Stina Ehrensvard

W3C Submission Hints At Strong Future For U2F

As with any growing standards organization, the FIDO Alliance is evolving. Today, the organization marks a glimpse of where it’s headed and how U2F will help make secure login easy and available for all internet users.

The FIDO Alliance has submitted to the World Wide Web Consortium (W3C) a set of specifications defining a Web API to enable high-security web applications that offer secure user authentication. This FIDO-built Web API can be seen as a natural evolution and a superset of the FIDO U2F Web API. It is intended to ensure standards-based strong authentication across all web browsers and related web platform infrastructure.  

This is great news for Yubico’s customers as these Web API specifications will end up in all browsers. Our goal is to make the YubiKey ubiquitous, leveraged by universal support in leading platforms and browsers.

A year after the U2F specs were finalized, Google, Dropbox, and GitHub are on our list of large scale services supporting U2F, and many more are on their way. In the same timeframe, the U2F Technology Working Group has developed technical specifications for NFC and Bluetooth transports to address mobile applications. (For a look at the current U2F ecosystem, see our blog post.)

The FIDO 2.0 Technology Working Group was formed in late 2014 to address a wider range of authentication use cases, including the passwordless experience, and platform support for computers, phones, and other devices. This Web API submission to the W3C, from the FIDO 2.0 Technology Working Group, consists of three technical specifications required to define a standard web-based API, and is designed to increase FIDO’s existing desktop, Chrome, Android, and iOS support. The contributed FIDO specifications will be handled by a new group W3C is creating called the Web Authentication Working Group.

The W3C is the steward of the web with its principles of an open, secure, and democratized platform. It develops protocols and guidelines that ensure the long-term growth of the web.

Yubico agrees with the W3C’s principles as they are core to our own philosophy. We are working closely with the FIDO 2.0 Technology Working Group, including Google and Microsoft, with the goal to keep protocols lean and scalable, and offer a seamless evolution and migration path between FIDO U2F and FIDO 2.0.

The FIDO Alliance strategy is that every computing device will have built-in support for FIDO standards, just as we see today with standards like Bluetooth or Wi-Fi. To enable a higher level of security and privacy, users will need simple and portable external FIDO devices, including YubiKeys. These will also be needed as bridges when migrating to a new phone or computer, when any of these devices are broken or lost, with billions of existing computing devices, or to log in from a borrowed device.

For the time being, the bulk of FIDO 2.0 work is still under development at the Alliance, and it will take some time before this superset of U2F is completed. In parallel, we are working with many service providers who are adding support for FIDO U2F today to provide proven, simple and strong authentication now and into the future.

Step-by-step, we are getting closer to our vision of enabling one YubiKey to any number of online services. And, one day, you will walk into your local convenience store, and you will find a YubiKey there, perhaps hanging among the gift cards: the key that allows you to fully own and control your secure online identity.

Stina Ehrensvard

Launching The 4th Generation YubiKey

Today is historic as we launch our 4th generation YubiKey. It is built on high-performance, secure elements, and enables stronger and faster crypto operations. We are also expanding beyond our authentication heritage to code signing: Our new touch-to-sign feature was brought to life with our friends at Docker.

For every generation of YubiKeys, we have added new YubiKey versions with select feature sets. With YubiKey 4 and YubiKey 4 Nano, we are reversing that trend with fewer products, more features, and simplified choices for customers that bring better value.

We are also evolving in other ways. We are complementing our authentication pedigree by improving and adding  specific security features: OpenPGP encryption can now be performed with 4096-bit RSA crypto keys, we have added a PKCS#11 library to support PIV functionality, and, together with Docker, we are introducing container code signing with touch-to-sign and user verification.

Our new YubiKeys are the market’s Swiss Army knife for authentication and encryption. For large volume needs, we will enable customers to order exactly the functions they want. And our unique programming tools allows organizations to program and control their own cryptographic secrets. This security approach is something we are convinced will soon define the market.

The small YubiKey 4 Nano is priced at $50, and the YubiKey 4, the larger keychain version, is $40. Neither includes support for Near Field Communications (NFC), which is now just found in the YubiKey NEO. For those who don’t need NFC, the YubiKey 4 offers faster and stronger crypto at a lower price.

We will introduce a new retail web sales lineup and continue to serve enterprise customers with existing commitments to our former YubiKey products.

Strong authentication is an important part of the identity stack and we are quickly growing market share there. The YubiKey, however, also includes vital encryption functions highlighted by code signing. Both these areas is where we have innovated with YubiKey 4 to provide best-practice security and the simplest user experience. This is truly the start of a new generation.

November 2015 Newsletter, Blog
Jerrod Chong

With a Touch, Yubico, Docker Revolutionize Code Signing

Today we released the YubiKey 4, our next generation product that includes a new function called touch-to-sign, a unique and simple method for code signing that we have brought to life together with Docker, an open platform for distributed applications.

At DockerCon Europe 2015 in Barcelona, Docker and Yubico together unveiled the world’s first touch-to-sign code signing system using the new YubiKey 4. A developer only needs to touch his YubiKey for user presence verification and to digitally sign code, using a private root key stored on the device. This capability is the first hardware signing key to provide content integrity for containers that are part of Docker Content Trust, and it enables secure software lifecycle development for Docker developers, sysadmins, and third-party ISVs. We think it’s slick, and cool, and the future of hardware-backed keys.

As part of YubiKey 4, we also released a new PKCS#11 module that our customers and partners can use with their cryptographic projects. The open standard protocol, PKCS#11, lets applications speak to cryptographic smart card devices, such as the YubiKey 4, and perform cryptographic functions. Docker has integrated the PKCS#11 module into its platform to support touch-to-sign, and we hope this inspires others to develop other cutting-edge security solutions.

This is an important milestone for Yubico and our customers as we complement authentication with another category where the YubiKey excels, strong security with ease-of-use for code signing. Having the root keys stored in the secure element of the YubiKey means attackers cannot duplicate the root key to forge sign operations. Insecure storage of keys, for example in software modules, is often the cause of many of the vulnerabilities found in software packages.

We salute Docker for taking this first major step to help developers secure the creation and on-going maintenance of their code. With Yubikey 4 and touch-to-sign, we hope all Docker users take advantage of this fantastic opportunity to secure their code!

Read Docker’s blog on touch-to-sign. Or watch Docker CTO and Founder Solomon Hykes introduce and demonstrate YubiKey integration with Docker at DockerCon Europe 2015.



November 2015 Newsletter, Blog
Yubico Team

YubiKey Static Password Offers Up Options

One of the original functions on the YubiKey is a static password for use in the password field of any application. Such an option seems to challenge common misgivings about reusing passwords. And we would agree.

But if you look a little deeper, the static password, which has attracted more users than we thought it might, falls somewhere between pervasive support and strong authentication. It works with any application requiring a password, but it’s not a two-factor solution.

The static password was born from a simple idea —  since the YubiKey can function as a USB keyboard that types out characters with the touch of a button, we figured the capability provided other options in addition to one-time passwords.

Our lead engineer, Dain Nilsson, has written a whitepaper that goes into detail on this YubiKey function, but we’ll give you a preview here.

We originally achieved “static”  by freezing counter values and using crypto functions to provide the same password over and over, rather than creating a new one with each YubiKey button touch. We then added the capability for a user to create a password of their choosing on the YubiKey using scan code mode. Then we moved on to explore ModHex and its 16-character alphabet, and encoding that introduces a measure of “randomness.” That randomness helps create a password that has a tougher resistance to cracking than you might think.

A 32-character ModHex password would take a hacker around five billion years to even get a 1 in 2,158,056,614 chance of a correct guess (yes, that’s two billion!). Even a 16-character ModHex password would take around half a million years to crack given internet bandwidth issues and basic server security.  

The static password is interesting to ponder, and many people use them, but it is a password. We think a second factor provides the kind of strong authentication end-users really need.

That said, you might examine if a static password has value in any of your use cases.

John Fontana

LinkedIn Secures Employees with MFA, Okta, YubiKey

Weak passwords and the employees that use them are the biggest threat to IT security, Raj Nagalingam, Senior Systems Engineer at LinkedIn, told the audience at last week’s Oktane15 conference.

To combat such threats at LinkedIn, Raj has turned to Okta’s multi-factor authentication as one way to protect resources and employees (often times from themselves).

Raj and Jerrod Chong, Vice President of Solutions at Yubico, walked the Oktane15 audience through the YubiKey’s benefits and strengths, and the strategy and tools LinkedIn used to deploy Okta’s cloud-based Adaptive Multi-Factor Authentication with a one-time password (OTP) generated by a YubiKey.

LinkedIn’s user login begins with entering a user name and password into Okta. If valid, Okta pops up a window asking the user to insert and touch the button on their YubiKey. The Okta platform checks to ensure the YubiKey itself is registered to the user before verifying the OTP. Upon successful OTP validation using the Okta validation service, the user is allowed to log in.

Raj stresses that YubiKey’s OTP is harder to phish and is resistant to malware since nothing can be written to the key. And, he added, users are instantly hooked on the ease-of-use.

“If you ask your mom to do this, she can,” he told the audience.

LinkedIn’s current plan is focused on Yubico OTP, but in the near future, the company wants to move to authentication using the FIDO Alliance’s U2F protocol that is based on public key cryptography.

During the session, LinkedIn also reviewed how it used the security and policy framework developed by the Cloud Security Alliance (CSA) to decide how to enforce second-factor authentication for applications. The framework categorizes applications into three levels — Limited, Confidential, and Highly Confidential — each of which define required access controls for apps. 

“We grade every app in our environment and our security team makes decisions based on data classification,” said Raj. “In today’s world, everyone works in cloud apps and they use passwords that are static and weak. I recommend enabling multi-factor authentication.”

And he thinks the YubiKey has the right stuff. “It’s fast and easy. Just insert and touch.”

Yubico Team

One Key, Many Features Is Yubico’s Forte

You may have noticed that Yubico’s support for the Universal 2nd Factor (U2F) strong authentication protocol has made some major news in the industry lately, with the help of millions of Google, Dropbox, and GitHub users.

But the YubiKey isn’t just tuned for the magic of U2F, a protocol we co-created with Google and NXP. YubiKeys boast an impressive array of available options from protecting accounts to public key cryptography (re: U2F) to signing code, with the YubiKey NEO and YubiKey NEO-n as Yubico’s do-everything devices. Our other popular YubiKeys are tuned for specific features.

On December 1, Yubico will present a webinar “One Device, Many Functions: Inside the YubiKey” that will examine the DNA of our versatile hardware security device and give you a peek at all the big-time security power that lives under the small key’s molded plastic. Registration is open now.

What began as a single-purpose OTP device has matured in the shadow of password breaches, enterprise hacks, and end-user anxiety. In this webinar, we’ll detail OTP and other YubiKey security options and introduce how enterprises and consumers are using those to move up to improved security and access controls.

A YubiKey factors in a wide range of secure access scenarios, including remote access and VPN, password managers, computer login, content management systems, and online services.

The YubiKey NEO uniquely supports One-Time Passcodes, smart card functionality (including OpenPGP and PIV), and the emerging FIDO Alliance U2F standard. There is also support for creating a complex and difficult to crack static password.

The webinar will take you through the technical details behind the secure, simple, and scalable solutions that are the hallmarks of the YubiKey. The discussion will conclude with a question and answer session.

Join us at 7 a.m. PST on December 1 for an hour-long look at our versatile YubiKey.

Yubico Team

U2F Webinar: From Concept To Implementation

Note: This webinar was recorded on Oct. 27, 2015. The video recording is embedded at the end of this blog.

Ever wonder what’s under the Universal 2nd Factor (U2F) covers? How to build U2F into your own service or project? Or what’s the extended value of your YubiKey?

Now that U2F is catching fire as the protocol that defines strong authentication, we get a lot of these inquiries.

On Oct. 27, Yubico’s lead engineer, Dain Nilsson, will lay out all you need to know to understand the power of the protocol, the basic concepts for implementation, and the value of any U2F-enabled YubiKey.

The webinar, “Integrating U2F: From Concept to Implementation,” is scheduled from 8am to 9am PDT. This webinar is for those who use a U2F YubiKey but don’t quite know what happens behind the scenes, or for those who want to add U2F into their own service or application.

During the webinar’s demonstrations, Nilsson will take an existing service that relies on usernames and passwords and, using Yubico’s open source libraries in combination with U2F,  will add the protocol’s two defined flows — key registration and strong authentication based on public key cryptography.

Nilsson will feature code samples using Python, which will be made available on GitHub, and outline the steps for implementing U2F. He will provide other practical details around enabling U2F with an existing online service.

Major online services — such as GitHub, Google, and Dropbox — are leading the way to protect their employees and global users with U2F. Millions of YubiKeys are in the hands of users across the globe. But U2F isn’t exclusive to mega services with giant dev teams — it’s straightforward to implement and simple enough not to require user training courses.

Yubico will show you how.

And if you’re a GitHub user and want to increase your YubiKey count prior to the webinar, we have a special offer for 20% off all U2F YubiKeys — including YubiKey NEO and YubiKey NEO-n.

Jerrod Chong

GitHub, Yubico Introduce Millions To U2F

Since 2008, GitHub has grown into one of the largest developer communities in the world. With more than 11 million users working on more than 27 million projects, GitHub supports and encourages security measures — such as two-factor and the emerging open authentication standard, Universal 2nd Factor (U2F) — that keep accounts safe.

Today, GitHub announced U2F support enabling its users to access and protect the integrity of their software code with easy-to-use strong public key cryptography. GitHub’s volume of sensitive data demands proactive efforts to constantly improve security and access controls. Strong authentication, like that provided by U2F, helps protect against modern hacker techniques used in the current breach-filled world.

The YubiKey is a hardware device that implements U2F and works with a simple touch to trigger U2F’s public/private key exchange. The YubiKey simply plugs into a USB port to begin the process of securely authenticating the user.

As co-creators of the FIDO U2F protocol, we are thrilled to help GitHub put U2F-compliant YubiKey devices in the hands of developers currently creating services used by everyone on the internet. After taking a look at the open-source examples of U2F implementations, GitHub was able to build comprehensive support in a short time, taking advantage of the open-source community around U2F that Yubico has nurtured.

On the heels of U2F support added by Google and Dropbox, GitHub — committed to adopting standards-based technology — is stepping up as a strong U2F advocate. The company aims to set an example and help put the ‘U’ in Universal 2nd Factor by making U2F available for every GitHub user, including every GitHub employee. GitHub also plans to push leaders in technology and other industries to support U2F’s ease-of-use along with its promise of better security and privacy.

We are proud to be associated with GitHub and its ecosystem, and we join them in pushing developers, companies, and industries to take action now and put simple, scalable public key cryptography in the hands of millions of internet users.

To the GitHub community, we hope you enjoy your YubiKey!  

(Attn: GitHub users — For a limited time, you are now eligible for a 20% discount.)


GitHub Supports Universal 2nd Factor Authentication from Yubico on Vimeo.


Also see:

Yubico Team

Versatility, Scale, Innovation Define YubiKeys

Depending on the numbers you consult, there are nearly three billion people on the internet, mostly protected by usernames and passwords, and nearly 100 million servers with limited or no protection.

They are joined by an untold number of hackers feasting on this reality.

This week, Yubico took on that scenario in a live webinar focused on YubiKeys, Google, Dropbox, and U2F. The webinar is available for playback at the bottom of this blog.

Yubico CEO Stina Ehrensvard opened the discussion by introducing the YubiKey and the YubiHSM “as simple and secure hardware devices to protect users and servers at scale.”

Ehrensvard, and Yubico Product Manager Kevin Casey then laid out YubiKey’s benefits and simplicity, including multiple protocol support in a single device, public key crypto that thwarts phishing and man-in-the-middle attacks, and the ability for users and organizations alike to own and control their identity. YubiHSM offers this same class of protection to servers.

The highlight is a live demo that shows how to activate YubiKey’s FIDO Universal 2nd Factor (U2F) cryptographic authentication for web-based applications (Gmail  and Dropbox) without need for codes, client software, or phone apps.

Ehrensvard and Casey describe the high-level of authentication offered by the YubiKey, support for multiple online services from a single key, the elimination of a central identity provider, the unique touch sensor to verify user presence, and the key’s durability.

The webinar also outlines where other authentication technologies show weakness when trying to achieve YubiKey’s scale and ubiquity: smart cards that were too complex and costly to scale beyond government use and sensitive apps; OTPs that don’t protect against phishing; biometrics that have so far failed to answer privacy, security and revocation concerns; and mobile phones whose constant internet connectivity makes their resident software vulnerable to malware.

The final 15-minutes takes on audience questions that range from iPhone support,  SSH, Yubico’s Bluetooth and NFC features, financial services adoption, and FIDO browser support.


Nano OLD body style
Jakob Ehrensvärd

U2F Thriving; YubiKey Nano Sales Retiring

It’s no secret Yubico is making a big investment in the FIDO Alliance’s U2F protocol, which we believe will significantly strengthen security on the internet. We are co-authors of the specification and no less than nine Yubico employees help steer the evolution of FIDO and U2F.

Recently, we joined with Google and Dropbox to support U2F strong authentication for hundreds of millions of users.

Over the past months, we’ve made U2F a base capability in our YubiKeys with the idea that all devices should support our internet commitment to deliver one key for many services. The public key cryptographic pedigree of the U2F protocol ensures security, privacy, and ease-of-use.

As part of this commitment, we will discontinue selling our YubiKey Nano as of March 16, 2016 and replace it with the YubiKey Edge-n, which has all the features of the Nano plus U2F.

This decision has little or no impact on current YubiKey Nano owners, who can continue to use the device as always for as long into the future as they like. Yubico will provide support for two years after March 16, 2016 for those with valid support contracts. (See the full set of policies on our website).

One of the most important security features of a YubiKey is that they cannot be upgraded. If you can’t write to the key neither can hackers, which means no chance of malware or stolen secrets. As alternatives, YubiKey Nano owners can complement their device with a U2F-only Security Key. Or they can opt for the YubiKey Edge-n. The  YubiKey Nano then becomes a backup for all of its supported features — YubiKey one-time password, OATH time- and event-based OTPs, and static passwords. Or, we’re happy for you to just be happy with the YubiKey Nano you have.

So please don’t dwell on the industry standard, and ominous sounding, “End-Of-Life” term used in official announcements. We are not burying existing YubiKey Nano devices. Please use them and try to wear out the military-grade gold. The YubiKey will withstand your washing machine, your dog’s insatiable appetite, a winter spent in the snow, and being run over by just about anything.

The versatility of the YubiKey product lineup also remains, which includes support on various devices for other strong authentication options, services and features such as a PIV-compliant smart card, OpenPGP, and a secure element.

We are building a path to an internet future we think is paved with U2F support for all online services. We believe we have a clear vision of where strong authentication is headed and our goal remains delivering our customers to that destination.

Jakob Ehrensvärd is CTO at Yubico

Jerrod Chong

YubiKey to Secure Okta Adaptive MFA

There is a trend developing in identity management focused intently on security that incorporates strong two-factor authentication.

Today, we provide more proof of that trend by announcing our partnership with Okta to integrate YubiKeys into their cloud identity ecosystem. Okta has achieved the status of being the only solution among its peers to occupy the leaders’ quadrant in Gartner’s Magic Quadrant for Identity and Access Management as a Service (IDaaS). Inclusion into Okta’s platform reaffirms the reputation of the YubiKey as a highly sought after authentication technology by many leading software providers and services.

YubiKeys will soon be an option for stronger authentication as part of Okta’s just-released Adaptive Multi-Factor Authentication (MFA)With this service, users will be able to securely and easily authenticate with the YubiKey to Okta’s platform, which lets users authenticate once and access any number of applications.

The YubiKey is a hardware device that plugs into a USB port and works with a simple touch to trigger a one-time passcode (OTP) that securely authenticates the user. This single touch to activate a second factor makes YubiKey the preferred choice for users logging in from any device with a USB port.

YubiKeys supporting the upcoming Okta integration include the YubiKey Standard and Nano, YubiKey Edge and Edge-n, and the YubiKey NEO and NEO-n.

In addition, Okta also announced it has joined the FIDO Alliance, which develops open protocols for strong authentication, including the Universal 2nd Factor (U2F) specification. Both OTP and FIDO U2F features are natively supported in a single YubiKey.

Being the co-creators of the FIDO U2F protocol, we are excited that Okta has joined the Alliance. The FIDO protocol uses public key cryptography and is engineered specifically to address phishing and man-in-the-middle (MiTM) attacks.

The YubiKey Edge and YubiKey NEO support FIDO Alliance’s U2F protocol mode together with OTP. In addition, YubiKey NEO and YubiKey NEO-n have other capabilities such as a PIV-compliant CCID smart card and OpenPGP (SSH login, code signing, and more).

John Fontana

Secure Shell, Standards, And The YubiKey

In new entries added recently to the white paper section of our website, we’re detailing Secure Shell options using a YubiKey, and emerging standards that combine to solve online identity challenges.

These white papers are a nice place to uncover some lesser-known YubiKey gems, learn a little more about our crypto strategy, or dive deeper into topics that offer leading-edge security choices.

Those who use their YubiKey NEO or NEO-n in conjunction with Secure Shell (SSH) love the feature, but it lives in the shadow of other, more popular, YubiKey NEO services.

For the uninitiated, you can use a YubiKey NEO with SSH to establish secure connections with remote servers.

Author Alessio di Mauro, a Yubico software engineer, explains what SSH is and why you want to use it with a YubiKey. There are many advantages to using a YubiKey with SSH. The private key is stored within the YubiKey’s secure element, and your master key stays safe as you use only an authentication subkey. In addition, if your YubiKey falls into rogue hands, the attacker only has three very slim chances to authenticate as you before the key locks down.

Once you configure your computer to use SSH keys from a YubiKey, you are set to use them with your personal server or with one of the many services that allow public key authentication such as GitHub or Bitbucket.

Alessio’s white paper takes you through all the benefits.

Also new to our white paper section is a peek at some interesting standards-based identity and authentication options fostered by the intersection of FIDO Universal 2nd Factor (U2F) and OpenID Connect. Each has its own important qualities, but also soft spots. Used together, they present new security possibilities that are explored by guest author Justin Richer, a standards advocate and consultant at Bespoke Engineering.

Also in the white paper section is Alessio’s original three-part crypto key length discussion now available as one document available for download (and sharing).

Our white paper section is a growing resource, so we hope you’ll visit now to learn more, and return in the future to find in-depth looks at a flourishing ecosystem that includes the YubiKey, FIDO U2F, security and the future of strong authentication.

John Fontana

Time Flies When Trying To Secure The Internet

A year ago, I joined Yubico and wrote a blog with the headline “Welcome to the Future, It’s About to Get Really Interesting.”

On reflection, perhaps that was an understatement.

The past 12 months have seen unprecedented hacks on industry and government that have resulted in more than a billion stolen passwords and personal records. The carnage created enough of a pain point to move security and two-factor authentication from an afterthought to an active, mainstream conversation topic.

It was a wake up call to the weakest factor in security – the human factor.  

Eyes popped out when Apple was hacked and celebrity nude pics were stolen. President Obama signed an executive order requiring the use of multi-factor authentication in federal agencies. Red Hat and Microsoft announced multi-factor authentication plans, New York State banking regulators added two-factor authentication to their definition of a secure environment, and the US Postal Service added two-factor authentication to its post-hack remediation efforts.

Then the Cavalry started to round up its horses.

In October 2014, Google announced the first application support for the FIDO Universal 2nd Factor protocol and gave Gmail (and eventually Google for Work) users strong authentication backed by simple-to-use public key cryptography in the form of a Yubico Security Key.

At Yubico, we grew to keep up with the changing security landscape. We developed a two-factor login app for Salesforce.com users, sweetened our YubiKey portfolio with U2F support, offered our Security Key as a complement to Google’s launch, continued to bring on handfuls of enterprise customers looking to secure authentication, and helped finalize and offer to the world the FIDO U2F specification we co-invented.

And that was all before the end-of-year holidays. (Oh yeah, and we brightened the holidays with an array of colorful YubiKeys).

In January, the FIDO U2F ecosystem was active and buzzing with chipmakers, biometric devices, YubiKeys, mobile apps/clients, wireless connectivity development, cloud services, open source software, and other goodies.

Our CEO talked internet security with President Obama at a cybersecurity summit in Palo Alto, and recruited Salesforce CEO Marc Benioff as an investor and advisor.

We drew crowds eagerly seeking two-factor authentication as a silver lining at conferences such as Showstoppers, RSA, Cloud Identity Summit and Black Hat.

We released the world’s smallest HSM, debated cryptographic key sizes, announced the YubiKey Edge with OTP and U2F support, earned FIDO Certification, contributed to the release of Bluetooth and NFC support for U2F, crowned three YubiKings, and saw Dropbox become the first non-FIDO online service to adopt U2F supported by the YubiKey.

We also met with Victoria, Crown Princess of Sweden, and her husband, Prince Daniel, in California and introduced them to the YubiKey. And we went Hollywood with the YubiKey’s good-guy cameo in the dramatic film “Blackhat.”

But among all that change, we had constants: our commitment to open source and standards; our faith in one key for many apps; our belief in the right to internet privacy; our integrity; our focus on secure authentication for computers, servers, and internet accounts; and on providing the world’s enterprises with simple and secure authentication.

The next 12 months are lining up to be even more energetic, so you can count on one additional constant: more to come from Yubico (soon!) and our continued presence at the forefront of strong authentication.

Stina Ehrensvard

Dropbox Adds Support For FIDO U2F, YubiKeys

Today, cloud storage giant Dropbox announced to its more than 400 million users that it now supports FIDO U2F for strong two-factor authentication.

On the company’s blog, Dropbox said users now can protect their files with U2F-powered devices in addition to the current feature of a one-time code sent to a mobile phone. Those U2F devices include YubiKeys, which enable high-security, public key cryptography to protect against advanced malware, phishing, and man-in-the-middle attacks. 

FIDO U2F removes cost and complexity from traditional public key and smart card technology. U2F-powered YubiKeys can be purchased from the Yubico store or at Amazon.com, and one single U2F device can access Google, Dropbox, WordPress and any number of U2F-compliant services. No client software or third-party services are needed, and no encryption secrets or information about users are shared between service providers.

The emerging open authentication U2F standards initiative was co-created by Yubico, Google and NXP, and turned over to the 200-member strong FIDO Alliance. Dropbox is the first major non-FIDO member to recognize the security advantages of FIDO U2F and offer those benefits to its customer base. FIDO membership is not a requirement for adopting FIDO U2F. The standards specifications for USB form-factor keys have been publicly available since December 2014, and the server code is free. Recently the FIDO U2F Technical Working group published specifications for NFC and Bluetooth transports for secure authentication mobile platforms. In addition, the FIDO Alliance announced today its latest round of products that have achieved FIDO certification. All U2F-compliant YubiKeys have earned the FIDO Certified designation. 

Today, trillions of dollars are lost, and billions of internet users risk getting their online accounts hacked because of compromised static credentials. It’s encouraging that some great large-scale service providers are adopting technologies that represent the future of authentication — simple, open and secure, yet safeguarding your privacy.

The Yubico lineup that supports FIDO U2F, and works out-of-the-box with Dropbox and Gmail, includes YubiKey Edge and Edge-n, YubiKey NEO and NEO-n and Yubico FIDO U2F Security Key. In addition to FIDO U2F, YubiKeys can support OATH One-Time Password, OpenPGP, and smart card (PIV) capabilities. For more information, see the YubiKey feature comparison chart.

On our Web site we have posted instructions on how to register a U2F-compliant YubiKey with your Dropbox account.

Justin Richer

U2F, OIDC mix widens authentication options

The Universal Second Factor (U2F) protocol from the FIDO Alliance is an interesting authentication story on its own, but even more so when coupled with another emerging standard called OpenID Connect. With the pair, you can solve more authentication challenges than either could on their own.

U2F provides a way for users to authenticate to sites using a hardware cryptographic device. It does this by using public key cryptography, but without the problematic infrastructure of legacy PKI systems. A new key pair is generated for every service that the user connects to, offering a secure and privacy-preserving authentication system. U2F support is included on all but one version of Yubico’s Yubikeys.

However, this isn’t quite the whole story. The U2F protocol on its own doesn’t actually identify any particular user, it merely proves  someone has the device with control over a registered key. The user’s identity is intentionally left out of the U2F process, and it must always be bound to some kind of user account for it to represent a person.

OpenID Connect (OIDC), on the other hand, is an identity federation protocol that is in use across the internet. Built on OAuth 2.0, OIDC lets users log into a website using an Identity Provider (IdP) service. This approach lets users leverage one account across a multitude of sites across the web and gives people control over which attributes of their identity are asserted and to whom in a secure and privacy-controlled fashion.

However, this isn’t quite the whole story either. The OIDC protocol doesn’t authenticate the user but rather conveys that authentication across the network. OIDC still requires that the user authenticate at the IdP, somehow. This could happen with a username and password, a certificate, a hardware token, or any number of other things.

So we’ve ostensibly got two authentication protocols, but authentication is a many-faceted thing. Each of these protocols addresses a slightly different take on authentication, intentionally leaving gaps to be filled by other technologies and components. The good news is we can combine U2F and OIDC to solve an even wider array of challenges than either can address alone.

For instance, an OIDC IdP could use a U2F device as part of its primary authentication mechanism for its users. This approach allows the user to strongly protect the primary identity they use all over the web. Alternatively, or even additionally, the OIDC and U2F protocols can be used in parallel. With this option, OIDC acts as a user’s primary login to a service, but a U2F device is registered on top of this federated login for additional protections that the service itself can check.

Want more details? We’ve put together a whitepaper that compares and contrasts U2F and OIDC, and gives more information on how they could be used together, both today and in the future. This whitepaper is freely available for download under a Creative Commons license.

Justin Richer is a guest blogger. He is a consultant at Bespoke Engineering, a disruptive technologist, and open source and standards advocate.

Yubico Team

We’re Headed to Black Hat

Yubico is going where it has never (officially) been before – this week’s Black Hat conference in Las Vegas. (Although we were once featured in a movie called Blackhat.)

After 18 editions of Black Hat USA, some may consider us late to the party (of course, we were only founded in 2007), but we have some exciting tools to bring into the security conversation. (You can talk with us in Booth 964).

We’ll be showing off our YubiKey lineup designed to strengthen authentication and security with everything from OTPs to OpenPGP. It’s a versatile hardware device that has an amazing range of capabilities.

At Black Hat, the focus is on the YubiKey’s support of the FIDO Alliance’s Universal 2nd Factor (U2F) protocol (Yubico is a co-author), integration with single sign-on software from our partner Ping Identity, support for Near Field Communication (NFC) that brings strong authentication to mobile devices, and added security for Windows login via the YubiKey.

Of course, we’ll have some fun odds-and-ends to make you smile and that you can bring home.

In addition, we’ll have details on the winners in our recent 2015 YubiKing Virtual Hackathon.

Black Hat’s main event runs August 5th and 6th and includes over 100 independently-selected sessions, a business hall, Arsenal (tool/demo “weapons” area), Pwnie Awards (9th annual), and more. Yubico’s booth is open Wednesday from 10 a.m. until 7 p.m., and Thursday from 10 a.m. until 5 p.m.

If you’re at the show, we’d love to walk you through the benefits of the YubiKey, which makes your accounts safe from hackers and data breaches. If you are in Vegas, or live there, we welcome you to come talk to us  about hacks, breaches, authentication, privacy and security.

Stina Ehrensvard

A Milestone for Wireless U2F

The FIDO Universal 2nd Factor (U2F) protocol passed a significant milestone last month, adding new transport protocols that emphatically answer questions about support for mobile devices.

Yubico is a leading contributor to the U2F specs, including the USB transport and the new specs for Bluetooth and Near Field Communication (NFC). We are now excited to see the recently completed Bluetooth and NFC transports published, enabling strong public key authentication to expand across computers, tablets and smartphones.

Despite the rapid growth of mobile devices, the majority of high-security applications will continue to be accessed from computers as long as those devices provide more computing power, user-friendly screens and full-sized keyboards. However, as more users and sophisticated applications move to smartphones and other Internet-connected gadgets, they have become a fast-growing target for hackers and malware. Wireless U2F will help ensure that the mobile device does not become the weakest link in a security system.

To understand the significance of strong authentication coupled with wireless communication via Bluetooth and NFC consider these facts: The Bluetooth Special Interest Group says there are more than eight billion Bluetooth enabled devices in use today and over 10 billion are projected to ship in the next three years. The NFC Forum says there are more than 500 million NFC-enabled devices in the market today. Analyst firm IDC predicts that from 2015 through 2017, that nearly six billion mobile phones will ship. That compares to fewer than one billion PCs in the same timeframe. Add to those numbers Cisco’s prediction of 50 billion Internet of Things devices and objects that will connect to the Internet in five years.

The new NFC spec for U2F has been successfully proven in enterprise deployments, and now all YubiKey NEOs that are running version 3.4 or later of our firmware (introduced in early-February) will work for NFC U2F authentication once relying parties incorporate support. And later this year, Yubico plans to launch a Bluetooth U2F device.

The wireless U2F specs published on June 30 are a major milestone for authentication that is secure, easy and available for everyone.

Yubico Team

Yubico Webinar: Google Talks Security Key, Apps

Google is doubling down on authentication with a strong commitment to FIDO’s Universal Second Factor (U2F) protocol and Yubico’s Security Key as part of an expanding emphasis on security.

The cloud computing giant joined Yubico on a live Webinar to continue a conversation entitled “Google for Work, FIDO U2F, and YubiKeys.” A recording of the webinar is now available for playback online.

Julien Blanchez, marketing lead for Google for Work, outlined where the Security Key fits into Google’s security strategy. He cited three security trends — increased risk, more complex security, and new work environments — as proof that the cloud is the right response for Google to address all three.

“We are not facing teenagers in basements anymore, we are facing armies targeting large organizations and individuals,” he said.

He cited Google’s innovation, size, and agility as top weapons in its arsenal. “Google can see things in a comprehensive way,” he said. Blanchez  tagged authentication as the most important security issue today, saying three-quarters of 2014’s hacks were linked to the theft of login credentials.

Yubico and Google co-invented the U2F protocol. Yubico invented the Yubikey, including the Security Key, and has focused on U2F support. These U2F-based keys can now protect all Google services with two-step verification. Currently Google has a special offer for a 50% discount on Security Keys for Google for Work customers in the US, Canada, and EU. (It should be noted that FIDO U2F Security Key, YubiKey NEO, and YubiKey Edge all support U2F but only Security Key is part of the offer.)

In addition, Google is actively adding Security Key management controls to its cloud services, including Google for Work, Google Apps Unlimited and Google for Education. “In the coming months we will become stronger and stronger advocates for these Security Keys,” Blanchez said.

Yubico continued the discussion with an in-depth look at the YubiKey, its place on the authentication landscape, its range of authentication options, support for U2F, and how its unique one-touch user interface is solving one of cryptography’s major complexity issues.

A live demo shows how to register a YubiKey in the Chrome browser with three brief steps. The benefits are phishing protection, privacy, affordability and the ability to use one key to authenticate to many services.

A glimpse is given of the differences and complementary relationship of the YubiKey and smartphones-as-authenticators. The wrap-up features answers to a range of audience questions from browser-based U2F support to lost YubiKeys.

Yubico’s Kevin Casey, senior solutions engineer, and Sue Heim, information development, host the webinar.

John Fontana

Innovative Projects Topped with YubiKing Crowns

Break out the trumpets. Lower the drawbridge. The YubiKings are here to claim their thrones!

Today, Yubico is announcing the three winners of the months-long YubiKing contest, designed to discover who had mad enough skills to build the most innovative, creative and compelling solution around the YubiKey.

We received and evaluated a pile of fantastic entries. It was hard to cut them to a reasonable number before deciding on the three winning teams, each of which had incorporated a number of Yubico and open source elements into their YubiKing projects.

Congratulations to the leaders and team members of the victorious projects:

Each team will receive a $3,000 prize and special-edition etched “YubiKing” keys. YubiKing Key Blog

And we need to have a well-deserved virtual cheer for all those who took their best ideas and spent time working them into tangible solutions over the past months.

YubiKing Buckell and his team of four added support for YubiKey protocols ­— OTP, OATH and FIDO’s U2F — to the two versions of their MFAStack platform, that include two-factor authentication (2FA) support, IdP capabilities, and standards-based single sign-on. The YubiKey supports two-factor authentication to access the admin console, and a Yubico OTP is also used to approve changes to user settings, such as revoking keys.

But it’s the integration with U2F that gives users private key cryptography capabilities. In essence, it is strong authentication to protect an end-user’s single sign-on account. Buckell’s development team also included Nikola Bursac, Dominik Trupčević, Marko Bencek and Domagoj Paljug.

YubiKing Qvist and his teammate, Michael Bisbjerg, built CSIS Enrollment Station, an application that lets IT departments easily deploy and manage certificates and YubiKeys (PIV support, enrollment, pin reset, revocation) on behalf of Microsoft Windows users. This was not possible previously because the YubiKey does not have native write support with Microsoft’s Base Smart Card Crypto Provider. So the team used Yubico’s PIV tool and a YubiKey PIV library .dll to generate a private key directly on the YubiKey and then generate a Certificate Signing Request. The request is read by their program as PKCS#7 and then packaged in a Certificate Management Message over CMS (CMC). The package is then sent to the Windows Certificate Authority. For good measure, Qvist and his team added the ability to generate a Pin Unlock Code and management keys by interfacing with Yubico HSM’s random number generator.

Not to be outdone, YubiKing Schürmann and his teammate, Vincent Breitmoser, went mobile with OpenKeychain for Android, which provides OpenPGP encryption, decryption and digital signatures to protect messages on an Android smartphone. Schürmann’s team added support for the OpenPGP feature of YubiKey NEO and its Near Field Communication (NFC) option. By separating the key mechanism from the device, OpenKeychain dramatically increases the security of the device. The application integrates with K-9 Mail and Conversations.

Thank you, everyone, for the wonderful submissions and for contributing to a successful contest. Don’t forget to look up Yubico at the Black Hat conference next month in Las Vegas at Booth #964. We can talk a little YubiKing.

See you next year!

John Fontana

Yubico CEO to EU: Open Standards Nurture Trust

Trust has to be a cornerstone in order to protect the online identities of 500 million people doing business across borders, Yubico’s CEO and Founder, Stina Ehrensvard, told an exclusive crowd of 500 EU digital policy makers and industry representatives last week at Digital Assembly 2015 in Riga, Latvia.

She held up a single YubiKey and told the audience how its support of “new open internet security standards can help us to reinforce the trust for our internet. “

A who’s who of invited guests from across the EU were gathered at the request of the Latvian Presidency of the Council of the European Union to attend workshops and hear from six hand-picked inspirational speakers.

The Council of the European Union is an essential decision-making body that works together with the European Parliament to adopt legislation and coordinate EU policies.

The Digital Single Market Strategy for Europe, published by the European Commission early last month, framed the proceedings. The strategy aims to open up digital opportunities for people and business and enhance Europe’s position as a world leader in the digital economy.

Yubico’s Ehrensvard was the first inspirational speaker to take the stage (video below). She led the audience back fifty plus years to the invention of the three-point seat belt by her Swedish countryman Nils Bohlin, highlighting that its success was based on simplicity, unobtrusiveness and one-handed ease-of-use. It went on to become an open, global standard.

Fast-forward to today’s digital world, where she applied the same trio of traits to the YubiKey (although ease of use is accomplished with just one finger). She highlighted the weaknesses of other technologies: smart cards (complex), OTP devices (single purpose) and phones (vulnerable to attack).

She said standards are essential such as the FIDO Alliance’s Universal 2nd Factor (U2F) protocol for strong authentication, which is supported in Yubico’s YubiKey.  This emerging standard provides a way to share an authentication device across multiple services while maintaining respect for privacy, she said.

Her vision of the near future included the ability for anyone to buy a secure online identity based on U2F at a local convenience store from the same rack where the gift cards hang. Banks, governments, email sites, and healthcare organizations are among providers who would honor the secure identity.

She told the audience, “to realize the vision of a digital single market, the cornerstone is that we can trust the Internet.”

See the full talk below.


*Image courtesy of EU2015.LV

John Fontana

Cloud ID Summit Sharpens Focus on Future

One common theme across the talks at last week’s Cloud Identity Summit (CIS) revealed a desire to simplify and unify existing identity and access management technologies and standards to build a pragmatic approach to modern identity.

For years, authentication, authorization, single sign-on (SSO), federation, governance, risk, compliance, standards, etc., etc. have all been pointing toward their own identity-based and secured Nirvana. With each one sporting a unique and clearly articulated picture of a future void of complexity and inadequacies. (Oh, if we could only move to that address yesterday.)

But here’s what I heard last week in San Diego.

More than at any previous time, the intersections of these discrete technologies and standards are now closer, clearer, and capable of a scale that is significant to enterprises and consumers. These intersections are beginning to define the possibilities of a common identity and access management stack that can potentially address a large number of use cases while simplifying the number of edge cases.

Is it around the corner? Nope. Are we in the last mile? Perhaps. Does it have promise? Absolutely.

Let me start from a Yubico perspective, the multi-factor authentication and single sign-on integration unveiled last week between Yubico and Ping Identity highlights advantages when authentication hardware is paired with software-based federation and  SSO. This combination moves security and convenience closer to being on the same side of the ledger.

And there are other pieces arriving at intersections.

Standards such as OAuth, OpenID Connect (OIDC), Security Assertion Markup Language (SAML), System for Cross-Domain Identity Management (SCIM), Fast Identity Online (FIDO), and User Managed Access (UMA) provide a view into managing modern identity users, authentication, applications, and services. Emerging standards for authentication and SSO (to mobile devices and applications) are evolving within FIDO (Bluetooth and NFC support) and the OpenID Foundation (Native Application SSO).

The result could add up to an infrastructure that begins to define security, levels of assurance, and user control across enterprise and consumer services accessed from desktops, laptops, and mobile devices.

Organizations like the Open Identity Exchange and the Kantara Initiative are adding trust models and certifications. The vetting of IAM systems will eventually look at the whole infrastructure and not the piece parts, which should come to the table already validated.

Add to the mix efforts underway in global governments including the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the United Kingdom’s Office of the Cabinet. These programs are already proving out models that incorporate technologies constructed with the building blocks displayed at CIS.

The qualifier, however, is that integration of identity and security on such a scale does not handle weakness well. Mastering these integrations initially won’t be for the faint of heart. Failures could be epic fireballs.

Vendors will have to partner and defer to customer needs rather than push their checkbox implementations of their competitors’ strengths. Standards in many ways will deflect some of that conflict.

Major vendors at CIS lined up and vowed to work together and push the adoption of standards. Alex Simons, director of program management for Active Directory at Microsoft, said he now has 1,000 engineers in the security and identity business, and “we are here to be your partner.” Google’s Eric Sachs, product management director for Identity, said in his keynote, “We’ve blocked almost all password access to our APIs by default. You have to use OAuth.” And Ian Glazer, senior director of Identity at Salesforce, laid down the gauntlet, saying companies that continue to manage user names and passwords are “toxic waste farmers.”

Color this analysis optimistic. Argue over timelines. Wrestle with cynicism. But don’t underestimate progress made over the past years regardless of the amount of hope crushed along the way. There is a better identity and access management model. It’s more attainable perhaps than ever before, and with better pieces that reduce complexity and improve usability.

It’s time to jump on and follow this arc of progress.


Photo credit: Brian Campbell

Jerrod Chong

Hello, SSO. It’s Me, Authentication

There’s a secret that single sign-on (SSO) never talks about. It’s called authentication.

The SSO conversation starts without mentioning the assumption that the user is already logged in. A login that requires a password. Instead, SSO is quickly positioned to triumph over the dangers of weak and reused passwords.

Many times, however, those same suspect passwords are the ones used for the initial authentication into the SSO environment.

Authentication is actually SSO’s most critical gatekeeper for a user’s identity. If the authentication password is stolen, all the user’s identities associated with that federated service are exposed.

Password policies, crazy character composition guidelines, and x-day expiration dates are the techniques enterprises typically use ﹘ with varying degrees of success ﹘ to get users to create passwords deemed strong enough for authentication to the SSO environment.

It’s within this scenario that Yubico has entered into a partnership with Ping Identity, a leader in the SSO and federation ecosystem, to create strong two-factor authentication for those critical and initial logins.

The one-time password (OTP) functionality of the YubiKey is integrated into PingID, a multi-factor authentication engine within the company’s flagship cloud identity service, PingOne.

So even if a user’s password is phished or stolen, a hacker is unable to access the user’s SSO environment without also having the user’s physical YubiKey. In addition, the Yubikey is not vulnerable to man-in-the-middle attacks that plague SMS phone-code solutions.

PingOne users now have the option to add hardware-based, two-factor authentication to secure primary logins to Ping Identity’s cloud SSO environment. There are plans to integrate YubiKeys with other components of Ping Identity’s recently unveiled Identity Defined Platform, which includes PingFederate and PingAccess. Soon privileged accounts in the Ping Identity environment also will be covered under this OTP security blanket, further protecting specific enterprise accounts.

The USB-based YubiKey is one-touch protection for all applications protected by SSO and federation. It’s a hardware authenticator that doesn’t require a battery or the installation of any client software. By design, nothing can be written to the YubiKey, so malware can’t be loaded onto it.

Support for OTP is included on the YubiKey Standard and Nano, YubiKey Edge and Edge-n, and the YubiKey NEO and NEO-n.

In addition, the YubiKey is not a single purpose device. Both the YubiKey Edge and YubiKey NEO offer support for multiple authentication options, including the FIDO Alliance’s U2F protocol. The YubiKey NEO and YubiKey NEO-n have other capabilities such as a PIV-compliant CCID smart card and OpenPGP (for code signing, etc.). The YubiKey NEO also supports NFC for logging on to mobile applications.

John Fontana

Ode to Backup

A few weeks ago, I was in my hotel and reached into my pocket to get my YubiKey. Without it, I can’t log into certain email, CMS or other systems without going through an involved IT administrative process.

The key was gone.

That is an instantaneous bad feeling, wiped away only by the backup key I carry and store in a separate location.

Earlier, at a gathering of identity and authentication geeks, I was one of three Yubico employees walking people through the registration and use of the YubiKey with various apps.

Afterward, I left my computer with colleagues to go have a side conversation for a few minutes. YubiKey in plastic sleeve

Unbeknownst to me, my diligent co-worker was cleaning up and collecting keys that had not been used or handed out. He saw a key inserted into my computer, and thinking it was part of the demonstration, removed it, tucked it back into its plastic sleeve and tossed it in a bag with 50 or so other keys.

(In his defense, he was unaware that I use the plastic package sleeve to protect against inadvertent key taps. What? You throw the sleeve away!)

The next day, my colleague unknowingly handed the key out to a random person who had requested a sample. My key was gone. Never to be seen again.

(I only learned that part of the story after telling him the next day about how I had lost my key but had been saved by a backup.)

So when I discovered in the hotel that my key was missing, my immediate reaction was “where is it?” and I spent a few moments searching for it. But I knew I had my backup YubiKey cleverly concealed in the room.

I retrieved the backup key and got right to work, having full access to my complement of applications and services.

This scenario is the answer to a common question Yubico hears: “What happens if I lose my YubiKey?” If you are prepared, the answer is nothing happens. It’s the same answer for “What if my hard drive crashes?” The real question is how important is my data/security and how do I protect and preserve it.

Given the YubiKey’s design, I didn’t need to worry about my main key in the hands of a stranger. The key has no data about the owner so I was undiscoverable. In addition, I was able to delete my YubiKey registrations from each one of my apps.

On the (very) off chance the stranger with my key located my computer and me; the key was worthless (even without deleting registrations, an attacker would also need my username and password for each app). I was able to pick right up with a new key. The only thing I had to do was establish a new backup key.

I did that after I was done working just to get a taste of what it feels like to live on security’s edge for a few hours. The feeling of having a backup is much more comfortable.

John Fontana

YubiKeys Earn FIDO Certified Label

Interoperability is king and today the FIDO Alliance announced its FIDO Certified program and a list of 31 products that have passed conformance and interoperability testing.

The three YubiKeys that support FIDO’s Universal 2nd Factor (U2F) protocol ­­– NEO, Edge and Security Key – are now certified and part of this important maturation in FIDO’s design.

“FIDO Certified” means that any FIDO U2F product earning that designation will work with any other U2F product that is certified. The same goes for FIDO’s UAF protocol. The two-step testing requires products survive a gauntlet of test tools that examine validation and conformance to FIDO 1.0 specifications. The second phase is interoperability testing among products at an event overseen by FIDO.

Certification brings a level of confidence to FIDO products that are quickly moving into deployment phases among consumers and enterprises alike. The Yubico strategy around U2F centers on having one key that will access many services secured by a proven public key cryptography design. We think certification is a concept fundamental to this goal.

Certification signals that the Alliance is building an ecosystem that not only protects the value Yubico builds into the YubiKey but the investment customers put into FIDO and its range of security products.

This certification program also helps non-FIDO members build products that preserve the pedigree of the FIDO brand, ensuring a plug-and-play environment.

We will update our website and packaging to highlight our FIDO Certified designation. And we will highlight our partners that have followed us down this necessary path and we will encourage enterprises and consumers to always buy FIDO Certified.

Yubico Team

U2F, Google, Yubico Lead Authentication Makeover

The authentication landscape has been altered and evidence of that can be seen among a trio of front runners: FIDO U2F, Google and Yubico.

This week, Yubico laid out the details during a live webinar entitled “FIDO U2F, Google Drive for Work and YubiKey,” that is now available for playback online.

The in-depth discussion starts with the YubiKey, its place on the authentication landscape, its range of authentication options, and how its unique one-touch user interface is solving one of cryptography’s major complexity issues.

From there, the focus hones in on YubiKey’s implementation of the FIDO Alliance’s Universal 2nd Factor protocol, which Yubico helped invent.

A live demo shows how to add a YubiKey to Google Drive for Work using three brief steps for activating U2F’s cryptographic authentication and strengthening Google’s existing username and password login. No codes or phone apps needed.

The themes here are phishing protection, privacy, affordability and the ability to use one key to authenticate to many services.

In addition, Google’s new U2F key management tools for its Drive for Work administrative console are discussed. Now, for the first time with U2F, enterprises have backend management tools, standard clients (Google Chrome) and hardened security devices (Yubikeys).

In addition, listeners are given a behind-the-scenes understanding of key registration and how authentication is secured at a relying party using the U2F protocol.

A glimpse is given of the exploding ecosystem of U2F authenticators, services, chips, enterprise servers, open source options, and mobile apps. Finally, the conclusion examines the differences and complementary relationship of the YubiKey and smartphones-as-authenticators.

The wrap-up features the answers to 15 minutes of questions received from the audience.

Yubico CEO Stina Ehrensvard hosts the Webinar and is joined by two of her colleagues, industry veteran John Haggard, Yubico’s chief business officer, and Jerrod Chong, vice president of solutions engineering.


David Maples

YubiKey NEO OpenPGP Security Bug

Yubico recently learned of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. If you are not using OpenPGP, or have the OpenPGP applet version 1.0.10 or later, this vulnerability does not apply to you.

The OpenPGP Card applet defect was inherited from the open-source software project “javacardopenpgp.” The technical details are available in a security advisory posted on our website. This issue only affects the OpenPGP applet and does not impact the security of the YubiKey or its other functions.

While we continue to believe that the practical impact for the majority of users is not critical, Yubico aspires to exceed expectations related to security incident handling. Therefore, we have developed a policy on replacing affected YubiKey NEOs.

Note that moving usage of an OpenPGP key to a new YubiKey NEO requires that you have saved a backup copy of the private key on the card as there is no way to retrieve the private key from any YubiKey, including the YubiKey NEO. If you did not save a backup copy of the private key when you initially generated the key, you will need to revoke the existing key and create a new key. Therefore, we urge you to consider whether you are truly affected by the security issue before proceeding.

If you are using the YubiKey NEO with the OpenPGP Card applet and want to replace your YubiKey, go to yubi.co/support to log a support ticket. Include the output from ‘gpg –card-status’ on your YubiKey NEO (masking out personal information) together with your order number in the ticket you submit. We will give you a coupon code so you can order a replacement YubiKey NEO.

3 x 1 Image
Yubico Team

Google Tools Boost Value of YubiKeys, FIDO U2F

Deploying enterprise software or services that lack a management console is comparable to jumping out of a plane without a parachute. It’s just not done without damaging consequences.

Today, Google delivered a parachute to all high-flying enterprises seeking managed two-factor authentication for their Google Drive for Work deployments. The company updated the Drive for Work Admin console to include tools for managing Yubico’s U2F-compliant keys, which are essential to Google’s two-step verification (2SV) security protection.

Compatible Yubico keys — U2F Security Key, YubiKey NEO or YubiKey Edgegive end-users strong authentication while Google’s Admin console provides administrators the tools for deploying, monitoring and managing, at scale, keys based on the FIDO Alliance’s Universal 2nd Factor (U2F) protocol. YubiKeys support the U2F protocol that Yubico co-created and that works with Gmail and other U2F compatible services.

This milestone tracks on Yubico’s vision for U2F and a world where one key can authenticate to many services. And it signals a powerful evolution of the enterprise value in Yubico’s lineup of FIDO-compliant keys, and the emerging scalable, open authentication FIDO standard. Enterprises and organizations now have a richer package including the backend management infrastructure, a universal client (Chrome), and a hardened security device in U2F-compliant keys.

A Yubico U2F authenticator is easily enrolled by the end-user, who inserts it into a USB port and touches the button when prompted (see video below).The U2F protocol uses public key cryptography and is specifically designed to protect against man-in-the-middle and phishing attacks and preserve privacy. In addition, YubiKeys are resistant to malware because nothing can be written to them, and their secrets are protected by a secure element.

Coupled with Google Drive for Work, which offers data storage and collaboration tools, YubiKeys shut out hackers, phishers, and other virtual ne’er-do-wells. Even with your username and password, the bad guys can’t get into your account without also having stolen your physical YubiKey.

With this model, end-users, partners and contractors can bring their own security device and control their identity while the enterprise can control access not by assigning passwords, but by activating or deactivating U2F-compliant keys — without ever needing to collect and store the end-user’s secrets.

Security for Google Drive for Work has been defined by username and password. And previous 2SV options all required the addition of unmanaged codes delivered via SMS, mobile apps or printouts, which have their own vulnerabilities to man-in-the-middle attacks and increase friction for end-user adoption.

Google’s 2SV management tools come to Drive for Work without the need to install any additional software because the tools are embedded in the existing Admin console.

With new administrative features for YubiKeys, organizations now have the management piece they need to implement and control 2SV rollouts. This relegates passwords to nothing more than an identifier, thus eliminating it as a form of account protection. (Expel your sigh of relief here).

For enterprises, this is the strong authentication parachute they should be demanding.

John Fontana

An Edge over the Bad Guys

The one thing end-users don’t seem to have over hackers these days is an edge.

Yubico is changing that.

Today, we introduce a new key we’ve dubbed the YubiKey Edge. The goal is a cost-effective key with a collection of second-factor authentication options that guard against attacks on your accounts either via malware, phishing and other techniques. YubiKey Edge also includes an option to create a strong static password for use with apps and services that require a login but do not support one-time passwords.

YubiKey Edge, which comes in both the Standard and Nano format, includes the one-time password (OTP) features that are the foundation of YubiKeys, including Yubico OTP, OATH, and Challenge-Response. The OTP provides a secure 128-bit AES encrypted single-use password. The features work with apps such as Salesforce and LastPass.

In addition, we’ve added support for the FIDO Alliance’s Universal 2nd Factor (U2F) protocol, which provides easy-to-use public key cryptography.

YubiKey Edge shows itself as a USB keyboard when used in an OTP mode. There are two configuration “slots” on the key that are active at one time, which in essence turns the key into two keys in one. (A longer touch to the key activates the configuration in the second slot.)

For example, Slot 1 could be configured to provide a complex static password that replaces your traditional password. In Slot 1, the static password is activated with a quick touch to the key. Slot 2 could be configured with a second-factor OTP activated with a longer, multi-second touch of the key.

This configuration is easily achieved with a personalization tool available free from Yubico.

The static password can be used to replace your current password (just change your password using the “change password” feature of your app or service and when needed the Yubikey will enter the password you have configured).

This is only one example, the slots on the Yubikey can be a combination of any of the OTP or static password options.

On the U2F side, the key presents itself as an HID (Human Interface Device), similar to mice, game controllers and display devices that plug into USB ports. U2F works via the browser, with Google Chrome offering initial support and Mozilla’s Firefox under development. Gmail and other applications such as WordPress are supported, and additional U2F-compliant apps and services are in the queue for release by various vendors in the coming months.

U2F does not require any client software or drivers, and is available on every version of Yubikey except the YubiKey Standard and YubiKey Nano.

As part of the YubiKey Edge introduction, Yubico has released a new version of its NEO Manager that supports YubiKey Edge.

John Fontana

YubiKey, YubiHSM: Secret Weapons to Guard Secrets

U.S. intelligence officials in 2013 said they planned to significantly reduce the number of individuals within their network with system administrator privileges. Those privileges gave administrators rights to view and move around any document.

“U.S. intelligence has invited so many people into the secret realm,” an official told NBC News, that it left the organization overly exposed to threats of compromise.

The question is how many people need to know a secret before it isn’t a secret anymore?

Yubico hears from many organizations and enterprises asking this very question. The idea is they want to tightly manage and shrink the circumference of their security circles. Smaller is safer (not foolproof) and easier to control and monitor.

Enterprises with high-assurance needs often look to eliminate third-party contractors from their security efforts, drastically reduce or eliminate reliance on identity service providers, and produce and protect their own secret keys. And where possible, reduce the number of internal privileged access accounts.

To help achieve these high-assurance goals, Yubico today released YubiHSM 1.5. It sits elegantly inside the USB-port of a standard server to secure encryption secrets and passwords from both remote and physical attacks. And high-assurance is why we helped create the FIDO Alliance’s Universal Second Factor protocol and why we built our U2F Security Key. Together, the keys are a one-two security punch for client machines and servers.

The original YubiHSM (Hardware Security Module) was developed by Yubico engineers five years ago to protect the company’s own hosted servers, including the YubiCloud. Yubico needed to protect YubiKey authentication secrets stored on multiple servers across three continents and  found the HSMs available on the market too complex and costly for its needs. As customers heard what Yubico was doing, they requested access to the product. Today, the YubiHSM is deployed by hundreds of companies around the world, including leading cloud companies, financial services and U.S Department of Defense contractors.

YubiHSM can store Yubico OTP secrets for validating one-time passcodes, and it offers encryption choices including HMAC-SHA1 hashing of a variable length input, symmetric encryption using AES ECB, and cryptographically secure random number generation.

While the main functions of YubiHSM 1.5 are symmetric key operations, Yubico is looking to extend capabilities in the future to address asymmetric key operations.

The YubiHSM follows the same “Trust-No-One” approach like all of Yubico’s inventions and co-creations, including the YubiKey and the FIDO U2F Security Key. This allows Yubico customers to control their own authentication servers and secrets. These capabilities are a hallmark for Yubico’s suite of Yubikey functions including one-time passwords, smartcard capabilities, and data encryption capabilities.

On the device side, FIDO U2F Security Key gives enterprises high-security public-key cryptography and privacy without having to widen their security circles: No third-party service providers or certificate authorities are required. For the Yubico OTP, customers are allowed to load their own secrets and easily reprogram any YubiKey they buy without the need for special hardware or need to contact Yubico. In addition, all protocols implemented on our keys are open source. What this means is that enterprises can have strong authentication literally without having to trust anyone outside their organization, including Yubico.

All these features are foundational to Yubico’s philosophy. A secure identity that enterprises, organizations and individuals can own and control.  And these features are how Yubico helps customers shrink security circles, even down to a single person who can use a YubiKey to protect their anonymity.


Dain Nilsson

Memoirs of a YubiKing

While I’ve been an employee with Yubico for a little more than two years now, my history with the company dates back a bit further. And the YubiKing contest we announced today to discover the next innovative use of the YubiKey transports me back to that time. Before I was an employee, I was a winner in the initial YubiKing contest.

The first time I heard of the YubiKey was on an episode of the Security Now podcast back in 2008. An enthusiastic Stina Ehrensvard (CEO and founder of Yubico) was being interviewed, and the details of how the YubiKey worked were being explained down to a very technical level. I remember later trying to explain how it worked to my then girlfriend (now wife), who didn’t quite share my excitement for the device. Nonetheless, I was smitten.

YubiKing is your opportunity to create the next innovative use for a YubiKey. Enter your project in the YubiKing Virtual Hackathon today to become eligible to win great prizes!

A while afterward, the first YubiKing competition was announced in a follow-up episode. This was the perfect excuse for me to get a YubiKey and play around with it. The rules were pretty simple: Create something that uses the YubiKey and submit it to the competition. I had what I considered a pretty neat idea for a hack, but with several companies entering the competition I saw little hope of actually winning. Still, the promise of a YubiKey for entrants was there. I had no excuse not to give it a shot.

At the time, very few web sites offered two-factor authentication. We’ve come a long way since then (with an even longer way to go, still), but I had an idea to immediately start using a YubiKey with more sites. My solution was a very basic password manager of sorts, which used Yubico OTPs for authentication.

It worked like this: You would store passwords for different sites, and the YubiKey would protect access to your passwords. A small browser plugin would then hook into password fields on third-party sites, detecting if an OTP was entered instead of a password. When it saw an OTP, it would query the server for your password and seamlessly replace the OTP with your actual password before submitting the field and logging you in. Boom, instant YubiKey support for any site!

My submission lacked polish and was mostly thrown together over the course of a weekend. But it worked, and the idea was novel enough that it earned me one of the coveted YubiKing titles awarded that year. This contest began my relationship with Yubico and eventually led me to a new job working with the technologies I’m passionate about.

Now we’re running another YubiKing contest, and I’m very excited to see what kind of new innovations will pop up this time around.

John Fontana

Yubikey and the Emerging Wireless World

Wireless has become the de-facto connecting point for consumers today and even among enterprises, where employees expect to leave behind desktop Ethernet connections for wireless connectivity in board rooms, conference rooms and common areas.

Apple makes this point emphatically with its new MacBook where the message is everything should be done without wires via technology such as Wi-Fi, Bluetooth, AirDrop, etc. Only a charging port is left and a set of adapters for those with cord-cutting anxiety.

And strong authentication is moving in the same direction so as to avoid being limited to a hard-wired port to accommodate its security benefits.

As the driving contributor to the FIDO 1.0 U2F USB-specifications, our Yubico engineers are now deeply involved in developing extensions for U2F that support Bluetooth and NFC.

Today, our NFC-enabled YubiKey NEO works with Android devices, and eventually Apple products when the company opens its NFC implementation to developers. (See some ideas on using NEO without a USB port).

Both the Bluetooth and NFC authenticators perform in a similar way as today’s USB-based YubiKeys, but do it without plugging anything into a port. The NFC YubiKey is simply tapped to an NFC-enabled device. A Bluetooth version will hang on your key-chain or sit in your pocket and you touch it for generating authentications that are completed wirelessly. The addressable market for these wireless options includes smart phones, tablets, devices, and yes, future laptops that may be pruning ports.

Though wireless come with great benefits, such as eliminating messy and unsightly cables, physical connectors do have many other benefits. The USB YubiKey will always be fastest and easiest to use with the millions of current and future computers equipped with classic USB-ports. And Yubico will judge the viability of a USB-c YubiKey if and when the market demands one.

Photo ©Jeroen van Oostrom/FreeDigitalPhotos.net

John Salter

My Work Day Reflects YubiKey’s Flexibility

I work as a developer at Yubico. Like a lot of developers these days I’m empowered to not only develop software, but to publish it and configure the servers it runs on. This means that I have access to many systems, to which I authenticate using different keys.

The Key to Henrik’s Day
YubiKey NEO Feature Authentication uses
OTP Salesforce, Yubico Forums, WordPress
U2F Gmail
PGP Signing code changes
SSH (via PGP) Servers
NFC (+ OTP) Unlocking office door
NFC (+TOTP) Facebook, GitHub
Mifare Classic ID (+ code) Unlocking door to office building

I store these keys on my YubiKey NEO, from which they can never leave, and let it do all authentication and signing. This means I am assured no one accesses systems in my name, even if they’ve stolen my laptop or have my passwords.

To make this more concrete, I have documented a regular workday.


Entering the office building

The office building doors are unlocked using plastic fobs. Fobs are identified using their ID (Mifare Classic UID). Since my YubiKey NEO supports Mifare, I use it instead.

The office

A few minutes later I swipe my NEO again to unlock the door to the Yubico Stockholm office. This lock (sold by KEYnTO) is more secure since it uses YubiKey One-Time Passwords.

Reading e-mail

Yubico, like many other companies, uses Google for e-mail, calendar and documents. Google encourages you to use a Security Key (U2F device) to protect your account.


Google’ s U2F Second-Factor Verification

Needless to say (since Yubico is a driving force behind U2F), I use my YubiKey for this as well.

Checking the forum

Yubico’s forum runs PhpBB and uses YubiKey One-Time Passwords as a second factor for authentication.


Checking Facebook during lunch

I’ve configured Facebook to “keep me logged in” on trusted devices. But when I login to Facebook (and Dropbox, GitHub, etc.) from untrusted devices, I’m asked to enter a 6 digit time-based code. To get the code, I just tap my NEO to my phone (the code is transferred using NFC). This has a couple of advantages:

  • The secrets used to generate the codes never leaves my YubiKey, so I don’t have to worry about phone malware or securely wiping the phone when selling it.
  • I’m not tied to a single phone. I can even use a friends phone if mine is out of battery.

Pushing code to Gitssh

Today, I’m working on our developer portal, developers.yubico.com. After a few hours of coding, I’ve got something that I’m ready to publish. I type “git push” in the terminal, enter my YubiKey’s PIN and let it authenticate me to GitHub. My private SSH key never leaves the YubiKey.

Connecting to a server via SSH

My new code isn’t working as expected, so I SSH into the web server hosting developers.yubico.com to have a look in the logs. Once again, my YubiKey does the authentication.

Signing released software

I spent the afternoon adding some features to our U2F library for Java. In order to publish the release, I have to sign the artifacts using OpenPGP. Luckily, the build system (Maven) has a plugin for this. All I have to do is to type “mvn deploy -P release” and the YubiKey will sign the files using my PGP key.

Things I didn’t do today

I use my YubiKey for even more things. Here are some of the things that I didn’t do today:

  • Logging into Yubico’s website that’s running WordPress, using FIDO U2F.
  • Logging into Yubico’s Salesforce instance, using a YubiKey One-Time Password.


Alessio Di Mauro

The Big Debate, 2048 vs. 4096, Yubico’s Position

In Part 2, we got a better understanding of what an algorithm like RSA does and what the length of a key entails.

Now, in Part 3, we can talk about the elephant in the room. Are 2048-bit keys useless? And are your documents completely insecure if you are using them? What are the pros and cons of one key length versus the other?crypto bug

As I showed in my last installment, RSA-2048 still has fifteen years of life left before it is considered obsolete. Plenty of time not to be worried now. Just imagine where technology was fifteen years ago!

While it is true that a longer key provides better security, we have shown that by doubling the length of the key from 2048 to 4096, the increase in bits of security is only 18, a mere 16%. Moreover, besides requiring more storage, longer keys also translate into increased CPU usage and higher power consumption.

While this might not seem much on a modern computer where we measure things in the order of gigabytes and hundreds of watts, it is still a valid concern for the ever-increasing low-power embedded devices where CPU frequency is measured in kilohertz and power consumption in milliwatts and microwatts.

In these cases using a longer key means longer time to compute the result and shorter battery life on devices.

The real advantage of using a 4096-bit key nowadays is future proofing, but even that is not so strong an argument. By the time that RSA 2048 is declared dead, hopefully Elliptic Curve Cryptography (ECC) will have taken over, or even better, new and wonderful encryption algorithms will have been discovered.

What about ECC

So what about Elliptic Curve Cryptography? These encryption schemes are an alternative to RSA and are based on a completely different mathematical problem. Apart from that, however, they are just normal asymmetric encryption algorithms.

On the other hand, when it comes to speed and memory, ECC considerably outperforms RSA (with the notable exception of signature verification, where RSA is faster), even on embedded system and smaller microcontrollers.

Key lengths for these kinds of algorithms are considerably smaller. According to NIST, 112 and 128 bits of security, (equivalent to RSA-2048 and RSA-4096) correspond to 255-bit and 383-bit long ECC keys (worst case, even less on some specific curves).

So why are we not using this everywhere? Although the math behind them has been known for a while, ECC is a relatively new concept in cryptography, an inherently slow-changing and conservative field.

New implementations and new “fast reduction” curves that make computation significantly quicker are still under study and it takes time. As if that was not enough, some curves and implementations are behind patent walls.

Support for these kinds of encryption algorithms in OpenPGP has been proposed, and the first implementations are slowly starting to appear. Implementing cryptography, however, is an error-prone procedure and a fine art in and of itself.

Blindly implementing an algorithm is usually not enough to plug all the potential security holes, and be impervious to side-channel attacks and the like.

It is clear that once the issues are resolved and more implementations start coming around, ECC is the way forward.

Where does Yubico stand

Both the NEO and the NEO-n implement OpenPGP and support RSA up to 2048 bits. This is not a constraint from Yubico, but rather a hardware limitation of the NXP A700x chip used within the YubiKeys.

While the chip also supports ECC, it cannot be easily implemented without using some proprietary extensions, making it troublesome to comply with the license used by OpenPGP (GNU GPL). Moreover, as stated before, implementing crypto is a difficult process and although we have an initial version available on github, this still requires more thorough testing before it is considered production-ready.

A best practice is to determine how long you plan to use a specific key and then select a key length based on that decision. Everyday smartcards are fine at 2048 bits because they get changed out at regular intervals and will naturally migrate to longer key lengths over time. Long-term keys, like your master OpenPGP key that isn’t on a smartcard or used everyday, could be viable for the next 30 years if you pick longer key lengths today.

All in all, we believe that the security of the asymmetric cryptography provided by the YubiKey NEO and NEO-n is adequate for the time being. However, we are constantly working to keep ourselves ahead of the curve (no pun intended) and we will make sure to provide new solutions when the time (and the technology) is right.

Part 1: Does Key Size Really Matter in Cryptography?
Part 2: Comparing Asymmetric Encryption Algorithms

Alessio Di Mauro

Comparing Asymmetric Encryption Algorithms

In Part 1 of our crypto blog, I briefly introduced the concept of asymmetric encryption algorithms and the general rule that the longer the key the better. Let’s take a deeper look at that logic here in Part 2.

There are many asymmetric encryption algorithms, but lets focus on RSA, which is one of the most popular and is supported by YubiKey NEO and NEO-n. What is a suitable key length to use with RSA and why not just use the longest key possible?crypto bug

RSA was first introduced in the ‘70s but since it is based on a mathematically hard problem as discussed in Part 1, we are still able to use it with some adaptations.

Historically, a common starting point for a key length has been 1024 bits. Despite the fact that attacks on this key length are very sophisticated and targeted to specific platforms, 1024-bit keys are generally considered not secure enough and their use is highly discouraged.

In 2012, the National Institute of Standards and Technology (NIST), a U.S. agency that promotes technological advancements, published this document, which contains the following table (Table 4 on page 67).

Security Strength 2011 – 2013 2014 – 2030 2031 – beyond
80 Applying Deprecated Disallowed
Processing Legacy use
112 Applying Acceptable Acceptable Disallowed
Processing Legacy use
128 Applying/ Processing Acceptable Acceptable Acceptable
192 Acceptable Acceptable Acceptable
256 Acceptable Acceptable Acceptable

The column “Security Strength”, or more colloquially “Bits of Security” is an estimation of the amount of work required to defeat a cryptographic algorithm, and therefore the higher the value, the better.

The keywords “Applying” and “Processing” refer to encryption and decryption operations respectively.

A Security Strength of 80 bits is currently “Disallowed” which translates to “an algorithm or key length [that] shall not be used for applying cryptographic protection.” Now, if you were guessing that 80 bits of security are approximately equivalent to RSA-1024, you have guessed right. This is mentioned in the same NIST document (Table 2, page 64).

Similar results can also be found in a yearly report (Tables 7.2 and 7.3 on page 30) from ECRYPT II, the second incarnation of ECRYPT, the European Network of Excellence in Cryptography. For clarity, in the following text we will use the data from the NIST publication.

The next relevant value in the table is 112 bits of security, which roughly corresponds to RSA with a key length of 2048 bits. At the moment this value is considered “Acceptable,” which means that it is not known to be insecure and it is deemed to be so until 2030.

Now comes the interesting bit. Although there is no requirement to use RSA keys with a length that is a power of two, depending on the implementation there might be some advantages in terms of speed.

For this reason we take into account a length of 4096. Unfortunately, this value is not on the table above. However, with a bit of exponential regression and assuming that the “Security Strength” function is continuous (or better, derivable) between the data points provided in the table above, we get the following plot:

As you can see, a 4096-bit RSA key clocks in at around 129 bits of security.

This value is marginally better than a key length of 3072 bits, and considered acceptable beyond year 2030. (Also see this key length calculator).


Part 1: Does Key Size Really Matter in Cryptography?
Part 3: The big debate, 2048 vs 4096, Yubico’s stand



Alessio Di Mauro

Does Key Size Really Matter in Cryptography?

One of the most interesting and useful aspects of the YubiKey NEO and NEO-n is that they can act as a smart card and come pre-loaded with a bunch of interesting applications, such as an implementation of OpenPGP Card.

Many end-users like this functionality, but some question the key lengths. It’s an expected cryptographic question and is worth examining in some detail. I will walk you through it with a series of three blogs I will publish this week. Today is the first installment.crypto bug

OpenPGP is a standard that allows users to encrypt, decrypt, sign and authenticate data. It is an open standardized variant of PGP, available as a FOSS implementation in the form GNU Privacy Guard (GPG) and is most notably used for email encryption and authentication. Independent of the actual implementation, OpenPGP (and PGP) supports both symmetric and asymmetric cryptography. Today we will focus on the latter.

Simplified cryptography primer

To better understand what follows, a few very basic concepts of cryptography are required. In asymmetric or public-key encryption there are two main players: the encryption algorithm itself (RSA, ECC, ElGamal, …) and a cryptographic key pair. (There are also encryption/signature schemes such as PKCS#1, ECDSA and ECDH, but that is another discussion).

Each encryption algorithm is based on a computationally-hard problem. The mathematical transformation constitutes the operation that the encryption scheme can perform,  encrypt/decrypt, whereas the keys provide the additional data. A similar statement can be made for signature algorithms where the operations are sign/ verify.

The two keys of a same key pair are strongly interconnected, this is a fundamental property of asymmetric cryptography. The keys must be used together to achieve different properties such as confidentiality, authenticity and integrity.

Confidentiality is a guarantee the message is received only by the intended recipients. Authenticity guarantees the identity of the author, and integrity confirms both confidentiality and authenticity by ensuring that a message has not been modified in transit. (Click here for a brief introduction to cryptography)

On to PGP

All this can be achieved if, and only if, the secret key of a user remains uncompromised. However, not all keys are created equal.

In computer security, the length of a cryptographic key is defined by its length measured in number of bits, rather than being connected to the number and shape of its ridges and notches like in a physical key (say for your car). Provided that an encryption algorithm actually supports different key lengths, the general rule is that the longer the key, the better.

In the next installment, we’ll look at suitable key lengths and how they compare. In a third installment, we will take on the 2048 vs 4096 key length debate then examine chip-based characteristics that define today’s YubiKey cryptography. And then wrap-up by looking at what Yubico has in the lab and how we plan to move forward. See you tomorrow.

Part 2: Comparing Asymmetric Encryption Algorithms
Part 3: The big debate, 2048 vs. 4096, Yubico’s stand

Alessio Di Mauro

A Crash Course in Cryptography

To better understand asymmetric cryptography, you need knowledge of some basic concepts.

For those that are not familiar with public-key cryptography, I will provide here a brief, stripped-down introduction to the topic.

In asymmetric or public-key encryption there are two main players: the encryption algorithm itself (RSA, ECC, ElGamal, …) and a cryptographic key pair (there are also encryption/signature schemes such as PKCS#1, ECDSA and ECDH, but that is another discussion). The former is something that is (or should be…) publicly available. It tells us what are the steps to follow in order to encrypt and decrypt messages. crypto bug

A public/private key pair on the other hand is part of the input to the encryption algorithm and provides two things: the information necessary to uniquely identify a user (public key), and a connected secret required to make the scheme secure (private key).

How does this work all together? Each encryption algorithm is normally based on a computationally hard problem. That is, some kind of mathematical operation that can be performed and inverted relatively easily provided that some information is available. The mathematical transformation constitutes the operation that the encryption scheme can perform, encrypt/decrypt, whereas the keys provide the additional data.

The two keys of a same key pair are strongly interconnected. If the public key is used as part of a message transformation, only the private key can be used to invert it and obtain the same data back. This is a fundamental property of asymmetric cryptography and, depending on how the transformations are applied, and as long as the private key remains so, it allows us to achieve different properties such as confidentiality, authenticity and integrity.

Confidentiality is the guarantee a message will only be received (in a meaningful state) by its intended recipients. This is achieved by encrypting the message with the public key of the recipient, so that only she will be able to decrypt it with her private key.

Authenticity, on the other hand, guarantees the identity of the author and can be achieved by signing a message with the private key of the author and verifying it with his public key.

Finally, integrity is a somewhat orthogonal property, necessary for both confidentiality and authenticity to be upheld. It can guarantee that a message has reached a recipient (intended or not) unmodified. A typical way of providing integrity is through message authentication codes (MACs).

See Part 1 of our 3-part blog series on cryptographic key length, and Yubikey NEO/NEO-n.


Stina Ehrensvard

Yubico Meets President Obama

Last Friday I biked to Stanford to discuss online identity protection with the President of the United States.

President Obama is a man passionate about the Internet and dedicated to helping secure it. After our short one-on-one conversation about Yubico solutions, he took the stage at the Stanford Memorial Auditorium. In front of him he had CEOs and CISOs from the leading companies in the financial and tech industries, who were also invited as speakers during the day-long White House Cybersecurity Summit.

In an afternoon session with a group of tech CISOs, the highlight was FIDO and second-factor authentication, and implementations that work today to secure online identities. And when one of the CISOs held up a small USB-key in his hand someone from the audience called out; “That’s a YubiKey!”

In a panel entitled “Authentication Beyond Passwords”, I was one of three speakers advocating for open standards, including representatives from FIDO and NSTIC (National Strategy for Trusted Identities in Cyberspace). We agreed that the world does not need to wait; there are real-world deployments for open, secure, easy-to-use, affordable, and high-privacy online identity protection.

It was a beautiful, warm and sunny afternoon when I headed back home to Palo Alto; a 15 minute bike ride from the Stanford campus. I chose to live here for the same reasons the White House chose to host the event here; to work closely with the Internet thought leaders to solve real problems that cannot be solved alone by governments or tech giants.

While such cooperation is needed to achieve identity protections, Yubico is not blind to the current debate around government surveillance and the very public boycott of Obama’s Summit by some tech giants.

Since the NSA breach, leading tech companies are building encryption into their products that they themselves cannot break into. This effort eliminates the ability to disclose customer information even if ordered by a court. Both the British and the U.S. government have tried to stop this. The New York Times summarizes the issue well.

At Yubico, we are committed to help Internet citizens take control over their online identities. We believe that your secure online identity should not be owned or controlled by tech giants, governments, banks – or by Yubico. We believe in an open and secure Internet where users can have multiple identities, even anonymous, and hide information if they need to and want to, a topic I highlighted in my previous blog on global dissidents using YubiKeys: https://www.yubico.com/2014/11/fido-u2f-designed-protect-privacy/

See Obama’s opening remarks from the Summit (video):

Ronnie Manning

We Love Third-Party Validation!

It’s always rewarding when you see third-party validation of your company’s product, and that is why today started off so well.

In separate articles published today, Yubico’s YubiKey was highlighted for its tight security and ease of use by authors Don Sambandaraksa at TelecomAsia.net, which is aimed at the telecom market, and Greg Harvey, co-founder and director at Code Enigma, which offers secure Linux hosting.

Both articles not only speak to the crypto power of the YubiKey, but its flexibility in terms of strong authentication options (including eating the key, really! but please don’t try this at home!) and Yubico’s commitment to open source software and the possibilities it provides.

Sambandaraksa’s article focuses on YubiKey’s OpenPGP support, how a private key is protected and YubiKey’s ability to solve “the usability / security trade-off that has hampered widespread PGP adoption on mobile devices.”

Harvey focuses on YubiKey’s one-time password capability to help protect access to production servers at Code Enigma, including how it is hack-proof, how the key can be certified, and the use of open-source YubiCloud software. Harvey also includes a great tutorial video: Using YubiKeys to secure Debian Linux.

Want to know who else has covered Yubico and YubiKeys lately? see our In the News section.

(image courtesy of Code Enigma

Stina Ehrensvard

The Key and the Princess

After Silicon Valley, Sweden is considered one of the world’s more interesting tech innovation hubs, giving birth to global brands such as Skype, MySQL, Spotify, King – and the rising Yubico!

The growing and fruitful cross-pollinization between Silicon Valley and Sweden is the reason Victoria, Crown Princess of Sweden, and her husband, Prince Daniel, this week visited the Bay Area (pictured above left in photo with Yubico CEO Stina Ehrensvard, center, and Chief Business Officer John Haggard, right).

I had the honor of meeting the Royal couple during a private event at the Computer History Museum, and participating on a panel of Nordic tech-entrepreneurs that shared stories of building successful companies in this magic place in the world.

“Nowadays every road leads to the Bay Area,” Barbro Osher, the Honorary Consul General of Sweden, said during the event. “They felt they’ve been here before, but they haven’t been down to the Valley and it was time to learn about the innovations.”

Princess Victoria, heir apparent of King Carl XVI Gustaf, is a cool, authentic and modern woman asking intelligent questions.
Educated at Yale, she married a successful entrepreneur and gym owner who at the time was also her personal trainer.

In case the Princess by chance finds this blog, I hope you continue to encourage entrepreneurship and to be yourself; a shining representative for Sweden. Meanwhile, my team at Yubico will do its best to help protect people across any country border, driving new open security standards for all Internet citizens.

John Fontana

YubiKey’s Hollywood Cameo Trips up Bad Guys

The YubiKey made it into Hollywood’s spotlight last weekend, taking on a plot-turning cameo appearance in the movie Blackhat. (Cue the suspenseful music).

When it was all said and done, the YubiKey showed some of the power of two-factor authentication – not in terms of fingering (pun intended) the suspect, but narrowing the field of potential culprits to whomever had physical access and touched the key.

In a cinematic trick, the YubiKey took the role of a biometric device, something it is not in real life.

Blackhat’s plot involves the pursuit of a hacker who has attacked a Hong Kong nuclear plant, causing an explosion. He then moves on to Chicago’s Mercantile Trade Exchange, causing pricing chaos.

The Hollywood twists and turns include little you’d find in a server room or the day-in-the-life of a developer including a bad boy convict, international security teams, globe hopping, car chases, hand guns, heavy artillery, grief, triumph and romance. Ok, maybe heavy (video game) artillery.

As the search for the perpetrator begins, it is quickly narrowed down by a hot lead provided indirectly by the YubiKey.  The key allows the good guys to ascertain the sophisticated hack began as an inside job, since whomever infiltrated the systems had to have touched the key to access sensitive data.

Ah, the power of touch. At least the film got that right.

The touch of YubiKey’s capacitive sensor is a key feature, proving physical user presence – something a hacker or a Trojan can’t do over the network.

Other hacker movies may want to consider the YubiKey in any number of other whitehat roles.

In real life, YubiKeys are used for physical access to offices, logging into servers, or accessing Gmail or Salesforce or GitHub, or WordPress or many other apps. Options include Mifare Classic, OTP, TOTP, U2F, NFC, Windows login/RDP with PIV, and SSH via PGP.

Now there’s a blockbuster lineup of good actors.

Perhaps we need a sequel. (Actually, while the cybersecurity scenes were fairly realistic and believable, Blackhat overall isn’t up to a sequel).

Here’s a look at the YubiKey’s cameo – don’t blink at 00:43 seconds.

John Fontana

FIDO U2F Ecosystem Coming Alive

Update: New entries added to Enterprise Software list; new section, Governments, added; April 13, 2016

FIDO U2F (Universal 2nd Factor) is, as the name implies, a universal protocol that supports a wide range of modalities and use cases. Many people forget this fact given the current popularity of the USB form factor. But evidence is mounting including biometric, software,  server-side implementations and adoption by relying parties that shows U2F has valuable versatility.

Yubico, as a leading contributor to the U2F specification, has always envisioned that U2F would cover a wide-range of authenticators each taking advantage of the open protocol.

It’s with great excitement we now see this vision becoming a reality. After the public release of the U2F technical specification in early Dec. 2014, we see almost daily reports about new U2F authenticators, clients and servers, including those listed below. There are now dozens of FIDO Certified U2F products available in the market.

And remember, each U2F device is indeed “universal” and works across all implementations while preserving privacy for users and integrity for web application owners. The value of U2F is that a single authenticator works with all U2F-enabled services. We also posted a blog that walks through a side-by-side examination of U2F and one-time passwords (OTP).

Here are some of the ways U2F is growing:

  • Biometrics
    The myris handheld USB biometric iris scanner by Eyelock, which was named a 2015 CES Innovations Awards Honoree, is paving the way for U2F powered biometrics such as fingerprints, voice and facial recognition. Biometric scans prove presence and validate the user without the data ever leaving the device. U2F powers the public key cryptography authentication. Sonavation has released a biometric IDKey, which uses a fingerprint scan and supports U2F.
  • Mobile Apps and Clients (formerly phone-based software implementations)
    Entersekt and Bluink offer mobile software solutions where the phone acts as the U2F authenticator. Google and Android are adding mobile clients. At the 2016 Computer Electronics Show, Yubico demonstrated a software-based U2F mobile client.
  • Chip providers
    Leading chip providers have stepped in, including NXP, Infineon and ST-Microelectronics, offering device manufactures U2F reference designs. ARM, a FIDO board member, supports FIDO in its ARM TrustZone technology-based Trusted Execution Environment.
  • USB devices
    Yubico was the first to offer U2F powered USB authentication keys. YubiKeys are available in different form factors and features, they are available on Amazon, and were named among the top 10 product to watch at CES. NeoWave (France), Happlink (France) and  HyperSecu (Canada) have all introduced U2F devices.
  • NFC & Bluetooth devices
    On June 30, 2015, the FIDO Alliance released extensions to the U2F protocol to support both Bluetooth and Near Field Communication (NFC) transport over U2F.  The YubiKey NEO has earned a FIDO Certified designation for its support of U2F over NFC. Products supporting U2F over Bluetooth are scheduled to appear in 2016 from Yubico and other vendors.
  • Cloud services
    Google has launched wide-spread support for U2F on its platform. In August 2015, Dropbox added support for U2F, and in Oct. 2015 GitHub incorporated U2F strong authentication into its platform.  These roll-outs were significant as the two vendors were the first non-FIDO members to recognize the value of  U2F and offer it to their users. PushCoin, also not a FIDO member, added in early 2015 U2F support to its in-school sales systems that lets kids buy lunches and supplies.
  • Governments
    In early 2016, Gov.UK Verify became the first government service in the world to add support for U2F. GOV.UK Verify uses a host of identity providers, including Digidentity which supports U2F, to validate a citizen’s personal data, store that data, and verify the user is who they say they are when they attempt to access government digital services.
  • Open source servers and applications
    Google and Yubico offer free software libraries, and U2F software and documentation that has received positive feedback from developers worldwide. An open source U2F plug-in for the SAML-based Shibboleth identity federation platform is available on GitHub. In early 2016, WSO2 announced U2F support in its Identity Server. Other applications include a WordPress plugin and a Ruby on Rails U2F implementation (and here). In addition, the open source Gluu Server, an identity and access management suite, now supports U2F.
  • Enterprise software providers
    In addition to open source, there are commercial software packages, including from Duo Security and SurePassID. In early 2016, EgoSecure added U2F support to its Data Protection disk encryption platform. Nok Nok Labs supports U2F in its Multifactor Authentication Server. Entersekt and StrongAuth are playing here and RCDevs is offering U2F support in its commercial and free versions of its OpenOTP Server. Authasas supports U2F in its Advanced Authentication solution for cloud and enterprise. Dashlane added support in early 2016 for U2F in its Dashlane Password Manager.
  • Browsers
    Starting with Chrome, native browser support enables U2F to perform high-security public key cryptography from any computer without installing  client software. A group of Mozilla developers are working with goal to add U2F support in Firefox in the first second half of 2016.
  • Coming next…More cool U2F implementations are on the way this year. Stay tuned by subscribing to our blog feed or follow us on Twitter @yubico. Or on Facebook.