Yubico at Internet Identity Workshop

Meet Yubico at the 17th annual Internet Identity Workshop next week from 10/22-10/24! Better known as IIW, the workshop is an un-conference at the Computer History Museum, in the heart of Silicon Valley. IIW gathers developers, thought leaders and interested parties moving both code and conversation forward for online identity initiatives and standards.

Yubico has been a long-term supporter of open identity standards and has contributed code enabling two-factor authentication with SAML. In close collaboration with Google and NXP, Yubico has also contributed to U2F (Universal 2nd Factor), a new open identity and authentication standards initiative hosted by the FIDO Alliance. At the IIW event we will provide updates and demos of the YubiKey NEO and U2F, which has now been successfully deployed inside Google.

YubiSwitch and the YubiKey Nano

Ever felt like disabling the output of a YubiKey so you won’t trigger it accidentally? If you’re a Mac OS X user, you’re in luck! Angelo “pallotron” Failla has written an application that lives in the OS X status bar and automatically disables your YubiKey after a period of inactivity.

YubiSwitch Screen Capture

Here’s a screen capture of how it looks. It’s primarily designed for the YubiKey Nano, which is meant to be left in the USB port for long periods of time, but it works with the standard-sized YubiKeys as well. Check it out here.

David Maples

User-Centric ID Live

If you are attending User-Centric ID Live at the Washington DC Convention Center, be sure to check out the “Drivers and innovators: Meet leaders from the major identity initiatives” session today (10/15/13) from 4:00pm – 5:15pm. Our CEO and Founder, Stina Ehrensvard, will be participating on this panel with other FIDO Alliance members from Google, BlackBerry, NXP Semiconductors and Nok Nok Labs. The panel will discuss how the FIDO Alliance works on open standards for simpler, stronger authentication.

Also, do not miss the session “Track 1: Identity Ecosystems & Technologies: User-centric identity concepts, technologies and how they will impact business” tomorrow (10/16/13) from 9-10:15 AM. In this session Stina will present more details about Universal 2nd Factor (U2F). As one of the technical specifications hosted by the FIDO Alliance, U2F introduces the first driverless smart card with user presence. Successfully deployed inside Google, it also challenges the traditional business model for secure online identities, allowing users to buy and control any number of real and “anonymous” identities to easily and securely access any number of services.

User-Centric ID Live is an event focused on the business of user-centric identity. Conference sessions focus on technologies, standards, implementations, applications, and business models in the new user-centric identity ecosystem.

David Maples

Facebook Uses YubiKey and Duo

Yubico and Duo Security are happy to jointly announce today that Facebook has successfully deployed technologies from both companies to provide two-factor authentication across its enterprise.

In order to securely authenticate software engineers to production networks and servers, Facebook needed a solution that provided quick and easy authentication, a fast rollout to employees, and the flexibility for multiple authentication options. After careful consideration, the company deployed solutions from both Duo Security and Yubico. When coupled together, the respective technologies successfully addressed Facebook's authentication priorities — placing equal emphasis on usability and security.

This complementary combination of two-factor technologies includes the multiple authentication methods (push, SMS, mobile, voice) of Duo Security’s cloud-based authentication and the YubiKey Nano. Together, these technologies let Facebook employees and developers authenticate quickly with the YubiKey Nano while keeping the flexibility and ease of use of Duo Security. With Duo, users are given a choice of device and method each time they authenticate. Duo also supports all phone types, from smartphones to landlines, and lets users authenticate with a variety of factors including the YubiKey.

The YubiKey Nano is the world's smallest OTP token and is designed to stay inside the USB slot once inserted. To authenticate, users simply press the device and a pass code is instantly and automatically entered; there is no need to physically re-type pass codes.

For additional background on the deployment, a team from Facebook recently gave a presentation to the Center for Education and Research in Information Assurance and Security (CERIAS) Seminar at Purdue University, explaining how the company uses Duo Security and YubiKeys to provide two-factor authentication for its engineers. The presentation gives thoughtful insight into Facebook’s security culture and how it led them through the evaluation and implementation decisions of their two-factor deployment. The presentation can be found here: duo.sc/facebook-purdue

More about Duo Security

More about the YubiKey Nano

David Maples

YubiKey NEO OATH Applet

Yubico is proud to announce the release of our free YubiKey NEO applet for storing OATH secrets and generating OATH one-time pass codes.

With the increasing deployment of two-step verification relying on the OATH algorithms (e.g. GitHub this week, Dropbox, Google, Microsoft, Evernote), many users are concerned about keeping the secrets used to generate the 6- or 8-digit codes on their mobile phones, and about the difficulty of changing devices. The applet we’re releasing today lets you store those secrets in the secure element on your YubiKey NEO; simply tapping your NEO against any NFC-enabled Android device with the YubiOATH app running shows you your current codes. See the video below to see it in operation.

Existing YubiKey NEO owners who are comfortable with command line tools can add the new applet to their NEO; see our forum post here. The source code of both the YubiKey NEO OATH applet and the Android YubiOATH app is available here.

Stina Ehrensvard

Yubico at TechCrunch Disrupt

As a Swedish-American innovator, Yubico has been selected to represent cutting edge Swedish innovation, and will demonstrate the YubiKey NEO on Tuesday, September 10, at the Nordic Pavilion at TechCrunch Disrupt.

At the event, Yubico will also outline the basics of U2F (Universal 2nd Factor), the new online security standards initiative developed by Google, Yubico and NXP, focused on scaling high-security smart card technology beyond government and enterprise to every Internet user. The YubiKey NEO with the initial U2F specifications has already been proven with thousands of users, and by the end of the year we expect more than 200,000 YubiKey NEOs to be deployed within Google and elsewhere for U2F authentication.

To TechCrunch Disrupt web site

Stina Ehrensvard

YubiKey in Fashion – Win a Laptop!

Lucy in the picture above is wearing her back-up YubiKey in her ear. How are you using your YubiKey? Send us your cool, fun, or serious and useful YubiKey stories in any form that can be posted on our Facebook page: pictures, videos, quotes, links to blogs and Twitter feeds…

All applicants who present the YubiKey in a positive way will automatically win one free YubiKey NEO and one free YubiKey Nano. Starting now, we welcome submissions until Nov 1, 2013. The Yubico team will then select the best Yubico promotion or story, which will win a Chromebook!

Tell us your story at our Facebook Page

YubiKey NEO production launch

YubiKey Neo and Claws Mail

In an earlier post, we went through the steps of enabling and setting up the OpenPGP applet on a production YubiKey NEO. In this post we expand on how to use it with Claws Mail to sign and encrypt email, one of the main uses of PGP. Claws Mail is an open source email and news client based on GTK+. It is widely available; more information can be found here.

First, make sure your YubiKey NEO is properly configured. For information on how to do so, please refer to this. A properly configured YubiKey NEO behaves no differently from an OpenPGP smartcard in a reader, so the steps described here are exactly the same as when using an OpenPGP smartcard; a quick check is that gpg --card-status lists the key slots on the NEO, since Claws Mail’s PGP plugins go through GnuPG. If you’ve used Claws Mail with an OpenPGP smartcard before, this should be no problem for you.

Once done, open Claws Mail. Configure it for your chosen email service and ensure that the PGP plugins are loaded, as shown in the screenshot below.

Claws_Screenshot_1

Assuming everything is configured correctly, incoming encrypted messages will be decrypted automatically (with the YubiKey NEO inserted and after you enter its PIN, since the decryption key never leaves the card) and incoming signed messages will have their signatures validated automatically – very convenient!

To send your own signed or encrypted messages, click on Options, then Privacy System, and pick either None, PGP MIME or PGP Inline. Choose PGP MIME if your recipient’s mail client supports PGP/MIME (RFC 3156), which also covers attachments; choose PGP Inline only if it does not, since inline PGP protects only the text body. In the screenshot below, PGP Inline is selected.

Claws_Screenshot_2

Before sending your message, click on Options, then Sign to sign it or Encrypt to encrypt it. Signing uses the private key on the NEO, so you will be asked for your PIN; encrypting uses the recipient’s public key and needs no PIN unless you also sign. Enter the PIN when requested and the message will be sent!

Claws_Screenshot_3

Enjoy using your YubiKey NEO with Claws Mail!

Expanding YubiKey Keyboard Support

Hi. We’ve had a few queries about using the YubiKey with various keyboard layouts, so we thought we’d spend some time describing the different methods available to do that.

Like a USB keyboard, a YubiKey sends key scan codes rather than actual characters. When you type, the keyboard only sends the key number, or “scan code”, which the computer then translates into a character according to your keyboard layout settings.

This presents an issue, as there are many different keyboard layouts in use in the world today. To mitigate the problem, the YubiKey only uses modhex (MODified HEXadecimal) characters, a set of 16 letters whose keys have the same scan codes in almost all keyboard layouts. If your chosen keyboard layout is not one of those covered by the modhex set (Dvorak, for example), your YubiKey might not output the characters correctly. If this applies to you, here are 3 ways to resolve the issue.

Option 1

Our recommended “best practice” is to switch to a US standard keyboard layout when entering the OTP and switching back when done. When properly configured this is quick and convenient – in a Windows environment, for example, pressing alt+shift (to switch the input language) and ctrl+shift (to switch the keyboard layout) can allow one to quickly switch to an alternative layout.

Keyboard_Screenshot_1

The screenshot above shows a sample configuration of a US standard keyboard layout and a US dvorak keyboard layout.

Option 2

If you are trying to output digits (0-9) with the French AZERTY keyboard layout, you can simply hold the shift key while the YubiKey types, or set the flag in the personalization tool to use the numeric keypad instead (firmware 2.3 onwards).

Keyboard_Screenshot_2

The screenshot above shows where the flag setting in the personalization tool is.

Option 3

If neither of these is possible for you, another solution is to modify the scan map used by your YubiKey NEO. This feature requires a YubiKey NEO and the command line version of the Cross-Platform Personalization Tool. Your YubiKey NEO will then only work properly on the keyboard layout you modified it for: if you modified it for a Dvorak layout, for example, it can only be used with the Dvorak layout.

The YubiKey types from the following 45-character alphabet (the 16 modhex letters, the same letters in uppercase, the ten digits, an exclamation mark, tab and carriage return):

cbdefghijklnrtuvCBDEFGHIJKLNRTUV0123456789!\t\r

The scan map is one byte per character, in that order: the low 7 bits are the USB HID keyboard usage code of the key and the top bit (0x80) means the key is typed with Shift held, which is why each uppercase entry is the lowercase one plus 0x80. For a US standard keyboard layout (the YubiKey default) the scan map is:
06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899271e1f202122232425269e2b28

To set the scan map, pass the desired map as the value of the -S argument of the ykpersonalize tool. Shown below are some examples.

Simplified US Dvorak:
0c110b071c180d0a0619130f120e09378c918b879c988d8a8699938f928e89b7271e1f202122232425269e2b28

French AZERTY:
06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899a79e9fa0a1a2a3a4a5a6382b28

Turkish QWERTY (with a dotless i instead of usual i):
06050708090a0b340d0e0f111517181986858788898a8b8c8d8e8f9195979899271e1f202122232425269e2b28

Note that you must remove any whitespace present in these examples before using the values; the argument is one unbroken string of hex digits. Leaving the argument empty will reset the scan map to the YubiKey’s default. After programming, check the result by triggering the YubiKey into a plain text editor with the target layout active and confirming that every character of the output appears as expected.

Keyboard_Screenshot_3

The screenshot above shows a YubiKey NEO’s scanmap being configured for the dvorak keyboard layout.
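The scan map format described above, worked through in Python. This is an added example, not Yubico’s ykpersonalize code: it builds a map from a keyboard layout, decodes a map back into (character, key code, shifted) triples, and reports which characters differ between two maps. It assumes the 45-entry alphabet implied by the three example maps in this post (each of them is 45 bytes, with “!” between the digits and tab) and the convention visible in those maps that bit 7 of a byte means the key is pressed with Shift. The US, French AZERTY and Turkish maps embedded below are the ones quoted in this post.

```python
"""Build, decode and compare YubiKey scan maps.

Added example for this post, not Yubico's ykpersonalize source. Assumes the
45-entry output alphabet implied by the example maps in the post and the
convention that bit 7 of a scan-map byte means "press this key with Shift".
"""

# One byte per character, in this order: modhex letters, their uppercase
# forms, digits, '!', tab, carriage return.
ALPHABET = "cbdefghijklnrtuvCBDEFGHIJKLNRTUV0123456789!\t\r"
SHIFT = 0x80  # bit 7: key is sent with the Shift modifier held

# Scan maps quoted in the post (hex, one byte per ALPHABET entry).
US_DEFAULT = (
    "06050708090a0b0c0d0e0f1115171819"
    "86858788898a8b8c8d8e8f9195979899"
    "271e1f202122232425269e2b28"
)
FRENCH_AZERTY = (
    "06050708090a0b0c0d0e0f1115171819"
    "86858788898a8b8c8d8e8f9195979899"
    "a79e9fa0a1a2a3a4a5a6382b28"
)
TURKISH_QWERTY = (
    "06050708090a0b340d0e0f1115171819"
    "86858788898a8b8c8d8e8f9195979899"
    "271e1f202122232425269e2b28"
)


def us_layout():
    """HID usage code and Shift state for each ALPHABET character on a US keyboard."""
    keys = {}
    for ch in "abcdefghijklmnopqrstuvwxyz":
        usage = 0x04 + ord(ch) - ord("a")      # HID usages 0x04..0x1d are the a..z keys
        keys[ch] = (usage, False)
        keys[ch.upper()] = (usage, True)       # uppercase is the same key plus Shift
    for d in "123456789":
        keys[d] = (0x1E + int(d) - 1, False)   # 0x1e..0x26 are the 1..9 keys
    keys["0"] = (0x27, False)
    keys["!"] = (0x1E, True)                   # Shift+1
    keys["\t"] = (0x2B, False)
    keys["\r"] = (0x28, False)                 # Enter
    return keys


def french_azerty_layout():
    """AZERTY: the digit row yields digits only with Shift, and '!' has its own key."""
    keys = us_layout()
    for d in "0123456789":
        keys[d] = (keys[d][0], True)
    keys["!"] = (0x38, False)   # the key that carries '/' on a US keyboard
    return keys


def build_scanmap(layout):
    """Hex string suitable for ykpersonalize -S: one byte per ALPHABET entry."""
    out = bytearray()
    for ch in ALPHABET:
        usage, shifted = layout[ch]
        if not 0 < usage < SHIFT:
            raise ValueError(f"usage 0x{usage:02x} for {ch!r} does not fit in 7 bits")
        out.append(usage | (SHIFT if shifted else 0))
    return out.hex()


def decode_scanmap(hexmap):
    """Return [(char, usage, shifted), ...]; whitespace in the input is ignored."""
    raw = bytes.fromhex("".join(hexmap.split()))
    if len(raw) != len(ALPHABET):
        raise ValueError(f"scan map is {len(raw)} bytes, expected {len(ALPHABET)}")
    return [(ch, b & 0x7F, bool(b & SHIFT)) for ch, b in zip(ALPHABET, raw)]


def is_valid_scanmap(hexmap):
    """True if the map parses to exactly one byte per ALPHABET entry."""
    try:
        decode_scanmap(hexmap)
        return True
    except ValueError:
        return False


def diff_scanmaps(a, b):
    """Characters whose key or Shift state differs between two maps."""
    return [x[0] for x, y in zip(decode_scanmap(a), decode_scanmap(b)) if x != y]


if __name__ == "__main__":
    assert build_scanmap(us_layout()) == US_DEFAULT
    print("French AZERTY differs from US for:", diff_scanmaps(US_DEFAULT, FRENCH_AZERTY))
    print("Turkish QWERTY differs from US for:", diff_scanmaps(US_DEFAULT, TURKISH_QWERTY))
```

Running it shows that the French map differs from the US default only in the digits (all shifted) and the exclamation mark, and the Turkish map only in the key used for “i”, which is exactly what the layouts change for the modhex alphabet. To target another layout, write a layout function like french_azerty_layout that remaps only the keys that move, build the map, and pass the resulting string to ykpersonalize -S; decode_scanmap is a cheap sanity check on a map copied from a forum post before programming it into a key.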

Interested to know more? Head to our technical forum.

Enjoy using your YubiKey!

Stina Ehrensvard

Best Vaccine for Mobile Viruses

A security research team at Bluebox has unveiled a vulnerability in Android, claiming that malware can get full access to the mobile operating system and applications. The complete details are not yet public, so the Yubico security team does not know how such an attack would work. But we know for sure that we will see more sophisticated mobile malware attacks in the near future.

For many years Apple claimed that their computers were more secure than PCs, being immune to PC viruses. This was a correct statement until Mac OS X and iOS won enough market share to become increasingly popular targets for malware creators.

As the security of static passwords and software authentication installed on computers was exposed, and more and more users adopted smart phones and tablets, SMS and authentication apps were presented as the more secure way to login.  But malware creators always follow the crowd. Long before the Bluebox vulnerability discovery, software authentication applications, running on mobile devices, have been copied and misused.

At Yubico we had these threats in mind when we developed the YubiKey NEO, enabling true second-factor authentication across computers and NFC mobile devices. For users and devices that do not have NFC, the YubiKey NEO can also hold the authentication applet on the YubiKey itself, offering higher security than an app loaded on a device exposed to the Internet.

Just as biological viruses have spread, infected and killed humans in the physical world, another type of virus is infiltrating the veins of the Internet. Cloud companies, that have been part of the YubiKey NEO development and success, have seen these viruses attacking their systems. And we know that authentication hardware is the most powerful vaccine.

Stina Ehrensvard

Yubico named Gartner Cool Vendor

Yubico has been named a “Cool Vendor in NFC 2013” by Gartner, Inc., one of the world’s leading information technology research and advisory companies. Each year, Gartner identifies new Cool Vendors in key technology areas and publishes a series of research reports highlighting these innovative vendors and their products & services. Yubico is recognized for the YubiKey NEO, a YubiKey two-factor authentication device that combines NFC, USB, one-time password and PKI authentication technology. To protect against sophisticated malware, it also includes a touch button for user presence.

According to Gartner, “YubiKey NEO’s beauty lies in instant authentication through one tap without need to re-type the OTP, and its small, robust and waterproof form factor without any battery.”

For secure login to mobile applications, the user simply taps the YubiKey NEO against an NFC-enabled mobile device. For computers, the user plugs the device into a USB port.

“The YubiKey has seen massive adoption rates in the market, and is currently being used at five of the top 10 Internet and social media companies in the world,” said Stina Ehrensvard, CEO & founder, Yubico. “We are honored to have been named a ‘Cool Vendor’ by Gartner, which speaks to every individual who follows the Yubico vision of making strong authentication easy and ubiquitous.”

The rugged, yet tiny YubiKey NEO fits naturally on a keychain. It can be ordered from the Yubico web store for $50, with free open source software.

 

Disclaimer

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Stina Ehrensvard

Yubico joins FIDO Alliance

Yubico has joined the FIDO Alliance as a board member, and will be part of the Universal 2nd Factor (U2F) working group that Google is creating, focusing on open authentication standards work for strong, universal second-factor devices.

The U2F working group will continue the work that was presented earlier this year in an IEEE paper and in Wired, based on the technical specifications that have now been successfully proven with thousands of YubiKey NEOs and users. By the end of the year we expect more than 200,000 U2F protocol compliant YubiKey NEOs to be deployed within Google and elsewhere.

U2F will be available as a stand-alone offering, and the working group will also collaborate closely with the already existing FIDO UAF Technical working group, to ensure harmonization of specifications. UAF aims to create a web eco-system including a broader range of authentication methods, including biometrics.

 

Simon

BrowserID and YubiKey

To learn how to use the YubiKey with BrowserID, a new open identity initiative, please check out this video from a BrowserID developer: https://vimeo.com/64514090

BrowserID was introduced in mid-2011 by the Mozilla Project. It addresses the same problem as OpenID and SAML, as well as the common OAuth- or OpenID-based login-with-an-external-account flows (such as Google, Facebook or Twitter). From a usability point of view, in comparison to OpenID, BrowserID uses email addresses instead of URLs, which is more natural for users.

Perhaps the strongest feature of BrowserID, when compared to OpenID and SAML, appears to be user privacy; with BrowserID your Identity Provider is not involved in the per-site login flow, so they cannot track which sites you have accounts on.

Technically, BrowserID has the simplicity of OpenID and OAuth but can provide stronger security (including public/private-key crypto, and provide session keys). The downside is that the BrowserID protocol is not well specified, such as in the form of an IETF RFC document, and supposedly uses obsolete JSON-security formats which poses some migration pains.

Yubico is happy to see that YubiKey support is possible with BrowserID, and we will continue to learn about this area so we can provide our customers with good advice about the best usage of the YubiKey. We believe that the Internet needs better authentication methods, and also think that the YubiKey provides good security and ease of use for users.

Please note that BrowserID is not the same protocol used for the open authentication project that Google is currently working on, mentioned in Wired earlier this year and Yubico is closely engaged in.

The source code for the YubiKey Persona integration is available at https://github.com/jedp/persona-yubikey

David Maples

miiCard Proves Identities with YubiKey

Online identity proofing service miiCard can prove an individual’s identity to the level of an offline photo ID check in minutes and purely online. By now adding YubiKey authentication to miiCard’s bank level ID verification service, the most secure and high value transactions can be performed online. Read more about how miiCard and YubiKey can make online identification safe and secure in the full press release and on our partner site!

Read full press release

Visit miiCard’s YubiKey Protection Page

Stina Ehrensvard

The Future of Authentication FAQ

A selection of questions we have received and answered on YubiKey NEO and Universal 2nd Factor (U2F), since this new open authentication standards initiative was announced in Wired Magazine and the Yubico identity vision blog.

Why do you want to kill the password?

We don’t. Yubico does and will continue to recommend two-factor authentication, consisting of a PIN or password in addition to a device, such as the YubiKey, that generates a fresh one-time pass code every time it is used. The best security practice is to use something you have with something you know. With the YubiKey, the password becomes a supporting element rather than the main defense; thus a simple PIN suffices to protect you against misuse of your YubiKey by those around you.

 

What is the user experience of YubiKey NEO and U2F?

It is easier to use a YubiKey NEO with U2F than to log in with a username and password. With NFC mobile devices, all you need to do is enter a PIN and tap the YubiKey NEO against an NFC-capable phone or tablet. With computers, you place the YubiKey NEO in the USB port, enter a PIN and touch the device. And you will only need a YubiKey and a simple password for any number of services. To see how it works, watch this video.

 

Why is a hardware key better than software-based authentication methods?

A software application, regardless of whether it’s on your computer or your smartphone, can be easily targeted and misused by malware – which has already happened to SMS and authentication apps. The best security practice is to move login credentials to a separate hardware device that is not connected to the Internet. To further improve security, it is recommended to use public-key (PKI) cryptography with session security and a user-presence touch button, features uniquely provided by the YubiKey NEO and the U2F specifications.

 

Will U2F support software-only implementations?

The initial U2F deployments inside Google and elsewhere are all based on hardware devices. However, for lower security applications, U2F software-only implementations are likely to be offered down the road.

 

Why can’t I have my identity and a security chip integrated in my device instead?

A user identity, including one following the U2F specifications, can be integrated directly in your smartphone or computer using a TPM, Arm TrustZone, a SIM card or a secure element. While this approach reduces the number of separate devices needed, it has notable disadvantages from a security, privacy and mobility perspective.

Security – Identity and authentication technologies that are permanently connected to a computer or phone fail to meet the “not connected to the Internet” best practice for storing sensitive secrets. These devices are all more or less exposed to malware, malicious apps, Wi-Fi exploits and VPN masking. In addition, they don’t help against social attacks (i.e., tricking the user into doing something unintended), which will continue to be the easiest way to attack users. Those social attacks will always be available on general multi-purpose devices where users can download and install apps on their own, and they provide an avenue to attack the secure elements directly.

Mobility – With your credentials tied to an integrated device, it may be difficult to move your identity between devices, or to use a computer at a hotel or friend’s house. For the majority of high-security applications, which are performed on computers, it may not help to have an identity tied to a phone, as there is no communication standard between all computers and mobile devices.

Privacy – The device identity may be controlled or monitored by the telecoms provider or other party, which may add cost, complexity and privacy concerns. In a time of “Big Data” and government surveillance, many enterprises and individual users have concerns about privacy. What’s more, tying your identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts.

 

Why would users want to have multiple identities?

U2F and Yubico support an open identity ecosystem where users can be secure but still guard their privacy. Just as with email, many users choose to have multiple accounts: a real/personal one, a real/job one and a high-privacy/alter-ego or spam account. We want to help you prove that you are the legitimate owner of an account without requiring additional personal information. We also want to support use cases where identities are used for a limited time and revoked when needed. We believe you should be in control of how sites track you over your digital life; with the YubiKey NEO and U2F a new private/public key pair is minted for each site, so the key cannot be used to track you across sites.

 

I still do not like to have to keep track of one more thing.

You will not need to. U2F is designed for secure elements, high-security chips that can be integrated into many of the things you are likely to carry with you today: a card in your wallet, a key on your key-chain or directly in your phone. Therefore the U2F technology gives you the choice; you can use it embedded in your existing devices for low-risk purposes, or use U2F via a YubiKey NEO when you want better mobility, privacy and security properties.

 

So, what about fingerprints or face recognition?

We don’t believe that biometrics sent over the wire to authenticate users are appropriate, for privacy and security reasons: your fingerprint is a static and unique image that can be copied and misused – but not revoked. However, once the technology is proven to be more dependable, biometrics could be useful to unlock a phone or computer, with the actual authentication done between a security chip in the device and the server. But as discussed earlier, having a security chip permanently tied to a computer or phone may have limitations from a security, privacy and mobility perspective.

 

When will NFC get mass adoption?

The majority of high security applications requiring strong second factor login are still performed from a computer with a USB-port. To address the growing use of mobile devices, YubiKey NEO and U2F also support NFC. While Apple is waiting to adopt NFC, their competitors, who represent a combined 80% smart phone market share, will have sold more than 200 million NFC enabled devices in 2013. Banks are pushing NFC enabled payment solutions and critical mass is being achieved in several countries. Once the next generation NFC credit- and debit cards have been deployed, allowing “one touch” secure payments directly on your own phone and computer, there will be a market demand for NFC on all devices and platforms.

 

How does the Yubico identity vision relate to federated identity services?

It is very complementary to SAML, OpenID Connect, etc., as these protocols enable powerful single sign-on but need to be combined with two-factor authentication. U2F is based on public-key cryptography (PKI), where every service provider can optionally also be its own identity provider. When user data and cryptographic secrets do not need to be shared between service providers, both security and user privacy can be enhanced.

 

Why would users want to pay for their online identity?

In a time where users’ personal information is collected and used by a growing number of organizations, many users are growing concerned about privacy. Once a single U2F device can be used for a multitude of popular services, users will want to buy, own and control their own online identity, that does not need to be tied to a service provider. Also, with a physical U2F device, users will be ensured that their online identity is well protected and is not being exposed to malware, which has already happened to software authentication apps. Some service providers will offer financial incentives for users to buy and use a U2F device with their service, but many users will also be willing to pay for it themselves. In partnership with leading password managers, Yubico has already proven that there is a real market demand for a single and secure authentication hardware solution. Also, the millions of end-users who have purchased anti-virus software, prove that we are willing to pay to protect ourselves on the Internet.

The U2F and NEO technology still allows enterprises and organisations to purchase larger volumes of devices and put them in the hands of their users, so you can choose between the model where the user acquires and owns the device and the one where the service organisation purchases and deploys it.

 

What would happen if a user loses a U2F device?

A user will be able to have multiple and back-up U2F devices enrolled with an account, with the possibility to easily disable a lost device. Similar to other account recovery processes, the service provider may also choose to send “recovery codes” over email or phone as a back-up to the physical device. Ultimately, revocation is something that needs to be resolved by each website that authenticates users because they have the direct relationship with the user. U2F does not solve this problem, but makes it easier to have stronger recovery processes by introducing new authentication factors.

 

Why can’t we use Big Data to fix the authentication problem?

Server side risk evaluation software has its place in services, especially involving high-value transactions. However, easy-to-use strong authentication is critical in striking a balance between ease of use, reducing false positives and eliminating fraud. Computers, phones and networks will never be free from malware, and users will need to move their secure identity between devices and services. The YubiKey NEO with U2F enables true end-point authentication, where we only need to trust a key in our pocket and the services it connects to.

 

What are the main barriers in the broad adoption of YubiKey and U2F?

The inventor of the 3-point seatbelt at Volvo realized that safety needs to be really quick, simple and made into an open standard to scale. Online authentication for the masses has the same requirements. A YubiKey with U2F is easier to use and more secure than traditional two-factor solutions, and is being supported and deployed by leading Internet thought leaders, including Google. This is a great start, but just like the seat belt, mass adoption will be driven by more severe accidents, increased concerns about security and privacy, and government and industry regulation.

 

What is the business incentive for driving a new open authentication initiative?

Yubico recognizes the potential that a higher level of authentication using PKI can offer, designed with better usability and less complexity than solutions available today. We found that Google’s authentication efforts are aligned with these goals. To support a next generation secure Internet, scaling our technology to as many services as possible, our approach is to make U2F a new and truly open standard.

 

How would you make high security transactions with a device you could purchase at your corner store?

For some identities you may choose to be secure and “anonymous”. For services requiring a higher level of identity assurance, you would bring your identity device along with your Passport, driver licence or ID to an official location which would associate your U2F device with your real identity. There are also online services offering identity proofing which could accredit your device.

 

What authentication technology initiative do you see as your biggest competitor?

All initiatives in this space help to educate and challenge the market for something better than the legacy username/password. There will not be one single authentication method and security protocol to rule the world, but the winners will address different needs and be open and interoperable. And Yubico’s focus is to make online authentication as easy and affordable as possible, yet retaining the highest level of security and privacy.

David Maples

Meet Yubico at RSA Conference

The Yubico team will be attending the RSA conference in San Francisco, February 25th – 28th.
We will have the YubiKey NEO on demonstration, featuring NFC functions like the OATH TOTP generator for Android and LastPass.

Come see us at the OATH Pavilion, Booth #829.

We look forward to seeing you!

Stina Ehrensvard

Yubico’s Vision for Secure Online Identities

Wired Magazine recently announced that Google is working on a new online authentication protocol as an alternative to legacy username/password login. Yubico and NXP are co-creators of this protocol, designed to be integrated across a wide range of devices, including SIM cards, YubiKey NEOs, or a ring you carry on your finger, and to solve some of the fundamental problems with online identity. And these are problems we need to fix soon. Very soon. Or billions of people, along with the great creation named the Internet, will be in serious trouble.

At this stage we cannot say which route we will choose to ensure mass adoption of this new security protocol. But we can say that Yubico has decided to engage in the project as we believe it could be a game changer.

And this is the vision: 

Imagine that you have one single key and one single password to securely access all your Internet life. 

The key would not be issued, controlled or hosted by a government or a service provider. Instead, you would buy this key at your retail store, such as 7-Eleven or Amazon.com, similar to a gift card or pre-paid phone card.

The key would remain in your own full control, guarding your privacy. And you may even choose to have multiple keys and identities, enabling you to protect your digital identity while remaining anonymous.

From your computer or mobile device, you would be able to instantly, with no required software installed, connect your key to any number of online services. Placed in the USB-port or tapped to your NFC phone/tablet/laptop you would replace all your multiple, long, painful passwords with a simple touch. Combined with a simple PIN or password, you would then securely access your email, bank, healthcare records or any online account.

With built-in support for platforms and browsers, the key would offer superior security, protecting against man-in-the-middle and phishing – but with no drivers or client software needed.

With an open source approach and a clever ecosystem, there would be no fees for service providers, and the costly Certificate Authority model associated with traditional smart cards could be eliminated. But more importantly, there would be no single token or service provider who would control your digital identity or any cryptographic secrets.

Yes, there are a few obstacles to overcome, including aligning influential thought-leaders and global stake holders on the same page. But if enough people want to, it would be possible to create a new, really simple, secure and affordable online identity solution as outlined above.

Bring it out – click – go!

PS. Please find additional comments on this topic in the Future of Authentication FAQ 

Stina Ehrensvard

Internet Identity and the Safety Belt

60 years ago the car industry and our society faced a security problem similar to the challenges facing online identity today. It was a time when the car changed our modern society by delivering on its promise of freedom and speed, but security and safety measures were overlooked; there were no seatbelts in cars. In fact, when happy car drivers hit the brand new highways and fatal accidents swelled, car manufacturers denied the problem. They feared that any acknowledgement of the risk associated with driving would negatively affect sales.

Nils Bohlin, the chief safety engineer at Volvo and a former aircraft designer, realized for a seat belt to be accepted by the everyday user it could not be clunky and complicated like the harnesses used by fighter pilots. It would need to be simple and take no more than a second for anyone to put on. With those objectives he designed the three-point seat belt in 1959, and then led the initiative making his invention into a standard feature in every car.

“It was just a matter of finding a solution that was simple, effective and could be put on conveniently with one hand,” Nils Bohlin has said. “The pilots I worked with were willing to put on almost anything to keep them safe in case of a crash, but regular people do not want to be uncomfortable even for a minute.”

So, what can we learn from Mr. Bohlin when developing security for the Internet, this even more brilliant invention, which we all love until we get our digital life and identity smashed?

The answer is: Make online identification and authentication open and as easy and intuitive as the three-point seat belt:

Bring it out. Click. Go.

Yubico Team

Securing OATH Secrets on Android

Some people are concerned about the risk of storing cryptographic secrets on Android devices – for example, those used to generate One Time Passcodes (OTP) from Google Authenticator.  The production YubiKey NEO is the perfect companion to Android devices with NFC support.  By bringing your YubiKey NEO close to the back of the Android device (such as the Nexus 4 from Google), Android Apps can use the YubiKey NEO’s challenge response capability to generate an Open AuTHentication (OATH) time based OTP – such as those used by Google Apps and Dropbox.  And we have created a sample Android App to show this.  [Update] Take a look at the video here.

YubiTOTP Android Widget from Yubico on Vimeo.

When you first enable 2-step verification on Google Apps or on Dropbox, you are presented with a 2D matrix code (a QR code) which contains the cryptographic secret used to create the OTPs. Our YubiTOTP Android App reads this (using Google’s open source scanner app); however, instead of storing the secret on the Android file system, it programs one of the YubiKey NEO’s slots with the secret as part of an HMAC-SHA1 challenge/response configuration. The secret cannot be read back from the YubiKey NEO. Instead, the App sends the current UNIX time to the YubiKey NEO as a challenge (over NFC or via the USB connector) and truncates the HMAC-SHA1 response to produce the OTP, which is displayed on the screen or can be put on the clipboard.

If you lose your Android Phone – or it dies, you just get a new one and reload the App – the secret stays in the YubiKey NEO!
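The split described above, as an added example that is not the YubiTOTP app’s own code: the secret is pushed once into a simulated HMAC-SHA1 challenge/response slot, after which the only operation the “app” side has is challenge in, HMAC out. Two things are assumptions rather than statements from the post: that the challenge is the RFC 6238 time step packed as an 8-byte big-endian counter (the post only says UNIX time is sent), and that the slot is configured with ykpersonalize’s hmac-lt64 option so a short challenge is hashed as-is rather than padded to 64 bytes. The enrolment URI is constructed from the RFC 6238 reference secret so the codes can be checked against the RFC’s test vectors.

```python
"""Added example (not Yubico's YubiTOTP code): OATH TOTP where the secret
lives only in an HMAC-SHA1 challenge/response slot and the app merely sends
a time-derived challenge and truncates the response."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


class SimulatedHmacSlot:
    """Stand-in for a YubiKey NEO slot in HMAC-SHA1 challenge/response mode.
    The slot holds a 20-byte key; after program() the only operation is
    challenge -> HMAC. Assumption: hmac-lt64 is set, so challenges shorter
    than 64 bytes are hashed as sent."""

    def __init__(self):
        self.__secret = None  # name-mangled here; hardware-enforced on the key

    def program(self, secret):
        if not 1 <= len(secret) <= 20:
            raise ValueError("slot key must be 1..20 bytes")
        # HMAC zero-pads keys to the block size anyway, so padding a short
        # QR-code secret to the slot's 20 bytes does not change the output.
        self.__secret = bytes(secret).ljust(20, b"\0")

    def challenge_response(self, challenge):
        if self.__secret is None:
            raise RuntimeError("slot is not programmed")
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self.__secret, challenge, hashlib.sha1).digest()


def parse_otpauth(uri):
    """Read label/secret/digits/period from the otpauth:// URI carried in the
    enrolment QR code. Base32 padding is usually omitted, so restore it."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def totp_challenge(unix_time, period=30):
    """RFC 6238 time step as an 8-byte big-endian HOTP counter: the only data
    the phone sends to the key (assumed framing, see lead-in)."""
    return struct.pack(">Q", int(unix_time) // period)


def truncate(mac, digits=6):
    """RFC 4226 dynamic truncation, the only computation left on the phone."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enrol(slot, uri):
    """Scan step: the secret goes into the key; only metadata stays on the phone."""
    params = parse_otpauth(uri)
    slot.program(params.pop("secret"))
    return params


def generate(slot, unix_time, digits=6, period=30):
    """Swipe step: one challenge over NFC/USB, then truncate the response."""
    return truncate(slot.challenge_response(totp_challenge(unix_time, period)), digits)


# Constructed enrolment URI using the RFC 6238 reference secret
# (ASCII "12345678901234567890"), so outputs match the RFC's test vectors.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    key = SimulatedHmacSlot()
    meta = enrol(key, EXAMPLE_URI)
    print(meta["label"], generate(key, time.time(), meta["digits"], meta["period"]))
```

What the key buys you is clone resistance: the long-term secret never sits on the phone’s file system, so a compromised or lost phone does not leak it. It does not hide individual codes, since every OTP the key computes is handed back to whatever app asked for it while the key is in range.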

[Update] We have enhanced the app to include a re-sizable home screen widget: tap the YubiKey icon and the widget prompts you to swipe your YubiKey NEO, then displays the 6-digit OATH code on the icon.

Download the app here.  Let us know what you think…

Want to install it directly to your Android Device? Download the .apk file here.

David Maples

YubiKey NEO Composite Device

The YubiKey NEO differs from the standard YubiKey as it can become a composite USB device – presenting both a HID (Keyboard) and CCID (SmartCard) device to the host.  This allows us to support all the great features of the standard YubiKey and add new support for SmartCard functions.  Our last NEO post described the OpenPGP NEO App that ships with the production YubiKey NEO.

In this post, we want to describe how to control how the YubiKey NEO presents itself to the host computer.

We ship the YubiKey NEO with just the HID (keyboard) USB device enabled. We did this to maximise compatibility with the YubiKey Standard and the pre-production YubiKey NEO, neither of which support SmartCard functions. To enable the OpenPGP SmartCard function, you need to configure the YubiKey NEO to switch on the CCID interface. So far, we have updated the ykpersonalize command line to support the “-m” switch, which controls the composite modes the YubiKey NEO exhibits. Be careful: you can use -m to remove HID support, and because ykpersonalize only talks to the key over the HID interface, you cannot use ykpersonalize anymore once HID is removed. We have added the tool ykneo-ccid-modeswitch, which works over the CCID interface, so you can enable HID again if it gets removed.

Here are the common modes:

  • -m0  HID (OTP) mode
  • -m1  CCID (OpenPGP only, no OTP). Warning: you cannot use ykpersonalize after this setting!
  • -m2  HID & CCID (OTP & OpenPGP)
  • -m82 HID & CCID (OTP & OpenPGP) with the EJECT flag set, which allows SmartCard and OTP use concurrently.
  • (Updated: 9/28/2015) You can enable CCID, OTP and U2F with -m86 on YubiKey NEOs with 3.3 firmware or higher.

The EJECT_FLAG (0x80) operates as follows:

  • In mode 1 with the EJECT_FLAG set (-m81), touching the button “ejects” the smart card, making it unavailable to the host; touching again “inserts” it again.
  • In mode 2 with the EJECT_FLAG set (-m82), touching the button “ejects” the smart card, sends the OTP from the HID interface and then “inserts” the smart card again.
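Because a wrong -m value locks you out of ykpersonalize, here is an added pre-flight check (not part of Yubico’s tools) that decodes a mode argument the way ykpersonalize reads it (hex, low nibble selects the interfaces, 0x80 is the eject flag) and reports the settings that need care before you type the command. Modes 0, 1, 2 and 86 are from this page; the assignments for 3, 4 and 5 (U2F, OTP+U2F, U2F+CCID) are taken from the ykpersonalize -m help for U2F-capable firmware and go beyond what the post lists.

```python
"""Added example, not part of ykpersonalize: decode a YubiKey NEO USB mode
argument and flag settings that would lock you out of ykpersonalize."""

# Low nibble of the mode byte selects the exposed USB interfaces.
# 0-2 are listed on this page; 3-6 are the U2F-capable modes of firmware
# 3.3+ (-m86 from the 2015 update is mode 6 plus the eject flag).
MODES = {
    0: ("OTP",),
    1: ("CCID",),
    2: ("OTP", "CCID"),
    3: ("U2F",),
    4: ("OTP", "U2F"),
    5: ("U2F", "CCID"),
    6: ("OTP", "U2F", "CCID"),
}
EJECT_FLAG = 0x80  # touch ejects/inserts the smart card
INTERFACE_ORDER = ("OTP", "U2F", "CCID")


def decode_mode(arg):
    """Accept '82', '0x82' or '-m82' (hex, as ykpersonalize does) and return
    (interfaces, eject_flag_set)."""
    text = arg.strip().lower()
    for prefix in ("-m", "0x"):
        if text.startswith(prefix):
            text = text[len(prefix):]
    value = int(text, 16)
    if value & ~(EJECT_FLAG | 0x0F):
        raise ValueError(f"unknown flag bits in mode {value:#04x}")
    selector = value & 0x0F
    if selector not in MODES:
        raise ValueError(f"no such interface mode: {selector}")
    return MODES[selector], bool(value & EJECT_FLAG)


def encode_mode(interfaces, eject=False):
    """Inverse of decode_mode: build the -m argument for a set of interfaces."""
    wanted = tuple(i for i in INTERFACE_ORDER if i in set(interfaces))
    for selector, ifaces in MODES.items():
        if ifaces == wanted:
            return f"-m{selector | (EJECT_FLAG if eject else 0):x}"
    raise ValueError(f"no mode exposes exactly {wanted}")


def mode_warnings(arg):
    """Things to know before running `ykpersonalize -m<arg>`."""
    interfaces, eject = decode_mode(arg)
    warnings = []
    if "OTP" not in interfaces:
        warnings.append(
            "HID/OTP interface will be disabled: ykpersonalize talks to the key "
            "over that interface and cannot switch the mode back; "
            "ykneo-ccid-modeswitch (over CCID) is the way out"
        )
    if eject and "CCID" not in interfaces:
        warnings.append("eject flag set but CCID is disabled, so there is no card to eject")
    if "U2F" in interfaces:
        warnings.append("U2F modes need firmware 3.3 or later")
    return warnings


if __name__ == "__main__":
    for arg in ("-m0", "-m1", "-m82", "-m86"):
        ifaces, eject = decode_mode(arg)
        print(arg, "+".join(ifaces), "(eject)" if eject else "", mode_warnings(arg))
```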
Yubico Team

YubiKey NEO and OpenPGP

In this post, we will take you through the steps to enable the YubiKey NEO’s OpenPGP applet on a production YubiKey NEO. YubiKey NEOs are currently shipped with the OpenPGP applet already installed, but the CCID (smart card) interface through which it is reached is disabled by default. You will need to enable that interface before you can use the OpenPGP applet.

To do this, you will need to use the command line interface (CLI) version of the YubiKey Personalization Tool. If you are not familiar with using command line tools, this applet is probably not for you. To download ykpersonalize please click here.

Once you have installed the ykpersonalize software, insert your YubiKey NEO and check the version with the ykinfo -v command, which shows version 3.0.1 for our YubiKey NEO. To enable your YubiKey NEO’s Smartcard interface (CCID), enter the command ykpersonalize -m82 as:

The -m option is the mode command. To see the different modes, enter ykpersonalize --help. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) with the eject flag set, which allows OTPs to be emitted while it is in use as a smart card. Once you have changed the mode, you need to re-boot the YubiKey, so remove and re-insert it.

Now that the NEO OpenPGP app is visible, we can use the gpg program to set up a new smart card: run gpg --card-edit, then enter the admin command to enable admin commands. The command to create a new set of public/private key pairs is generate. You should see something like:

Note the default PINs as you will need to enter them into the pop ups – e.g.:

Once you enter the Admin and User PINs, gpg will ask you for various settings. Once you select Okay the YubiKey NEO will work for between 1 minute and 3 minutes to generate 3 key pairs. It took our YubiKey NEO 1 minute 40 seconds.

WARNING: You cannot back up the secret keys generated on the card. If you lose the YubiKey NEO, regenerate the key pairs, or otherwise lose the key pair, there is no way to retrieve it! When you encrypt a file, make sure you have a plain text backup.

It is recommended to back up the Public key; we often use the Export Certificates to Server function in Kleopatra to do this. This is our screen:

The public keys and private key stubs are automatically loaded into the gpg database; we are running Kleopatra – so before completing, Kleopatra showed my soft keys:

And afterwards Kleopatra shows the YubiKey NEO with the SmartCard icon:

With details:

We can now select my YubiKey NEO to sign and encrypt files e.g.:

The source code for the YubiKey NEO OpenPGP app is available here.

Stina Ehrensvard

Special Holiday Offer

It’s time for Yubico’s Special Holiday Offer! The v2.3 firmware has just been released and the Yubico team, with help from Rob, our hard working robot, has put together a Holiday Pack to give you a chance to try it out.

Here’s what you get with a purchase of the Holiday Pack: two black YubiKey Standards and a very special Gold Edition of the YubiKey Nano. Fancy! And yes, all YubiKeys in the Holiday Pack come with v2.3 firmware. You’ll save 35% on the Holiday Pack as compared to buying them separately, not forgetting the special edition of the Nano that’s currently only available with the Holiday Pack.

Click here to order online, but remember that we have limited stocks.

Enjoy the holiday season trying out the new features!

Yubico Team

Changes to the YubiKey VIP

We’ve made some changes to the YubiKey VIP! Previously, the YubiKey VIP came with a Symantec VIP credential used with services that support the Symantec VIP second factor authentication. If you wanted to use the YubiKey with a YubiCloud service (such as LastPass) you would need to add a YubiCloud credential to the YubiKey VIP.

With the release of the v2.3 firmware for the YubiKey, we have decided to add a “dormant” YubiCloud config to the second slot. You can use the cross platform personalization tool to activate it – indeed, you can also swap the configs so your YubiCloud credential is in slot 1 and your VIP is in slot 2!

To help prevent mistakes, we have password protected both YubiKey configuration slots. You will need to enter the configuration Access Code to make changes (such as swapping, or making a configuration active or dormant). Just enter the serial number of the YubiKey VIP, as it appears lasered on the YubiKey, as the Access Code. As with other versions of the YubiKey, you can change the configuration passwords, but be aware there is no way to reset the password should it be lost or forgotten!

Klas Lindfors

Updated Personalization Tool

Good news! We have just released a new version of our Cross Platform Personalization Tool, available for download from our website. Your feedback has been valuable for us, and we’ve incorporated many requests to make the tool better and easier to use. The changes in the new Tool include new features, an improved user interface and, of course, a number of bug fixes. Some of the new features include:

  • NDEF configuration support for YubiKey NEO beta/Production
  • Possibility to clear configuration slots
  • Secret ID is now always a random value
  • Allows HMAC-SHA1 with a static secret
  • Default option to automatically use the YubiKey Serial Number as the public ID
  • Choice of log file formats
  • All v2.3 features supported (we will soon tell you more)
  • Enhanced Static password input features, including copy/pasting passwords
  • Enhanced status display; reports the configuration of each slot and displays an icon matching your YubiKey

You can download the new version of the Cross Platform Personalization Tool here, and remember to continue to let us know if you have any feedback!

Yubico Team

YubiKey NEO in Production

We know you have been waiting a long time for the production launch of our YubiKey NEO, and we are very happy to announce our plan to start shipping the production versions of the YubiKey NEO by December 10th. We are already accepting orders for the YubiKey NEO, so place your order today to get your full production sample of the NFC authentication token as soon as possible! And if you happen to be at CARTES in Paris this week, stop by the NXP booth where we will demonstrate the NEO.

The previous limitations of the beta version of the NEO have been addressed in the production version. The final version of the YubiKey NEO also includes a new secure element, enabling smart card/PKI functionality, which is certified for Common Criteria and the highest level of security. You can read more about all the new features here, as well as more about RFID and the YubiKey NEO.

We will naturally continue to expand and improve the YubiKey technology, so stay tuned for even more updates in the future!

Yubico Team

Yubico.com and Our Blog

Finally! We are very happy to launch our new website, based on the open source CMS WordPress. But that’s not enough! We have an exciting future ahead of us, including the long awaited release of the YubiKey NEO in volume production and a whole range of other things we are getting ready to talk about. While the awareness and discussion about online security, breaches and two-factor authentication continues to rise, this blog will be the place where we publicly talk and discuss these topics with you. At this blog you will also get product updates, how to-guides and other fun stuff going on in the Yubico world.

You will meet Stina Ehrensvärd, CEO & Founder, Simon Josefsson, Security Architect, David Maples, Technical Support, Evelina Ander, our Marketing Manager, as well as the rest of the Yubico team here at the YubiBlog. You might also find guest blog posts written by our friends and partners, and our very important community (you!) in the future.

As always, a brand new site is likely to have minor errors that we are just blind to. Please let us know, or send any other feedback, in the comments below or with an email to info@yubico.com. We would also love to hear your thoughts about what you would like us to blog about! And of course, stay tuned by subscribing to the YubiBlog via RSS.

All the best,
The Yubico team

PS. If you would like to secure your own WordPress site with YubiKey two-factor authentication, read more here.

Yubico Team

RFiD and the YubiKey NEO

When Yubico first introduced the YubiKey RFiD in 2009, it provided users with an unmatched integration of physical and network security. Many facilities with existing RFiD based security systems have integrated the RFiD YubiKey into their systems, allowing users to use one device to access their office space as well as network account. The RFiD YubiKey could be used with both standard RFiD readers as well as with any computer with a USB port, removing the need for additional hardware when integrating the RFiD YubiKey.

Since then, there has been a significant rise in the world of mobile computing. The task of authenticating users on Tablet PCs and SmartPhones is becoming just as vital as securing PCs or Laptops. With the growing addition of NFC support in mobile devices, Yubico decided to create the YubiKey NEO, capable of providing wireless authentication to NFC supporting devices while also allowing for standard USB authentication.

During the pre-production phase of the YubiKey NEO, we decided to simplify our product line to provide the best customer experience. As a result, Yubico has combined YubiKey support for RFiD and NFC into one device. When the Production YubiKey NEO is launched in November of 2012, it will support all of the capabilities of the YubiKey RFiD tokens alongside the new NFC communication features. The YubiKey NEO will allow users to validate against RFiD systems and NFC systems as well as using the standard YubiKey authentication.

However, with the introduction of the YubiKey NEO, Yubico will withdraw the RFiD YubiKey. New users looking for an RFiD-compatible solution, as well as existing users looking to expand their solution, will be able to utilize the production YubiKey NEO in place of the RFiD YubiKey.

We will continue to offer support of the YubiKey RFiD functionality, both in the older RFiD YubiKey and the new YubiKey NEO. We thank you all for your support of the RFiD YubiKey and hope that the YubiKey NEO continues to meet your high expectations!