U2F support for Google and WordPress will be demonstrated at CES ShowStoppers
Ronnie Manning

Yubico at CES ShowStoppers

Today, Yubico is demonstrating how to protect Google and WordPress accounts with YubiKey and U2F open standard at the ShowStoppers event (booth A-13) at CES 2015 (Consumer Electronics Show).

With the mission to make secure login easy and available for everyone, Yubico serves as a FIDO Alliance board member and is co-author and key driver of the FIDO U2F (Universal 2nd Factor) protocol. The YubiKey NEO and U2F Security Key are the first devices to support the public deployment of U2F-enabled Google Accounts and WordPress.

“CES highlights tomorrow’s consumer and business technologies, such as wearable computing, and Connected Homes. Secure user authentication will play a critical role as these products continue to become part of our daily lives. Yubico believes that U2F is the beginning of an entirely new generation of strong authentication — simple enough to scale to consumers, yet strong enough to protect against advanced hackers.” – Stina Ehrensvard, CEO and Founder, Yubico, Inc.

Main differentiators between Yubico U2F keys and traditional smart card- and hardware-based authentication devices include:

  • No need for drivers, client software and middleware – Uses native drivers and support built into the browser. No installation, no configuration – they just work! No certificate authority needed and open source reference software is available for integrations.
  • Highly scalable while protecting your privacy – Generates a new set of encryption keys for every service. The keys are only stored on the specific service being accessed. With this approach, no secrets are shared among service providers and YubiKeys support any number of services.
  • Great user experience – All it takes to register and authenticate is a simple touch of a button! Authentication can be owned and controlled by users, who connect directly to a service provider without a third-party software or service provider.

YubiKey NEO and FIDO U2F Security Key work across Windows, Mac, Linux and are currently available via Amazon.com and the Yubico store.

Stina Ehrensvard

U2F, WordPress and Security for the People

Only a few weeks after Google announced U2F support and the protocol’s technical specifications were published, a U2F plugin for WordPress popped up and proved that U2F is the simple and open authentication protocol we envisioned it to be. High-security, public key hardware is no longer limited to a few enterprises and government services, but available today for everyone.

Today, we live in a world where both security and speed are critical for working on the Internet. If you are afraid that strong authentication will delay your login process, give the U2F Security Key for your Gmail account a try – you will be surprised how easy it is.

Once you have linked the U2F Security Key with your Google account, the account password and a touch of your U2F device is all you need for strong authentication. Google can remember your password and key for a month at a time, which allows you to click the Gmail shortcut on your desktop or smartphone for instant secure login to your email. Just press your email icon and you are in! How much easier can it be? (There is also an option to require the key be touched before each login).

As a driving U2F contributor, Yubico welcomes the U2F WordPress plugin developed by Daisuke Takahashi and available on GitHub. If you are a developer and considering implementing U2F authentication for your software or service, the Yubico team is happy to help. We offer free and open source U2F reference code, a U2F Technical Forum and U2F powered YubiKeys.

U2F is here to support high speed, high security, high privacy and lower-cost trust models for the Internet. It’s Universal 2nd Factor and security for the people.

John Fontana

Authentication: More Maturity, Choices in 2015

The past 12 months have been stressful given breaches and privacy violations and countries blocking all or part of their citizens’ access to the Internet (which by the way turned 25 in May).

As the calendar turns to 2015, computing devices and digital life harness unprecedented power, and carry unprecedented pitfalls.

All this connectivity puts pressure on authentication, identity and access management to provide protections and reasonable peace of mind. I gathered a few of my colleagues to help sketch out some predictions on how that all looks in 2015, a year that will inherit the responsibility to fix 2014’s sins. In no particular order, here are our predictions: 

Deepening security concerns fuel new authentication methods.
Consider authentication’s importance as hacks ratchet up security needs while the number of connected devices explodes. Strong authentication is paramount as reliance shrinks on passwords as a security boundary. Adoption accelerates with help from vendors and organizations like the Fast Identity Online (FIDO) Alliance. Second factors will mature but watch out for new attacks, especially on mobile apps and SMS that leave a man-in-the-middle vulnerability. Old security trust models will give way to distributed and user-controlled trust models.

Privacy violations raise awareness against unchecked data collection.
Personally identifiable information (PII) has value and requires protection. PII is currency for free online services and retail discounts, but also bait to snare users into compromising positions or grave risk. A backlash against unchecked collection will arise as privacy missteps make headlines. Already the Pew Research Center shows more than 90 percent of adults feel a loss of control over how their personal information is collected and used by companies.

Innovation around devices and home automation give rise to more authentication options.
Who wears the pants in the family may not change, but who does the dirty work will. Wearables, smart devices, and the Internet of Things begin to handle the daily chores and processes of life. Most of these products arrive with little or no concept of a larger security context. Look for better protection on devices, or collections of devices, provided by contactless authenticators, be it Bluetooth or Near Field Communication.

Encryption for the masses that’s simple and secure hits mainstream.
The past 12 months were about HTTPS, which had consumers encrypting most things on the move [even if they didn’t know it]. In 2015, we will start to care more about data at rest. What if your cloud storage provider gets hacked? Your login credentials go missing? There are bleeding edge options out there – these will become more refined with one or two emerging as leaders. They will use public key cryptography deployed in a “Trust No One” [thanks, Steve Gibson for coining this] mode – where the secret keys never leave your control. Ideally those are generated on, and never leave, a Secure Element based authenticator.

Browsers vie to become the next password managers.
Browser sophistication is on the rise and that means new innovation. The second attempt at managing passwords via the browser will show marked improvement over the previous attempt that was picked apart by the security community. Capabilities will focus on frequently used sites that don’t involve financial transactions, or on acting as assistants for managing external authenticators.

Phishing attacks in the enterprise grow by 10X.
Give a man a phish and he hacks for a day, teach a man to phish and all hell breaks loose. 2014 demonstrated many corporate attacks are started by phishing someone inside the organization. In 2015, best practice in the enterprise will include giving every employee authentication that has a strong resistance to phishing. FIDO specifications already address this scenario. It will become an arms race — closing all the phishing doors before damage is done.

Do you have any predictions for the coming year that relate to security, authentication, identity or access control? If so add them to the comments below.

My colleagues Jerrod Chong, John Haggard, Ronnie Manning and John Salter contributed to this blog.

Image: Stuart Miles/ FreeDigitalPhotos.net

John Fontana

FIDO Aims at Standardized Strong Authentication

In the early 1990s, a company called Softswitch found itself at a strategic crossroads in that it held the key to integrating disparate electronic messaging systems.

So strategic, in fact, that Lotus Software paid $62 million to acquire the company and send a ripple of fear through its main email competitor Microsoft.

In a story on the acquisition, the New York Times described Softswitch as the maker of “switches that allow corporate users of electronic mail to send and receive mail from other systems. So someone in an office in San Francisco could send a note to someone with a different sort of computer, word-processing software and E-mail message system in New York.”

By today’s messaging norms, the need for such switches is laughable.

Companies providing integration of email systems have disappeared, made obsolete by standards such as SMTP, POP3 and IMAP that scaled email to its current state as a global backbone of electronic communication.

Standards are how the Internet scales to service a global community; numbering systems (IP), naming systems (DNS), protocols, and coding to highlight a few. Bodies such as the IETF and NIST are some of the most well-known standards organizations.

These global-scale benefits provided by standardization are what the FIDO Alliance hopes to achieve with the release last week of its 1.0 strong authentication specifications. While not yet standards, the hope is to create an Internet layer of authentication that reduces the reliance on passwords and aligns with the traditional stack of identity and access management tools, themselves going through a standardization transformation.

Standards will allow the largest collection of vendors, enterprises and consumers to adopt and integrate strong authenticators into their computer systems, which are under attack at an unprecedented scale.

For 2015, Gartner says “all roads to the digital future will lead through security.” But it won’t be a magic bullet or a monolithic defense that defines the norm. Security will be defined in the marriage of technologies. “Security-aware application design, dynamic and static application security testing, and runtime application self-protection combined with active context-aware and adaptive access controls are all needed in today’s dangerous digital world,” according to Gartner.

And when security is assembled, it shouldn’t need specialized middleware to hold it all together like email of the 1990s. That task will be accomplished with standard APIs and standard protocols that add scale and subtract as much complexity as possible.

One of FIDO’s stated goals since its inception two years ago has been to turn over to a standards body its work on both the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) specifications. Standardization of FIDO specifications, either de facto or by traditional means, is where FIDO will mark its work as finished.

Proof of initial success isn’t just in the 1.0 specifications, but in products and services available today from a number of FIDO members including Yubico with U2F support in FIDO U2F Security Key and NEO YubiKey. These keys are further simplified by not requiring drivers or client software, and providing a user identity independent of a third-party service.

Last week was an important milestone for FIDO, the next steps should be important for consumers and enterprises, and the final steps should deliver the connecting tissue needed to support strong authentication as a key tenet of future Internet security.

Today, we are one step closer to that reality.

John Salter

A Safer Internet for the Holidays!

There is a belief that colors have a profound effect on humans. Perhaps this is true.

Colored YubiKeys are often requested by our customers to help them organize their YubiKeys. In October, our blue Security Key received rave reviews. So we’ve decided that one of our holiday offers should come in living color: the Limited Edition Happy New Year pack.

The three-key bundle includes Red, White and Green YubiKeys, which support OTP and U2F exclusively. And the button is marked with a distinct ‘+’ sign. We also have a second offer of four traditional black YubiKey Standards paired with two LastPass password manager subscriptions.

Here’s what we have in our store for you:

  • Happy New Year:  $79 + free basic shipping*
    We have minted a limited edition run of three festive colors for a special YubiKey that exclusively supports the two most used YubiKey protocols – U2F (for Google Accounts) and One-Time Password (for a host of other services).
    (Note: This device is not a YubiKey NEO and has no support for CCID applications or NFC capability).
  • Happy Holidays: $59 + free basic shipping*
    Secured passwords for two. Do you want to manage your passwords with LastPass and secure them with a YubiKey? This special holiday bundle has four YubiKeys AND two LastPass Premium Subscription licenses. Holiday price is nearly 50% off regular pricing.

*where available

Stina Ehrensvard

Salesforce CEO Benioff Invests in Yubico, Ram Shriram Joins Board

We are excited to announce that Ram Shriram, founding board member of Google, has joined Yubico’s board of directors. In addition, Marc Benioff, founder of Salesforce.com, and Ori Eisen, renowned fraud protection entrepreneur, have joined as Yubico investors.

“I invest in people; great entrepreneurs and engineers solving real problems,” said Shriram. “Yubico has an opportunity to make a significant mark in the Internet security industry with the YubiKey, a device elegant in its simplicity.”

Shriram is a former executive at Amazon.com, founding board member of Google and the founder of Sherpalo Ventures. Benioff founded Salesforce.com in 1999 with the motto “The End of Software” and proceeded to grow the company into a juggernaut, while defining the current cloud computing model.

Eisen, founder of 41st Parameter, which develops online fraud intervention solutions and was recently acquired by Experian, is highly regarded as a fraud-prevention expert in the information and payment technologies industry. The trio of Shriram, Benioff and Eisen are aligning with Yubico at a time when trust across the Internet is severely challenged by identity theft and account hijacking.

Yubico’s vision is to enable all Internet users instant secure access across unlimited services using their YubiKeys; an innovative USB/NFC authentication key that works with a simple touch and with no additional client software needed. To help achieve this goal, Yubico is a board member, driving contributor and a leading device provider for FIDO U2F, an emerging open authentication standard today supported in the Chrome browser and Google Accounts. Recently, Salesforce offered support for Yubico’s flagship product, the YubiKey Standard, enabling their customers to log in easily and securely to the Salesforce.com platform.

Jerrod Chong

NEO Supports U2F +OTP; Same Key at Same Time

Today, we whizz past another milestone. NEO keys built on our 3.3 firmware will support both U2F and OTP running on the same key at the same time. In fact, the configuration will support those two along with CCID.

We heard loud and clear during our launch of U2F support in October that a multi-function key that included the FIDO Alliance U2F protocol was on the must-have list for many Yubico customers.

We could not solve this immediately even though our multi-function capability was already resident on the NEO (as many of you theorized), but the FIDO client (browser side) needed the necessary plumbing in order to complete the experience.

With yesterday’s release of Version 39 of Google’s Chrome browser all the pieces are now in place.

If you have a NEO or NEO-n key (3.3 firmware) use the newly released NEO Manager for your platform (Windows, Mac, Linux) to configure the key.

What are the benefits of this multi-function key? Many people say they are using Gmail (U2F) and LastPass (OTP) or WordPress (OTP) to bolster security across their applications using just one YubiKey. You can also use the OpenPGP capabilities (CCID mode) in conjunction with U2F and OTP without needing to reconfigure the device for different protocols. And there are other combinations you can hear about from your peers on our Twitter feed @Yubico.

This is just one milestone we have been working on. There are others out there and they are just as interesting. Stay tuned. And enjoy the security.

Here are some relevant links to help get you started:

Ronnie Manning

Yubico CEO wins Gold Stevie Award for Female Executive of the Year

We are proud to announce that Stina Ehrensvard, CEO and Founder of Yubico has been named the Gold Stevie Award winner for Female Executive of the Year – Business Products. The Stevie Awards for Women in Business were announced Friday, November 14. The awards shine a spotlight on women executives, entrepreneurs, and organizations run by women.

“Yubico has seen a tremendous 2014!” said Ehrensvard. “Our technology has been adopted by the leading Internet companies, and as a driving contributor of FIDO U2F we are defining new global standards for simple and secure login. This award speaks very highly, and is a clear result of amazing work from all members of the Yubico team”

The Stevie, the Greek word for “crowned,” is widely considered to be the world’s premier business award, and the 2014 awards received entries from 22 nations and territories. The awards presentations were broadcast live across the U.S.A., and simulcast around the world by Biz Talk Radio. The ceremony will be featured in a television special on Biz TV in January.

More than 160 executives worldwide who participated in the judging process this year selected the Stevie Award winners. Details about the Stevie Awards for Women in Business and the list of Stevie Award winners are available at www.StevieAwards.com/Women.

Dain Nilsson

Yubico’s Take on U2F Key Wrapping

How does Yubico’s implementation of U2F claim to be able to support any number of services with unique key pairs when we have limited storage? And do this in a way that is secure and respects your privacy?

First off, a refresher on how this is described in the U2F specification: “U2F tokens might not store private key material, and instead might export a wrapped private key as part of the key handle” (from the implementation considerations document).

What does exporting a wrapped private key mean? Basically this (somewhat simplified): When a U2F device is registered, an elliptic curve key-pair (using the secp256r1 curve, as specified in the U2F standard) is generated on the device itself. The private key is then encrypted using a device master secret, forming the key handle, which is then sent together with the public key to be stored on the RP (Relying Party) server. To authenticate, the RP sends a challenge together with the key handle, and the U2F device decrypts the private key to be able to produce a valid signature for the challenge.

Now this is a sound approach, and is secure when done correctly. It does have its drawbacks, however. One is that it feels less secure, as even though the private key is encrypted, it does leave the device. In practice as long as the encryption used for the wrapping is strong, this isn’t a problem. Another issue is that it introduces additional complexity to the protocol, as we now have a new cryptographic primitive (encryption), with possible pitfalls.

Rather than dealing with these issues, we at Yubico chose to use the following approach (still fully compliant with the U2F specs): instead of randomly generating the key-pair and then encrypting the private key, we deterministically generate a key-pair based on several inputs, so that we can re-create the same key later on when it’s needed, without needing to store it anywhere.

This is how we achieve it (slightly simplified):

When a user registers one of our U2F devices with a new service, the service provides an AppID (this is tied to the URL of the site and prevents phishing). The U2F device generates a random Nonce. We then take the AppID and the Nonce and run them through HMAC-SHA256 (a one-way keyed function), using a device-specific secret as the key. This device-specific key is generated on-chip at the time of manufacturing (just like the master key would be, if we were using regular key wrapping). The output of the hash function becomes the private key, and the Nonce value, together with a MAC (message authentication code), becomes our key handle. During authentication, the MAC helps to ensure that a key handle is only valid for the particular combination of device and AppID that it was created for during registration.

From the outside these two approaches are indistinguishable from each other, and for practical purposes either should be fine. However, we think that our approach offers some benefits: most obviously, the private keys never leave the U2F device, in any form. And since we’re re-using the SHA256 primitive that is already used elsewhere in the U2F protocol, we avoid introducing another cryptographic algorithm into the system. Fewer algorithms means lower potential for mistakes.

Key derivation during registration

Stina Ehrensvard

Why FIDO U2F Was Designed to Protect Your Privacy

If you are not a dictator, you probably love the Internet.

During the Arab Spring protests, social media played an important role in helping people to connect and organize protests against non-democratic governments. Inevitably, this created a backlash against such sites, intimidating them to provide information about individuals. In a discussion with a security engineer at one of the leading providers in this field, I really understood the concerns and the moral dilemma – you provide the tools, but also expose your user base, ultimately leading to punishment and death. One way it was phrased was “There have been times when we wished we didn’t have any personal data about our users. Arab Spring was one of those events.”

This highlights a key problem – do social media sites and e-mail providers themselves have a responsibility to ensure the integrity of their user base and their accounts? Even if a service is provided for free and on a best-effort basis?

Account integrity has been one of the main drivers for myself and Yubico. With this in mind, we’ve been one of the main contributors behind FIDO U2F (Universal Second Factor);  a high-security authentication technology designed to protect your online privacy. Two weeks ago, Google Accounts enabled support for FIDO U2F, and since then we have donated a large amount of blue Security Keys to global dissidents to help them protect their online identities from assaults by non-democratic forces.

The FIDO U2F Security Key is designed to be anonymous, a key without any publicly available serial number or central authority. The device is not tied to a user’s computer, phone, credit card, fingerprint or any means of a real identity. Every time you register a device to a new service, it generates a new set of cryptographic secrets that are only stored with the specific service, leaving no footprints. No personal data nor secrets are shared among service providers, making it impossible to track the user across multiple web sites.

Another aspect is openness and transparency; the technology behind U2F is public and documented. Anyone can implement and review it; there are no hidden secrets. Yubico is actively contributing with open-source code to allow third-parties to make their own implementations. It is available to be used for good guys and for bad ones, but that is the way it has to be. Any organization that has tried to own and control online identity has failed.

YubiKeys and Security Keys supporting U2F are now available for anyone to order from our store and Amazon. In the future, you will walk into a retail store, and hanging among the gift cards, any number of real and hidden secure online identities will be available for you.

In the picture above, a young Egyptian man paints civic-minded messages on a wall in downtown Alexandria, February 2011. The top line of the message he is painting reads, “I am Egyptian.” The message in blue on the far right reads, “I will throw the litter in the trash can.” And the second one from right reads, “I will respect the traffic lights.”

p.s. To learn more about Internet privacy from the advocates and experts in the field, join me at Pii, the Privacy Internet Identity conference, starting today in Palo Alto, CA. And read John Fontana’s blog on ZDNet on privacy.

Ronnie Manning

Yubico Grabs 2014 Innovation Award

Swedish business journal Veckans Affärer has awarded Yubico its 2014 Swedish Innovation Award along with a $15,000 prize.

The eighth-annual award recognizes Swedish companies that have made an extraordinary mark in the business world. Yubico’s chairman of the board Mats Wenneberg (third from right in picture) accepted the prize during a gala ceremony held in Stockholm.

Yubico recently released its Security Key, a device designed to work with the FIDO U2F protocol support Google recently added to its Chrome browser.

The Security Key is the first security device aimed at supplying two-factor authentication protection for every online application using just a single key.

CEO Stina Ehrensvard told Veckans Affärer, “Gmail has 1 billion users. If we get 1 percent of these customers within a year, I am satisfied.”

Ehrensvard founded the privately-held company in 2007. Yubico’s Yubikeys are used in 140 countries around the world and by seven of the Top 10 Internet companies.

Previous winners of the award include online music streaming service Spotify and ABB, which develops power and automation technology.

The 2014 winner of the Student Innovation Award was Johan Heden Hultgren.

This year’s awards jury consisted of Anders Snell, ÅForsk; Jonas Wiström, President ÅF; Jessica Nilsson, Investment Manager North Zone; Staffan Helgesson, Creandum partner; Annika Steiber, Ph.D. and founder Innoway; and Jill Bederoff, Business Week reporter.


Stina Ehrensvard

Google Unveils FIDO U2F Security Key Support

Google today announced on its security blog an extra layer of security for Google Accounts based on the emerging strong authentication standard; Universal 2nd Factor or U2F.

This is a good day for the Internet.

As a driving contributor to FIDO U2F specifications, Yubico celebrates this big day by releasing a new blue campaign version of our YubiKey that is designed to work with the U2F support Google has added to Chrome. This U2F-only Security Key, as well as our multi-technology YubiKey NEO, pioneers the market for U2F devices.

This U2F support is a milestone in a standards journey that began a couple of years ago. Along with Internet thought leaders, we recognized the advantages of high-security, public key cryptography for scalability and for protecting against advanced Trojans, phishing and man-in-the-middle attacks. With a mission to make great security available for every Internet user, we decided to focus on the essential; to keep it really lean.

Below is a short summary of the main differentiators between U2F security keys and traditional smart card- and hardware-based authentication devices:

  • No need for drivers, client software and middleware – Uses native drivers and built-in support in the browser. No installation, no configuration – it just works!
  • Highly scalable while protecting your privacy – Generates a new set of encryption keys for every service, that is only stored on the specific service it connects to. With this approach no secrets are shared among service providers, and even low-cost security keys can support any number of services.
  • Great user experience – To register and authenticate, all it takes is a simple touch of a button!

In January 2013 Wired Magazine first wrote about the U2F project. As a response to all the inquiries Yubico received, we published a blog summarizing our vision of a single key for securing access to all Internet. Since then, U2F has continued to develop within the FIDO Alliance open standards consortium.

And now our vision has been turned into reality.

You can get your own FIDO U2F Security Key today at Amazon.com. A key that you own and control allowing you to securely log in to your Google Account, which lets you access services such as Gmail. The same is true for any number of service providers who choose to adopt simple and strong Universal 2nd Factor authentication.

A special thanks to everyone in the FIDO Alliance working groups for making this happen!

Learn more about the new FIDO U2F Security Key by Yubico

John Salter

YubiKey NEO & FIDO U2F: One Key for All Apps

I’ve been in this business for a long time and watched a lot of promise collapse and a fair number of snake oil salesmen flourish.

Strong authentication is one of those technology conundrums that always seems to be partially solved. The drawbacks of traditional one-time passcodes are well understood and we’ve always truly known their shelf life was limited.

I have been searching for something that would be more appropriate in today’s Internet, that would move past “partially solved” and would blossom into elegant simplicity spanning the technology, the plumbing and the user.

My eyes were opened to the answer while watching a room full of engineers work with their code — checking out, checking in, deploying live —and authenticating each time as they supported a massive cloud service that counts billions of users around the globe.

To cross each virtual security boundary the engineers simply press a small flashing Yubico YubiKey tucked into their USB ports to activate strong authentication. They were taking advantage of their body’s ability to hold an electrical charge and trigger a capacitance sensor.

A few years ago when I first saw this technology, I underestimated the capacitive touch. I did not think it had the needed security properties, but what I missed was how important it was to the end-user.

Once I realized that error, I began adding in the significance of the hermetically sealed, driverless YubiKey that is impervious to viruses and malware. I thought about its improvements over second-factor mobile devices that hackers can compromise, and over single sign-on, where conventional wisdom says authentication should happen as infrequently as possible then shared across domain boundaries.

I now understand security isn’t about limiting authentications but making hundreds, even thousands of them per day as easy as pushing another key on a computer keyboard. It’s a user-experience that requires zero training, even for technology’s bellwether grandmothers.

In addition, a previously missing piece is coming into focus with the FIDO Alliance’s Universal Second Factor (U2F) protocol, adding the standards-layer to enable one key to authenticate to all applications in our ecosystems while maintaining trust and end-user privacy.

Today, Yubico is releasing its YubiKey NEO with support for U2F and delivering it in two form-factors. This key will hold the promise of a significantly more secure online consumer experience, and a dramatic increase in enterprise security and ease-of-use.

This combination of all these factors (pun intended) leads me to believe we have our device and our extended shelf life for a proper “what you have” factor from a multi-factor authentication perspective.

And it has been a powerful enough epiphany for me after 30 years promoting and advancing strong authentication that I have joined Yubico as Chief Business Officer to explore this innovation and see it through to what I believe will be its rightful place in the security landscape.

As you will see in the coming weeks, my faith in these advancements will be validated by some of the most successful and influential Internet companies with arguably the largest end-user populations on the planet.

We can now challenge conventional wisdom around authenticating once then propagating credentials. I am a firm believer in SSO technology for gluing together computing across boundaries and would argue our SSO engines should play the primary role in directing identity traffic. They are, and will remain, essential in modern web architectures.

But, I argue fresh primary credentials trump older secondary credentials every time. Application designers have never thought of a world where it is possible or desirable to verify primary credentials not just one time but many times. That world is coming into focus and I’m excited to have a front row seat, again.

John Haggard is Chief Business Officer at Yubico

Stina Ehrensvard

Growing Bigger, Stronger…

We are growing! The authentication market is locking into its stride, and there has never been another period when computer experts and novices have spent so much time, effort and debate on what has mostly been the silent corner of the Internet – security.

To keep up, Yubico has added horsepower by hiring new people and we are looking for more.

What’s driving growth? Ask the millions of people who have had their passwords stolen in the past 16 months. Ask enterprise security chiefs and corporate executives in industries such as banking, healthcare, and retail what keeps them up at night.

They need help in fighting an unprecedented blitz on their security.

Our Yubico team is lean and powerful like our YubiKey, a small, hermetically-sealed USB and NFC key. With a simple touch it generates trusted credentials. Loved by users in 140 countries, including 7 of the top 10 Internet companies.

In the past month, we have welcomed three industry veterans to our team: John Haggard, former crypto developer and President at VASCO Data Security; John Fontana, online identity evangelist with his own column at ZDNet.com; and security specialist Kevin Casey, formerly with the US Army, RightNow Technologies and Alcatel.

But now we are on the lookout for a supply chain manager, support engineer, system admin and perhaps a marketing guru. If you have the drive and enthusiasm to keep up with a company small in number but big in influence — give us a shout.

It’s time for Yubico to expand! Join us as a customer. Consider being a colleague.

John Fontana

Danish Experts Tap YubiKey Security

When security consultant Ian Qvist talks about YubiKeys, he does so with a knowing grin and the knowledge he’s tightening security without adding complexity.

Qvist works with customers such as government agencies and Danish banks whose IT teams are looking for answers to specialized security needs.

“We use YubiKeys in a lot of places,” says Qvist, an eCrime senior consultant for CSIS Security Group A/S in Denmark. “They are so flexible we use it wherever we want to.”

The YubiKey is a simple USB-key that looks like a keyboard to your computer, and with a simple touch delivers two-factor authentication to secure logins.

Qvist says CSIS, which stands for Cyber Security and Intelligence Services, discovered the power of YubiKeys when he rolled out LastPass password manager internally to the company’s employees. Being security minded, the employees were concerned that all their passwords were in one place. Qvist quieted concerns by strengthening authentication to the password manager with a YubiKey.


Jens Christensen, security researcher at CSIS Security Group A/S in Denmark, holds up a YubiKey. While small, it is giving his business and customers a big assist on security.

“LastPass was the first place we used YubiKey,” he said. “Insert the key, touch it and it is setup, anyone can do that.”

Ever since, the 10-year-old company has been finding spots where the YubiKey can boost security and protect end-users, systems and digital resources. And now the YubiKey is an important element in the security services CSIS offers clients.

Today, YubiKeys also are used at CSIS to bolster security for other services including Microsoft’s Remote Desktop Protocol, VPNs and domain passwords.

“Because the YubiKey can be configured, we use them for many different applications,” Qvist said. “That is amazing for us. And we are coming up with new ways to use them.” YubiKeys can be set up for a long static password or for the Open Authentication (OATH) standard.

He says from a security perspective the ease of use and configuration options are what make the YubiKey so valuable.

CSIS uses Yubico’s personalization tool to deploy YubiKey security with many different authentication methods.

YubiKeys have support for Yubico one-time passcodes, Open Authentication (OATH) including HOTP and TOTP, Challenge-Response and Static Passwords. The YubiKey NEO also supports Near-Field Communication (NFC) for using the YubiKey with mobile devices, smart card functionality including PIV and OpenPGP, and, later this fall, the FIDO Alliance’s Universal Second Factor (U2F) protocol.

CSIS uses both the YubiKey Nano form-factor, which tucks inside a USB port and can be left in the computer, and the Standard form-factor, a small, hermetically-sealed device that can attach to a keychain.

YubiKeys don’t require any software installation, drivers or batteries to operate. But customers like CSIS do use Yubico’s free open source software to customize keys and create their own backend validation servers and services. The Yubico open source tools are also used to program and control YubiKey encryption secrets, or add a ModHex Calculator among other options.

Qvist only began using YubiKeys a year ago, which means he has gotten to warp speed very quickly. Now they are part of everyday operations.

“Our different departments have different patterns of work and we don’t have to disturb those patterns,” he says.

Qvist says one particular customer had a large IT department with a few security guys who scrutinized everything. “When we gave them YubiKey, they saw how it worked and how [it applied] to their use cases. That got ideas rolling around in their heads,” he says.

Enough ideas in fact to fuel more knowing smiles from Qvist.

John Fontana is the Identity Evangelist at Yubico. Also follow his Identity Matters column on ZDNet

John Fontana

When Will NEO Work with iPhone 6 NFC?

Yubico has heard this question a lot over the past days since the iPhone 6 was released with NFC support.

The answer would be “now” if Apple had an open ecosystem, but that likely won’t be the case for another 12-16 months. But put a pushpin on your roadmap, the YubiKey NEO will be a multi-factor authentication option, based on its current NFC support, for iPhone users once Apple opens it to developers.

And if Apple decides to join the FIDO Alliance, the Yubico promise of one authentication key for many services could get support from another heavyweight in the FIDO standardization effort.

It’s not far-fetched to envision Apple as part of FIDO given that Apple’s Touch ID is built from technology acquired when it bought AuthenTec – which applied for the original trademark on the FIDO name. (The company left FIDO the day it was acquired by Apple).

Apple showed its new willingness to work in international standards settings two weeks ago when it joined the GlobalPlatform, which creates specifications that address standardized infrastructure for securing multiple apps on smart chip technology.

The group has three areas of focus: secure elements, trusted execution environments and messaging that holds it all together. And it adds in security, interoperability, responsibilities, provisioning and a common language to exchange information.

Or as GlobalPlatform puts it, we’re “a cross industry, non-profit association that identifies, develops and publishes specifications that promote the secure and interoperable deployment and management of multiple applications on secure chip technology.”

Now that’s a mouthful, but what’s important is in a world where standards are the only way to reach Internet scale, it appears Apple is coming out to play.

Bravo Apple!

You can read more about the Apple/GlobalPlatform alliance on my Identity Matters blog on ZDNet.

Jerrod Chong

YubiKey powers Salesforce 2FA platform

In the next three weeks, Salesforce will add a second major piece within the past year to its identity and access management capabilities. At its annual Dreamforce conference, Salesforce will unveil the Winter 15 edition, including a new feature called Login Flows that allows Salesforce admins to customize the login experience for their users.

On Day One of Dreamforce, I’ll take the stage with Salesforce engineers to show off YubiKey for Salesforce. This is an application that integrates with Login Flows, and the small YubiKey device that provides a one-touch, two-factor authentication experience for logging into a Salesforce account.

The hardware-based YubiKey defines ease-of-use and helps prevent the replay and brute force attacks that have defined recent password hacks. Because the YubiKey identifies itself to your computer as an external keyboard, there are no drivers to install and it’s compatible with any platform. In addition, there isn’t a battery to replace and malware cannot infect the firmware, a needed improvement over software-based authentication tokens.

Last year, Salesforce modernized its authentication platform with the introduction of Salesforce Identity, a set of Open APIs to support identity protocols such as SAML, OAuth, OpenID Connect and SCIM for single sign-on and federation.

This year, Salesforce is adding Login Flows to its platform in order to answer customer requests for the ability to add extra security and features to end-user authentication. Yubico is adding YubiKey for Salesforce into that environment.

The solution is comprised of the YubiKey USB key and an application to validate Yubico one-time passwords against the YubiCloud service. The app also includes a console for IT to manage YubiKeys, including the ability to deal with lost YubiKeys, and an option for users to self-provision YubiKeys.

The end-user experience begins after the user enters their regular Salesforce username and password. Next, the user simply touches the lighted gold contact on the YubiKey inserted in their computer’s USB port – that’s it. The touch produces a unique, one-time 44-character code that is passed to the computer as a second factor of authentication.

In addition, users with existing YubiKeys running under their default configuration will be able to use those keys with the YubiKey for Salesforce app.

We believe this stealth hardware device is the wave of the future — easy-to-use, simple, and secure.

For more information, see our YubiKey for Salesforce page

John Salter

Our Plans for YubiKey NEO & U2F

This is a common question for Yubico these days as media and end-users discuss recent password breaches and explore the promise of two-factor authentication combined with the standard Universal 2nd Factor (U2F) protocol from the FIDO Alliance.

Well I can tell you that the light you see at the end of the strong authentication tunnel is most definitely YubiKey NEO with U2F support. This is a powerful combination that begins to prove the viability and power of FIDO’s U2F protocol and the important role YubiKeys claim with support of the standard. We are truly moving toward one authentication key that can support 2FA to many services.

We are nearly ready for release except for some last-minute issue resolution and QA reviews. Or said another way, we are close enough to spill some of the details. I can tell you what we have developed is a NEO update (version 3.3) that supports the latest U2F v2 review specification, including the USB protocol. Specifically, we have support for U2F over (raw) HID (human interface device). Version 3.3 also continues support for OTP and CCID modes (from version 3.2), or any combination of those two and U2F.

For the implementer, we are publishing software that allows you to build your own U2F-ready authentication server. This will include Python libraries for talking to U2F devices and Python libraries for doing the U2F server-side crypto. We are releasing C and Java libraries as well, since those can be integrated in many environments. In addition, our demo service will be expanded to include U2F demo capabilities. When Chrome v38 goes into production, it will have support for YubiKey NEO v3.3.

We also will upgrade the YubiKey NEO Manager GUI to support mode-switching between OTP/CCID/U2F modes. We have already released new versions of the YubiKey Personalization library/tools, YubiKey NEO Manager library/tools, and YubiKey Cross-platform Personalization, and they all support the new 3.3 NEO version.

When will this be available? Our estimated time of arrival is by the end of October. Keep in mind, however, there are outside dependencies that could shift this timeframe, but I can assure you that the arrival of 3.3 will be a good day. We truly believe that U2F support will be the opening salvo on an entirely new generation of strong authentication — one that is simple to use and secure enough for a range of use cases across any enterprise.

John Fontana

Welcome to the Future, It’s about to Get Really Interesting…

This week ushered in my start with Yubico and I couldn’t be happier to be a part of what is going on here. The challenge in any new job is that while your colleagues are at a full-on run, you’re still learning how to walk. But after five days, I do know I better catch up to them soon because the advancements and opportunities related to authentication technology are poised to come forward fast and furious.

Apple’s iPhone event next week is a hint at security and usability improvements that will spread across the industry. While Apple is initially focused on electronic payment transactions, you could easily swap in the word “authentication” for “payment” and get a picture of where things are going.

The new iPhone 6 by all accounts will show up with NFC support, which is sweet music to the electronic payment system folks. Why? Because they can insert new levels of security and fraud protection leveraging the chip technology infrastructure without upsetting the familiar end-user experience of using the card. And they can do it without passing through software susceptible to malware.

They can provision shared secrets, thus protecting real credit card numbers throughout the transaction process and thwarting hackers via a scheme known as issuer tokenization.

“Now if someone steals transaction records from Home Depot, they get one-time numbers that are useless, it totally kills all these breaches,” said Steve Sidner, an independent security and payments consultant based in Omaha, Neb.

Chip-and-PIN cards, well known in Europe and coming by mandate to the U.S. next year, are proof that the system works. (The devil in the details is the cost of swapping out current technology in POS systems and issuing new cards.)

But the real sweet music to security wonks: there is virtually zero convenience/security trade-off, which has always been the barrier to end-user entry.

That is a win for customers and vendors.

Take that same scenario, but think about an authentication transaction rather than a financial transaction. It works in a similar way but with a different flow. Think of a simple yet elegant hardware-based way to exchange public keys and private secrets, think of no software installs, think of a contactless device that wakes up your phone and announces it is there for a private conversation around strong user authentication.

Think of that same scenario with other contactless technologies. Think of form factors from earrings to watches to clothing.

Major companies with a significant stake in online services and applications are certainly thinking about all that. And they are poised to roll out first phases, not next year, but by the end of this one.

The FIDO Alliance is thinking about it and how to run it over a standard set of protocols — and, of course, the Alliance contains some of the same card issuers salivating over Apple joining the NFC device party with rival Android.

And I have been thinking about all this. That is one reason I am at Yubico trying to help get the message out about the potential for a major shift and a run at finally gaining a significant share of end-user acceptance for stronger security.

I wrote about this yesterday on my blog Identity Matters that runs on the technology web site ZDNet.

Pay attention to what happens next week within Apple’s initial limited NFC scope, but keep in mind the bulk of the benefits are more wide-spread and still to come.

I think the YubiKey is poised to fuel this market with its one-touch strong authentication.

The one thing that jumped out at me is when you insert the key into a USB port it looks like an external keyboard to your computer. So in essence strong authentication is added to your computer by including just one additional key to the 78 or so that are already on a typical computer keyboard.

Strong authentication delivered with a keystroke, likely one of the oldest and most understood end-user experiences in computing. As just one example, the strong authentication experience is already familiar to scores of engineering teams, who securely log in hundreds or thousands of times a day just by touching the one extra key.

That is cool. I’m really interested to see where all this can go.

Jakob Ehrensvärd

YubiKey & BadUSB

Updated Oct. 22, 2014 to include information on Security Key

We have received a few questions with regard to the “BadUSB” concept, presented at BlackHat 2014. This was picked up by wired.com, where the problem domain is somewhat expanded into a claim that the “Security of USB Is Fundamentally Broken”.

Although there are a few different (and known) issues presented, the main claim here is the possibility to turn a legitimate USB device into an evil one by replacing its genuine firmware with a malign image. The authors describe USB devices, but this general concept applies to almost all types of devices having the capability to upgrade the firmware in the field, a process known as Device Firmware Upgrade (DFU).

The concept of creating “hardware Trojans” is interesting (and scary) and gained quite some attention in the early 1990s when the first field-upgradeable flash BIOSes for PCs became available. It was then shown that by replacing a legitimate BIOS with a hacked image, malign functionality could be implanted deep into the functionality of a PC, beyond reach of anti-virus software.

However, although conceptually feasible, such attacks are not that easy to execute practically and to make them widespread. There are quite a few reasons for that.

  1. Many low-end USB devices do not support DFU, either because the firmware is factory-programmed in a non-alterable mask ROM, one-time-programmable ROM or simply because there is no DFU mechanism implemented. Supporting DFU adds cost and complexity and therefore makes little sense for low-cost mass-market devices, such as thumb drives, card readers, keyboards and mice.
  2. To perform DFU, often some active (and usually quite awkward) sequence has to be performed by the user, such as holding a button while the device is power cycled. Then, a specific executable has to be run in the computer where the device is connected to perform the actual firmware upgrade. This is not something that is likely to happen without the user actively initiating it.
  3. An attack of this kind has to be targeted on a per device model basis, and then requires extensive knowledge of the particular implementation, including reverse-engineering. An attack that works for a specific device will only work for that particular version of the device. Blasting a large number of users and trying to fool them into upgrading with a malign image seems unlikely to get more than a marginal impact.
  4. Many low-end USB devices have limited memory capabilities which cannot be upgraded with a firmware that can do anything really evil while maintaining their intended function. So, if the device is infected, it won’t be able to perform what it was designed to do. High-end devices, such as MP3-players, cameras and phones are a different story, but there the problem can be mitigated by code signing.

There are probably quite a few devices out there that do not implement basic countermeasures against what has been listed above, but probably the biggest issue with DFU is that the user accidentally bricks a device when an update fails or stalls before it has been completed. This is an implementation issue and should be seen as a design flaw by the vendor rather than a system-wide problem.

One can wonder if low-end USB devices, such as thumb drives, are in fact the scariest targets for malign firmware, and also why these would implement or require DFU at all. Phones, network routers and gateways with extensive memory and processing capabilities together with constant network and power connection seem to be more obvious and attractive targets in this respect. Here, the number of vendors is smaller and DFU is supported on a more general scale.

Seen from a different angle, one can ask if this is really a USB problem or the fact that devices (above the complexity of a thumb drive) are nowadays frequently (and very fundamentally) updated. Replacing the operating system in a tablet, firmware image in a printer, phone or a network router does not require USB – it is done directly via the network connection. The scalability and harm of such attacks is probably orders of magnitude worse than what can be accomplished on a per-device basis via USB.

The question then inevitably becomes – so how does this all affect current Yubico products, which obviously are USB devices?

With regards to the FIDO U2F Security Key by Yubico and DFU…
– There is not a DFU mechanism in the Security Key and hence it cannot be updated.

With regards to the YubiKey Standard and DFU…
– The firmware is in non-alterable ROM and hence cannot be updated.

With regards to the YubiKey NEO and DFU…
– The YubiKey NEO technically does support DFU, but requires the new firmware image to be signed by us. Yubico does not endorse nor support use of DFU for users.

With regards to the YubiHSM and DFU…
– The device does not implement DFU and hence cannot be updated.

With regards to a USB device being a carrier for malign files…
– The YubiKey or YubiHSM do not support Mass Storage Device (MSD), so they cannot carry infected files or data.

David Maples

The Future of Online Authentication

Last week, Yubico delivered a glimpse into the future of online authentication with a presentation at Mozilla. If you missed the live talk about FIDO Alliance Universal 2nd Factor (U2F) and in-the-browser authentication for the mass market, please watch the archived video below.

In the 60 minute presentation, Yubico discusses the motivation behind U2F, provides a demo of U2F in action, explains the user privacy and security issues that are addressed, highlights the importance of browser support for U2F and dives into some key details about the protocol.

FIDO Alliance U2F is a new, open authentication standard focused on adding public-key cryptography to existing password authentication mechanisms, offering high security with friction-less user experience. U2F represents a crucial step in driving the rapid adoption of strong authentication technology, where the user will be able to use a simple password/passcode, which even if compromised, does not compromise the user’s identity. The elegance of the protocol lies in the fact that the user in possession of the authenticator can authenticate to any number of web-based services using only one device, without the need to install any drivers or client software. The added benefit of U2F also lies in the simplicity of how this protocol can be easily integrated into an existing password authentication model.
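The authentication exchange described above, as an added Go example that is not Yubico’s or the FIDO Alliance’s code: a toy U2F token and a relying-party verifier built around the bytes a U2F authenticator actually signs (SHA-256 of the application ID, the user-presence byte, a big-endian counter and SHA-256 of the client data). The in-memory key-handle table, the JSON-looking client data and the origins are simplifications and constructed values; a real device wraps the key material inside the handle rather than keeping a table.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// registration is what the toy token remembers per key handle (simplification).
type registration struct {
	appID string
	priv  *ecdsa.PrivateKey
}

// Authenticator is a toy U2F token: a fresh P-256 key per registration and one
// global signature counter that only ever increases.
type Authenticator struct {
	regs    map[string]registration
	counter uint32
}

// AuthResponse mirrors the U2F authentication response: presence, counter, DER signature.
type AuthResponse struct {
	UserPresence byte
	Counter      uint32
	Signature    []byte
}

// Register mints a key pair bound to appID and returns the opaque key handle
// and the public key the relying party stores against the user's account.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", raw)
	a.regs[handle] = registration{appID: appID, priv: priv}
	return handle, &priv.PublicKey, nil
}

// signedData builds the exact bytes U2F signs on authentication:
// SHA-256(appID) || userPresence || counter (big-endian) || SHA-256(clientData).
func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append([]byte{}, app[:]...)
	buf = append(buf, presence)
	buf = append(buf, ctr[:]...)
	return append(buf, chal[:]...)
}

// Authenticate signs the challenge with the key behind handle. The browser, not
// the web page, supplies appID from the origin it is talking to, so a handle
// registered with one service is refused when presented from another origin.
func (a *Authenticator) Authenticate(appID, handle string, clientData []byte) (AuthResponse, error) {
	reg, ok := a.regs[handle]
	if !ok || reg.appID != appID {
		return AuthResponse{}, fmt.Errorf("key handle not registered for %s", appID)
	}
	a.counter++ // the user touched the key; the counter lets the server spot clones
	h := sha256.Sum256(signedData(appID, 0x01, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, reg.priv, h[:])
	if err != nil {
		return AuthResponse{}, err
	}
	return AuthResponse{UserPresence: 0x01, Counter: a.counter, Signature: sig}, nil
}

// Verify is the relying-party side: rebuild the signed bytes from its own appID
// and the challenge it issued, check the signature, require user presence, and
// reject a counter that did not move past the last one stored for this key.
func Verify(pub *ecdsa.PublicKey, appID string, clientData []byte, r AuthResponse, lastCounter uint32) error {
	if r.UserPresence&0x01 == 0 {
		return fmt.Errorf("user presence not asserted")
	}
	h := sha256.Sum256(signedData(appID, r.UserPresence, r.Counter, clientData))
	if !ecdsa.VerifyASN1(pub, h[:], r.Signature) {
		return fmt.Errorf("bad signature: wrong key, origin or challenge")
	}
	if r.Counter <= lastCounter {
		return fmt.Errorf("counter did not advance: replay or cloned key")
	}
	return nil
}

func main() {
	tok := &Authenticator{regs: map[string]registration{}}
	handle, pub, _ := tok.Register("https://example.com")
	chal := []byte(`{"challenge":"constructed-nonce"}`) // constructed client data
	resp, _ := tok.Authenticate("https://example.com", handle, chal)
	fmt.Println("genuine origin:", Verify(pub, "https://example.com", chal, resp, 0))
	_, err := tok.Authenticate("https://example.net", handle, chal)
	fmt.Println("other origin:", err)
}
```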

For more background on Yubico’s work with the FIDO Alliance and the future YubiKey NEO with U2F, please visit here.

Simon

YubiKey NEO Updates

UPDATE: YubiKeys with serial numbers 2624253 to 2624449 and 2624801 to 2625499 are also not configured with fixed card manager keys.

Our YubiKey NEO is a JavaCard-based product, which has a set of card manager keys that allow you to delete/add/update the software “applets” running on the NEO, through the GlobalPlatform interface.

We launched the YubiKey NEO as a “Developer Edition”, and as such, the card manager keys were set to a single value to facilitate development.

For production use we don’t recommend this, since anything you can do is also something an attacker can do, thus potentially achieving a denial of service of your NEO by (for example) removing all applets on it. (Note that the card manager keys do not give anyone the ability to extract secrets; that’s by design never possible.) As the Yubico applets have now reached a reasonable level of maturity, we are proactively changing our processes around card manager keys. The YubiKey NEOs that have shipped from July 1st 2014, starting with serial number 3,000,000, are no longer configured with the fixed card manager keys.

What does this mean if you are an existing YubiKey NEO customer? If you are concerned with someone else modifying the software on your NEO, we recommend that you change the card manager keys. GlobalPlatform can be used to change the card manager keys.

Initially we targeted YubiKey NEO towards early adopters and developers; now the majority of our customers are moving to production deployment and require production devices. What does this mean if you want to develop applets for the YubiKey NEO? We are setting up a YubiKey NEO Developers program for you to order YubiKey NEO “Developer Edition” that come with the known card manager keys, so you can load and delete applets as you wish, and services for Yubico to load your applets onto production YubiKey NEO for your customers. We will announce the launch of the YubiKey NEO Developer program here and on our social media channels.

We are improving the way we set up the OpenPGP applet on YubiKey NEO; from shipments made today, we now set the card serial number to be the same as the YubiKey laser-etched serial number, which is important if you have multiple YubiKey NEOs. Secondly, we are shipping version 1.0.6 of the OpenPGP applet that works with GnuPG version 2.0.22+ and supports import of secret keys – for some informal hints see my personal blog post on GnuPG and NEO usage.

Ronnie Manning

Meet Yubico at Cloud Identity Summit

Yubico is invited to showcase the YubiKey and FIDO U2F ready devices at the upcoming Cloud Identity Summit, in Monterey, California. On Saturday, July 19, you can meet our team at the FIDO Alliance interoperability showcase and demo at the Bonsai II room from 1:30-4:30 p.m. On July 20-22, we welcome you to the Yubico booth #TT8. To schedule a meeting, please email us at press@yubico.com.

Simon

Lost YubiKey Best Practices

We hope that you will not lose your YubiKey, but for larger deployments and serious use, establishing processes around lost YubiKeys is an important and challenging aspect. Yubico has offered the YubiRevoke service to help with this aspect, which is a centralized way to disable YubiKeys validated through the YubiCloud. Initially we thought this was a natural part of a YubiCloud service. The more we have worked with customers to establish and recommend practices around use and deployment of YubiKeys, though, the more we have come to reconsider this recommendation. We have realized that a centralized service for revoking a YubiKey often leads to deployments that are inefficient for administrators to use, and it introduces a new set of security considerations for deployments.

For systems that use YubiKeys validated through the YubiCloud, the standard pattern is to set up a service that performs authentication using a username, usually a password, and a Yubico OTP. These systems usually have an administrative interface, of varying levels of sophistication, for managing users. Technically the system performs authentication by validating the username and password, and then validates the Yubico OTP against the YubiCloud to achieve two-factor authentication. For example, the system may be as simple as a WordPress blog with the YubiKey plugin, or Unix (typically Mac or GNU/Linux) login using the PAM module. The WordPress system has its user management interface, and Unix has its own user management and configuration interface. When a YubiKey is lost, to regain access to the system, the administrator has to provide a mechanism for users to associate a new YubiKey, or at least temporarily disable two-factor authentication. When YubiRevoke is used, customers sometimes end up implementing procedures for administrators to disable the YubiKey in both systems, which is inefficient.
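The Yubico OTP validation step described here, and the 44-character one-time code mentioned in the Salesforce post above, as an added Go example that is not Yubico’s own library or YubiCloud code. It assumes the published Yubico OTP layout (12 ModHex characters of public ID followed by one AES-128 block carrying the private ID, counters, timestamp, random bits and a CRC16) and uses constructed placeholder secrets; the counter comparison is what turns a replayed OTP into a rejection.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)

// A Yubico OTP is 44 ModHex characters: a 12-character public ID and 16 bytes of
// AES-128 ciphertext holding the 6-byte private ID, a 16-bit use counter (bit 15
// is a flag), 24-bit timestamp, 8-bit session counter, random bits and a CRC16.
const modhex = "cbdefghijklnrtuv"

// KeyState is what a validator persists per key: ID, secrets, highest counters seen.
type KeyState struct {
	PublicID string
	AESKey   []byte
	UID      [6]byte
	LastUse  uint16
	LastSess uint8
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("invalid ModHex character at offset %d", i)
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

// crc16 is the ISO 13239 CRC (init 0xffff, reflected polynomial 0x8408); run over
// all 16 token bytes, stored CRC included, it must come out as 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1)) // -(bit) is all-ones when set
		}
	}
	return crc
}

// Validate checks one OTP against the key's state and, on success, advances the
// stored counters so the same OTP (a replay) is rejected afterwards.
func Validate(otp string, ks *KeyState) error {
	if len(otp) != 44 || otp[:12] != ks.PublicID {
		return fmt.Errorf("wrong length or unknown public ID")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(ks.AESKey)
	if err != nil {
		return err
	}
	pt := make([]byte, 16)
	block.Decrypt(pt, ct) // a single block, so no cipher mode or IV is involved
	if crc16(pt) != 0xf0b8 {
		return fmt.Errorf("CRC mismatch: wrong AES key or corrupted OTP")
	}
	if string(pt[:6]) != string(ks.UID[:]) {
		return fmt.Errorf("private ID mismatch")
	}
	use, sess := binary.LittleEndian.Uint16(pt[6:8])&0x7fff, pt[11]
	if use < ks.LastUse || (use == ks.LastUse && sess <= ks.LastSess) {
		return fmt.Errorf("replayed or out-of-order OTP")
	}
	ks.LastUse, ks.LastSess = use, sess
	return nil
}

// generateOTP does what the key does on touch; it is here only to build
// constructed sample OTPs for the demo. A real validator never holds it.
func generateOTP(ks *KeyState, use uint16, sess uint8) string {
	pt := make([]byte, 16)
	copy(pt, ks.UID[:])
	binary.LittleEndian.PutUint16(pt[6:], use)
	pt[8], pt[9], pt[10], pt[11] = 0x10, 0x27, 0x00, sess // constructed timestamp
	pt[12], pt[13] = 0x5a, 0xa5                           // constructed "random" bits
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14]))
	block, _ := aes.NewCipher(ks.AESKey)
	ct := make([]byte, 16)
	block.Encrypt(ct, pt)
	return ks.PublicID + modhexEncode(ct)
}

func main() {
	ks := &KeyState{PublicID: "ccccccbcgujh", AESKey: []byte("0123456789abcdef"), UID: [6]byte{1, 2, 3, 4, 5, 6}} // constructed placeholder secrets
	otp := generateOTP(ks, 3, 1)
	fmt.Println(otp, Validate(otp, ks), Validate(otp, ks), Validate(generateOTP(ks, 3, 2), ks))
}
```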

A centralized revocation system for YubiKeys also introduces security considerations for deployments. Our revocation system depends on good authentication, and with access to an admin account, you can disable a YubiKey immediately. For larger deployments, having an attacker gain access to the administrator password/OTP could lead to situations which are difficult to recover from — consider for example if the attacker (maybe a disgruntled employee) changes the YubiRevoke password and disables all your YubiKeys. Implementing proper social recovery mechanisms on our side is not cost effective, and there will always be room for doubt. There is also a risk for Yubico to host a service that is using username/password authentication, since that will become a target of attacks.

For the reasons above, Yubico is planning to decommission our YubiRevoke service on the 1st of October 2014. We advise customers to simplify their processes around revocation to not involve the YubiRevoke service. We will disable new YubiRevoke account registration on June 13th 2014, and disable adding new YubiKeys to existing accounts on the 1st of August 2014. Please find below a quick FAQ around this.

Q: If I lose my YubiKey what should I do?
A: You should log in to the sites where you used the YubiKey and change the account settings to use your replacement YubiKey instead.

Q: What if I can’t login to the site to change my settings?
A: Use the service’s authentication recovery method.

Stina Ehrensvard

The Internet of Trust

Over the last year, news headlines of compromised passwords and system vulnerabilities have continued to dent our trust in our Internet-connected computers, smart phones, networks, Certificate Authorities and software providers. A month ago, when the Heartbleed vulnerability was identified, some people claimed that this was the end of the great human experience called the Internet.

But great inventions don’t die just because security mistakes have been made. We trust seatbelts in cars and with new trust models we can build an even more powerful and secure Internet.

It begins with accepting that the static username and password for identification and authentication is not enough. And that networks, software and devices will never be free from hackers, backdoors and malware. Then we can move our trust and login credentials to a small key, which we carry on our keychain, and which is not connected to the Internet. Instead of trying to rely on vulnerable infrastructure, we set up a direct and secure link between the key and the application we want to connect to. And let the key change our user credentials every time we log in.

In parallel, we are creating a new user centric trust model. Instead of relying on a single party for authentication to multiple services, we’re turning the model upside-down, where multiple services can rely on a single device. This concept of true end-point authentication is also the core idea behind FIDO Universal 2nd Factor.

Once you can purchase your secure online identity online or at your local store, and free and open source U2F libraries are published for any service to implement easily, the Internet will be a safer place. New, distributed, disruptive and lower-cost trust models will evolve, empowered by billions of users.

Stina Ehrensvard

Silicon Valley Veteran Backs Yubico

Ram Shriram, founding board member of Google and former executive at Amazon.com, joins the strong authentication innovator Yubico as an investor and advisor.

“At a time when Internet passwords are being hacked at scale, the Yubico team continues to excel at protecting digital identities in a very elegant manner. To win the mass market of Internet users, great security needs to be simple. The YubiKey user experience with no client software, a simple PIN and a touch – delivers on this promise!” says Ram Shriram, CEO & Founder, Sherpalo Ventures.

With offices in Palo Alto, Stockholm and London, Yubico has built a profitable business internationally. The YubiKey, the company’s flagship product, is an innovative and disruptive multi-factor authentication solution built strong enough for the largest enterprises while remaining simple enough for consumers to use. Trusted by 7 of the top 10 Internet companies, YubiKeys have been used to protect digital identities for over 40,000 customers in over 130 countries.

Over the last few years the Internet has seen a growing wave of attacks and breaches that have highlighted the limitations of traditional authentication solutions. Weekly headlines of major password leaks, the Snowden/NSA publications and the recent Heartbleed vulnerability have significantly raised global awareness of secure Internet identity and privacy. While usernames and passwords alone are no longer secure, existing multi-factor authentication technologies, such as smart cards and one-time password hardware tokens, have not yet scaled to the mass market: they remain complicated to deploy and manage, in addition to being expensive. And while smartphones and tablets have been rapidly adopted, mobile authentication software has been exposed to malware and has become a target for attackers seeking a way into users’ accounts and enterprises.

The YubiKey is a strong authentication hardware solution that works instantly with computers and mobile devices for a range of Internet and enterprise applications. Enterprises can ensure that they have full control over their encryption secrets by leveraging Yubico’s trust-no-one deployment model, offered as on-premise software or as a cloud service. Yubico’s vision is to enable Internet users to have secure access across unlimited services using their YubiKeys. To realize this dream, Yubico is a board member of and a key contributor to the FIDO Alliance, an open standards strong authentication consortium, along with leading Internet and financial services companies.

To accelerate its growth and make YubiKeys ubiquitous, Yubico is proud to welcome Ram Shriram as an investor and advisor. Ram leads Sherpalo, his own venture capital firm, investing in promising new disruptive technologies. Ram continues to serve on the board of Google and has previously been an officer of Amazon.com.


Stina Ehrensvard

The Yubico Entrepreneur Journey

Earlier this month, I was invited to deliver a keynote at STING Day, an annual event for an audience of over 500 attendees, including the top European tech start-ups and investors. The event is hosted by STING (Stockholm Innovation and Growth), the leading tech incubator in Stockholm, where Yubico began.

For the talk, I was asked to share some key events from Yubico’s journey and what I have learned from them. Condensing seven years into a 15-minute keynote was not an easy task, and I’m generally reluctant to give advice, knowing that all entrepreneurs have their own DNA and paths to travel. However, I accepted the challenge, and shared several Yubico stories, including how the YubiKey was invented and why part of the team moved from Stockholm to Silicon Valley to help develop FIDO U2F, the new and disruptive open authentication standard.

On the same topic, I want to comment on an article I read some time ago which focused on the personalities of entrepreneurs. According to the article, “the majority of all entrepreneurs have a slightly warped self-image, being overconfident with their own abilities”. After reading that quote, it was clear that it was not an entrepreneur or innovator who had chosen those words. We are more humble… about the fact that our number one asset is our passion for our ideas, and our confidence that we will accomplish them!

We also know that very few people succeed alone. I am here today thanks to all of the hard work given from the amazing individuals that have joined Yubico and to those whose paths I have crossed on this journey.

So, to all of you who carry a big dream, don’t let anyone define what you can or cannot do. Trust your gut – and do it!

STING Day 2014 from Yubico on Vimeo.

Watch the video above for a 15-minute summary of Yubico’s journey and lessons learned.

Simon

Improving YubiKey Physical Security

Yubico has been working with world-renowned cryptographers at Ruhr-Universität Bochum to improve the YubiKey’s resistance against physical attacks. This has been an ongoing process over the last year. The results were made public at the RAID 2013 conference and have also been presented at 30C3. To follow our principles of openness and transparency, we describe below, at a high level, what we did over the last year to address the issues presented in their study. Our general philosophy around security is to tell you what we are doing, so that you stay informed.

First, let’s recap some basics about physical attacks and the YubiKey. The YubiKey Standard was designed to combat threats where someone spends a small amount of effort to attack a large number of YubiKeys, the kind of “asymmetric” threat usually found on the Internet. For example, a software trojan that manages to infect many machines (which is common) will not be able to generate One-Time Passwords (OTPs), because someone has to physically trigger the YubiKey touch button. Attacks where someone gets physical access to your YubiKey have been outside our threat model, and we have urged users to use common sense to prevent them, such as keeping the YubiKey on your person or in a secured location instead of leaving it in a publicly accessible computer: essentially the same measures used for the key to the front door of a home or office.

For most environments, and we recommend this as a general rule, you should combine multiple factors to authenticate a user. Usually the YubiKey is used in a way that combines something you know (a password) with something you have (a YubiKey). This means that temporary loss of a YubiKey is not a disaster: the attacker would still need to acquire the password. Acquiring the password and temporarily borrowing your YubiKey is still feasible, but it costs the attacker considerably more than just acquiring passwords. Further, it gives the legitimate owner of the YubiKey time to contact the services they were using it with and disable it, so that the YubiKey no longer grants access to those sites or services.

The novel attack demonstrated last year extracts the AES key from a YubiKey (firmware version 2.3 and earlier) using a “side-channel” attack. Side-channel attacks work through other channels into a system, such as power consumption, electromagnetic emission, computation time, or audio. Preventing this class of attacks is more challenging than preventing direct attacks, since you must be aware of the attack vector before you can build a defense against it. Some side channels, such as timing and power analysis, have been studied for well over a decade, so common defense mechanisms have been established. For example, one way to deal with timing analysis is to implement the software so that computations take a constant amount of time regardless of inputs; the equivalent for power analysis is to avoid data-dependent branches and memory accesses and to mask intermediate values so that no single measurement correlates with the key.

The attack uses power and electromagnetic analysis of the YubiKey, and requires physical access to the YubiKey for an extended period of time; a typical attack would require access to the YubiKey overnight. The setup requires the YubiKey to be mounted in a special rig to measure power consumption and EM emission, and to fake YubiKey touch button presses. With this setup, and custom-built post-processing software, the researchers were able to extract the AES key used to generate OTPs from a YubiKey. In effect, every button press “leaked” a small amount of information about the key, and after many presses enough had accumulated to calculate the AES key.

Yubico was informed of this research early last year. While the YubiKey Standard was not intended to resist physical attacks, we aspire to exceed expectations. So we worked with the researchers to produce an updated version of the firmware. The new firmware was tested by the researchers, and they confirmed that the attack was prevented, and also that they were unable to find another attack vector. This firmware was called version 2.4 and started to ship during May 2013 for the black YubiKey Standard, and incrementally rolled out for all form factors and colours, before the research was made public.

Q: What YubiKey products are affected?
A: Only the YubiKey Standard and YubiKey Nano with firmware before version 2.4. The YubiKey NEO is NOT affected.

Q: I’m using the YubiKey Standard in OATH or challenge response mode, am I affected?
A: No. Only the Yubico OTP mode.

Q: How do I find out what firmware version my YubiKey has?
A: You may use our Personalization tools; for example, ykinfo -v from the command-line tools prints the firmware version. If you use a recent version of Debian/Ubuntu, the tools are part of that operating system.

Q: Should I be concerned about this attack?
A: Not really. Even if someone has physical access to your YubiKey, the attack requires sophisticated tools to extract the encryption key, making it practically impossible for most people. Also, the majority of systems using the YubiKey require a second factor, such as a PIN or password. If a pre-2.4 key has nevertheless been out of your control for long enough for such an attack, treat it as compromised: re-program it with a new AES key and update the services that trust it, or replace it.


David Maples

Bank of America Joins FIDO Alliance

Today, Bank of America has joined the FIDO Alliance and been appointed to its Board of Directors. Among the world’s leading financial institutions, Bank of America is committing to FIDO standards for strong authentication, along with other leaders in the financial sector, including Discover Financial Services, MasterCard and Goldman Sachs.

“Historically, strong two factor hardware authentication has been too costly and complicated to scale for mass markets,” said Stina Ehrensvard, CEO and founder of Yubico. “We are pleased to see an ever-increasing number of large online services and financial institutions joining the FIDO Alliance and addressing the issues. FIDO certified devices offer better security and a greatly improved user experience over traditional software-and-hardware based authentication technologies.”

FIDO Alliance members commit to share technology and collaborate to deliver open specifications for universal strong authentication that enables FIDO-compliant authentication methods to be interoperable, more secure and private, and easier-to-use. The YubiKey NEO is the industry’s first FIDO Universal 2nd Factor (U2F) Ready device and is currently being demonstrated at RSA 2014 at the NXP booth. (* Please note – as of May 21, 2015, Yubico FIDO Ready™ products became official FIDO Certified™ products.  Read more here).

“Providing our customers with a convenient, secure digital banking experience is a top priority for us,” said Dave Godsman, Bank of America Digital Banking Solutions & Operations Executive. “As the world rapidly changes, our involvement in the FIDO Alliance will help ensure we continue to provide the convenient and secure solutions our customers want.”

“Bank of America is counted among the world’s leaders in financial services. As an institution responsible to secure high-value interests and relationships across consumer, government, enterprise, and business, Bank of America is among a select few ‘Relying Parties’ ideally positioned to drive adoption of FIDO standards at Internet scale,” said Michael Barrett, president of the FIDO Alliance. “We welcome Bank of America to our Board of Directors at a pivotal point in FIDO Alliance history. With our review draft specifications just publicly released, and the marketplace poised to deploy ‘FIDO Ready’ certified solutions in 2014, both users and those who serve them are eager to embrace simpler, stronger FIDO authentication.”

To find out more and to read the release in its entirety, please visit FIDOAlliance.org

Ronnie Manning

See Yubico at RSA 2014

NXP booth #1341 in the South Expo Hall

Throughout the conference, Yubico will be demoing the YubiKey NEO and the industry’s first FIDO Universal 2nd Factor (U2F) Ready device at the NXP booth (Though successfully deployed inside cloud companies, FIDO enabled YubiKeys are not yet for sale for the public). We will also present the simplicity of two-factor authentication for other YubiKey NEO use cases, including Windows login, PIV, PKCS11, OpenPGP, password managers, and for leading cloud services with support for OATH TOTP.

FIDO Ready Showcase – Moscone North, Room 110

Additionally, on Wednesday, February 26, from 1:00 PM to 5:00 PM, Yubico will be participating in the FIDO Ready Showcase. The Showcase will feature a FIDO Alliance member panel, FIDO Ready live product demonstrations, and a chance to meet and interact in one-to-one meetings.

FIDO Alliance Member Panels – Moscone North, Room 110

Yubico is honored to be participating in two panel discussions during the FIDO Ready Showcase. Read more about the FIDO Alliance.

Date and Times: Wednesday, February 26, 2014. 1:00 PM and 3:00 PM

  • 1:00 PM – Business Drivers for the FIDO Solution
    Moderator – Brett McDowell, PayPal
    Participants – Stina Ehrensvard, Yubico, Michael Barrett, FIDO Alliance and Kayvan Alikhani, RSA
  • 3:00 PM – FIDO Technology: a Primer
    Moderator – Brett McDowell, PayPal
    Participants – Jerrod Chong, Yubico (U2F) and Davit Baghdasaryan, Nok Nok Labs (UAF)

Schedule a meeting with the Yubico team

If you would like to set up a meeting at RSA, please email Ronnie@Yubico.com. Looking forward to seeing you at the show!

David Maples

CERN Research Secured with YubiKey

Read about how CERN is using YubiKeys in eWeek

CERN, the European Organization for Nuclear Research, pioneers of the World Wide Web and one of the world’s leading scientific research centers, uses YubiKeys for securing critical services.

“The YubiKey meets all our requirements thanks to its sim­plicity of use, its open algorithm and the available open-source software support. Moreover, YubiKeys require no drivers, meaning that it is compatible with all our operating systems, which is a big advantage in a heterogeneous academic environment. The absence of a battery is yet another plus, limiting the maintenance costs to a strict minimum.”

Remi Mollon, Computer Security Analyst, CERN

To case study

S. American Bank Deploys YubiKeys

Financial transactions and banking are top targets for online criminals and one simple stolen password can wreak havoc on one’s online identity. Yubico and SwissBytes are proud to announce that Bolivia-based Banco Ganadero has successfully implemented and deployed SwissBytes Virtual Box (SB-VBOX) with integrated YubiKey second-factor authentication to secure online banking services for its customers.

Banco Ganadero needed an easy-to-use and highly effective solution to secure its home banking portal ‘GanaNet’. Banco Ganadero looked to SwissBytes and Yubico to address this need while keeping the security of its customers’ accounts and data of utmost importance. The companies worked together to develop a unique solution for GanaNet, SB-VBOX, which consists of two components: the authentication service and a web application called the ‘YubiKey Control Center’.

Since implementation, GanaNet users have a secure and fast way to access their accounts with the YubiKey from any computer. In the near future the customers will have the ability to log on to their online accounts from mobile devices across popular operating systems such as iOS, Android and Blackberry.

Banking and financial institutions can now add high security to their online services in a fast and affordable way. For more information, please visit www.yubico.com or www.swissbytes.ch.

David Maples

Yubico at CES

Yubico had an amazing time at the ShowStoppers event at CES yesterday evening. It was a night of rapid interviews with print and broadcast media, as Yubico spoke with more than 55 journalists! Such great conversations, demonstrations and interactions – Thank you to all who spent time with us!

Are you looking for more of Yubico at CES? Find us at the NXP booth! And be sure to see our CEO, Stina Ehrensvard, on this evening’s (1/8/14) ‘Why Security Matters’ happy hour panel discussion from 5:30-6:30 PM inside the NXP Booth at CES: Central Plaza #9. To register for the panel discussion, please visit NXP.

We hope to see you at the show!

Simon

YubiX: Reference Auth Software

Yubico is happy to introduce a project that combines several of our server-side software packages: YubiX. YubiX is intended as a reference architecture software stack to demonstrate how to build robust and secure authentication systems that utilize the YubiKey and YubiHSM hardware. While YubiX may be run directly as-is, it is not intended as a “product”; rather it is intended as inspiration for customers and partners to adapt and build their own solution from. We encourage people to take parts of YubiX and put them into products or their own system designs. All the software in YubiX is free and open source software.

The current functionality includes a web service interface and a RADIUS interface for validating username, password and Yubico OTPs, together with related administrative interfaces. However, the YubiX project goal is to showcase different technology options that can use Yubico OTPs in general, so expect it to go in any direction that new technology takes it. Yubico is committed to supporting our own components that make up YubiX and will engage with the community through GitHub using an issue tracker and source code development tools. However, Yubico does not provide system-level support for external parts, such as the core Debian/Ubuntu operating system or components like FreeRADIUS: those are already well served by their own communities.

To focus our resources on YubiX, we are now retiring our old product YubiRADIUS, including its components such as YubiApp. Yubico is not recommending any single migration strategy for YubiRADIUS; instead we encourage all existing YubiRADIUS users to evaluate different options. If you have the technical know-how, we believe the components that make up YubiX will allow you to build something better and more robust going forward. If you prefer to take an off-the-shelf product, there are options like Duo Security, LinOTP, OpenOTP, AuthAnvil and others. By partnering with someone external, you can also have a custom solution built for you from YubiX components and components built by a partner. Finally, if you are happy with YubiRADIUS, there is no reason to stop using it, except that it will not be maintained or supported by Yubico going forward.

For more information, please see our page about YubiX. For discussion, we invite comments on our forum.

Yubico at Internet Identity Workshop

Meet Yubico at the 17th annual Internet Identity Workshop next week from 10/22-10/24! Better known as IIW, the workshop is an un-conference at the Computer History Museum, in the heart of Silicon Valley. IIW gathers developers, thought leaders and interested parties moving both code and conversation forward for online identity initiatives and standards.

Yubico has been a long-term supporter of open identity standards and has contributed code enabling two-factor authentication with SAML. In close collaboration with Google and NXP, Yubico has also contributed to U2F (Universal 2nd Factor), a new open identity and authentication standards initiative hosted by the FIDO Alliance. At the IIW event, we will provide updates and demos of the YubiKey NEO and U2F, which has now been successfully deployed inside Google.

YubiSwitch and the YubiKey Nano

Ever felt like disabling the output of a YubiKey so you won’t trigger it accidentally? If you’re a Mac OS X user, you’re in luck! Angelo “pallotron” Failla has written an application that runs in the OS X status bar and automatically disables your YubiKey after a period of inactivity.

YubiSwitch Screen Capture

Here’s a screen capture of how it looks. It’s primarily designed for the YubiKey Nano, which is meant to be left in the USB port for long periods of time, but it will work with the standard-sized YubiKeys as well. Check it out here.

David Maples

User-Centric ID Live

If you are attending User-Centric ID Live at the Washington DC Convention Center, be sure to check out the “Drivers and innovators: Meet leaders from the major identity initiatives” session today (10/15/13) from 4:00pm – 5:15pm. Our CEO and Founder, Stina Ehrensvard, will be participating on this panel with other FIDO Alliance members from Google, Blackberry, NXP Semiconductors and Nok Nok Labs. The panel will be discussing how the FIDO Alliance works on open standards for simpler, stronger authentication.

Also, do not miss the session “Track 1: Identity Ecosystems & Technologies: User-centric identity concepts, technologies and how they will impact business”  tomorrow (10/16/13)  from 9-10:15 AM. In this session Stina will be presenting more details about Universal 2nd Factor Authentication (U2F). As one of the technical specifications hosted by FIDO Alliance, U2F introduces the first driverless smart card with user presence. Successfully deployed inside Google, it also challenges the traditional business model for secure online identities, allowing users to buy and control any number of real and “anonymous” identities to easily and securely access any number of services.

User-Centric ID Live is an event focused on the business of user-centric identity. Conference sessions focus on technologies, standards, implementations, applications, and business models in the new user-centric identity ecosystem.

David Maples

Facebook Uses YubiKey and Duo

Yubico and Duo Security are happy to jointly announce today that Facebook has successfully deployed technologies from both companies to provide two-factor authentication across its enterprise.

In order to securely authenticate software engineers to production networks and servers, Facebook needed a solution that provided quick and easy authentication, a fast rollout to employees, and the flexibility for multiple authentication options. After careful consideration, the company deployed solutions from both Duo Security and Yubico. When coupled together, the respective technologies successfully addressed Facebook's authentication priorities — placing equal emphasis on usability and security.

This complementary combination of two-factor technologies includes the multiple authentication methods (push, SMS, mobile, voice) of Duo Security’s cloud-based authentication and the YubiKey Nano. Together, these technologies allow Facebook employees and developers to authenticate quickly using the YubiKey Nano, with the flexibility and ease of use of Duo Security. With Duo, users are given a choice of device and method each time they authenticate. Additionally, Duo supports all phone types, from smartphones to landlines, and lets users authenticate with a variety of factors, including the YubiKey.

The YubiKey Nano is the world's smallest OTP token, and is designed to stay inside the USB-slot once inserted.  To authenticate, users simply press the device and a pass code is instantly and automatically entered, there is no need to physically re-type pass codes.

For additional background on the deployment, recently, a team from Facebook gave a presentation to the Center for Education and Research in Information Assurance and Security (CERIAS) Seminar at Purdue University, explaining how the company utilizes Duo Security and YubiKeys to provide two-factor authentication for the company's engineers. The presentation provided thoughtful insight into the security culture of Facebook and how that led them through the evaluation and implementation decisions of their two-factor authentication deployment. That presentation can be found here - duo.sc/facebook-purdue

More about Duo Security

More about the YubiKey Nano

David Maples

YubiKey NEO OATH Applet

Yubico is proud to announce the release of our Free YubiKey NEO applet to help with storing OATH secrets and generating OATH one time pass codes.

With the increasing deployment of two-step verification (e.g. GitHub this week, Dropbox, Google, Microsoft, Evernote) relying on the OATH algorithms, many users are concerned about using their mobile phones to store the secrets used to generate the 6- or 8-digit codes, and about the difficulty of changing devices. The applet we’re releasing today lets you store those secrets in the secure element on your YubiKey NEO; simply tapping your NEO against any NFC-enabled Android device with the YubiOATH app running shows you your current codes. See the video below to see it in operation.

Existing YubiKey NEO owners comfortable with command-line tools can add the new applet to their NEO; see our forum post here. The source code of both the YubiKey NEO OATH applet and the Android YubiOATH app is available here.

Stina Ehrensvard

Yubico at TechCrunch Disrupt

As a Swedish-American innovator, Yubico has been selected to represent cutting edge Swedish innovation, and will demonstrate the YubiKey NEO on Tuesday, September 10, at the Nordic Pavilion at TechCrunch Disrupt.

At the event, Yubico will also outline the basics for U2F (Universal 2nd Factor); the new online security standards initiative, developed by Google, Yubico and NXP, focused on scaling high security smart card technology beyond government and enterprise to every Internet user. The YubiKey NEO with initial U2F specifications are already successfully proven with thousands of users, and by the end of the year, we expect more than 200,000 YubiKey NEOs will be deployed within Google and elsewhere for U2F authentication.

To TechCrunch Disrupt web site

Stina Ehrensvard

YubiKey in Fashion – Win a Laptop!

Lucy in the picture above is wearing her back-up Yubikey in her ear. How are you using your YubiKey? Send us your cool, fun or serious and useful YubiKey stories in any form that can be posted on our Facebook page; pictures, videos, quotes, links to blogs and Twitter feeds…

All applicants that present the YubiKey in a positive way will automatically win one free Yubikey NEO and one free YubiKey Nano. Starting now, we welcome submissions until Nov 1, 2013. The Yubico team will then select the best Yubico promotion or story that will win a Chromebook!

Tell us your story at our Facebook Page

YubiKey NEO production launch

YubiKey Neo and Claws Mail

In an earlier post, we went through the steps of enabling and setting up the OpenPGP applet on a production YubiKey NEO. In this post, we expand on how to use it with Claws Mail to sign and encrypt email, one of the main uses of PGP. Claws Mail is an open source email and news client based on GTK+. It is widely available; more information can be found here.

First, make sure your YubiKey NEO is properly configured; for information on how to do so, please refer to this. A properly configured YubiKey NEO should behave no differently from a smartcard in its reader, so the steps described here are exactly the same as when using an OpenPGP smartcard. If you have used Claws Mail with an OpenPGP smartcard before, this should be no problem for you.

Once done, open Claws Mail. Configure it for your chosen email service and ensure that the PGP plugins are loaded, as shown in the screenshot below.

Claws_Screenshot_1

Assuming everything is configured correctly, incoming encrypted messages will be automatically decrypted and incoming signed messages will have their signatures automatically validated – very convenient!

To send your own signed or encrypted messages, click on Options, then Privacy System, and pick None, PGP MIME or PGP Inline. Choose PGP MIME if your recipient’s mail client supports PGP/MIME, which also covers attachments, and PGP Inline only if it does not. In the screenshot below, PGP Inline is selected.

Claws_Screenshot_2

Before sending your message, click on Options then Sign to sign it or Encrypt to encrypt it. Then enter your PIN when requested and it will be sent!

Claws_Screenshot_3

Enjoy using your YubiKey NEO with Claws Mail!

Expanding YubiKey Keyboard Support

Hi. We’ve had a few queries about using the YubiKey with various keyboard layouts, so we thought we’ll spend some time describing the different methods available to do that.

Like a USB keyboard, a YubiKey works by sending scan codes rather than actual characters. When you type, the keyboard only sends the key number, or “scan code”, which the computer then translates according to your keyboard layout settings.

This presents an issue, as there are many different keyboard layouts in use in the world today. To mitigate the problem, the YubiKey only uses modhex (short for MODified HEXadecimal) characters, chosen because the same scan codes map to them in almost all keyboard layouts. If your keyboard layout is not one of those covered by modhex (Dvorak, for example), your YubiKey may not output the characters correctly. If this is true for you, here are three ways to resolve the issue.

Option 1

Our recommended best practice is to switch to a US standard keyboard layout when entering the OTP and switch back when done. When properly configured this is quick and convenient: in a Windows environment, for example, pressing alt+shift (to switch the input language) and ctrl+shift (to switch the keyboard layout) lets you switch to an alternative layout quickly.

Keyboard_Screenshot_1

The screenshot above shows a sample configuration of a US standard keyboard layout and a US dvorak keyboard layout.

Option 2

If you are trying to output digits (0-9) with the French AZERTY keyboard layout, you can simply hold the shift key while the YubiKey is outputting, or set the flag in the personalization tool that makes the YubiKey send numeric keypad scan codes for digits instead (firmware 2.3 onwards).

Keyboard_Screenshot_2

The screenshot above shows where the flag setting in the personalization tool is.

Option 3

If neither of these is possible for you, another solution is to modify the scan map used by your YubiKey NEO. This feature requires a YubiKey NEO and the command-line version of the Cross-Platform Personalization Tool. Your YubiKey NEO will then only work properly on the keyboard layout you modified it for: if you modified it for Dvorak, for example, it can only be used on a Dvorak layout.

The YubiKey uses the following alphabet:

cbdefghijklnrtuvCBDEFGHIJKLNRTUV0123456789\t\r

The scan map is the one-byte scan code for each of those characters, in the same order. Each byte is the USB HID keyboard usage ID of the key, with the high bit (0x80) set when Shift must be held: compare c = 06 with C = 86. For a US standard keyboard layout (the YubiKey default), the scan map is:
06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899271e1f202122232425262b28

To set the scan map, pass the desired map as the value of the -S argument of the ykpersonalize tool. Some examples are shown below.

Simplified US Dvorak:
0c110b071c180d0a0619130f120e09378c918b879c988d8a8699938f928e89b7271e1f202122232425269e2b28

French AZERTY:
06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899a79e9fa0a1a2a3a4a5a6382b28

Turkish QWERTY (with a dotless i instead of usual i):
06050708090a0b340d0e0f111517181986858788898a8b8c8d8e8f9195979899271e1f202122232425269e2b28

Note that you must remove any whitespace from these examples before using the values. Passing -S with an empty argument resets the scanmap to the YubiKey’s default.

Keyboard_Screenshot_3

The screenshot above shows a YubiKey NEO’s scanmap being configured for the dvorak keyboard layout.
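As an added example, not Yubico’s code and no part of ykpersonalize, the Python below decodes the scanmaps listed above into per-character key codes, compares two maps to show exactly which characters a layout changes, and derives the French AZERTY map from the US default by setting the shift flag on the digits, which is the same fact behind Option 2. The three layout strings are copied from this post; the 0x80 shift flag is inferred from them (every uppercase entry is the lowercase entry with 0x80 set), and 0x38 is the USB HID usage for the key that carries ‘/’ on a US keyboard and ‘!’ on AZERTY.

```python
# Added example (not Yubico's code): inspect and derive the 45-byte scanmap that
# `ykpersonalize -S<hex>` writes to a YubiKey NEO.
# Assumption (inferred from the post's tables, not stated there): bit 0x80 of a
# byte means "press this key with shift".
ALPHABET = "cbdefghijklnrtuvCBDEFGHIJKLNRTUV0123456789!\t\r"   # one byte each
SHIFT = 0x80

# Layout strings as given in the post (whitespace-free, 90 hex digits each).
US_DEFAULT = ("06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899"
              "271e1f202122232425269e2b28")
US_DVORAK = ("0c110b071c180d0a0619130f120e09378c918b879c988d8a8699938f928e89b7"
             "271e1f202122232425269e2b28")
FRENCH_AZERTY = ("06050708090a0b0c0d0e0f111517181986858788898a8b8c8d8e8f9195979899"
                 "a79e9fa0a1a2a3a4a5a6382b28")
TURKISH_QWERTY = ("06050708090a0b340d0e0f111517181986858788898a8b8c8d8e8f9195979899"
                  "271e1f202122232425269e2b28")


def decode(scanmap_hex):
    """Hex string -> {character: key code}. Whitespace is stripped first, and a
    wrong length is rejected instead of silently producing a key that types garbage."""
    raw = bytes.fromhex("".join(scanmap_hex.split()))
    if len(raw) != len(ALPHABET):
        raise ValueError(f"scanmap must be {len(ALPHABET)} bytes, got {len(raw)}")
    return dict(zip(ALPHABET, raw))


def encode(mapping):
    """{character: key code} -> the hex string to append to -S."""
    return bytes(mapping[c] for c in ALPHABET).hex()


def diff(scanmap_a, scanmap_b):
    """Characters whose key code differs between two maps: a quick sanity check
    before writing a layout to the key."""
    a, b = decode(scanmap_a), decode(scanmap_b)
    return {c for c in ALPHABET if a[c] != b[c]}


def shift_exceptions(mapping):
    """Modhex letters whose uppercase entry is not simply lowercase | SHIFT.
    Empty for the US and Dvorak maps; non-empty where a layout puts the two
    cases on different physical keys (the Turkish dotless-i map does this)."""
    return {c for c in "cbdefghijklnrtuv" if mapping[c.upper()] != mapping[c] | SHIFT}


def derive_azerty(us_scanmap):
    """Option 2 expressed as a scanmap: on AZERTY the digit keys emit digits only
    with shift, and '!' sits on key code 0x38 (the '/' key of a US keyboard)."""
    m = decode(us_scanmap)
    for d in "0123456789":
        m[d] |= SHIFT
    m["!"] = 0x38
    return encode(m)


def ykpersonalize_argument(mapping):
    """The argument exactly as ykpersonalize expects it: -S immediately followed by hex."""
    return "-S" + encode(mapping)


if __name__ == "__main__":
    print("US vs Turkish differs in:", diff(US_DEFAULT, TURKISH_QWERTY))
    print("US vs AZERTY differs in:", sorted(diff(US_DEFAULT, FRENCH_AZERTY)))
    print("derived AZERTY matches the post:", derive_azerty(US_DEFAULT) == FRENCH_AZERTY)
    print(ykpersonalize_argument(decode(US_DEFAULT)))
```

Running diff against the US default before writing a map is the check worth keeping: for the Turkish map it reports only ‘i’, for AZERTY the ten digits plus ‘!’, and anything unexpected in that set means the key will type wrong characters on the target layout.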

Interested to know more? Head to our technical forum.

Enjoy using your YubiKey!

Stina Ehrensvard

Best Vaccine for Mobile Viruses

A security research team at Bluebox has disclosed a vulnerability in Android, claiming that malware can gain full access to the mobile operating system and its applications. The complete details are not yet public, so the Yubico security team does not know how such an attack would work. But we know for sure that we will see more sophisticated mobile malware attacks in the near future.

For many years Apple claimed that its computers were more secure than PCs, being immune to PC viruses. That was a correct statement until Mac OS X and iOS won enough market share to become increasingly popular targets for malware creators.

As the weakness of static passwords and of software authentication installed on computers was exposed, and as more and more users adopted smartphones and tablets, SMS and authentication apps were presented as the more secure way to log in. But malware creators always follow the crowd. Long before the Bluebox discovery, software authentication applications running on mobile devices had already been copied and misused.

At Yubico we had these threats in mind when we developed the YubiKey NEO, enabling true second-factor authentication across computers and NFC mobile devices. For users and devices that do not have NFC, the YubiKey NEO can also hold an authentication applet on the YubiKey itself, offering higher security than a credential loaded on a device exposed to the Internet.

Just as biological viruses have spread, infected and killed humans in the physical world, another type of virus is infiltrating the veins of the Internet. Cloud companies that have been part of the YubiKey NEO’s development and success have seen these viruses attacking their systems. And we know that authentication hardware is the most powerful vaccine.

Stina Ehrensvard

Yubico named Gartner Cool Vendor

Yubico has been named a “Cool Vendor in NFC 2013” by Gartner, Inc., one of the world’s leading information technology research and advisory companies. Each year, Gartner identifies new Cool Vendors in key technology areas and publishes a series of research reports highlighting these innovative vendors and their products and services. Yubico is recognized for the YubiKey NEO, a YubiKey two-factor authentication device that combines NFC, USB, one-time password and PKI authentication technology. To protect against sophisticated malware, it also includes a touch button for user presence.

According to Gartner, “YubiKey NEO’s beauty lies in instant authentication through one tap without need to re-type the OTP, and it’s small, robust and waterproof form factor without any battery.”

For secure login to mobile applications, the user simply taps the YubiKey NEO to an NFC-enabled mobile device; for computers, the user plugs the device into a USB port.

“The YubiKey has seen massive adoption rates in the market, and is currently being used at five of the top 10 Internet and social media companies in the world,” said Stina Ehrensvard, CEO & founder, Yubico. “We are honored to have been named a ‘Cool Vendor’ by Gartner, which speaks to every individual who follows the Yubico vision of making strong authentication easy and ubiquitous.”

The rugged yet tiny YubiKey NEO fits naturally on a keychain. It can be ordered from the Yubico web store for $50, with free open source software.

 

Disclaimer

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Stina Ehrensvard

Yubico joins FIDO Alliance

Yubico has joined the FIDO Alliance as a board member and will be part of the Universal 2nd Factor (U2F) working group that Google is creating, focusing on open authentication standards work for strong, universal second-factor devices.

The U2F working group will continue the work presented earlier this year in an IEEE paper and in Wired, based on technical specifications that have now been successfully proven with thousands of YubiKey NEOs and users. By the end of the year we expect more than 200,000 U2F-compliant YubiKey NEOs to be deployed within Google and elsewhere.

U2F will be available as a stand-alone offering, and the working group will also collaborate closely with the existing FIDO UAF technical working group to ensure harmonization of the specifications. UAF aims to create a web ecosystem including a broader range of authentication methods, including biometrics.

 

Simon

BrowserID and YubiKey

To learn how to use the YubiKey with BrowserID, a new open identity initiative, please check out this video from a BrowserID developer: https://vimeo.com/64514090

BrowserID was introduced in mid-2011 by the Mozilla Project. It addresses the same problem as OpenID and SAML, as well as the common OAuth- or OpenID-based log-in-with-an-external-account flows (such as Google, Facebook or Twitter). From a usability point of view, compared to OpenID, BrowserID uses email addresses instead of URLs, which is more natural for users.

Perhaps the strongest feature of BrowserID, compared to OpenID and SAML, is user privacy: with BrowserID your identity provider is not involved in the per-site login flow, so it cannot track which sites you have accounts on.

Technically, BrowserID has the simplicity of OpenID and OAuth but can provide stronger security (it uses public/private-key cryptography and can provide session keys). The downside is that the BrowserID protocol is not well specified, for example in the form of an IETF RFC, and reportedly uses obsolete JSON security formats, which poses some migration pains.

Yubico is happy to see that YubiKey support is possible with BrowserID, and we will continue to learn about this area so we can provide our customers with good advice about the best use of the YubiKey. We believe that the Internet needs better authentication methods, and we think that the YubiKey provides good security and ease of use.

Please note that BrowserID is not the same protocol as the open authentication project that Google is currently working on, mentioned in Wired earlier this year, in which Yubico is closely engaged.

The source code for the YubiKey Persona integration is available at https://github.com/jedp/persona-yubikey

David Maples

miiCard Proofs Identities with YubiKey

Online identity proofing service miiCard can prove an individual’s identity to the level of an offline photo ID check, in minutes and purely online. By adding YubiKey authentication to miiCard’s bank-level ID verification service, the most secure and high-value transactions can be performed online. Read more about how miiCard and the YubiKey make online identification safe and secure in the full press release and on our partner site!

Read full press release

Visit miiCard’s YubiKey Protection Page

Stina Ehrensvard

The Future of Authentication FAQ

A selection of questions we have received and answered on YubiKey NEO and Universal 2nd Factor (U2F), since this new open authentication standards initiative was announced in Wired Magazine and the Yubico identity vision blog.

Why do you want to kill the password?

We don’t. Yubico does and will continue to recommend two-factor authentication: a PIN or password in addition to a device which generates a new, encrypted pass code every time it is used, such as the YubiKey. The best security practice is to use something you have together with something you know. With the YubiKey, the password becomes a supporting element rather than the main defense; thus a simple PIN suffices to protect you against misuse of your YubiKey by those around you.

 

What is the user experience of YubiKey NEO and U2F?

It is easier to use a YubiKey NEO with U2F than to log in with a username and password. With NFC mobile devices, all you need to do is enter a PIN and tap the YubiKey NEO to an NFC-capable phone or tablet. With computers, you place the YubiKey NEO in the USB port, enter a PIN and touch the device. And you need only one YubiKey and one simple password for any number of services. To see how it works, watch this video.

 

Why is a hardware key better than software-based authentication methods?

A software application, whether on your computer or your smartphone, can easily be targeted and misused by malware, which has already happened to SMS and authentication apps. The best security practice is to move login credentials to a separate hardware device that is not connected to the Internet. To further improve security, it is recommended to use public-key cryptography with session security and a user-presence touch button, features the YubiKey NEO and the U2F specifications provide.

 

Will U2F support software-only implementations?

The initial U2F deployments inside Google and elsewhere are all based on hardware devices. However, for lower security applications, U2F software-only implementations are likely to be offered down the road.

 

Why can’t I have my identity and a security chip integrated in my device instead?

A user identity, including the U2F specifications, can be integrated directly into your smartphone or computer using a TPM, Arm TrustZone, a SIM card or a secure element. While this approach reduces the number of separate devices needed, it has notable disadvantages from a security, privacy and mobility perspective.

Security – Identity and authentication technologies that are permanently connected to a computer or phone fail to meet the “not connected to the Internet” best practice for storing sensitive secrets. These devices are all more or less exposed to malware, malicious apps, Wi-Fi exploits and VPN masking. In addition, they do not help against social attacks (software tricking the user into doing something unintended), which will continue to be the easiest way to attack users. Such attacks will always be possible on general-purpose devices where users can download and install apps on their own, and they provide an avenue to attack the secure elements directly.

Mobility – With your credentials tied to an integrated device, it may be difficult to move your identity between devices, or to use a computer at a hotel or a friend’s house. For the majority of high-security applications, which are performed on computers, an identity tied to a phone may not help, as there is no communication standard between all computers and mobile devices.

Privacy – The device identity may be controlled or monitored by the telecom provider or another party, which may add cost, complexity and privacy concerns. In a time of “Big Data” and government surveillance, many enterprises and individual users have concerns about privacy. What’s more, tying your identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts.

 

Why would users want to have multiple identities?

U2F and Yubico support an open identity ecosystem where users can be secure but still guard their privacy. Just as with email, many users choose to have multiple accounts: a real/personal one, a real/job one and a high-privacy alter ego or spam account. We want to help you prove that you are the legitimate owner of an account without requiring additional personal information. We also want to support use cases where identities are used for a limited time and revoked when needed. We believe you should be in control of how sites track you over your digital life; because the YubiKey NEO and U2F mint a new private/public key pair for each site, tracking across sites is not enabled.

 

I still do not like to have to keep track of one more thing.

You will not need to. U2F is designed for secure elements, high-security chips that can be integrated into many of the things you are likely to carry with you today: a card in your wallet, a key on your key-chain or your phone itself. The U2F technology therefore gives you the choice; you can use it embedded in your existing devices for low-risk purposes, or use U2F via a YubiKey NEO when you want better mobility, privacy and security properties.

 

So, what about fingerprints or face recognition?

We do not believe that biometrics sent over the wire to authenticate users are appropriate, for privacy and security reasons: your fingerprint is a static and unique image that can be copied and misused, but not revoked. However, once the technology is proven to be more dependable, biometrics could be useful to unlock a phone or computer, with the actual authentication done between a security chip in the device and the server. But as discussed earlier, having a security chip permanently tied to a computer or phone may have limitations from a security, privacy and mobility perspective.

 

When will NFC get mass adoption?

The majority of high security applications requiring strong second factor login are still performed from a computer with a USB-port. To address the growing use of mobile devices, YubiKey NEO and U2F also support NFC. While Apple is waiting to adopt NFC, their competitors, who represent a combined 80% smart phone market share, will have sold more than 200 million NFC enabled devices in 2013. Banks are pushing NFC enabled payment solutions and critical mass is being achieved in several countries. Once the next generation NFC credit- and debit cards have been deployed, allowing “one touch” secure payments directly on your own phone and computer, there will be a market demand for NFC on all devices and platforms.

 

How does the Yubico identity vision relate to federated identity services?

It is very complementary to SAML, OpenID Connect, etc., as these protocols enable powerful single sign-on but need to be combined with two-factor authentication. U2F is based on public-key cryptography, where every service provider can optionally also be its own identity provider. When user data and cryptographic secrets do not need to be shared between service providers, both security and user privacy are enhanced.

 

Why would users want to pay for their online identity?

In a time where users’ personal information is collected and used by a growing number of organizations, many users are growing concerned about privacy. Once a single U2F device can be used for a multitude of popular services, users will want to buy, own and control their own online identity, one that does not need to be tied to a service provider. Also, with a physical U2F device, users can be assured that their online identity is well protected and not exposed to malware, which has already happened to software authentication apps. Some service providers will offer financial incentives for users to buy and use a U2F device with their service, but many users will also be willing to pay for it themselves. In partnership with leading password managers, Yubico has already proven that there is real market demand for a single, secure authentication hardware solution. Also, the millions of end users who have purchased anti-virus software prove that we are willing to pay to protect ourselves on the Internet.

U2F and the NEO technology still allow enterprises and organisations to purchase devices in volume and put them in the hands of their users, so you can choose between the model where the user acquires and owns the device and the model where the service organisation purchases and deploys it.

 

What would happen if a user loses a U2F device?

A user will be able to have multiple and back-up U2F devices enrolled with an account, with the possibility to easily disable a lost device. Similar to other account recovery processes, the service provider may also choose to send “recovery codes” over email or phone as a back-up to the physical device. Ultimately, revocation is something that needs to be resolved by each website that authenticates users because they have the direct relationship with the user. U2F does not solve this problem, but makes it easier to have stronger recovery processes by introducing new authentication factors.

 

Why can’t we use Big Data to fix the authentication problem?

Server side risk evaluation software has its place in services, especially involving high-value transactions. However, easy-to-use strong authentication is critical in striking a balance between ease of use, reducing false positives and eliminating fraud. Computers, phones and networks will never be free from malware, and users will need to move their secure identity between devices and services. The YubiKey NEO with U2F enables true end-point authentication, where we only need to trust a key in our pocket and the services it connects to.

 

What are the main barriers in the broad adoption of YubiKey and U2F?

The inventor of the three-point seatbelt at Volvo realized that a safety measure needs to be really quick, simple and made into an open standard to scale. Online authentication for the masses has the same requirements. A YubiKey with U2F is easier to use and more secure than traditional two-factor solutions, and is being supported and deployed by leading Internet thought leaders, including Google. This is a great start, but just like the seat belt, mass adoption will be driven by more severe accidents, increased concern about security and privacy, and government and industry regulation.

 

What is the business incentive for driving a new open authentication initiative?

Yubico recognizes the potential that a higher level of authentication using PKI can offer, designed with better usability and less complexity than solutions available today. We found that Google’s authentication efforts are aligned with these goals. To support a next generation secure Internet, scaling our technology to as many services as possible, our approach is to make U2F a new and truly open standard.

 

How would you make high security transactions with a device you could purchase at your corner store?

For some identities you may choose to be secure and “anonymous”. For services requiring a higher level of identity assurance, you would bring your identity device along with your Passport, driver licence or ID to an official location which would associate your U2F device with your real identity. There are also online services offering identity proofing which could accredit your device.

 

What authentication technology initiative do you see as your biggest competitor?

All initiatives in this space help to educate and challenge the market for something better than the legacy username/password. There will not be one single authentication method and security protocol to rule the world, but the winners will address different needs and be open and interoperable. And Yubico’s focus is to make online authentication as easy and affordable as possible, yet retaining the highest level of security and privacy.

David Maples

Meet Yubico at RSA Conference

The Yubico team will be attending the RSA conference in San Francisco, February 25th – 28th.
We will have the YubiKey NEO on demonstration, featuring NFC functions like the OATH TOTP generator for Android and LastPass.

Come see us at the OATH Pavilion, Booth #829.

We look forward to seeing you!

Stina Ehrensvard

Yubico’s Vision for Secure Online Identities

Wired Magazine recently announced that Google is working on a new online authentication protocol as an alternative to legacy username/password login. Yubico and NXP are co-creators of this protocol, designed to be integrated across a wide range of devices, including SIM cards, YubiKey NEOs, or a ring you carry on your finger, and to solve some of the fundamental problems with online identity. And these are problems we need to fix soon. Very soon. Or billions of people, along with the great creation named the Internet, will be in serious trouble.

At this stage we cannot say which route we will choose to ensure mass adoption of this new security protocol. But we can say that Yubico has decided to engage in the project as we believe it could be a game changer.

And this is the vision: 

Imagine that you have one single key and one single password to securely access all your Internet life. 

The key would not be issued, controlled or hosted by a government or a service provider. Instead, you would buy this key at your retail store, such as 7-Eleven or Amazon.com, similar to a gift card or pre-paid phone card.

The key would remain in your own full control, guarding your privacy. And you may even choose to have multiple keys and identities, enabling you to protect your digital identity while remaining anonymous.

From your computer or mobile device, you would be able to instantly, with no required software installed, connect your key to any number of online services. Placed in the USB-port or tapped to your NFC phone/tablet/laptop you would replace all your multiple, long, painful passwords with a simple touch. Combined with a simple PIN or password, you would then securely access your email, bank, healthcare records or any online account.

With built-in support for platforms and browsers, the key would offer superior security, protecting against man-in-the-middle and phishing – but with no drivers or client software needed.

With an open source approach and a clever ecosystem, there would be no fees for service providers, and the costly Certificate Authority model associated with traditional smart cards could be eliminated. But more importantly, there would be no single token or service provider who would control your digital identity or any cryptographic secrets.

Yes, there are a few obstacles to overcome, including aligning influential thought-leaders and global stake holders on the same page. But if enough people want to, it would be possible to create a new, really simple, secure and affordable online identity solution as outlined above.

Bring it out – click – go!

PS. Please find additional comments on this topic in the Future of Authentication FAQ 

Stina Ehrensvard

Internet Identity and the Safety Belt

60 years ago the car industry and our society faced a security problem similar to the challenges facing online identity today. It was a time when the car changed our modern society by delivering on its promise of freedom and speed, but security and safety measures were overlooked; there were no seatbelts in cars. In fact, when happy car drivers hit the brand new highways and fatal accidents swelled, car manufacturers denied the problem. They feared that any acknowledgement of the risk associated with driving would negatively affect sales.

Nils Bohlin, the chief safety engineer at Volvo and a former aircraft designer, realized for a seat belt to be accepted by the everyday user it could not be clunky and complicated like the harnesses used by fighter pilots. It would need to be simple and take no more than a second for anyone to put on. With those objectives he designed the three-point seat belt in 1959, and then led the initiative making his invention into a standard feature in every car.

“It was just a matter of finding a solution that was simple, effective and could be put on conveniently with one hand,” Nils Bohlin has said. “The pilots I worked with were willing to put on almost anything to keep them safe in case of a crash, but regular people do not want to be uncomfortable even for a minute.”

So, what can we learn from Mr. Bohlin when developing security for the Internet? This even more brilliant invention, which we all love until we get our digital life and identity smashed?

The answer is: Make online identification and authentication open and as easy and intuitive as the three-point seat belt:

Bring it out. Click. Go.

Yubico Team

Securing OATH Secrets on Android

Some people are concerned about the risk of storing cryptographic secrets on Android devices, for example those used to generate one-time passcodes (OTPs) in Google Authenticator. The production YubiKey NEO is the perfect companion to Android devices with NFC support. By bringing your YubiKey NEO close to the back of the Android device (such as Google’s Nexus 4), Android apps can use the YubiKey NEO’s challenge-response capability to generate an Open AuTHentication (OATH) time-based OTP, such as those used by Google Apps and Dropbox. We have created a sample Android app to show this. [Update] Take a look at the video here.

YubiTOTP Android Widget from Yubico on Vimeo.

 

When you first enable 2-step verification on Google Apps or on Dropbox, you are shown a 2D matrix (QR) code containing the cryptographic secret used to create the OTPs. Our YubiTOTP Android app reads it (using Google’s open source scanner app); but instead of storing the secret on the Android file system, it programs one of the YubiKey NEO’s slots with the secret as an HMAC-SHA1 challenge-response configuration. The secret cannot be recovered from the YubiKey NEO. Instead, the current UNIX time is sent to the YubiKey NEO (over NFC or via the USB connector) as the challenge, and the app truncates the response to produce the OTP, which is displayed on screen or copied to the clipboard.

If you lose your Android Phone – or it dies, you just get a new one and reload the App – the secret stays in the YubiKey NEO!
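The flow described above, as an added example that is not the YubiTOTP app’s code: it parses a constructed otpauth:// URI of the kind the QR code carries (using the RFC 6238 test secret so the codes can be checked against the RFC), sends the time step to a software stand-in for the NEO’s HMAC-SHA1 slot, truncates the 20-byte response on the host, and adds the server-side check with a clock-skew window. The 8-byte big-endian time-step challenge and the simulated slot are assumptions; on a real NEO only the HMAC response ever leaves the device.

```python
# Added example (not Yubico's YubiTOTP app): OATH TOTP with the YubiKey NEO's
# HMAC-SHA1 challenge-response slot simulated in software.
# Assumptions: the app sends the RFC 6238 time step as an 8-byte big-endian
# challenge; the otpauth:// URI below is a constructed sample carrying the
# RFC 6238 test secret "12345678901234567890".
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Pull the shared secret and parameters out of the QR code's otpauth:// URI.
    This is the only moment the secret exists on the phone: after it is written
    to the key's slot the app has no reason to keep it."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # issuers usually strip base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def challenge_for(unix_time, period=30):
    """What the phone sends to the key: the time step as an 8-byte big-endian counter."""
    return struct.pack(">Q", int(unix_time) // period)


def yubikey_hmac_slot(secret, challenge):
    """Stand-in for the NEO's HMAC-SHA1 slot. On the real device only this
    20-byte response comes back; the secret was written once and is not readable."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def truncate(response, digits=6):
    """RFC 4226 dynamic truncation, performed by the app on the key's response."""
    offset = response[-1] & 0x0F
    code = struct.unpack(">I", response[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6, period=30):
    """The code the app shows on screen for the given time."""
    return truncate(yubikey_hmac_slot(secret, challenge_for(unix_time, period)), digits)


def verify(secret, code, unix_time, window=1, digits=6, period=30):
    """Server-side check allowing +/- `window` time steps of clock skew,
    comparing in constant time so the check itself leaks nothing."""
    step = int(unix_time) // period
    for d in range(-window, window + 1):
        if step + d < 0:
            continue
        candidate = truncate(yubikey_hmac_slot(secret, struct.pack(">Q", step + d)), digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print(params["label"], totp(params["secret"], 59))   # RFC 6238 vector: 287082
```

The point the split makes visible is which side holds what: the phone keeps only the label and the time, the key keeps the secret, and a stolen or infected phone yields nothing that can be replayed beyond the code currently on screen.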

[Update] We have enhanced the app to include a resizable home-screen widget: tap the YubiKey icon, swipe your YubiKey NEO when prompted, and the 6-digit OATH code is displayed on the icon.

Download the app here.  Let us know what you think…

Want to install it directly to your Android Device? Download the .apk file here.

David Maples

YubiKey NEO Composite Device

The YubiKey NEO differs from the standard YubiKey as it can become a composite USB device – presenting both a HID (Keyboard) and CCID (SmartCard) device to the host.  This allows us to support all the great features of the standard YubiKey and add new support for SmartCard functions.  Our last NEO post described the OpenPGP NEO App that ships with the production YubiKey NEO.

In this post, we want to describe how to control how the YubiKey NEO presents itself to the host computer.

We ship the YubiKey NEO with just the HID (keyboard) USB device enabled. We did this to maximise compatibility with the YubiKey Standard and the pre-production YubiKey NEO, neither of which supports smart card functions. To enable the OpenPGP smart card function, you need to configure the YubiKey NEO to switch on the CCID interface. So far, we have updated the ykpersonalize command line to support the -m switch, which controls the composite modes the YubiKey NEO exhibits. Be careful: -m can also remove HID support, and since ykpersonalize only talks to the key over the HID interface, you cannot use ykpersonalize any more once HID is removed. We have added the tool ykneo-ccid-modeswitch, which lets you re-enable HID if it gets removed.

 

Here are the common modes:

  • -m0 HID (OTP) mode
  • -m1 CCID only (OpenPGP, no OTP). Warning: you cannot use ykpersonalize after this setting; use ykneo-ccid-modeswitch to get HID back.
  • -m2 HID & CCID (OTP & OpenPGP)
  • -m82 HID & CCID (OTP & OpenPGP) with the EJECT flag (0x80) set, which allows the smart card and OTP to be used concurrently.
  • (Updated 9/28/2015: you can enable CCID, OTP and U2F with -m86 on YubiKey NEOs with firmware 3.3 or later.)

The EJECT_FLAG (0x80) operates as follows:

  • with mode 1 with the EJECT_FLAG set, when touching the button the NEO will “eject” the smart card, making it unavailable to the host, when touching again it will be “inserted” again.
  • with mode 2 with the EJECT_FLAG set, when touching the button the NEO will “eject” the smart card, send the OTP from the HID interface and then “insert” the smart-card.
Yubico Team

YubiKey NEO and OpenPGP

In this post, we will take you through the steps to enable the YubiKey NEO’s OpenPGP applet on a production YubiKey NEO. YubiKey NEOs are currently shipped with an OpenPGP applet already installed but disabled. You will need to enable the Applet functionality of the YubiKey NEO before you can use the OpenPGP applet.

To do this, you will need to use the command line interface (CLI) version of the YubiKey Personalization Tool. If you are not familiar with using command line tools, this applet is probably not for you. To download ykpersonalize please click here.

Once you have installed the ykpersonalize software, insert your YubiKey NEO and you can check the version with the ykinfo -v command – which shows version: 3.0.1 for our YubiKey NEO. To enable your YubiKey NEO’s Smartcard interface (CCID), enter the command ykpersonalize -m82 as:

The -m option sets the mode. To see the different modes, enter ykpersonalize --help. Mode 82 (hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while it is in use as a smart card. Once you have changed the mode, you need to reboot the YubiKey, so remove and re-insert it.

Now that our NEO app OpenPGP is visible, we can use the gpg program to set up a new smart card: run gpg --card-edit and then enter the admin command to enable admin commands. The command to create a new set of public/private key pairs is generate. You should see something like:

Note the default PINs as you will need to enter them into the pop ups – e.g.:

Once you enter the Admin and User PINs, gpg will ask you for various settings. Once you select Okay the YubiKey NEO will work for between 1 minute and 3 minutes to generate 3 key pairs. It took our YubiKey NEO 1 minute 40 seconds.

WARNING: The secret keys generated on the card cannot be backed up. If you lose the YubiKey NEO, generate a new key pair on another one, or otherwise lose the key pair, there is no way to retrieve it! When you encrypt a file, make sure you have a plain-text backup.

It is recommended to backup the Public key – we often use the Export Certificates to Server function in Kleopatra to do this. This is our screen:

The public keys and private key stubs are automatically loaded into the gpg database; we are running Kleopatra – so before completing, Kleopatra showed my soft keys:

And afterwards Kleopatra shows the YubiKey NEO with the SmartCard icon:

With details:

We can now select my YubiKey NEO to sign and encrypt files e.g.:

The source code for the YubiKey NEO OpenPGP app is available here.

Stina Ehrensvard

Special Holiday Offer

It’s time for Yubico’s Special Holiday Offer! The v2.3 firmware has just been released and the Yubico team, with help from Rob, our hard working robot, have put together a Holiday Pack to give you a chance to try it out.

Here’s what you get with a purchase of the Holiday Pack: two black YubiKey Standards and a very special Gold Edition of the YubiKey Nano. Fancy! And yes, all YubiKeys in the Holiday Pack come with v2.3 firmware. You’ll save 35% on the Holiday Pack compared to buying them separately, not forgetting the special edition of the Nano that is currently only available with the Holiday Pack.

Click here to order online, but remember that we have limited stocks.

Enjoy the holiday season trying out the new features!

Changes to YubiKey VIP
Yubico Team

Changes to the YubiKey VIP

We’ve made some changes to the YubiKey VIP! Previously, the YubiKey VIP came with a Symantec VIP credential used with services that support the Symantec VIP second factor authentication. If you wanted to use the YubiKey with a YubiCloud service (such as LastPass) you would need to add a YubiCloud credential to the YubiKey VIP.

With the release of the v2.3 firmware for the YubiKey, we have decided to add a “dormant” YubiCloud config to the second slot. You can use the cross platform personalization tool to activate it – indeed, you can also swap the configs so your YubiCloud credential is in slot 1 and your VIP is in slot 2!

To help prevent mistakes, we have password-protected both YubiKey configuration slots. You will need to enter the configuration Access Code to make changes (such as swapping, or making a configuration active or dormant). Just enter the serial number of the YubiKey VIP, as it appears lasered on the YubiKey, as the Access Code. As with other versions of the YubiKey, you can change the configuration passwords, but be aware there is no way to reset the password should it be lost or forgotten!

YubiKey cross platform personalization tool
Klas Lindfors

Updated Personalization Tool

Good news! We have just released a new version of our Cross Platform Personalization Tool, available for download from our website. Your feedback has been valuable to us, and we’ve incorporated many requests to make the tool better and easier to use. The changes in the new Tool include new features, an improved user interface and, of course, a number of bug fixes. Some of the new features include:

  • NDEF configuration support for YubiKey NEO beta/Production
  • Possibility to clear configuration slots
  • Secret ID is now always a random value
  • Allows HMAC-SHA1 with a static secret
  • Default option to automatically use the YubiKey Serial Number as the public ID
  • Choice of log file formats
  • All v2.3 features supported (we will soon tell you more)
  • Enhanced Static password input features, including copy/pasting passwords
  • Enhanced status display; reports the configuration of each slot and displays an icon matching your YubiKey

You can download the new version of the Cross Platform Personalization Tool here, and remember to continue to let us know if you have any feedback!

Yubico Team

YubiKey NEO in Production

We know you have been waiting a long time for the production launch of our YubiKey NEO, and we are very happy to announce our plan to start shipping the production versions of the YubiKey NEO by December 10th. We are already accepting orders for the YubiKey NEO, so place your order today to get your full production sample of the NFC authentication token as soon as possible! And if you happen to be at CARTES in Paris this week, stop by the NXP booth where we will demonstrate the NEO.

The previous limitations of the beta version of the NEO have been addressed in the production version. The final version of the YubiKey NEO also includes a new secure element, enabling smart card/PKI functionality, which is certified for Common Criteria and the highest level of security. You can read more about all the new features here, as well as more about RFID and the YubiKey NEO.

We will naturally continue to expand and improve the YubiKey technology, so stay tuned for even more updates in the future!

Yubico Team

Yubico.com and Our Blog

Finally! We are very happy to launch our new website, based on the open source CMS WordPress. But that’s not enough! We have an exciting future ahead of us, including the long-awaited release of the YubiKey NEO in volume production and a whole range of other things we are getting ready to talk about. While the awareness and discussion about online security, breaches and two-factor authentication continue to rise, this blog will be the place where we publicly talk about and discuss these topics with you. On this blog you will also get product updates, how-to guides and other fun stuff going on in the Yubico world.

You will meet Stina Ehrensvärd, CEO & Founder, Simon Josefsson, Security Architect, David Maples, Technical Support, Evelina Ander, our Marketing Manager, as well as the rest of the Yubico team here at the YubiBlog. You might also find guest blog posts written by our friends and partners, and our very important community (you!) in the future.

As always, a brand new site is likely to have minor errors that we are simply blind to. Please let us know about them, or give us any other feedback, in the comments below or with an email to info@yubico.com. We would also love to hear your thoughts about what you would like us to blog about! And of course, stay tuned by subscribing to the YubiBlog via RSS.

All the best,
The Yubico team

PS. If you would like to secure your own WordPress site with YubiKey two-factor authentication, read more here.

Yubico Team

RFiD and the YubiKey NEO

When Yubico first introduced the YubiKey RFiD in 2009, it provided users with an unmatched integration of physical and network security. Many facilities with existing RFiD-based security systems have integrated the RFiD YubiKey into their systems, allowing users to use one device to access their office space as well as their network account. The RFiD YubiKey could be used with both standard RFiD readers and any computer with a USB port, removing the need for additional hardware when integrating the RFiD YubiKey.

Since then, there has been a significant rise in the world of mobile computing. The task of authenticating users on Tablet PCs and SmartPhones is becoming just as vital as securing PCs or Laptops. With the growing addition of NFC support in mobile devices, Yubico decided to create the YubiKey NEO, capable of providing wireless authentication to NFC supporting devices while also allowing for standard USB authentication.

During the pre-production phase of the YubiKey NEO, we decided to simplify our product line to provide the best customer experience. As a result, Yubico decided to combine YubiKey support for RFiD and NFC into one device. When the Production YubiKey NEO is launched in November of 2012, it will support all of the capabilities of the YubiKey RFiD tokens alongside the new NFC communication features. The YubiKey NEO will allow users to validate against RFiD systems and NFC systems, as well as with the standard YubiKey Authentication.

However, with the introduction of the YubiKey NEO, Yubico will withdraw the RFiD YubiKey. New users looking for an RFiD-compatible solution, as well as existing users looking to expand their solution, will be able to utilize the production YubiKey NEO in place of the RFiD YubiKey.

We will continue to offer support of the YubiKey RFiD functionality, both in the older RFiD YubiKey and the new YubiKey NEO. We thank you all for your support of the RFiD YubiKey and hope that the YubiKey NEO continues to meet your high expectations!