Showing results for: mobile authentication

David Maples

YubiKey NEO OATH Applet

Yubico is proud to announce the release of our Free YubiKey NEO applet to help with storing OATH secrets and generating OATH one time pass codes.

With the increasing deployment of two step verification (e.g. GitHub this week, DropBox, Google, Microsoft, Evernote) relying on the OATH protocol, many users are concerned about using their mobile phones to store the secrets used to generate the 6 or 8 digit numbers, and the difficulty of changing devices. The applet we’re releasing today allows you to store those secrets in the secure element on your YubiKey NEO – and simply tapping your NEO against any NFC enabled Android device with the YubiOATH app running shows you your current codes. See the video below to see it in operation.

Existing YubiKey NEO owners comfortable with using command line tools can add the new applet to their NEO – see our forum post here. The source codes of both the YubiKey NEO OATH applet and the Android YubiOATH applet are available here.

Stina Ehrensvard

Best Vaccine for Mobile Viruses

A security research team at Bluebox have unveiled a vulnerability in Android, claiming that malware can get full access to the mobile operating system and applications. The complete details are not yet public, so the Yubico security team does not know how such an attack would work. But we know for sure that we will see more sophisticated mobile malware attacks in the near future.

For many years Apple claimed that their computers were more secure than PCs, being immune to PC viruses. This was a correct statement until Max OS X and IOS won enough market share to become increasingly popular for malware creators.

As the security of static passwords and software authentication installed on computers was exposed, and more and more users adopted smart phones and tablets, SMS and authentication apps were presented as the more secure way to login.  But malware creators always follow the crowd. Long before the Bluebox vulnerability discovery, software authentication applications, running on mobile devices, have been copied and misused.

At Yubico we had these threats in mind when we developed the YubiKey NEO, enabling true second factor authentication across computers and NFC mobile devices. For users and devices that do not have NFC, the Yubikey NEO can also hold an authentication app on the YubiKey itself, offering higher security than loaded on a device exposed to the Internet.

Just as biological viruses have spread, infected and killed humans in the physical world, another type of virus is infiltrating the veins of the Internet. Cloud companies, that have been part of the YubiKey NEO development and success, have seen these viruses attacking their systems. And we know that authentication hardware is the most powerful vaccine.

Stina Ehrensvard

Yubico named Gartner Cool Vendor

Yubico has been named a “Cool Vendor in NFC 2013” by Gartner, Inc., one of the world’s leading information technology research and advisory companies. Each year, Gartner identifies new Cool Vendors in key technology areas and publishes a series of research reports highlighting these innovative vendors and their products & services.  Yubico is recognized for the YubiKey NEO, a YubiKey two-factor authentication device that combines NFC, USB, one-time password and PKI authentication technology. To protect against sophisticated malware, it also includes a touch button for user presence.

 According to Gartner, “YubiKey NEO’s beauty lies in instant authentication through one tap without need to re-type the OTP, and it’s small, robust and waterproof form factor without any battery.”

For secure login to mobile applications, the user simply taps the YubiKey NEO to an NFC enabled mobile device or. For computers, the user plugs the device into a USB-port.

“The YubiKey has seen massive adoption rates in the market, and currently being used at five of the top 10 Internet and social media companies in the world,” said Stina Ehrensvard, CEO & founder, Yubico.  “We are honored to have been named a ‘Cool Vendor’ by Gartner, which speaks to every individual who follows the Yubico vision of making strong authentication easy and ubiquitous.”

The rugged, yet tiny YubiKey NEO fits naturally as on a keychain. It can be ordered from the Yubico web store for $50, with free open source software.

 

Disclaimer

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Morning dew. Shining water drops on spiderweb over green forest background. Hight contrast image. Shallow depth of field
Stina Ehrensvard

The Future of Authentication FAQ

A selection of questions we have received and answered on YubiKey NEO and Universal 2nd Factor (U2F), since this new open authentication standards initiative was announced in Wired Magazine and the Yubico identity vision blog.

Why do you want to kill the password?

We don’t. Yubico does and will continue to recommend two-factor authentication, consisting of a PIN or password in addition to a device which generates new and encrypted pass codes every time it is used, such as the YubiKey. The best security practice is to use something you have with something you know. With the YubiKey, the password becomes a supporting element rather than the main defense; thus a simple PIN suffices to protect you against misuse of your YubiKey by those around you.

 

What is the user experience of YubiKey NEO and U2F?

It is easier to use a YubiKey NEO with U2F than logging in with a username/password. With NFC mobile devices, all you need to do is to enter a PIN and tap the YubiKey NEO to an NFC-capable phone or tablet. With computers, you place the YubiKey NEO in the USB-port enter a PIN and touch the device. And you will only need a YubiKey and a simple password for any number of services. To see how it works, watch this video.

 

Why is a hardware key better than software-based authentication methods?

A software application, regardless if it’s on your computer or your smart phone, can be easily targeted and misused by malware – which has already happened to SMS and authentication apps. The best security practice is to move login credentials to a separate hardware device not connected to the Internet. To further improve security, it is recommended to use PKI encryption with session security, and a user presence touch button; features uniquely provided by the Yubikey NEO and the U2F specifications.

 

Will U2F support software-only implementations?

The initial U2F deployments inside Google and elsewhere are all based on hardware devices. However, for lower security applications, U2F software-only implementations are likely to be offered down the road.

 

Why can’t I have my identity and a security chip integrated in my device instead?

A user identity, including U2F specifications, can be integrated directly in your smartphone or computer using TPM, Arm TrustZone, SIM Card or a secure element. While this approach reduces the number of separate devices needed, it has notable disadvantages from a security, privacy and mobility perspective.

Security – Identity and authentication technologies that are permanently connected to a computer or phone fails to meet the “not connected to the Internet” best practice for storing sensitive secrets. These devices are all more or less exposed to malware, malicious apps, Wi-Fi exploits and VPN masking. In addition, they don’t help against the social attacks (i.e., software tricking the user into doing something unintended) which will continue to be the easiest way to attack users. Those social attacks will always be available on general multi-purpose devices where users can download and install apps on their own, and provide an avenue to attack the secure elements directly.

Mobility – With your credentials tied to a integrated device, it may be difficult to move your identity between other devices, or to use a computer at a hotel or friend’s house. For the majority of high security applications that are performed on computers, it may not help to have an identity tied to a phone, as there is no communication standard between all computers and mobile devices.

Privacy – The device identity may be controlled or monitored by the telecoms provider or other party, which may add cost, complexity and privacy concerns. In a time of “Big Data” and government surveillance, many enterprises and individual users have concerns about privacy. What’s more, tying your identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts.

 

Why would users want to have multiple identities?

U2F and Yubico supports an open identity eco-system where users can be secure – but still guard privacy. Just as with email, many users chose to have multiple accounts; a real/personal, a real/job and an high privacy/alter ego or spam email account. We want to help you to prove that you are the legitimate owner of an account, while not requiring additional personal information. We also want to support use cases where identities are used for a limited time and revoked when needed. We believe you should be in control about how sites track you over your digital life; With the YubiKey NEO and U2F, minting new Private/Public key pairs for each site, tracking across sites is not enabled.

 

I still do not like to have to keep track of one more thing.

You will not need to. U2F is designed for secure elements; high security chips, for integration into many of the things you are likely to carry with you today; a card in your wallet, a key in your key-chain or directly in your phone. Therefor the U2F technology gives you the choice; you can use it embedded into your existing devices for low-risk purposes, or use U2F via a Yubikey NEO when you want better mobility, privacy and security properties.

 

So, what about fingerprints or face recognition?

We don’t believe that biometrics sent over the wire to authenticate users is appropriate for privacy and security reasons; Your fingerprint is a static and unique image that can be copied and misused – but not revoked. However, once the technology is proven to be more dependable, biometrics to unlock a phone or computer could be useful, but where the actual interaction and authentication is done between a security chip in the device and the server. But as discussed earlier, having a security chip permanently tied to a computer or phone device may have limitations from a security, privacy and mobility perspective.

 

When will NFC get mass adoption?

The majority of high security applications requiring strong second factor login are still performed from a computer with a USB-port. To address the growing use of mobile devices, YubiKey NEO and U2F also support NFC. While Apple is waiting to adopt NFC, their competitors, who represent a combined 80% smart phone market share, will have sold more than 200 million NFC enabled devices in 2013. Banks are pushing NFC enabled payment solutions and critical mass is being achieved in several countries. Once the next generation NFC credit- and debit cards have been deployed, allowing “one touch” secure payments directly on your own phone and computer, there will be a market demand for NFC on all devices and platforms.

 

How does the Yubico identity vision relate to federated identity services?

It is very complementary to SAML, Open ID Connect, etc, as these protocols enable powerful single sign-on opportunities but need to be combined with two-factor authentication. U2F is based on a PKI infrastructure where every service provider can optionally also be their own identity provider. When user data and cryptographic secrets do not need to be shared between service providers, both security and user privacy can be enhanced.

 

Why would users want to pay for their online identity?

In a time where users’ personal information is collected and used by a growing number of organizations, many users are growing concerned about privacy. Once a single U2F device can be used for a multitude of popular services, users will want to buy, own and control their own online identity, that does not need to be tied to a service provider. Also, with a physical U2F device, users will be ensured that their online identity is well protected and is not being exposed to malware, which has already happened to software authentication apps. Some service providers will offer financial incentives for users to buy and use a U2F device with their service, but many users will also be willing to pay for it themselves. In partnership with leading password managers, Yubico has already proven that there is a real market demand for a single and secure authentication hardware solution. Also, the millions of end-users who have purchased anti-virus software, prove that we are willing to pay to protect ourselves on the Internet.

The U2F and the NEO technology still allows enterprises and organisations to purchase larger volumes of devices and put them in the hands of their users, so you can chose whether to adopt the model where the user acquires and own the device and where the service organisation purchases and deploy the device.

 

What would happen if a user loses a U2F device?

A user will be able to have multiple and back-up U2F devices enrolled with an account, with the possibility to easily disable a lost device. Similar to other account recovery processes, the service provider may also choose to send “recovery codes” over email or phone as a back-up to the physical device. Ultimately, revocation is something that needs to be resolved by each website that authenticates users because they have the direct relationship with the user. U2F does not solve this problem, but makes it easier to have stronger recovery processes by introducing new authentication factors.

 

Why can’t we use Big Data to fix the authentication problem?

Server side risk evaluation software has its place in services, especially involving high-value transactions. However, easy-to-use strong authentication is critical in striking a balance between ease of use, reducing false positives and eliminating fraud. Computers, phones and networks will never be free from malware, and users will need to move their secure identity between devices and services. The YubiKey NEO with U2F enables true end-point authentication, where we only need to trust a key in our pocket and the services it connects to.

 

What are the main barriers in the broad adoption of YubiKey and U2F?

The inventor of the 3-point seatbelt at Volvo realized that security needs be really quick, simple and made into an open standard to scale. Online authentication for the masses has the same requirements. A YubiKey with U2F is easier to use than easier to use and more secure than traditional two-factor solutions, and is being supported and deployed by leading Internet thought leaders, including Google. This is a great start, but just like the seat belt; mass adoption will be derived from more severe accidents, increased concerns about security and privacy, and government and industry regulation.

 

What is the business incentive for driving a new open authentication initiative?

Yubico recognizes the potential that a higher level of authentication using PKI can offer, designed with better usability and less complexity than solutions available today. We found that Google’s authentication efforts are aligned with these goals. To support a next generation secure Internet, scaling our technology to as many services as possible, our approach is to make U2F a new and truly open standard.

 

How would you make high security transactions with a device you could purchase at your corner store?

For some identities you may choose to be secure and “anonymous”. For services requiring a higher level of identity assurance, you would bring your identity device along with your Passport, driver licence or ID to an official location which would associate your U2F device with your real identity. There are also online services offering identity proofing which could accredit your device.

 

What authentication technology initiative do you see as your biggest competitor?

All initiatives in this space help to educate and challenge the market for something better than the legacy username/password. There will not be one single authentication method and security protocol to rule the world, but the winners will address different needs and be open and interoperable. And Yubico’s focus is to make online authentication as easy and affordable as possible, yet retaining the highest level of security and privacy.

David Maples

Meet Yubico at RSA Conference

The Yubico team will be attending the RSA conference in San Francisco, February 25th – 28th.
We will have the YubiKey NEO on demonstration, featuring NFC functions like the OATH TOTP generator for Android and LastPass.

Come see us at the OATH Pavillion, Booth #829.

We look forward to seeing you!

Stina Ehrensvard

Yubico’s Vision for Secure Online Identities

Wired Magazine recently announced that Google is working on a new online authentication protocol as an alternative to legacy username/password login. Yubico and NXP are co-creators of this protocol, designed to be integrated across a wide range of devices, including SIM cards, YubiKey NEOs, or a ring you carry on your finger, and to solve some of the fundamental problems with online identity. And these are problems we need to fix soon. Very soon. Or billions of people, along with the great creation named the Internet, will be in serious trouble.

At this stage we cannot say which route we will choose to ensure mass adoption of this new security protocol. But we can say that Yubico has decided to engage in the project as we believe it could be a game changer.

And this is the vision: 

Imagine that you have one single key and one single password to securely access all your Internet life. 

The key would not be issued, controlled or hosted by a government or a service provider. Instead, you would buy this key at your retail store, such as 7-Eleven or Amazon.com, similar to a gift card or pre-paid phone card.

The key would remain in your own full control, guarding your privacy. And you may even choose to have multiple keys and identities, enabling you to protect your digital identity while remaining anonymous.

From your computer or mobile device, you would be able to instantly, with no required software installed, connect your key to any number of online services. Placed in the USB-port or tapped to your NFC phone/tablet/laptop you would replace all your multiple, long, painful passwords with a simple touch. Combined with a simple PIN or password, you would then securely access your email, bank, healthcare records or any online account.

With built-in support for platforms and browsers, the key would offer superior security, protecting against man-in-the-middle and phishing – but with no drivers or client software needed.

With an open source approach and a clever ecosystem, there would be no fees for service providers, and the costly Certificate Authority model associated with traditional smart cards could be eliminated. But more importantly, there would be no single token or service provider who would control your digital identity or any cryptographic secrets.

Yes, there are a few obstacles to overcome, including aligning influential thought-leaders and global stake holders on the same page. But if enough people want to, it would be possible to create a new, really simple, secure and affordable online identity solution as outlined above.

Bring it out – click – go!

PS. Please find additional comments on this topic in the Future of Authentication FAQ 

Stina Ehrensvard

Internet Identity and the Safety Belt

60 years ago the car industry and our society faced a security problem similar to the challenges facing online identity today. It was a time when the car changed our modern society by delivering on its promise of freedom and speed, but security and safety measures were overlooked; there were no seatbelts in cars. In fact, when happy car drivers hit the brand new highways and fatal accidents swelled, car manufacturers denied the problem. They feared that any acknowledgement of the risk associated with driving would negatively affect sales.

Nils Bohlin, the chief safety engineer at Volvo and a former aircraft designer, realized for a seat belt to be accepted by the everyday user it could not be clunky and complicated like the harnesses used by fighter pilots. It would need to be simple and take no more than a second for anyone to put on. With those objectives he designed the three-point seat belt in 1959, and then led the initiative making his invention into a standard feature in every car.

It was just a matter of finding a solution that was simple, effective and could be put on conveniently with one hand,Nils. Bohlin has said. “The pilots I worked with were willing to put on almost anything to keep them safe in case of a crash, but regular people do not want to be uncomfortable even for a minute.”

So, what can we learn from Mr. Bohlin when developing security for the Internet? This even more brilliant invention, which we all love until we get our digital life and identity smashed?

The answer is: Make online identification and authentication open and as easy and intuitive as the three-point seat belt:

Bring it out. Click. Go.

Yubico Team

Securing OATH Secrets on Android

Some people are concerned about the risk of storing cryptographic secrets on Android devices – for example, those used to generate One Time Passcodes (OTP) from Google Authenticator.  The production YubiKey NEO is the perfect companion to Android devices with NFC support.  By bringing your YubiKey NEO close to the back of the Android device (such as the Nexus 4 from Google), Android Apps can use the YubiKey NEO’s challenge response capability to generate an Open AuTHentication (OATH) time based OTP – such as those used by Google Apps and Dropbox.  And we have created a sample Android App to show this.  [Update] Take a look at the video here.

YubiTOTP Android Widget from Yubico on Vimeo.

 

When you first enable 2-step verification on Google Apps or on DropBox, you are presented with a 2D matrix code which contains the cryptographic secret used to create the OTPs.  Our YubiTOTP Android App reads this (using Google’s open source scanner app); however, instead of storing the secret on the Android file system, it programs one of the YubiKey NEO’s slots with the secret as part of an HMAC-SHA1 challenge/response configuration.  The secret can not be recovered from the YubiKey NEO, however, UNIX time can be sent to the YubiKey NEO (over NFC or via the USB connector) and the result truncated by the App to produce the OTP – which is displayed on the screen or can be put on the clipboard.

If you lose your Android Phone – or it dies, you just get a new one and reload the App – the secret stays in the YubiKey NEO!

[Update] We have enhanced the app to include a re-sizable home screen widget – just tap on the YubiKey icon and prompts you swipe your YubiKey NEO and displays the 6-digit OATH code on the icon.

Download the app here.  Let us know what you think…

Want to install it directly to your Android Device? Download the .apk file here.

Yubico Team

YubiKey NEO in Production

We know you have been waiting a long time for the production launch of our YubiKey NEO, and we are very happy to announce our plan to start shipping the production versions of the YubiKey NEO by December 10th. We are already accepting orders for the YubiKey NEO, so place your order today to get your full production sample of the NFC authentication token as soon as possible! And if you happen to be at CARTES in Paris this week, stop by the NXP booth where we will demonstrate the NEO.

The previous limitations of the beta version of the NEO have been addressed in the production version. The final version of the YubiKey NEO also includes a new secure element, enabling smart card/PKI functionality, which is certified for Common Criteria and the highest level of security. You can read more about all the new features here, as well as more about RFID and the YubiKey NEO.

We will naturally continue to expand and improve the YubiKey technology, so stay tuned for even more updates in the future!

Ronnie Manning

YubiKey and U2F at CES ShowStoppers – Yubico Demonstrates Mobile Contactless, Tokenless, and Passwordless Authentication

PALO ALTO, CA, JAN. 6, 2016 – Yubico, the leading provider of simple and open online identity protection, today announced it will be participating at ShowStoppers @ CES (Consumer Electronics Show) 2016.  Yubico will be demonstrating the first FIDO U2F-certified NFC-enabled YubiKey and a preview of a software-based U2F mobile client that brings public-key cryptography to both consumer and enterprise mobile users with a tokenless and passwordless experience.

YubiKey NEO

One Touch, Secure Login with YubiKey at ShowStoppers @ CES

Yubico will be exhibiting at booth B-12 at ShowStoppers on Wednesday, January 6, 2016, 6-10 p.m., at the Wynn Las Vegas.

Hacking, data loss, and identity theft is no longer just a concern to enterprises, but a threat that reaches everyone online.  The time is now and the technology is here for consumers to protect themselves beyond just a username and password.  Yubico’s YubiKey holds the promise of a more secure online and mobile consumer experience, and a dramatic increase in enterprise security.

The YubiKey NEO is the first device certified for U2F mobile authentication over NFC (Near Field Communication).  At ShowStoppers, Yubico will demonstrate how a single YubiKey NEO securely authenticates to both online services via USB and a U2F supported mobile login, with a simple tap of the YubiKey to an NFC-enabled mobile device.

“2016 is the year when FIDO U2F will unfold its promise of a ‘universal’ second factor,” said Stina Ehrensvard, CEO and Founder, Yubico, Inc. “This year, we expect to see many more large-scale online service providers announce their support for U2F and YubiKeys, targeting both consumers and enterprises.”

Also at Showstoppers, Yubico is demonstrating a software-based U2F mobile client (iOS/Android) that does not require additional hardware. With the U2F mobile client, second-factor authentication can be a password or the fingerprint used to unlock the phone, enabling the first tokenless and passwordless user experience for FIDO U2F.

While external hardware authenticators without internet connections offer the highest level of identity protection, Yubico’s U2F mobile client provides a heightened level of security compared to a static username and password login. As an example, an online bank that adds supports for U2F can allow its mobile users to perform lower-value transactions using the U2F mobile client only, while higher-value transactions would require U2F hardware authentication.

The YubiKey NEO is available today at Amazon.com and Yubico web store for $50 (single quantity retail price).

 

 

 

Media Contact
Ronnie Manning
Director, Public Relations
619.822.2239
Ronnie@Yubico.com