Showing results for: nfc

John Fontana

When Will NEO Work with iPhone 6 NFC?

Yubico has heard this question a lot over the past days since the iPhone 6 was released with NFC support.

The answer would be “now” if Apple had an open ecosystem, but that likely won’t be the case for another 12-16 months. But put a pushpin on your roadmap, the YubiKey NEO will be a multi-factor authentication option, based on its current NFC support, for iPhone users once Apple opens it to developers.

And if Apple decides to join the FIDO Alliance, the Yubico promise of one authentication key for many services could get support from another heavyweight in the FIDO standardization effort.

It’s not far-fetched to envision Apple as part of FIDO given that Apple’s Touch ID is built from technology acquired when it bought AuthenTec – which applied for the original trademark on the FIDO name. (The company left FIDO the day it was acquired by Apple).

Apple showed its new willingness to work in international standards settings two weeks ago when it joined the GlobalPlatform, which creates specifications that address standardized infrastructure for securing multiple apps on smart chip technology.

The group has three areas of focus: secure elements, trusted execution environments and messaging that holds it all together. And it adds in security, interoperability, responsibilities, provisioning and a common language to exchange information.

Or as Global Platforms puts it, we’re “a cross industry, non-profit association that identifies, develops and publishes specifications that promote the secure and interoperable deployment and management of multiple applications on secure chip technology. “

Now that’s a mouthful, but what’s important is in a world where standards are the only way to reach Internet scale, it appears Apple is coming out to play.

Bravo Apple!

You can read more about the Apple/GlobalPlatform alliance on my Identity Matters blog on ZDNet.

John Fontana

Welcome to the Future, It’s about to Get Really Interesting…

This week ushered in my start with Yubico and I couldn’t be happier to be a part of what is going on here. The challenge in any new job is that while your colleagues are at a full-on run, you’re still learning how to walk. But after five days, I do know I better catch up to them soon because the advancements and opportunities related to authentication technology are poised to come forward fast and furious.

Apple’s iPhone event next week is a hint at security and usability improvements that will spread across the industry. While Apple is initially focused on electronic payment transactions, you could easily swap in the word “authentication” for “payment” and get a picture of where things are going.

The new iPhone 6 by all accounts will show up with NFC support, which is sweet music to the electronic payment system folks. Why, because they can insert new levels of security and fraud protection leveraging the chip technology infrastructure without upsetting the familiar end-user experience of using the card. And they can do it without passing through software susceptible to malware.

They can provision shared secrets, thus protecting real credit card numbers throughout the transaction process and thwarting hackers via a scheme known as issuer tokenization.

“Now if someone steals transaction records from Home Depot, they get one-time numbers that are useless, it totally kills all these breaches,” said Steve Sidner, an independent security and payments consultant based in Omaha, Neb.

Chip-and-pin cards, well known in Europe and coming by mandate to the U.S. next year, are proof that the system works. (The devil in the details is the cost for swapping out current technology in POS systems and issuing new cards).

But the real sweet music to security wonks; there is virtually zero convenience/security trade off, which has always been the barrier to end-user entry.

That is a win for customers and vendors.

Take that same scenario, but think about an authentication transaction rather than a financial transaction. It works in a similar way but with a different flow. Think of a simple yet elegant hardware-based way to exchange public keys and private secrets, think of no software installs, think of a contactless device that wakes up your phone and announces it is there for a private conversation around strong user authentication.

Think of that same scenario with other contactless technologies.  Think of form factors from earrings to watches to clothing.

Major companies with a significant stake in online services and applications are certainly thinking about all that.  And they are poised to roll out first phases, not next year, but by the end of this one.

The FIDO Alliance is thinking about it and how to run it over a standard set of protocols — and, of course, the Alliance contains some of the same card issuers salivating over Apple joining the NFC device party with rival Android.

And I have been thinking about all this. That is one reason I am at Yubico trying to help get the message out about the potential for a major shift and a run at finally gaining a significant share of end-user acceptance for stronger security.

I wrote about this yesterday on my blog Identity Matters that runs on the technology web site ZDNet.

Pay attention to what happens next week within Apple’s initial limited NFC scope, but keep in mind the bulk of the benefits are more wide-spread and still to come.

I think the YubiKey is poised to fuel this market with its one-touch strong authentication.

The one thing that jumped out at me is when you insert the key into a USB port it looks like an external keyboard to your computer. So in essence strong authentication is added to your computer by including just one additional key to the 78 or so that are already on a typical computer keyboard.

Strong authentication delivered with a keystroke, likely one of the oldest and most understood end-user experience in computing. As just one example, the strong authentication experience is already familiar to scores of engineering teams, who securely log-in hundreds or thousands of times a day just by touching the one extra key.

That is cool. I’m really interested to see where all this can go.

David Maples

YubiKey NEO OATH Applet

Yubico is proud to announce the release of our Free YubiKey NEO applet to help with storing OATH secrets and generating OATH one time pass codes.

With the increasing deployment of two step verification (e.g. GitHub this week, DropBox, Google, Microsoft, Evernote) relying on the OATH protocol, many users are concerned about using their mobile phones to store the secrets used to generate the 6 or 8 digit numbers, and the difficulty of changing devices. The applet we’re releasing today allows you to store those secrets in the secure element on your YubiKey NEO – and simply tapping your NEO against any NFC enabled Android device with the YubiOATH app running shows you your current codes. See the video below to see it in operation.

Existing YubiKey NEO owners comfortable with using command line tools can add the new applet to their NEO – see our forum post here. The source codes of both the YubiKey NEO OATH applet and the Android YubiOATH applet are available here.

Stina Ehrensvard

Best Vaccine for Mobile Viruses

A security research team at Bluebox have unveiled a vulnerability in Android, claiming that malware can get full access to the mobile operating system and applications. The complete details are not yet public, so the Yubico security team does not know how such an attack would work. But we know for sure that we will see more sophisticated mobile malware attacks in the near future.

For many years Apple claimed that their computers were more secure than PCs, being immune to PC viruses. This was a correct statement until Max OS X and IOS won enough market share to become increasingly popular for malware creators.

As the security of static passwords and software authentication installed on computers was exposed, and more and more users adopted smart phones and tablets, SMS and authentication apps were presented as the more secure way to login.  But malware creators always follow the crowd. Long before the Bluebox vulnerability discovery, software authentication applications, running on mobile devices, have been copied and misused.

At Yubico we had these threats in mind when we developed the YubiKey NEO, enabling true second factor authentication across computers and NFC mobile devices. For users and devices that do not have NFC, the Yubikey NEO can also hold an authentication app on the YubiKey itself, offering higher security than loaded on a device exposed to the Internet.

Just as biological viruses have spread, infected and killed humans in the physical world, another type of virus is infiltrating the veins of the Internet. Cloud companies, that have been part of the YubiKey NEO development and success, have seen these viruses attacking their systems. And we know that authentication hardware is the most powerful vaccine.

David Maples

Meet Yubico at RSA Conference

The Yubico team will be attending the RSA conference in San Francisco, February 25th – 28th.
We will have the YubiKey NEO on demonstration, featuring NFC functions like the OATH TOTP generator for Android and LastPass.

Come see us at the OATH Pavillion, Booth #829.

We look forward to seeing you!

Stina Ehrensvard

Yubico’s Vision for Secure Online Identities

Wired Magazine recently announced that Google is working on a new online authentication protocol as an alternative to legacy username/password login. Yubico and NXP are co-creators of this protocol, designed to be integrated across a wide range of devices, including SIM cards, YubiKey NEOs, or a ring you carry on your finger, and to solve some of the fundamental problems with online identity. And these are problems we need to fix soon. Very soon. Or billions of people, along with the great creation named the Internet, will be in serious trouble.

At this stage we cannot say which route we will choose to ensure mass adoption of this new security protocol. But we can say that Yubico has decided to engage in the project as we believe it could be a game changer.

And this is the vision: 

Imagine that you have one single key and one single password to securely access all your Internet life. 

The key would not be issued, controlled or hosted by a government or a service provider. Instead, you would buy this key at your retail store, such as 7-Eleven or Amazon.com, similar to a gift card or pre-paid phone card.

The key would remain in your own full control, guarding your privacy. And you may even choose to have multiple keys and identities, enabling you to protect your digital identity while remaining anonymous.

From your computer or mobile device, you would be able to instantly, with no required software installed, connect your key to any number of online services. Placed in the USB-port or tapped to your NFC phone/tablet/laptop you would replace all your multiple, long, painful passwords with a simple touch. Combined with a simple PIN or password, you would then securely access your email, bank, healthcare records or any online account.

With built-in support for platforms and browsers, the key would offer superior security, protecting against man-in-the-middle and phishing – but with no drivers or client software needed.

With an open source approach and a clever ecosystem, there would be no fees for service providers, and the costly Certificate Authority model associated with traditional smart cards could be eliminated. But more importantly, there would be no single token or service provider who would control your digital identity or any cryptographic secrets.

Yes, there are a few obstacles to overcome, including aligning influential thought-leaders and global stake holders on the same page. But if enough people want to, it would be possible to create a new, really simple, secure and affordable online identity solution as outlined above.

Bring it out – click – go!

PS. Please find additional comments on this topic in the Future of Authentication FAQ 

Stina Ehrensvard

Internet Identity and the Safety Belt

60 years ago the car industry and our society faced a security problem similar to the challenges facing online identity today. It was a time when the car changed our modern society by delivering on its promise of freedom and speed, but security and safety measures were overlooked; there were no seatbelts in cars. In fact, when happy car drivers hit the brand new highways and fatal accidents swelled, car manufacturers denied the problem. They feared that any acknowledgement of the risk associated with driving would negatively affect sales.

Nils Bohlin, the chief safety engineer at Volvo and a former aircraft designer, realized for a seat belt to be accepted by the everyday user it could not be clunky and complicated like the harnesses used by fighter pilots. It would need to be simple and take no more than a second for anyone to put on. With those objectives he designed the three-point seat belt in 1959, and then led the initiative making his invention into a standard feature in every car.

It was just a matter of finding a solution that was simple, effective and could be put on conveniently with one hand,Nils. Bohlin has said. “The pilots I worked with were willing to put on almost anything to keep them safe in case of a crash, but regular people do not want to be uncomfortable even for a minute.”

So, what can we learn from Mr. Bohlin when developing security for the Internet? This even more brilliant invention, which we all love until we get our digital life and identity smashed?

The answer is: Make online identification and authentication open and as easy and intuitive as the three-point seat belt:

Bring it out. Click. Go.

Yubico Team

Securing OATH Secrets on Android

Some people are concerned about the risk of storing cryptographic secrets on Android devices – for example, those used to generate One Time Passcodes (OTP) from Google Authenticator.  The production YubiKey NEO is the perfect companion to Android devices with NFC support.  By bringing your YubiKey NEO close to the back of the Android device (such as the Nexus 4 from Google), Android Apps can use the YubiKey NEO’s challenge response capability to generate an Open AuTHentication (OATH) time based OTP – such as those used by Google Apps and Dropbox.  And we have created a sample Android App to show this.  [Update] Take a look at the video here.

YubiTOTP Android Widget from Yubico on Vimeo.

 

When you first enable 2-step verification on Google Apps or on DropBox, you are presented with a 2D matrix code which contains the cryptographic secret used to create the OTPs.  Our YubiTOTP Android App reads this (using Google’s open source scanner app); however, instead of storing the secret on the Android file system, it programs one of the YubiKey NEO’s slots with the secret as part of an HMAC-SHA1 challenge/response configuration.  The secret can not be recovered from the YubiKey NEO, however, UNIX time can be sent to the YubiKey NEO (over NFC or via the USB connector) and the result truncated by the App to produce the OTP – which is displayed on the screen or can be put on the clipboard.

If you lose your Android Phone – or it dies, you just get a new one and reload the App – the secret stays in the YubiKey NEO!

[Update] We have enhanced the app to include a re-sizable home screen widget – just tap on the YubiKey icon and prompts you swipe your YubiKey NEO and displays the 6-digit OATH code on the icon.

Download the app here.  Let us know what you think…

Want to install it directly to your Android Device? Download the .apk file here.

Yubico Team

YubiKey NEO in Production

We know you have been waiting a long time for the production launch of our YubiKey NEO, and we are very happy to announce our plan to start shipping the production versions of the YubiKey NEO by December 10th. We are already accepting orders for the YubiKey NEO, so place your order today to get your full production sample of the NFC authentication token as soon as possible! And if you happen to be at CARTES in Paris this week, stop by the NXP booth where we will demonstrate the NEO.

The previous limitations of the beta version of the NEO have been addressed in the production version. The final version of the YubiKey NEO also includes a new secure element, enabling smart card/PKI functionality, which is certified for Common Criteria and the highest level of security. You can read more about all the new features here, as well as more about RFID and the YubiKey NEO.

We will naturally continue to expand and improve the YubiKey technology, so stay tuned for even more updates in the future!

Yubico Team

RFiD and the YubiKey NEO

When Yubico first introduced the YubiKey RFiD in 2009, it provided users with an unmatched integration of physical and network security. Many facilities with existing RFiD based security systems have integrated the RFiD YubiKey into their systems, allowing users to use one device to access their office space as well as network account. The RFiD YubiKey could be used with both standard RFiD readers as well as with any computer with a USB port, removing the need for additional hardware when integrating the RFiD YubiKey.

Since then, there has been a significant rise in the world of mobile computing. The task of authenticating users on Tablet PCs and SmartPhones is becoming just as vital as securing PCs or Laptops. With the growing addition of NFC support in mobile devices, Yubico decided to create the YubiKey NEO, capable of providing wireless authentication to NFC supporting devices while also allowing for standard USB authentication.

During the pre-production phase of the YubiKey NEO, we decided to simplify our product line to provide the best customer experience. From this decision, Yubico has decided to combine YubiKey support of RFiD and NFC into one device. When the Production YubiKey NEO is launched in November of 2012, it will support all of the capabilities of the YubiKey RFiD tokens alongside the new NFC communication features. The YubiKey NEO will allow users to validate against RFiD systems, NFC systems as well as the standard YubiKey Authentication.

However, with the introduction of the YubiKey NEO, Yubico will withdraw the RFiD YubiKey. New users looking for an RFiD-compatible solution, as well as existing users looking to expand their solution, will be able to utilize the production YubiKey NEO in place of the RFiD YubiKey.

We will continue to offer support of the YubiKey RFiD functionality, both in the older RFiD YubiKey and the new YubiKey NEO. We thank you all for your support of the RFiD YubiKey and hope that the YubiKey NEO continues to meet your high expectations!