Showing results for: security protocol

Stina Ehrensvard

Yubico joins FIDO Alliance

Yubico has joined FIDO Alliance as a board member, and will be a part of the Universal 2nd Factor (U2F) working group that Google is creating  focusing on open authentication standards work for strong, universal second-factor devices.

The U2F working group will continue the work that was presented earlier this year in an IEEE paper and Wired, based on the technical specifications that jave now been successfully proven with thousands of YubiKey NEOs and users. By end of the year we expect more than 200,000 U2F protocol compliant YubiKey NEOs being deployed within Google and elsewhere.

U2F will be available as a stand-alone offering, and the working group will also collaborate closely with the already existing FIDO UAF Technical working group, to ensure harmonization of specifications. UAF aims to create a web eco-system including a broader range of authentication methods, including biometrics.

 

Simon

BrowserID and YubiKey

To to learn how you use the YubiKey with BrowserID, a new open identity initiative, please check out this video from a BrowserID developer: https://vimeo.com/64514090

BrowserID was introduced in mid 2011 by the Mozilla Project. It addresses the same problem as OpenID and SAML, as well as the common OAuth or OpenID-based login-with-an external-account (such as Google, Facebook or Twitter) flows. From a usability point of view, in comparison to OpenID, BrowserID uses email addresses instead of URLs, which is more natural for users.

Perhaps the strongest feature of BrowserID, when compared to OpenID and SAML, appears to be user privacy; with BrowserID your Identity Provider is not involved in the per-site login flow, so they cannot track which sites you have accounts on.

Technically, BrowserID has the simplicity of OpenID and OAuth but can provide stronger security (including public/private-key crypto, and provide session keys). The downside is that the BrowserID protocol is not well specified, such as in the form of an IETF RFC document, and supposedly uses obsolete JSON-security formats which poses some migration pains.

Yubico is happy to see that YubiKey support is possible with BrowserID, and we will continue to learn about this area so we can provider our customers with good advice about best usage of the YubiKey. We believe that the Internet needs better authentication methods, and also think that the YubiKey provides good security and ease of use for users.

Please note that BrowserID is not the same protocol used for the open authentication project that Google is currently working on, mentioned in Wired earlier this year and Yubico is closely engaged in.

The Source Code for the YubiKey Persona integration is avalible at https://github.com/jedp/persona-yubikey

David Maples

miiCard Proofs Identities with YubiKey

Online identity proofing service miiCard can prove an individual’s identity to the level of an offline photo ID check in minutes and purely online. By now adding YubiKey authentication to miiCard’s bank level ID verification service, the most secure and high value transactions can be performed online. Read more about how miiCard and YubiKey can make online identification safe and secure in the full press release and on our partner site!

Read full press release

Visit MiiCard’s YubiKey Protection Page

Morning dew. Shining water drops on spiderweb over green forest background. Hight contrast image. Shallow depth of field
Stina Ehrensvard

The Future of Authentication FAQ

A selection of questions we have received and answered on YubiKey NEO and Universal 2nd Factor (U2F), since this new open authentication standards initiative was announced in Wired Magazine and the Yubico identity vision blog.

Why do you want to kill the password?

We don’t. Yubico does and will continue to recommend two-factor authentication, consisting of a PIN or password in addition to a device which generates new and encrypted pass codes every time it is used, such as the YubiKey. The best security practice is to use something you have with something you know. With the YubiKey, the password becomes a supporting element rather than the main defense; thus a simple PIN suffices to protect you against misuse of your YubiKey by those around you.

 

What is the user experience of YubiKey NEO and U2F?

It is easier to use a YubiKey NEO with U2F than logging in with a username/password. With NFC mobile devices, all you need to do is to enter a PIN and tap the YubiKey NEO to an NFC-capable phone or tablet. With computers, you place the YubiKey NEO in the USB-port enter a PIN and touch the device. And you will only need a YubiKey and a simple password for any number of services. To see how it works, watch this video.

 

Why is a hardware key better than software-based authentication methods?

A software application, regardless if it’s on your computer or your smart phone, can be easily targeted and misused by malware – which has already happened to SMS and authentication apps. The best security practice is to move login credentials to a separate hardware device not connected to the Internet. To further improve security, it is recommended to use PKI encryption with session security, and a user presence touch button; features uniquely provided by the Yubikey NEO and the U2F specifications.

 

Will U2F support software-only implementations?

The initial U2F deployments inside Google and elsewhere are all based on hardware devices. However, for lower security applications, U2F software-only implementations are likely to be offered down the road.

 

Why can’t I have my identity and a security chip integrated in my device instead?

A user identity, including U2F specifications, can be integrated directly in your smartphone or computer using TPM, Arm TrustZone, SIM Card or a secure element. While this approach reduces the number of separate devices needed, it has notable disadvantages from a security, privacy and mobility perspective.

Security – Identity and authentication technologies that are permanently connected to a computer or phone fails to meet the “not connected to the Internet” best practice for storing sensitive secrets. These devices are all more or less exposed to malware, malicious apps, Wi-Fi exploits and VPN masking. In addition, they don’t help against the social attacks (i.e., software tricking the user into doing something unintended) which will continue to be the easiest way to attack users. Those social attacks will always be available on general multi-purpose devices where users can download and install apps on their own, and provide an avenue to attack the secure elements directly.

Mobility – With your credentials tied to a integrated device, it may be difficult to move your identity between other devices, or to use a computer at a hotel or friend’s house. For the majority of high security applications that are performed on computers, it may not help to have an identity tied to a phone, as there is no communication standard between all computers and mobile devices.

Privacy – The device identity may be controlled or monitored by the telecoms provider or other party, which may add cost, complexity and privacy concerns. In a time of “Big Data” and government surveillance, many enterprises and individual users have concerns about privacy. What’s more, tying your identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts.

 

Why would users want to have multiple identities?

U2F and Yubico supports an open identity eco-system where users can be secure – but still guard privacy. Just as with email, many users chose to have multiple accounts; a real/personal, a real/job and an high privacy/alter ego or spam email account. We want to help you to prove that you are the legitimate owner of an account, while not requiring additional personal information. We also want to support use cases where identities are used for a limited time and revoked when needed. We believe you should be in control about how sites track you over your digital life; With the YubiKey NEO and U2F, minting new Private/Public key pairs for each site, tracking across sites is not enabled.

 

I still do not like to have to keep track of one more thing.

You will not need to. U2F is designed for secure elements; high security chips, for integration into many of the things you are likely to carry with you today; a card in your wallet, a key in your key-chain or directly in your phone. Therefor the U2F technology gives you the choice; you can use it embedded into your existing devices for low-risk purposes, or use U2F via a Yubikey NEO when you want better mobility, privacy and security properties.

 

So, what about fingerprints or face recognition?

We don’t believe that biometrics sent over the wire to authenticate users is appropriate for privacy and security reasons; Your fingerprint is a static and unique image that can be copied and misused – but not revoked. However, once the technology is proven to be more dependable, biometrics to unlock a phone or computer could be useful, but where the actual interaction and authentication is done between a security chip in the device and the server. But as discussed earlier, having a security chip permanently tied to a computer or phone device may have limitations from a security, privacy and mobility perspective.

 

When will NFC get mass adoption?

The majority of high security applications requiring strong second factor login are still performed from a computer with a USB-port. To address the growing use of mobile devices, YubiKey NEO and U2F also support NFC. While Apple is waiting to adopt NFC, their competitors, who represent a combined 80% smart phone market share, will have sold more than 200 million NFC enabled devices in 2013. Banks are pushing NFC enabled payment solutions and critical mass is being achieved in several countries. Once the next generation NFC credit- and debit cards have been deployed, allowing “one touch” secure payments directly on your own phone and computer, there will be a market demand for NFC on all devices and platforms.

 

How does the Yubico identity vision relate to federated identity services?

It is very complementary to SAML, Open ID Connect, etc, as these protocols enable powerful single sign-on opportunities but need to be combined with two-factor authentication. U2F is based on a PKI infrastructure where every service provider can optionally also be their own identity provider. When user data and cryptographic secrets do not need to be shared between service providers, both security and user privacy can be enhanced.

 

Why would users want to pay for their online identity?

In a time where users’ personal information is collected and used by a growing number of organizations, many users are growing concerned about privacy. Once a single U2F device can be used for a multitude of popular services, users will want to buy, own and control their own online identity, that does not need to be tied to a service provider. Also, with a physical U2F device, users will be ensured that their online identity is well protected and is not being exposed to malware, which has already happened to software authentication apps. Some service providers will offer financial incentives for users to buy and use a U2F device with their service, but many users will also be willing to pay for it themselves. In partnership with leading password managers, Yubico has already proven that there is a real market demand for a single and secure authentication hardware solution. Also, the millions of end-users who have purchased anti-virus software, prove that we are willing to pay to protect ourselves on the Internet.

The U2F and the NEO technology still allows enterprises and organisations to purchase larger volumes of devices and put them in the hands of their users, so you can chose whether to adopt the model where the user acquires and own the device and where the service organisation purchases and deploy the device.

 

What would happen if a user loses a U2F device?

A user will be able to have multiple and back-up U2F devices enrolled with an account, with the possibility to easily disable a lost device. Similar to other account recovery processes, the service provider may also choose to send “recovery codes” over email or phone as a back-up to the physical device. Ultimately, revocation is something that needs to be resolved by each website that authenticates users because they have the direct relationship with the user. U2F does not solve this problem, but makes it easier to have stronger recovery processes by introducing new authentication factors.

 

Why can’t we use Big Data to fix the authentication problem?

Server side risk evaluation software has its place in services, especially involving high-value transactions. However, easy-to-use strong authentication is critical in striking a balance between ease of use, reducing false positives and eliminating fraud. Computers, phones and networks will never be free from malware, and users will need to move their secure identity between devices and services. The YubiKey NEO with U2F enables true end-point authentication, where we only need to trust a key in our pocket and the services it connects to.

 

What are the main barriers in the broad adoption of YubiKey and U2F?

The inventor of the 3-point seatbelt at Volvo realized that security needs be really quick, simple and made into an open standard to scale. Online authentication for the masses has the same requirements. A YubiKey with U2F is easier to use than easier to use and more secure than traditional two-factor solutions, and is being supported and deployed by leading Internet thought leaders, including Google. This is a great start, but just like the seat belt; mass adoption will be derived from more severe accidents, increased concerns about security and privacy, and government and industry regulation.

 

What is the business incentive for driving a new open authentication initiative?

Yubico recognizes the potential that a higher level of authentication using PKI can offer, designed with better usability and less complexity than solutions available today. We found that Google’s authentication efforts are aligned with these goals. To support a next generation secure Internet, scaling our technology to as many services as possible, our approach is to make U2F a new and truly open standard.

 

How would you make high security transactions with a device you could purchase at your corner store?

For some identities you may choose to be secure and “anonymous”. For services requiring a higher level of identity assurance, you would bring your identity device along with your Passport, driver licence or ID to an official location which would associate your U2F device with your real identity. There are also online services offering identity proofing which could accredit your device.

 

What authentication technology initiative do you see as your biggest competitor?

All initiatives in this space help to educate and challenge the market for something better than the legacy username/password. There will not be one single authentication method and security protocol to rule the world, but the winners will address different needs and be open and interoperable. And Yubico’s focus is to make online authentication as easy and affordable as possible, yet retaining the highest level of security and privacy.

Stina Ehrensvard

Yubico’s Vision for Secure Online Identities

Wired Magazine recently announced that Google is working on a new online authentication protocol as an alternative to legacy username/password login. Yubico and NXP are co-creators of this protocol, designed to be integrated across a wide range of devices, including SIM cards, YubiKey NEOs, or a ring you carry on your finger, and to solve some of the fundamental problems with online identity. And these are problems we need to fix soon. Very soon. Or billions of people, along with the great creation named the Internet, will be in serious trouble.

At this stage we cannot say which route we will choose to ensure mass adoption of this new security protocol. But we can say that Yubico has decided to engage in the project as we believe it could be a game changer.

And this is the vision: 

Imagine that you have one single key and one single password to securely access all your Internet life. 

The key would not be issued, controlled or hosted by a government or a service provider. Instead, you would buy this key at your retail store, such as 7-Eleven or Amazon.com, similar to a gift card or pre-paid phone card.

The key would remain in your own full control, guarding your privacy. And you may even choose to have multiple keys and identities, enabling you to protect your digital identity while remaining anonymous.

From your computer or mobile device, you would be able to instantly, with no required software installed, connect your key to any number of online services. Placed in the USB-port or tapped to your NFC phone/tablet/laptop you would replace all your multiple, long, painful passwords with a simple touch. Combined with a simple PIN or password, you would then securely access your email, bank, healthcare records or any online account.

With built-in support for platforms and browsers, the key would offer superior security, protecting against man-in-the-middle and phishing – but with no drivers or client software needed.

With an open source approach and a clever ecosystem, there would be no fees for service providers, and the costly Certificate Authority model associated with traditional smart cards could be eliminated. But more importantly, there would be no single token or service provider who would control your digital identity or any cryptographic secrets.

Yes, there are a few obstacles to overcome, including aligning influential thought-leaders and global stake holders on the same page. But if enough people want to, it would be possible to create a new, really simple, secure and affordable online identity solution as outlined above.

Bring it out – click – go!

PS. Please find additional comments on this topic in the Future of Authentication FAQ