
Stina Ehrensvard

The Key to Trust

As the principal inventor behind both the Security Key and U2F protocol, we are true supporters of open standards. To realize our mission of making secure login ubiquitous, we designed the original Security Key, and provided the majority of the open source code and test tools for FIDO U2F and the latest version of the standard, FIDO2, which offers a passwordless experience.

Innovation is core to all we do, and as the ecosystem continues to mature, U2F and FIDO2 functionality will come in many different form factors, communications methods (USB/BLE/NFC) and features, from Yubico and others.

Over the past several years, Google has deployed hundreds of thousands of FIDO U2F-enabled Yubico devices internally with amazing results. Today, Google released their own version of a security key, and while we have been asked whether we were part of this production, these devices are not manufactured by Yubico.

Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.

Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Yubico is a believer in NFC, and the YubiKey NEO design has proven at scale to deliver a superior contactless user experience for U2F.  Also, Yubico will soon announce another secure and user friendly solution for iOS.

YubiKey authentication devices

The FIDO U2F and FIDO2 standards work has been a long, challenging and inspiring journey convincing and engaging all leading platforms and browsers to subscribe to the Yubico mission: to make secure login easy and available for everyone.  

U2F is just one tool in the YubiKey toolbox. Today, the majority of our customers use our multi-function YubiKeys across multiple applications, services, and operating systems. In addition to FIDO U2F, we offer smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP, in a single device, over both USB and NFC, as well as in USB-C form factors. 

Yubico continues to work closely with Microsoft, Google and the global open standards community on FIDO2, the passwordless evolution of U2F. This next-generation standard enables the option to use a security key as a single factor, with an optional PIN or biometrics on the user device, removing the need for service providers to store and manage passwords.

We will continue to create market defining authentication products, which we are currently demonstrating at Google Cloud Next, booth #S1426. We welcome you to join us.

Ronnie Manning

Yubico Lands a16z Investment and Grows Board of Directors

Today, Yubico is proud to announce its latest round of investment from Andreessen Horowitz (a16z). a16z is supporting Yubico’s mission to create a safer internet for everyone by providing ubiquitous secure access to computers, networks and servers. The company has been growing with profits over the last six years, and funds from the new investment will be used for scaling engineering, product and development teams.

In addition to company backing, Martin Casado, general partner for a16z, will be joining the Yubico board of directors. With an extensive background in computer science, software-defined networking, and security, Martin will support the company in a rapid growth phase, helping Yubico scale as the hardware root of trust for users and servers as we move toward the passwordless future.

“Internet security is an area I’m personally very passionate about and I’m a true believer in the Yubico vision and approach. I’m thrilled to be joining the board and working with the team on this journey forward,” said Casado.

The YubiKey is the authenticator of choice for thousands of business customers and millions of users in more than 160 countries, including a16z, who currently deploy YubiKeys to every employee. This decision was made prior to the investment in Yubico, as a16z determined that the YubiKey was the most secure approach for protecting accounts and sensitive company data.  

Yubico CEO and Founder Stina Ehrensvard worked with Martin Casado on the a16z Podcast episode ‘The State of Security’ from earlier this year to provide insight into the crossroads of software and hardware in the security space. Specifically, Stina spoke about the increasingly important role of authentication  in a world where we hear of new data breaches and stolen user credentials on a daily basis.

Previous Yubico investors include NEA and renowned Silicon Valley entrepreneurs Marc Benioff, CEO of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member.

Ronnie Manning

Yubico CEO recognized as the Most Powerful Swedish Woman Entrepreneur 2018

On Thursday, March 8, Yubico CEO & Founder Stina Ehrensvard was named “The Most Powerful Woman Entrepreneur, 2018” by Veckans Affärer, the leading weekly business magazine in Sweden.

“With a product that is becoming a world leading standard, she is today one of Sweden’s most powerful, as well as most successful entrepreneurs,” shared the jury for the award.

Following the award, Veckans Affärer published a feature on Stina and her story. In the article, Stina thanked her parents for never stopping her from climbing trees as a young girl, and for instead asking how the view was from the top. She also emphasized that the most important foundation in a company is the team and that every award she gets represents Yubico as a whole.

The Most Powerful Woman Award is celebrating its 20th year anniversary, having started in 1998 to honor and highlight successful, influential women business leaders and entrepreneurs. At the time, there were only 2 women board members for Swedish companies listed on the stock exchange.  Today, the number of women has grown tenfold.

The award was handed out at the gala dinner and award ceremony in central Stockholm, attended by leading Swedish business executives.

Stina Ehrensvard

Buckle Up for a Safer Internet

Some cynics say that the problem of internet security will only continue to get worse, and that there is nothing we can do, but manage and minimize damages and losses. As an optimist, I completely disagree. Throughout our existence, people have faced and resolved extremely complex and evolving challenges—a great example of which is automobile safety.

A few years back, I wrote a blog post entitled Internet Identity and the Safety Belt. It focused on the introduction of the three-point seatbelt and its significant contribution to the automobile industry by making cars safer for drivers and passengers. Today, there are 10 times more cars on the road, but a lower total number of fatal car accidents. While driving will never be completely safe,  millions of lives have been saved through the realization of the problem, innovation, education, market demand, open standards, and government regulations. I am confident that we will make the information superhighway safer for everyone through the same efforts.

For the automobile industry, the seatbelt is an innovation that has had the greatest positive impact on passenger safety. Further advancements in car safety designs and driver’s education programs have similarly equipped new drivers with the tools they need to safely navigate any unforeseen turns.

What if there was a driver’s education program to help internet users move safely across the internet? Perhaps this should become a staple in a school curriculum just like Math and History?

Education, innovation, and collaboration are key to helping us all solve this complex challenge together. With that in mind, I am sharing a security quiz that we developed for basic IT security training of new Yubico employees. I invite you to test your security knowledge, and please feel free to share the quiz with family, friends, and coworkers.

Safe driving on the internet!

David Treece

Yubico Simplifies Smart Card Deployment in the Enterprise

In the enterprise, smart cards are used to simplify logging into computers, VPNs, and online applications. Smart cards can also be used for digitally signing emails and documents. While smart cards are known for delivering strong authentication, they have not always been known for being the simplest to deploy. For example, to use a smart card in an enterprise setting, an admin needs to install client / driver software on every computer, and an external smart card reader is typically required.

Since 2015, the YubiKey has supported smart card PIV functionality with the ability for the YubiKey to act as both a smart card reader and a smart card, meaning that no extra hardware is required. Most recently, we have simplified smart card deployment with the introduction of a YubiKey smart card minidriver. The new YubiKey minidriver enables users to simply self-enroll using the native Windows GUI, and even manage their smart card PIN from Windows Ctrl+Alt+Del. Administrators also benefit from the YubiKey minidriver by being able to do user provisioning using the Microsoft built-in MMC.

Smart card functionality is one of the five authentication protocols supported by the YubiKey, including Yubico and OATH one-time password, FIDO U2F, and OpenPGP smart card. With this multi-protocol support, the YubiKey is suitable for deployment across the enterprise to secure access to computers, networks, and services.

Learn more about YubiKey smart card in the enterprise.

Alex Yakubov

PetitionThat with the YubiKey

Today, the World’s Largest Developer Expo + Conference, DeveloperWeek 2018, opens at the Oakland Convention Center with thousands of developers participating from all over the globe. As a warm up for the conference, hundreds of developers participated in the DevWeek 2018’s hackathon and pulled an all-nighter on Saturday. Over 160 teams coded and collaborated for 24 hours. Our challenge was simple – incorporate YubiKey two-factor authentication (2FA) support into a standalone project for the chance to win a YubiCrown.

And the winning project is… PetitionThat

PetitionThat is a proof of concept that enables petition organizers to collect personal contact information about supporters for the purpose of continued outreach via text, phone, and email after the petition is signed. The platform’s inventors are siblings Solaman and Jameela, and their longtime friend Neil. The three Software Engineers joined forces to tackle an idea they’d been kicking around for a while. They said, “it’s hard to find time to start a new project. When we saw the tools and technologies that were being promoted for the hackathon and how well they could service our idea, we knew that this was finally the time to build it.”

We were blown away by the progress the team made in just 24 hours. They successfully demonstrated secure login to the PetitionThat organizer platform using the YubiKey, real-time signing of a petition by a verified citizen, and re-engagement with the petition-signer over SMS. What really stood out, however, was this team’s fundamental understanding of the importance of privacy and security of the data they aim to collect.

Here’s what they have to say

“In the current political climate, too many people feel like they don’t have a voice. They wish they could improve some aspect of society, but they don’t really feel empowered to inspire change. People have traditionally proven support for an idea by gathering signatures, and today, there are petition websites that go further by leveraging the reach and connectedness of the internet. However, the problem with these sites is that there’s no verification of supporters. It’s too easy for petition organizers and supporters alike to game the system, creating a lack of confidence in the actual support for an idea,” shared the PetitionThat team.

PetitionThat solves this problem by filtering submissions that appear to be fraudulent and requiring a verified electronic signature for an individual to be counted among the supporters of a cause.

“Our service requires two-factor authentication from petition organizers before they can access the contact information of their supporters. We can associate a YubiKey with their account to make two-factor authentication as easy as pressing a button,” they said.

“The YubiKey gives us confidence that a petition organizer’s account isn’t being accessed by a malicious third party to collect personal contact information about supporters for a cause. And for organizers, it’s easier to use than other two-factor authentication methods, such as taking out a phone, waiting for a text message, and manually typing in a code. We get the security of two-factor authentication in a way that doesn’t slow down our users when they’re logging in.”

When asked about the experience of developing with and using the YubiKey and our developer tools, they said, “We explored a lot of new technologies when working on this project, including the YubiKey. The service advertises integration in less than an hour; it took us 15 minutes! It was so easy! There were some APIs from other hackathon sponsors that were so complicated or poorly documented that we had to re-architect our service to avoid using them. The YubiKey and YubiCloud just integrated seamlessly.”

Yubico applauds PetitionThat for their vision, hard work, and excellent performance at the DevWeek hackathon. To learn more about the YubiKey and how to deploy 2FA into your software or service, please visit https://developers.yubico.com/. If you are at Developer Week 2018, stop by and meet the Yubico team at booth # 513.

Stina Ehrensvard

Why 2018 will be the year for authentication hardware

A journalist recently asked me why the world is seeing the return of hardware authentication. My response is that hardware actually never went away. Today, there is no more prevalent form of user verification than hardware. If there had been an easier and more secure way to deploy and revoke user credentials for billions of people, we would not have hardware SIM cards in our phones or chip credit cards in our wallets.

Security is all about minimizing attack surface and achieving separation. The recent Spectre and Meltdown attacks illustrated that it’s hard to achieve watertight separation between processes as systems become increasingly complex. General purpose computing devices that are connected to the internet have big attack surfaces, making them vulnerable to attacks from many fronts, including malware, phishing, malicious apps, Wifi exploits, VPN masking, and social engineering.

However, hardware security devices by themselves do not automatically make things more secure. Modern threats require stronger cryptography with a tighter integration to the applications they’re designed to protect. As a result, we will see increased awareness and adoption of hardware-based authentication and encryption devices using public key cryptography throughout 2018. These devices keep cryptographic information physically separated from the computing device they are connected to, dramatically minimizing the attack surface.

The benefits of using hardware authenticators go beyond just security. Users wanting to ensure privacy do not want to leave footprints that tie their identity to a particular device. Most mobile devices are controlled or monitored by the telecom or platform providers, collecting data about user activities. Furthermore, tying user identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts, or being anonymous. Hardware authenticators, such as the YubiKey, do not require you to share any personal details of yourself to authenticate.

Additionally, there are enterprises who do not allow their employees to bring their phones to work, which makes mobile device based authentication inaccessible. In some geographic locations, there are regulations in place that prohibit companies from forcing employees to download business applications on personal computing devices.

Mobility is another important benefit of hardware-based authenticators. With your credentials tied to an integrated device, it can be difficult to move your login credentials between devices, as there is no seamless communication standard between all computers and mobile platforms. Using a hardware authenticator with multiple communication methods solves this problem.

Finally, hardware authenticators offer significant benefits related to backups. Independent of what type of authentication technology is selected, users will sooner or later lose, break, or reset their login devices. When organizations allow the use of multiple affordable hardware authenticators, one as a primary and others as backups, productive work will increase and support calls will decrease. A hardware authenticator, such as the YubiKey, can cost less than a support call, and a fraction of the expense of using a mobile phone.

Today, in 2018, Yubico and all leading browsers and platform providers are engaged in open standards work based on hardware and public key crypto across leading standards organizations, including the FIDO Alliance, W3C, IETF, and OpenID. We work together not as competitors, but as true leaders collaboratively driving the open standards that will stop the number one problem of IT security breaches for login, payments, IoT, and beyond: stolen user credentials.

Ronnie Manning

WIRED and Ars Technica Experts Choose the YubiKey 4 for New Subscribers

Credibility is defined as the quality of being trusted and believed in. As Yubico continues to grow the trust from our users, partners, and peers, it is truly valued. It’s with this trust that we continue to drive forward in creating strong, open authentication standards and delivering on our vision and belief of a secure internet for all.

Today, we are honored to announce we are partnering with Ars Technica, as part of celebrating its 20 year anniversary, by offering the YubiKey 4 to new Ars Pro++ subscribers. Ars Technica is a highly respected online publication within the technology community and combines technical savvy content with wide-ranging coverage of human arts and sciences, while specializing in bringing readers the right answer, the first time.

Eric Bangeman, Managing Editor, Ars Technica says, “Keeping your online accounts and personal data safe can be a challenge, but YubiKey’s flexibility and best-in-class two-factor authentication capabilities offer a deeper level of security for its users. Ars Technica is proud to offer the YubiKey 4 as a gift for its Ars++ subscribers.”

Limited Edition WIRED and Ars Technica YubiKeys

Also today, we are equally excited to say we are partnering with WIRED magazine to deliver YubiKeys to their new subscribers as well. WIRED is the ultimate authority on the people and ideas changing our world. With a particular focus on emerging technologies, they don’t just write about the future, they ignite it.

As Nicholas Thompson, Editor-in-Chief, WIRED states, “We’re thrilled to be able to offer our subscribers free YubiKeys. Our readers are sophisticated technology users who value their security, which is why we picked YubiKey as a natural gift for them.”  

With both of these powerful and forward-thinking audiences, we are extremely honored that experts from WIRED and Ars Technica chose the YubiKey as the gift of security for their readers. The best part is, subscribers are not receiving a regular YubiKey — they are receiving a limited edition YubiKey 4 with a laser-etched WIRED or Ars Technica logo. The cool factor is upped considerably here. 

Now, new WIRED and Ars Technica subscribers will be able to add the most secure, easy-to-use multi-factor authentication to their business and personal accounts. YubiKey support is available with services such as Google, Facebook, and Dropbox, plus popular password managers, and hundreds of other services — all with a simple touch.  

Looking to read about some of the best in tech? Are you an avid WIRED or Ars reader?  Want to get your hands on one of these limited edition YubiKeys? Check out the subscription information for WIRED and Ars Technica!

Ronnie Manning

Yubico CEO awarded KTH Great Prize

Yubico is proud to announce that our CEO and Founder, Stina Ehrensvärd, has been named the winner of the 2016 KTH Royal Institute of Technology Great Prize.  Founded in 1827, KTH is Sweden’s first polytechnic university and is one of Scandinavia’s largest institutions of higher education in technology.

Yubico CEO and Founder, Stina Ehrensvärd, awarded 2016 KTH Great Prize

First awarded in 1945, the annual KTH Great Prize was founded and funded from the proceeds of a 1944 anonymous donation.

According to the sponsor of the award, the prize shall be presented to, “A person who, through epoch-making discoveries and the creation of new values and by ingenious applications of findings gained on the practical aspects of life, promotes Sweden’s continued material progress, or a person who by means of scientific research has discovered particularly valuable principles or methods which are useful for applications, which promote the above purpose, or a person who through artistic activities exerts a powerful influence particularly on the spiritual life of her own people.”

“Stina Ehrensvärd is a very worthy recipient of the KTH Great Prize,” said Peter Gudmundson, President of KTH. “A combination of innovation and entrepreneurship is key to meeting society’s challenges, for both Stina and for KTH. IT security is absolutely critical in our digitized world, and this is why Stina’s effort is significant.”

Stina is extremely honored and happily surprised by this honor, but stresses that credit for Yubico’s success is not hers alone. “It would not have been possible without my great team at Yubico. And a special thanks to Jakob Ehrensvärd, the company’s CTO, and my husband, whom I would have liked to share this prize with. It has been said that behind every successful man stands a strong woman. In our case it is the opposite, and it’s Jakob who developed most of the technology.”

When asked to give advice to the next generation of innovators, Stina said, “Inspiration and hard work are the secret. Find a solution to a real problem. If it makes you so happy that the idea of devoting several years to implement this solution, product or service makes it hard for you to sit still, then you’re probably on the right track. Surround yourself with a really good team that complements you. Think big. Listen to your gut.”

Stina says that joining a list of KTH Grand Prize honorees is exciting and a little unreal.  Previous winners include: Niklas Zennström, Co-founder of Skype; Daniel Ek, founder of Spotify; Robyn, pop singer and producer; Jan Uddenfeldt, contributor to the GSM standard; Gunilla Pontén, fashion designer; and Assar Gabrielsson, Co-founder of Volvo.

Click to view the full list of KTH Great Prize winners.

Ronnie Manning

Yubico CEO and Founder wins Gold Stevie Award for Female Executive of the Year

We are proud to announce that Stina Ehrensvard, CEO and Founder of Yubico has been named the Gold Stevie Award winner for Female Executive of the Year – Business Products. The Stevie Awards for Women in Business were announced Friday, November 14. The awards shine a spotlight on women executives, entrepreneurs, and organizations run by women.

“Yubico has seen a tremendous 2014!” said Ehrensvard. “Our technology has been adopted by the leading Internet companies, and as a driving contributor of FIDO U2F we are defining new global standards for simple and secure login. This award speaks very highly, and is a clear result of amazing work from all members of the Yubico team.”

The Stevie, the Greek word for “crowned,”  is widely considered to be the world’s premier business award, and the 2014 awards received entries from 22 nations and territories. The awards presentations were broadcast live across the U.S.A., and simulcast around the world by Biz Talk Radio. The ceremony will be featured in a television special on Biz TV in January.

More than 160 executives worldwide who participated in the judging process this year selected the Stevie Award winners. Details about the Stevie Awards for Women in Business and the list of Stevie Award winners are available at www.StevieAwards.com/Women.

John Salter

YubiKey NEO & FIDO U2F: One Key for All Apps

I’ve been in this business for a long time and watched a lot of promise collapse and a fair number of snake oil salesmen flourish.

Strong authentication is one of those technology conundrums that always seems to be partially solved. The drawbacks of traditional one-time passcodes are well understood and we’ve always truly known their shelf life was limited.

I have been searching for something that would be more appropriate in today’s Internet, that would move past “partially solved” and would blossom into elegant simplicity spanning the technology, the plumbing and the user.

My eyes were opened to the answer while watching a room full of engineers work with their code — checking out, checking in, deploying live — and authenticating each time as they supported a massive cloud service that counts billions of users around the globe.

To cross each virtual security boundary the engineers simply press a small flashing Yubico YubiKey tucked into their USB ports to activate strong authentication. They were taking advantage of their body’s ability to hold an electrical charge and trigger a capacitance sensor.

A few years ago when I first saw this technology, I underestimated the capacitive touch. I did not think it had the needed security properties, but what I missed was how important it was to the end-user.

Once I realized that error, I began adding in the significance of the hermetically sealed, driverless YubiKey that is impervious to viruses and malware. I thought about its improvements over second-factor mobile devices that hackers can compromise, and over single sign-on, where conventional wisdom says authentication should happen as infrequently as possible then shared across domain boundaries.

I now understand security isn’t about limiting authentications but making hundreds, even thousands of them per day as easy as pushing another key on a computer keyboard. It’s a user-experience that requires zero training, even for technology’s bellwether grandmothers.

In addition, a previously missing piece is coming into focus with the FIDO Alliance’s Universal Second Factor (U2F) protocol, adding the standards-layer to enable one key to authenticate to all applications in our ecosystems while maintaining trust and end-user privacy.

Today, Yubico is releasing its YubiKey NEO with support for U2F and delivering it in two form-factors. This key will hold the promise of a significantly more secure online consumer experience, and a dramatic increase in enterprise security and ease-of-use.

This combination of all these factors (pun intended) leads me to believe we have our device and our extended shelf life for a proper “what you have” factor from a multi-factor authentication perspective.

And it has been a powerful enough epiphany for me after 30 years promoting and advancing strong authentication that I have joined Yubico as Chief Business Officer to explore this innovation and see it through to what I believe will be its rightful place in the security landscape.

As you will see in the coming weeks, my faith in these advancements will be validated by some of the most successful and influential Internet companies with arguably the largest end-user populations on the planet.

We can now challenge conventional wisdom around authenticating once then propagating credentials. I am a firm believer in SSO technology for gluing together computing across boundaries and would argue our SSO engines should play the primary role in directing identity traffic. They are, and will remain, essential in modern web architectures.

But, I argue fresh primary credentials trump older secondary credentials every time. Application designers have never thought of a world where it is possible or desirable to verify primary credentials not just one time but many times. That world is coming into focus and I’m excited to have a front row seat, again.

John Haggard is Chief Business Officer at Yubico

John Fontana

Welcome to the Future, It’s about to Get Really Interesting…

This week ushered in my start with Yubico and I couldn’t be happier to be a part of what is going on here. The challenge in any new job is that while your colleagues are at a full-on run, you’re still learning how to walk. But after five days, I do know I better catch up to them soon because the advancements and opportunities related to authentication technology are poised to come forward fast and furious.

Apple’s iPhone event next week is a hint at security and usability improvements that will spread across the industry. While Apple is initially focused on electronic payment transactions, you could easily swap in the word “authentication” for “payment” and get a picture of where things are going.

The new iPhone 6 by all accounts will show up with NFC support, which is sweet music to the electronic payment system folks. Why? Because they can insert new levels of security and fraud protection leveraging the chip technology infrastructure without upsetting the familiar end-user experience of using the card. And they can do it without passing through software susceptible to malware.

They can provision shared secrets, thus protecting real credit card numbers throughout the transaction process and thwarting hackers via a scheme known as issuer tokenization.

“Now if someone steals transaction records from Home Depot, they get one-time numbers that are useless, it totally kills all these breaches,” said Steve Sidner, an independent security and payments consultant based in Omaha, Neb.

Chip-and-pin cards, well known in Europe and coming by mandate to the U.S. next year, are proof that the system works. (The devil in the details is the cost for swapping out current technology in POS systems and issuing new cards).

But the real sweet music to security wonks: there is virtually zero convenience/security trade-off, which has always been the barrier to end-user entry.

That is a win for customers and vendors.

Take that same scenario, but think about an authentication transaction rather than a financial transaction. It works in a similar way but with a different flow. Think of a simple yet elegant hardware-based way to exchange public keys and private secrets, think of no software installs, think of a contactless device that wakes up your phone and announces it is there for a private conversation around strong user authentication.

Think of that same scenario with other contactless technologies.  Think of form factors from earrings to watches to clothing.

Major companies with a significant stake in online services and applications are certainly thinking about all that.  And they are poised to roll out first phases, not next year, but by the end of this one.

The FIDO Alliance is thinking about it and how to run it over a standard set of protocols — and, of course, the Alliance contains some of the same card issuers salivating over Apple joining the NFC device party with rival Android.

And I have been thinking about all this. That is one reason I am at Yubico trying to help get the message out about the potential for a major shift and a run at finally gaining a significant share of end-user acceptance for stronger security.

I wrote about this yesterday on my blog Identity Matters that runs on the technology web site ZDNet.

Pay attention to what happens next week within Apple’s initial limited NFC scope, but keep in mind the bulk of the benefits are more widespread and still to come.

I think the YubiKey is poised to fuel this market with its one-touch strong authentication.

The one thing that jumped out at me is when you insert the key into a USB port it looks like an external keyboard to your computer. So in essence strong authentication is added to your computer by including just one additional key to the 78 or so that are already on a typical computer keyboard.

Strong authentication delivered with a keystroke, likely one of the oldest and most understood end-user experiences in computing. As just one example, the strong authentication experience is already familiar to scores of engineering teams, who securely log in hundreds or thousands of times a day just by touching the one extra key.

That is cool. I’m really interested to see where all this can go.

Jakob Ehrensvärd

YubiKey & BadUSB

Updated Oct. 22, 2014 to include information on Security Key

We have received a few questions regarding the “BadUSB” concept, presented at BlackHat 2014. This was picked up by wired.com, where the problem domain is somewhat expanded into a claim that the “Security of USB Is Fundamentally Broken”.

Although there are a few different (and known) issues presented, the main claim here is the possibility to turn a legitimate USB device into an evil one by replacing its genuine firmware with a malign image. The authors describe USB devices, but this general concept applies to almost all types of devices having the capability to upgrade the firmware in the field, a process known as Device Firmware Upgrade (DFU).

The concept of creating “hardware Trojans” is interesting (and scary) and gained quite some attention in the early 1990s when the first field-upgradeable flash BIOSes for PCs became available. It was then shown that by replacing a legitimate BIOS with a hacked image, malign functionality could be implanted deep into the functionality of a PC, beyond reach of anti-virus software.

However, although conceptually feasible, such attacks are not that easy to execute in practice or to make widespread. There are quite a few reasons for that.

  1. Many low-end USB devices do not support DFU, either because the firmware is factory-programmed in a non-alterable mask ROM, one-time-programmable ROM or simply because there is no DFU mechanism implemented. Supporting DFU adds cost and complexity and therefore makes little sense for low-cost mass-market devices, such as thumb drives, card readers, keyboards and mice.
  2. To perform DFU, often some active (and usually quite awkward) sequence has to be performed by the user, such as holding a button while the device is power cycled. Then, a specific executable has to be run in the computer where the device is connected to perform the actual firmware upgrade. This is not something that is likely to happen without the user actively initiating it.
  3. An attack of this kind has to be targeted on a per-device-model basis, and then requires extensive knowledge of the particular implementation, including reverse-engineering. An attack that works for a specific device will only work for that particular version of the device. Blasting a large number of users and trying to fool them into upgrading with a malign image seems somewhat unlikely to have more than a marginal impact.
  4. Many low-end USB devices have limited memory capabilities which cannot be upgraded with a firmware that can do anything really evil while maintaining their intended function. So, if the device is infected, it won’t be able to perform what it was designed to do. High-end devices, such as MP3-players, cameras and phones are a different story, but there the problem can be mitigated by code signing.

There are probably quite a few devices out there that do not implement basic countermeasures against what has been listed above, but probably the biggest issue with DFU is that the user accidentally bricks a device when an update fails or stalls before it has been completed. This is an implementation issue and should be seen as a design flaw by the vendor rather than a system-wide problem.

One can wonder if low-end USB devices, such as thumb drives, are in fact the scariest targets for malign firmware, and also why these would implement or require DFU. Phones, network routers and gateways with extensive memory and processing capabilities, together with constant network and power connection, seem to be more obvious and attractive in this respect. Here, the number of vendors is smaller and DFU is supported on a more general scale.

Seen from a different angle, one can ask if this is really a USB problem or a consequence of the fact that devices (above the complexity of a thumb drive) are nowadays frequently (and very fundamentally) updated. Replacing the operating system in a tablet, or the firmware image in a printer, phone or network router, does not require USB – it is done directly via the network connection. The scalability and harm of such attacks are probably orders of magnitude worse than what can be accomplished on a per-device basis via USB.

The question then inevitably becomes – so how does this all affect current Yubico products, which obviously are USB devices?

With regards to the FIDO U2F Security Key by Yubico and DFU…
– There is not a DFU mechanism in the Security Key and hence it cannot be updated.

With regards to the YubiKey Standard and DFU…
– The firmware is in non-alterable ROM and hence cannot be updated.

With regards to the YubiKey NEO and DFU…
– The YubiKey NEO technically does support DFU, but requires the new firmware image to be signed by us. Yubico does not endorse nor support use of DFU for users.

With regards to the YubiHSM and DFU…
– The device does not implement DFU and hence cannot be updated.

With regards to a USB device being a carrier for malign files…
– The YubiKey or YubiHSM do not support Mass Storage Device (MSD), so they cannot carry infected files or data.
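
The code-signing mitigation named in point 4, and the signed-image requirement described for YubiKey NEO DFU, can be sketched as a bootloader-side acceptance check. This is an added example, not Yubico's code or update format: the container layout, the model and version fields, the function names and the toy RSA key are all assumptions, and the rollback check goes one step beyond what the post describes.

```python
"""Sketch of a signed-firmware gate in front of a DFU flash routine.

Hypothetical container: header (magic, model id, version) + payload + signature.
The signature is RSA PKCS#1 v1.5 with SHA-256 over header and payload together,
so the model and version fields cannot be swapped without breaking it.
"""
import hashlib
import hmac
import struct

# Constructed demo key, NOT secure: the primes are well-known Mersenne primes,
# used only so the example is deterministic and runs offline. A real vendor key
# is generated randomly and its private half stays with the vendor.
_P = 2**521 - 1
_Q = 2**607 - 1
VENDOR_N = _P * _Q                       # public modulus, baked into the device
VENDOR_E = 65537                         # public exponent
_VENDOR_D = pow(VENDOR_E, -1, (_P - 1) * (_Q - 1))  # private, build side only
KEY_BYTES = (VENDOR_N.bit_length() + 7) // 8

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

MAGIC = b"DFU1"                          # hypothetical container magic
HEADER = struct.Struct(">4sHI")          # magic, model id, firmware version


def _emsa_pkcs1_v15(message: bytes) -> bytes:
    """Build the full padded block that a valid signature must decrypt to."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    padding = b"\xff" * (KEY_BYTES - len(t) - 3)
    return b"\x00\x01" + padding + b"\x00" + t


def sign_image(model: int, version: int, payload: bytes) -> bytes:
    """Vendor build step: append a signature over header + payload."""
    body = HEADER.pack(MAGIC, model, version) + payload
    sig = pow(int.from_bytes(_emsa_pkcs1_v15(body), "big"), _VENDOR_D, VENDOR_N)
    return body + sig.to_bytes(KEY_BYTES, "big")


def accept_image(blob: bytes, device_model: int, installed_version: int):
    """Device side: return (ok, reason). Flash only when ok is True."""
    if len(blob) < HEADER.size + KEY_BYTES:
        return False, "truncated"
    body, sig = blob[:-KEY_BYTES], blob[-KEY_BYTES:]

    # 1. Verify the signature before trusting any field inside the image.
    s = int.from_bytes(sig, "big")
    if s >= VENDOR_N:
        return False, "bad signature"
    recovered = pow(s, VENDOR_E, VENDOR_N).to_bytes(KEY_BYTES, "big")
    # Compare the whole padded block; parsing the padding loosely is the
    # classic way PKCS#1 v1.5 verifiers end up accepting forged signatures.
    if not hmac.compare_digest(recovered, _emsa_pkcs1_v15(body)):
        return False, "bad signature"

    # 2. Only now interpret the (authenticated) header.
    magic, model, version = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic"
    if model != device_model:
        return False, "wrong model"
    if version <= installed_version:
        return False, "rollback"        # refuse older, possibly flawed images
    return True, "ok"


if __name__ == "__main__":
    image = sign_image(0x0401, 5, b"\x90" * 64)      # constructed payload
    print(accept_image(image, 0x0401, 4))            # genuine update
    patched = bytearray(image)
    patched[HEADER.size] ^= 0x01                     # one flipped payload bit
    print(accept_image(bytes(patched), 0x0401, 4))   # rejected
```

The order of the checks matters: nothing in the header is parsed until the signature over it has verified, so a modified image is rejected before any of its contents influence the device.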

David Maples

The Future of Online Authentication

Last week, Yubico delivered a glimpse into the future of online authentication with a presentation at Mozilla. If you missed the live talk about FIDO Alliance Universal 2nd Factor (U2F) and in-the-browser authentication for the mass market, please watch the archived video below.

In the 60 minute presentation, Yubico discusses the motivation behind U2F, provides a demo of U2F in action, explains the user privacy and security issues that are addressed, highlights the importance of browser support for U2F and dives into some key details about the protocol.

FIDO Alliance U2F is a new, open authentication standard focused on adding public-key cryptography to existing password authentication mechanisms, offering high security with friction-less user experience. U2F represents a crucial step in driving the rapid adoption of strong authentication technology, where the user will be able to use a simple password/passcode, which even if compromised, does not compromise the user’s identity. The elegance of the protocol lies in the fact that the user in possession of the authenticator can authenticate to any number of web-based services using only one device, without the need to install any drivers or client software. The added benefit of U2F also lies in the simplicity of how this protocol can be easily integrated into an existing password authentication model.

For more background on Yubico’s work with the FIDO Alliance and the future YubiKey NEO with U2F, please visit here.

Stina Ehrensvard

Yubico at TechCrunch Disrupt

As a Swedish-American innovator, Yubico has been selected to represent cutting edge Swedish innovation, and will demonstrate the YubiKey NEO on Tuesday, September 10, at the Nordic Pavilion at TechCrunch Disrupt.

At the event, Yubico will also outline the basics for U2F (Universal 2nd Factor), the new online security standards initiative, developed by Google, Yubico and NXP, focused on scaling high security smart card technology beyond government and enterprise to every Internet user. The YubiKey NEO with initial U2F specifications is already successfully proven with thousands of users, and by the end of the year, we expect more than 200,000 YubiKey NEOs will be deployed within Google and elsewhere for U2F authentication.

To TechCrunch Disrupt web site

Stina Ehrensvard

Yubico joins FIDO Alliance

Yubico has joined FIDO Alliance as a board member, and will be a part of the Universal 2nd Factor (U2F) working group that Google is creating, focusing on open authentication standards work for strong, universal second-factor devices.

The U2F working group will continue the work that was presented earlier this year in an IEEE paper and Wired, based on the technical specifications that have now been successfully proven with thousands of YubiKey NEOs and users. By the end of the year we expect more than 200,000 U2F protocol compliant YubiKey NEOs being deployed within Google and elsewhere.

U2F will be available as a stand-alone offering, and the working group will also collaborate closely with the already existing FIDO UAF Technical working group, to ensure harmonization of specifications. UAF aims to create a web eco-system including a broader range of authentication methods, including biometrics.

 

David Maples

miiCard Proofs Identities with YubiKey

Online identity proofing service miiCard can prove an individual’s identity to the level of an offline photo ID check in minutes and purely online. By now adding YubiKey authentication to miiCard’s bank level ID verification service, the most secure and high value transactions can be performed online. Read more about how miiCard and YubiKey can make online identification safe and secure in the full press release and on our partner site!

Read full press release

Visit MiiCard’s YubiKey Protection Page

Stina Ehrensvard

The Future of Authentication FAQ

A selection of questions we have received and answered on YubiKey NEO and Universal 2nd Factor (U2F), since this new open authentication standards initiative was announced in Wired Magazine and the Yubico identity vision blog.

Why do you want to kill the password?

We don’t. Yubico does and will continue to recommend two-factor authentication, consisting of a PIN or password in addition to a device which generates new and encrypted pass codes every time it is used, such as the YubiKey. The best security practice is to use something you have with something you know. With the YubiKey, the password becomes a supporting element rather than the main defense; thus a simple PIN suffices to protect you against misuse of your YubiKey by those around you.

 

What is the user experience of YubiKey NEO and U2F?

It is easier to use a YubiKey NEO with U2F than logging in with a username/password. With NFC mobile devices, all you need to do is to enter a PIN and tap the YubiKey NEO to an NFC-capable phone or tablet. With computers, you place the YubiKey NEO in the USB port, enter a PIN and touch the device. And you will only need a YubiKey and a simple password for any number of services. To see how it works, watch this video.

 

Why is a hardware key better than software-based authentication methods?

A software application, regardless of whether it’s on your computer or your smart phone, can be easily targeted and misused by malware – which has already happened to SMS and authentication apps. The best security practice is to move login credentials to a separate hardware device not connected to the Internet. To further improve security, it is recommended to use PKI encryption with session security, and a user presence touch button, features uniquely provided by the YubiKey NEO and the U2F specifications.

 

Will U2F support software-only implementations?

The initial U2F deployments inside Google and elsewhere are all based on hardware devices. However, for lower security applications, U2F software-only implementations are likely to be offered down the road.

 

Why can’t I have my identity and a security chip integrated in my device instead?

A user identity, including U2F specifications, can be integrated directly in your smartphone or computer using TPM, Arm TrustZone, SIM Card or a secure element. While this approach reduces the number of separate devices needed, it has notable disadvantages from a security, privacy and mobility perspective.

Security – Identity and authentication technologies that are permanently connected to a computer or phone fail to meet the “not connected to the Internet” best practice for storing sensitive secrets. These devices are all more or less exposed to malware, malicious apps, Wi-Fi exploits and VPN masking. In addition, they don’t help against the social attacks (i.e., software tricking the user into doing something unintended) which will continue to be the easiest way to attack users. Those social attacks will always be available on general multi-purpose devices where users can download and install apps on their own, and provide an avenue to attack the secure elements directly.

Mobility – With your credentials tied to an integrated device, it may be difficult to move your identity between other devices, or to use a computer at a hotel or friend’s house. For the majority of high security applications that are performed on computers, it may not help to have an identity tied to a phone, as there is no communication standard between all computers and mobile devices.

Privacy – The device identity may be controlled or monitored by the telecoms provider or other party, which may add cost, complexity and privacy concerns. In a time of “Big Data” and government surveillance, many enterprises and individual users have concerns about privacy. What’s more, tying your identity to a device does not easily allow for multiple identities, such as separate identities for work and personal accounts.

 

Why would users want to have multiple identities?

U2F and Yubico support an open identity eco-system where users can be secure – but still guard privacy. Just as with email, many users choose to have multiple accounts: a real/personal, a real/job and a high-privacy/alter ego or spam email account. We want to help you to prove that you are the legitimate owner of an account, while not requiring additional personal information. We also want to support use cases where identities are used for a limited time and revoked when needed. We believe you should be in control of how sites track you over your digital life. With the YubiKey NEO and U2F minting new private/public key pairs for each site, tracking across sites is not enabled.

 

I still do not like to have to keep track of one more thing.

You will not need to. U2F is designed for secure elements (high security chips) that can be integrated into many of the things you are likely to carry with you today: a card in your wallet, a key in your key-chain or directly in your phone. Therefore the U2F technology gives you the choice: you can use it embedded into your existing devices for low-risk purposes, or use U2F via a YubiKey NEO when you want better mobility, privacy and security properties.

 

So, what about fingerprints or face recognition?

We don’t believe that biometrics sent over the wire to authenticate users is appropriate for privacy and security reasons: your fingerprint is a static and unique image that can be copied and misused – but not revoked. However, once the technology is proven to be more dependable, biometrics to unlock a phone or computer could be useful, as long as the actual interaction and authentication are done between a security chip in the device and the server. But as discussed earlier, having a security chip permanently tied to a computer or phone device may have limitations from a security, privacy and mobility perspective.

 

When will NFC get mass adoption?

The majority of high security applications requiring strong second factor login are still performed from a computer with a USB-port. To address the growing use of mobile devices, YubiKey NEO and U2F also support NFC. While Apple is waiting to adopt NFC, their competitors, who represent a combined 80% smart phone market share, will have sold more than 200 million NFC enabled devices in 2013. Banks are pushing NFC enabled payment solutions and critical mass is being achieved in several countries. Once the next generation NFC credit- and debit cards have been deployed, allowing “one touch” secure payments directly on your own phone and computer, there will be a market demand for NFC on all devices and platforms.

 

How does the Yubico identity vision relate to federated identity services?

It is very complementary to SAML, OpenID Connect, etc., as these protocols enable powerful single sign-on opportunities but need to be combined with two-factor authentication. U2F is based on a PKI infrastructure where every service provider can optionally also be their own identity provider. When user data and cryptographic secrets do not need to be shared between service providers, both security and user privacy can be enhanced.

 

Why would users want to pay for their online identity?

In a time where users’ personal information is collected and used by a growing number of organizations, many users are growing concerned about privacy. Once a single U2F device can be used for a multitude of popular services, users will want to buy, own and control their own online identity, that does not need to be tied to a service provider. Also, with a physical U2F device, users will be ensured that their online identity is well protected and is not being exposed to malware, which has already happened to software authentication apps. Some service providers will offer financial incentives for users to buy and use a U2F device with their service, but many users will also be willing to pay for it themselves. In partnership with leading password managers, Yubico has already proven that there is a real market demand for a single and secure authentication hardware solution. Also, the millions of end-users who have purchased anti-virus software, prove that we are willing to pay to protect ourselves on the Internet.

The U2F and the NEO technology still allows enterprises and organisations to purchase larger volumes of devices and put them in the hands of their users, so you can choose between the model where the user acquires and owns the device and the model where the service organisation purchases and deploys the device.

 

What would happen if a user loses a U2F device?

A user will be able to have multiple and back-up U2F devices enrolled with an account, with the possibility to easily disable a lost device. Similar to other account recovery processes, the service provider may also choose to send “recovery codes” over email or phone as a back-up to the physical device. Ultimately, revocation is something that needs to be resolved by each website that authenticates users because they have the direct relationship with the user. U2F does not solve this problem, but makes it easier to have stronger recovery processes by introducing new authentication factors.

 

Why can’t we use Big Data to fix the authentication problem?

Server side risk evaluation software has its place in services, especially involving high-value transactions. However, easy-to-use strong authentication is critical in striking a balance between ease of use, reducing false positives and eliminating fraud. Computers, phones and networks will never be free from malware, and users will need to move their secure identity between devices and services. The YubiKey NEO with U2F enables true end-point authentication, where we only need to trust a key in our pocket and the services it connects to.

 

What are the main barriers in the broad adoption of YubiKey and U2F?

The inventor of the 3-point seatbelt at Volvo realized that security needs to be really quick, simple and made into an open standard to scale. Online authentication for the masses has the same requirements. A YubiKey with U2F is easier to use and more secure than traditional two-factor solutions, and is being supported and deployed by leading Internet thought leaders, including Google. This is a great start, but just like the seat belt, mass adoption will be derived from more severe accidents, increased concerns about security and privacy, and government and industry regulation.

 

What is the business incentive for driving a new open authentication initiative?

Yubico recognizes the potential that a higher level of authentication using PKI can offer, designed with better usability and less complexity than solutions available today. We found that Google’s authentication efforts are aligned with these goals. To support a next generation secure Internet, scaling our technology to as many services as possible, our approach is to make U2F a new and truly open standard.

 

How would you make high security transactions with a device you could purchase at your corner store?

For some identities you may choose to be secure and “anonymous”. For services requiring a higher level of identity assurance, you would bring your identity device along with your Passport, driver licence or ID to an official location which would associate your U2F device with your real identity. There are also online services offering identity proofing which could accredit your device.

 

What authentication technology initiative do you see as your biggest competitor?

All initiatives in this space help to educate and challenge the market for something better than the legacy username/password. There will not be one single authentication method and security protocol to rule the world, but the winners will address different needs and be open and interoperable. And Yubico’s focus is to make online authentication as easy and affordable as possible, yet retaining the highest level of security and privacy.

David Maples

Meet Yubico at RSA Conference

The Yubico team will be attending the RSA conference in San Francisco, February 25th – 28th.
We will have the YubiKey NEO on demonstration, featuring NFC functions like the OATH TOTP generator for Android and LastPass.

Come see us at the OATH Pavilion, Booth #829.

We look forward to seeing you!

Ronnie Manning

Yubico Launches YubiHSM 2: The World’s Smallest and Best Price/Performance Hardware Security Module, Providing Root of Trust for Servers and Computing Devices

PALO ALTO, CA – October 31, 2017 – Yubico, the leading provider of authentication and encryption hardware devices for the modern web, today launched the YubiHSM 2, a new, cost-effective Hardware Security Module (HSM) for servers and IoT gateways. The product delivers the highest levels of security for cryptographic digital key generation, storage, and management, supporting an extensive range of enterprise environments and applications.


The YubiHSM 2 differs from traditional HSM models — historically limited in use by cost, size, and performance — by offering advanced digital key protection capabilities and benefits at a price within reach for all organizations. Delivered in an ultra-slim “nano” form factor, the YubiHSM 2 fits inside a USB port, eliminating the need for bulky additional hardware, and offers flexibility for offline key transfer or backup. 

Essential security features, including hashing, asymmetric, and symmetric cryptography, are supported by the YubiHSM 2 to protect cryptographic keys while at rest or in use. These keys are most often used by certificate authorities, databases, code signing, and more, to secure critical applications, identities, and sensitive data in an enterprise. Furthermore, the integrity and privacy of commands and data in transit between the application and YubiHSM 2 are protected using a mutually authenticated, integrity- and confidentiality-protected tunnel.

“It’s estimated that 95% of all IT breaches happen when a user credential or server gets hacked. For years Yubico has been protecting user accounts from remote hijacking with our unphishable YubiKey authentication devices, but we knew that millions of servers storing sensitive data were still lacking physical security,” said Stina Ehrensvard, CEO and Founder, Yubico. “It was important to us that we brought a solution to market that embodied the signature Yubico standards of high-security, convenience, and affordability. Now, with the addition of YubiHSM 2, we can enable critical server security for organizations worldwide — regardless of size or budget.”

Common use cases for the YubiHSM 2 include protecting cryptographic keys stored on servers used in data centers, cloud server infrastructures, manufacturing and industrial services. Critical security benefits include:

  • Secure Microsoft’s Active Directory Certificate Services – YubiHSM 2 provides a cost-effective hardware-backed key to secure digital keys used in a Microsoft-based PKI implementation. Deploying YubiHSM 2 to Microsoft Active Directory Certificate services not only guards the CA root keys but also protects all signing and verification services using the root key.
  • Enhance Protection for Cryptographic Keys – YubiHSM 2 offers a compelling option for secure generation, storage and management of digital keys including essential capabilities to generate, write, sign, decrypt, hash and wrap keys.
  • Enable Hardware-Based Cryptographic Operations – YubiHSM 2 can be used as a comprehensive cryptographic toolbox for a wide range of open source and commercial applications. The most common use case is hardware-based digital signature generation and verification. The YubiHSM 2 features can be accessed through Yubico’s Key Storage Provider (KSP) for industry-standard PKCS#11 or Microsoft’s CNG, or via native Windows, Linux and macOS libraries.

Additional features include optional network-sharing, role-based access controls, remote management, M of N wrap key backup and restore, tamper evident audit logging, concurrent connections (up to 16), and extensive cryptographic capabilities (RSA, ECC, ECDSA (ed25519), SHA-2, and AES).

For more information on the YubiHSM 2, visit https://www.yubico.com/products/yubihsm. Units are available for purchase at www.Yubico.com/store for $650 US. To learn more about Yubico and the company’s products and ecosystem, please visit www.Yubico.com.

 

About Yubico
Yubico sets new global standards for simple and secure access to computers, servers, and internet accounts.

The company’s core invention, the YubiKey, delivers strong hardware protection, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico’s ultra-portable hardware security module, protects sensitive data stored in servers.

Yubico is a leading contributor to the FIDO Universal 2nd Factor open authentication standard, and the company’s technology is deployed and loved by 9 of the top 10 internet brands and by millions of users in 160 countries.

Founded in 2007, Yubico is privately held, with offices in Sweden, UK, Germany, USA, Australia, and Singapore. For more information: www.yubico.com

 

Media Contact
Ronnie Manning
Senior Director, Public Relations
Yubico
619.822.2239
ronnie@yubico.com

Ronnie Manning

Yubico Launches the YubiKey 4C Nano, the World’s Smallest USB-C Authentication Device, at Microsoft Ignite

PALO ALTO, CA and ORLANDO, FL – Sept. 25, 2017 – Yubico, the leading provider of authentication and encryption hardware devices for the modern web, today launched the YubiKey 4C Nano, the world’s smallest, multi-protocol USB-C authentication device available. Yubico will demonstrate the new YubiKey USB-C form factor at the Microsoft Ignite conference (booth #2063) in Orlando, Florida on September 25-28, 2017.


The YubiKey 4C Nano is an engineering and product design triumph, delivering enterprise-grade authentication functionality within a micro-sized hardware device. Its innovative ultra-slim USB-C form factor (12mm x 10.1mm x 7mm) is designed for use with the latest devices featuring USB-C ports, such as newly designed Mac and PC laptops. To enable the device to sit in the USB-C port as a semi-permanent installation, Yubico engineered a patent-pending connector design, creating the smallest USB-C authentication device on the market.

The YubiKey 4C Nano supports multiple authentication protocols similar to the other keys built on the YubiKey 4 platform, including the YubiKey 4, YubiKey 4 Nano, and YubiKey 4C. With one touch, it performs strong crypto and touch-to-sign, FIDO U2F (Universal 2nd Factor), one-time password (OTP), smart card (PIV), and smart card (OpenPGP).

When Yubico launched the YubiKey 4C keychain design in February 2017, customers demanded an even smaller YubiKey form factor with a USB-C design akin to the YubiKey 4 Nano. The YubiKey 4C Nano answers that demand, providing easy-to-use, strong two-factor authentication for secure, one-touch login.

“As we continue to see an onslaught of hacks and data breaches resulting from weak or stolen login credentials, two-factor authentication with the YubiKey is the easiest and most secure way to protect enterprise and consumer identities, accounts, and data,” said Stina Ehrensvard, CEO and Founder, Yubico. “We designed the YubiKey 4C Nano to be the most powerful USB-C authenticator on the market, built for the future as USB-C ports become more prevalent across mobile and computing devices.”

Requiring only a simple touch to authenticate, the YubiKey 4C Nano secures access to a wide range of enterprise and cloud-based applications, including Windows smart card login and Windows Hello functionality, U2F strong authentication (Facebook, Google, Dropbox, GitHub, Salesforce, etc.), password managers (LastPass, Dashlane, etc.), remote access, VPN, and much more. The YubiKey works on Microsoft Windows, Mac, Linux, and is supported natively in Chrome, Opera and in the pre-beta release of Firefox Nightly, eliminating the need for extra client software or drivers.

The YubiKey 4C Nano is available today at www.Yubico.com/store for $60 US. For more information on Yubico and the company’s products and ecosystem, please visit www.Yubico.com or stop by the Yubico booth #2063 at Microsoft Ignite.


Ronnie Manning

UK Becomes the First Government to Offer Secure Online Identities Based on FIDO U2F Standards

STOCKHOLM & AMSTERDAM, March 23, 2016 – Yubico, the leading provider of simple, open and strong authentication, and Digidentity, a leading identity service provider, today announced a partnership to enable FIDO Universal 2nd Factor (U2F) authentication and YubiKeys for UK government services. The joint solution allows all UK citizens to easily and securely access GOV.UK Verify digital public services.

Compromised online identities have reached a level that has exposed the weaknesses in usernames and passwords as well as traditional software security solutions. Government services around the world have a growing demand for strong two-factor authentication, but traditional hardware technologies have been too costly and complicated to scale for most countries and internet users.

The new open authentication standard FIDO U2F changes that model. Successfully deployed and supported by leading commercial service providers, including Gmail and Dropbox, FIDO U2F is now also supported in UK government services, including for identity assurance.

GOV.UK Verify is a new, simple way for UK citizens to access an increasing range of UK government services online. This is the first government service in the world to support simple and strong FIDO U2F authenticators. The service works using a roster of identity providers, who check and confirm a user’s identity before they can access a government service. Digidentity is one of the UK government’s certified identity service providers.

“UK citizens can easily purchase a FIDO U2F device online and register it with Digidentity,” says Marcel Wendt, Digidentity CTO and co-founder. “With a quick online process, the user’s identity is verified and tied to the U2F device, and the data is encrypted to safeguard a user’s privacy. We are pleased to partner with Yubico, a driving contributor of the FIDO U2F standard, to make this happen.”

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F YubiKey device into their computer’s USB port, and then touches the device. There are no drivers or client software to install. Later this year, U2F authentication via Near Field Communication (NFC) and Bluetooth will be supported by Digidentity for secure login from mobile devices.

“We are impressed with the online identity services that GOV.UK and Digidentity have developed and are now offering to UK citizens,” says Stina Ehrensvard, CEO and founder, Yubico. “We share their mission of making secure online identities easy and available for everyone.”

YubiKeys with FIDO U2F support are available (starting from £13/$18) at Amazon.com or from the Yubico Store. The same U2F key that works with GOV.UK Verify and Digidentity also works for logging in to a growing number of large scale commercial services, without any personal data or encryption secrets shared between service providers.

About Yubico
Yubico sets new world standards for simple, secure login, preventing unauthorized access to computers, servers, and internet accounts.

Supporting multiple authentication and encryption protocols on all devices and platforms, YubiKeys protect access to user accounts for the world’s largest enterprises with a simple touch, and with no driver or client software needed. Yubico is a leading contributor to the FIDO Universal 2nd Factor open authentication standard, and Yubico’s technology is used, and loved, in more than 150 countries.

Founded in 2007, Yubico is privately held with offices in Sweden, US and UK. For more information, please visit www.yubico.com.

About Digidentity
Digidentity makes your online life simpler and safer by enabling secure and verified digital identities for everyone.

To do this, Digidentity developed services focused on a unique digital identity, where the user and their privacy are key. Digidentity is also a supplier of SSL certificates and qualified digital signatures. Digidentity provides national digital identity solutions to the Dutch and British governments, as well as solutions for a large variety of organizations. Providing identities to more than 12 million Europeans, Digidentity executes more than 150 million secure online transactions per year between people, organizations, and governments.

Founded in 2008, Digidentity is privately held in The Netherlands. For more information, please visit www.digidentity.com.

Media Contact
Ronnie Manning
Director, Public Relations
Yubico, Inc.
Ronnie@Yubico.com
1.619.822.2239

Ronnie Manning

YubiKey and U2F at CES ShowStoppers – Yubico Demonstrates Mobile Contactless, Tokenless, and Passwordless Authentication

PALO ALTO, CA, JAN. 6, 2016 – Yubico, the leading provider of simple and open online identity protection, today announced it will be participating at ShowStoppers @ CES (Consumer Electronics Show) 2016.  Yubico will be demonstrating the first FIDO U2F-certified NFC-enabled YubiKey and a preview of a software-based U2F mobile client that brings public-key cryptography to both consumer and enterprise mobile users with a tokenless and passwordless experience.

YubiKey NEO

One Touch, Secure Login with YubiKey at ShowStoppers @ CES

Yubico will be exhibiting at booth B-12 at ShowStoppers on Wednesday, January 6, 2016, 6-10 p.m., at the Wynn Las Vegas.

Hacking, data loss, and identity theft are no longer just a concern for enterprises, but a threat that reaches everyone online. The time is now and the technology is here for consumers to protect themselves beyond just a username and password. Yubico’s YubiKey holds the promise of a more secure online and mobile consumer experience, and a dramatic increase in enterprise security.

The YubiKey NEO is the first device certified for U2F mobile authentication over NFC (Near Field Communication).  At ShowStoppers, Yubico will demonstrate how a single YubiKey NEO securely authenticates to both online services via USB and a U2F supported mobile login, with a simple tap of the YubiKey to an NFC-enabled mobile device.

“2016 is the year when FIDO U2F will unfold its promise of a ‘universal’ second factor,” said Stina Ehrensvard, CEO and Founder, Yubico, Inc. “This year, we expect to see many more large-scale online service providers announce their support for U2F and YubiKeys, targeting both consumers and enterprises.”

Also at ShowStoppers, Yubico is demonstrating a software-based U2F mobile client (iOS/Android) that does not require additional hardware. With the U2F mobile client, second-factor authentication can be a password or the fingerprint used to unlock the phone, enabling the first tokenless and passwordless user experience for FIDO U2F.

While external hardware authenticators without internet connections offer the highest level of identity protection, Yubico’s U2F mobile client provides a heightened level of security compared to a static username and password login. As an example, an online bank that adds support for U2F can allow its mobile users to perform lower-value transactions using the U2F mobile client only, while higher-value transactions would require U2F hardware authentication.

The YubiKey NEO is available today at Amazon.com and Yubico web store for $50 (single quantity retail price).

Media Contact
Ronnie Manning
Director, Public Relations
619.822.2239
Ronnie@Yubico.com