
Ronnie Manning

We Love Third-Party Validation!

It’s always rewarding when you see third-party validation of your company’s product, and that is why today started off so well.

In separate articles published today, Yubico’s YubiKey was highlighted for its tight security and ease of use by authors Don Sambandaraksa at, which is aimed at the telecom market, and Greg Harvey, co-founder and director at Code Enigma, which offers secure Linux hosting.

Both articles not only speak to the crypto power of the YubiKey, but its flexibility in terms of strong authentication options (including eating the key, really! but please don’t try this at home!) and Yubico’s commitment to open source software and the possibilities it provides.

Sambandaraksa’s article focuses on YubiKey’s OpenPGP support, how a private key is protected and YubiKey’s ability to solve “the usability / security trade-off that has hampered widespread PGP adoption on mobile devices.”

Harvey focuses on YubiKey’s one-time password capability to help protect access to production servers at Code Enigma, including how it is hack-proof, how the key can be certified, and the use of open-source YubiCloud software. Harvey also includes a great tutorial video: Using YubiKeys to secure Debian Linux.

Want to know who else has covered Yubico and YubiKeys lately? See our In the News section.

(image courtesy of Code Enigma)

Stina Ehrensvard

Google Unveils FIDO U2F Security Key Support

Google today announced on its security blog an extra layer of security for Google Accounts based on the emerging strong authentication standard Universal 2nd Factor (U2F).

This is a good day for the Internet.

As a driving contributor to the FIDO U2F specifications, Yubico celebrates this big day by releasing a new blue campaign version of our YubiKey that is designed to work with the U2F support Google has added to Chrome. This U2F-only Security Key, as well as our multi-technology YubiKey NEO, pioneers the market for U2F devices.

This U2F support is a milestone in a standards journey that began a couple of years ago. Along with Internet thought leaders, we recognized the advantages of high-security public key cryptography for scalability and for protecting against advanced Trojans, phishing and man-in-the-middle attacks. With a mission to make great security available for every Internet user, we decided to focus on the essential: to keep it really lean.

Below is a short summary of the main differentiators between U2F security keys and traditional smart card- and hardware-based authentication devices:

  • No need for drivers, client software or middleware – uses native drivers and support built directly into the browser. No installation, no configuration – it just works!
  • Highly scalable while protecting your privacy – generates a new set of keys for every service, stored only on the specific service it connects to. With this approach no secrets are shared among service providers, and even low-cost security keys can support any number of services.
  • Great user experience – to register and authenticate, all it takes is a simple touch of a button!

In January 2013 Wired Magazine first wrote about the U2F project. In response to all the inquiries Yubico received, we published a blog post summarizing our vision of a single key for securing access to the whole Internet. Since then, U2F has continued to develop within the FIDO Alliance open standards consortium.

And now our vision has been turned into reality.

You can get your own FIDO U2F Security Key today at A key that you own and control, allowing you to securely log in to your Google Account, which lets you access services such as Gmail. The same is true for any number of service providers who choose to adopt simple and strong Universal 2nd Factor authentication.

A special thanks to everyone in the FIDO Alliance working groups for making this happen!

Learn more about the new FIDO U2F Security Key by Yubico

John Salter

YubiKey NEO & FIDO U2F: One Key for All Apps

I’ve been in this business for a long time and watched a lot of promise collapse and a fair number of snake oil salesmen flourish.

Strong authentication is one of those technology conundrums that always seems to be partially solved. The drawbacks of traditional one-time passcodes are well understood and we’ve always truly known their shelf life was limited.

I have been searching for something that would be more appropriate in today’s Internet, that would move past “partially solved” and would blossom into elegant simplicity spanning the technology, the plumbing and the user.

My eyes were opened to the answer while watching a room full of engineers work with their code — checking out, checking in, deploying live — and authenticating each time as they supported a massive cloud service that counts billions of users around the globe.

To cross each virtual security boundary the engineers simply press a small flashing Yubico YubiKey tucked into their USB ports to activate strong authentication. They were taking advantage of their body’s ability to hold an electrical charge and trigger a capacitance sensor.

A few years ago when I first saw this technology, I underestimated the capacitive touch. I did not think it had the needed security properties, but what I missed was how important it was to the end-user.

Once I realized that error, I began adding in the significance of the hermetically sealed, driverless YubiKey that is impervious to viruses and malware. I thought about its improvements over second-factor mobile devices that hackers can compromise, and over single sign-on, where conventional wisdom says authentication should happen as infrequently as possible and then be shared across domain boundaries.

I now understand security isn’t about limiting authentications but about making hundreds, even thousands of them per day as easy as pushing another key on a computer keyboard. It’s a user experience that requires zero training, even for technology’s bellwether grandmothers.

In addition, a previously missing piece is coming into focus with the FIDO Alliance’s Universal Second Factor (U2F) protocol, adding the standards layer that enables one key to authenticate to all applications in our ecosystems while maintaining trust and end-user privacy.

Today, Yubico is releasing its YubiKey NEO with support for U2F and delivering it in two form factors. This key holds the promise of a significantly more secure online consumer experience, and a dramatic increase in enterprise security and ease of use.

The combination of all these factors (pun intended) leads me to believe we have our device, and an extended shelf life, for a proper “what you have” factor from a multi-factor authentication perspective.

And it has been a powerful enough epiphany for me after 30 years promoting and advancing strong authentication that I have joined Yubico as Chief Business Officer to explore this innovation and see it through to what I believe will be its rightful place in the security landscape.

As you will see in the coming weeks, my faith in these advancements will be validated by some of the most successful and influential Internet companies with arguably the largest end-user populations on the planet.

We can now challenge conventional wisdom around authenticating once then propagating credentials. I am a firm believer in SSO technology for gluing together computing across boundaries and would argue our SSO engines should play the primary role in directing identity traffic. They are, and will remain, essential in modern web architectures.

But I argue that fresh primary credentials trump older secondary credentials every time. Application designers have never thought of a world where it is possible or desirable to verify primary credentials not just one time but many times. That world is coming into focus and I’m excited to have a front row seat, again.

John Haggard is Chief Business Officer at Yubico

John Fontana

When Will NEO Work with iPhone 6 NFC?

Yubico has heard this question a lot in the days since the iPhone 6 was released with NFC support.

The answer would be “now” if Apple had an open ecosystem, but that likely won’t be the case for another 12-16 months. But put a pushpin on your roadmap: the YubiKey NEO will be a multi-factor authentication option for iPhone users, based on its current NFC support, once Apple opens NFC to developers.

And if Apple decides to join the FIDO Alliance, the Yubico promise of one authentication key for many services could get support from another heavyweight in the FIDO standardization effort.

It’s not far-fetched to envision Apple as part of FIDO, given that Apple’s Touch ID is built from technology acquired when it bought AuthenTec – which applied for the original trademark on the FIDO name. (The company left FIDO the day it was acquired by Apple.)

Apple showed its new willingness to work in international standards settings two weeks ago when it joined GlobalPlatform, which creates specifications that address standardized infrastructure for securing multiple apps on smart chip technology.

The group has three areas of focus: secure elements, trusted execution environments and the messaging that holds it all together. On top of that it adds security, interoperability, responsibilities, provisioning and a common language for exchanging information.

Or as GlobalPlatform puts it, we’re “a cross industry, non-profit association that identifies, develops and publishes specifications that promote the secure and interoperable deployment and management of multiple applications on secure chip technology.”

Now that’s a mouthful, but what’s important is in a world where standards are the only way to reach Internet scale, it appears Apple is coming out to play.

Bravo Apple!

You can read more about the Apple/GlobalPlatform alliance on my Identity Matters blog on ZDNet.

Jakob Ehrensvärd

YubiKey & BadUSB

Updated Oct. 22, 2014 to include information on Security Key

We have received a few questions with regards to the “BadUSB” concept, presented at BlackHat 2014. This was picked up by, where the problem domain is somewhat expanded into a claim that the “Security of USB Is Fundamentally Broken”.

Although a few different (and known) issues are presented, the main claim is that a legitimate USB device can be turned into an evil one by replacing its genuine firmware with a malign image. The authors describe USB devices, but the general concept applies to almost all types of devices that can have their firmware upgraded in the field, a process known as Device Firmware Upgrade (DFU).

The concept of creating “hardware Trojans” is interesting (and scary) and gained quite some attention in the early 1990s when the first field-upgradeable flash BIOSes for PCs became available. It was then shown that by replacing a legitimate BIOS with a hacked image, malign functionality could be implanted deep into the functionality of a PC, beyond reach of anti-virus software.

However, although conceptually feasible, such attacks are not that easy to execute in practice or to make widespread. There are quite a few reasons for that.

  1. Many low-end USB devices do not support DFU, either because the firmware is factory-programmed in a non-alterable mask ROM or one-time-programmable ROM, or simply because no DFU mechanism is implemented. Supporting DFU adds cost and complexity and therefore makes little sense for low-cost mass-market devices such as thumb drives, card readers, keyboards and mice.
  2. To perform DFU, the user often has to perform some active (and usually quite awkward) sequence, such as holding a button while the device is power cycled. Then a specific executable has to be run on the computer the device is connected to in order to perform the actual firmware upgrade. This is not something that is likely to happen without the user actively initiating it.
  3. An attack of this kind has to be targeted on a per-device-model basis, and then requires extensive knowledge of the particular implementation, including reverse engineering. An attack that works for a specific device will only work for that particular version of the device. Blasting a large number of users and trying to fool them into upgrading with a malign image seems unlikely to have more than a marginal impact.
  4. Many low-end USB devices have limited memory, so they cannot be upgraded with firmware that does anything really evil while maintaining their intended function. If such a device is infected, it won’t be able to perform what it was designed to do. High-end devices, such as MP3 players, cameras and phones, are a different story, but there the problem can be mitigated by code signing.

There are probably quite a few devices out there that do not implement basic countermeasures against what has been listed above, but probably the biggest issue with DFU is that the user accidentally bricks a device when an update fails or stalls before it has been completed. This is an implementation issue and should be seen as a design flaw by the vendor rather than a system-wide problem.

One can wonder whether low-end USB devices such as thumb drives are in fact the scariest targets for malign firmware, and also why these would implement or require DFU at all. Phones, network routers and gateways, with extensive memory and processing capabilities together with constant network and power connections, seem more obvious and attractive targets in this respect. There the number of vendors is smaller and DFU is supported on a more general scale.

Seen from a different angle, one can ask if this is really a USB problem or the fact that devices (above the complexity of a thumb drive) are nowadays frequently (and very fundamentally) updated. Replacing the operating system in a tablet, firmware image in a printer, phone or a network router does not require USB – it is done directly via the network connection. The scalability and harm of such attacks is probably orders of magnitude worse than what can be accomplished on a per-device basis via USB.

The question then inevitably becomes: how does all this affect current Yubico products, which obviously are USB devices?

With regards to the FIDO U2F Security Key by Yubico and DFU…
– There is no DFU mechanism in the Security Key and hence it cannot be updated.

With regards to the YubiKey Standard and DFU…
– The firmware is in non-alterable ROM and hence cannot be updated.

With regards to the YubiKey NEO and DFU…
– The YubiKey NEO technically does support DFU, but requires the new firmware image to be signed by us. Yubico does not endorse nor support use of DFU for users.

With regards to the YubiHSM and DFU…
– The device does not implement DFU and hence cannot be updated.

With regards to a USB device being a carrier for malign files…
– Neither the YubiKey nor the YubiHSM supports Mass Storage Device (MSD) mode, so they cannot carry infected files or data.


Bank of America Joins FIDO Alliance

Today, Bank of America has joined the FIDO Alliance and been appointed to the Board of Directors. Among the world’s leading financial institutions, Bank of America is committing to FIDO standards for strong authentication, along with other leaders in the financial sector, including Discover Financial Services, MasterCard and Goldman Sachs.

“Historically, strong two factor hardware authentication has been too costly and complicated to scale for mass markets,” said Stina Ehrensvard, CEO and founder of Yubico. “We are pleased to see an ever-increasing number of large online services and financial institutions joining the FIDO Alliance and addressing the issues. FIDO certified devices offer better security and a greatly improved user experience over traditional software-and-hardware based authentication technologies.”

FIDO Alliance members commit to share technology and collaborate to deliver open specifications for universal strong authentication that enable FIDO-compliant authentication methods to be interoperable, more secure and private, and easier to use. The YubiKey NEO is the industry’s first FIDO Universal 2nd Factor (U2F) Ready device and is currently being demonstrated at RSA 2014 at the NXP booth. (* Please note – as of May 21, 2015, Yubico FIDO Ready™ products became official FIDO Certified™ products. Read more here.)

“Providing our customers with a convenient, secure digital banking experience is a top priority for us,” said Dave Godsman, Bank of America Digital Banking Solutions & Operations Executive. “As the world rapidly changes, our involvement in the FIDO Alliance will help ensure we continue to provide the convenient and secure solutions our customers want.”

“Bank of America is counted among the world’s leaders in financial services. As an institution responsible to secure high-value interests and relationships across consumer, government, enterprise, and business, Bank of America is among a select few ‘Relying Parties’ ideally positioned to drive adoption of FIDO standards at Internet scale,” said Michael Barrett, president of the FIDO Alliance. “We welcome Bank of America to our Board of Directors at a pivotal point in FIDO Alliance history. With our review draft specifications just publicly released, and the marketplace poised to deploy ‘FIDO Ready’ certified solutions in 2014, both users and those who serve them are eager to embrace simpler, stronger FIDO authentication.”

To find out more and to read the release in its entirety, please visit

Ronnie Manning

See Yubico at RSA 2014

NXP booth #1341 in the South Expo Hall

Throughout the conference, Yubico will be demoing the YubiKey NEO, the industry’s first FIDO Universal 2nd Factor (U2F) Ready device, at the NXP booth. (Though successfully deployed inside cloud companies, FIDO-enabled YubiKeys are not yet for sale to the public.) We will also present the simplicity of two-factor authentication for other YubiKey NEO use cases, including Windows login, PIV, PKCS#11, OpenPGP, password managers, and leading cloud services with support for OATH TOTP.

FIDO Ready Showcase – Moscone North, Room 110

Additionally, on Wednesday, February 26, from 1:00 PM to 5:00 PM, Yubico will be participating in the FIDO Ready Showcase. The Showcase will feature a FIDO Alliance member panel, FIDO Ready live product demonstrations, and a chance to meet and interact in one-to-one meetings.

FIDO Alliance Member Panels – Moscone North, Room 110

Yubico is honored to be participating in two panel discussions during the FIDO Ready Showcase. Read more about the FIDO Alliance.

Date and Times: Wednesday, February 26, 2014. 1:00 PM and 3:00 PM

  • 1:00 PM – Business Drivers for the FIDO Solution
    Moderator – Brett McDowell, PayPal
    Participants – Stina Ehrensvard, Yubico, Michael Barrett, FIDO Alliance and Kayvan Alikhani, RSA
  • 3:00 PM – FIDO Technology: a Primer
    Moderator – Brett McDowell, PayPal
    Participants – Jerrod Chong, Yubico (U2F) and Davit Baghdasaryan, Nok Nok Labs (UAF)

Schedule a meeting with the Yubico team

If you would like to set up a meeting at RSA, please email Looking forward to seeing you at the show!


User-Centric ID Live

If you are attending User-Centric ID Live at the Washington DC Convention Center, be sure to check out the “Drivers and innovators: Meet leaders from the major identity initiatives” session today (10/15/13) from 4:00pm – 5:15pm. Our CEO and Founder, Stina Ehrensvard, will be participating on this panel with other FIDO Alliance members from Google, Blackberry, NXP Semiconductors and Nok Nok Labs. The panel will discuss how the FIDO Alliance works on open standards for simpler, stronger authentication.

Also, do not miss the session “Track 1: Identity Ecosystems & Technologies: User-centric identity concepts, technologies and how they will impact business” tomorrow (10/16/13) from 9-10:15 AM. In this session Stina will present more details about Universal 2nd Factor Authentication (U2F). As one of the technical specifications hosted by the FIDO Alliance, U2F introduces the first driverless smart card with user presence. Successfully deployed inside Google, it also challenges the traditional business model for secure online identities, allowing users to buy and control any number of real and “anonymous” identities to easily and securely access any number of services.

User-Centric ID Live is an event focused on the business of user-centric identity. Conference sessions focus on technologies, standards, implementations, applications, and business models in the new user-centric identity ecosystem.


YubiKey NEO OATH Applet

Yubico is proud to announce the release of our free YubiKey NEO applet for storing OATH secrets and generating OATH one-time passcodes.

With the increasing deployment of two-step verification relying on the OATH protocols (e.g. GitHub this week, Dropbox, Google, Microsoft, Evernote), many users are concerned about using their mobile phones to store the secrets used to generate the 6- or 8-digit codes, and about the difficulty of changing devices. The applet we’re releasing today lets you store those secrets in the secure element on your YubiKey NEO – and simply tapping your NEO against any NFC-enabled Android device with the YubiOATH app running shows you your current codes. See the video below to see it in operation.

Existing YubiKey NEO owners comfortable with using command line tools can add the new applet to their NEO – see our forum post here. The source code of both the YubiKey NEO OATH applet and the Android YubiOATH app is available here.

Stina Ehrensvard

Yubico at TechCrunch Disrupt

As a Swedish-American innovator, Yubico has been selected to represent cutting-edge Swedish innovation, and will demonstrate the YubiKey NEO on Tuesday, September 10, at the Nordic Pavilion at TechCrunch Disrupt.

At the event, Yubico will also outline the basics of U2F (Universal 2nd Factor), the new online security standards initiative developed by Google, Yubico and NXP, focused on scaling high-security smart card technology beyond government and enterprise to every Internet user. The YubiKey NEO with the initial U2F specifications has already been successfully proven with thousands of users, and by the end of the year we expect more than 200,000 YubiKey NEOs to be deployed within Google and elsewhere for U2F authentication.

To TechCrunch Disrupt web site

Stina Ehrensvard

YubiKey in Fashion – Win a Laptop!

Lucy in the picture above is wearing her back-up YubiKey in her ear. How are you using your YubiKey? Send us your cool, fun or serious and useful YubiKey stories in any form that can be posted on our Facebook page: pictures, videos, quotes, links to blogs and Twitter feeds…

All applicants that present the YubiKey in a positive way will automatically win one free YubiKey NEO and one free YubiKey Nano. Starting now, we welcome submissions until Nov 1, 2013. The Yubico team will then select the best Yubico promotion or story, which will win a Chromebook!

Tell us your story at our Facebook Page


Expanding YubiKey Keyboard Support

Hi. We’ve had a few queries about using the YubiKey with various keyboard layouts, so we thought we’d spend some time describing the different methods available to do that.

Like a USB keyboard, the YubiKey works by sending scan codes rather than actual characters. When you type, the keyboard only sends the key number, or “scan code”, which the computer then translates into a character depending on your keyboard layout settings.

This presents an issue, as there are many different keyboard layouts in use in the world today. To mitigate the problem, the YubiKey only uses modhex (short for MODified HEXadecimal) characters: a set of characters whose keys have the same scan codes in almost all keyboard layouts. If your chosen keyboard layout is not one of those covered by the modhex set (Dvorak, for example), your YubiKey might not be able to output the characters correctly. If this is true for you, here are three ways to resolve the issue.

Option 1

Our recommended “best practice” is to switch to a US standard keyboard layout when entering the OTP and switch back when done. When properly configured this is quick and convenient – in a Windows environment, for example, pressing alt+shift (to switch the input language) and ctrl+shift (to switch the keyboard layout) lets you quickly switch to an alternative layout.


The screenshot above shows a sample configuration of a US standard keyboard layout and a US dvorak keyboard layout.

Option 2

If you are trying to output digits (0-9) with the French AZERTY keyboard layout, you can simply press the shift key while using the YubiKey, or set the flag in the personalization tool to use the numeric keypad instead (for firmware 2.3 onwards).


The screenshot above shows where the flag setting in the personalization tool is.

Option 3

If neither of these is possible for you, another solution is to modify the scanmap used by your YubiKey NEO. This feature requires a YubiKey NEO and the command line version of the Cross-Platform Personalization Tool. Your YubiKey NEO will then only work properly on the keyboard layout you modified it for – if you modified it for a Dvorak keyboard layout, for example, it can only be used on the Dvorak keyboard layout.

The YubiKey uses the following alphabet:


The scanmap is the one-byte scan code for each of those characters, in that order. So for a US standard keyboard layout (and the YubiKey default), the scanmap is:

To set the scanmap, use the -S argument of the ykpersonalize tool followed by the desired scanmap. Shown below are some examples.

Simplified US Dvorak:

French AZERTY:

Turkish QWERTY (with a dotless i instead of usual i):

Note that you must remove any whitespace present in these examples before using the values. Leaving the argument empty will reset the scanmap to the YubiKey’s default.


The screenshot above shows a YubiKey NEO’s scanmap being configured for the dvorak keyboard layout.
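As an added example (not Yubico’s ykpersonalize code), the Python below derives a scanmap the way Option 3 describes it: for each modhex character, the USB HID usage ID of the physical key that produces that character under the target layout. It assumes the standard HID keyboard usage table and standard US Dvorak letter positions (both tables are my own, labelled in the code), and also shows the Option 1 failure mode by simulating what a host set to the wrong layout displays and mapping that output back to the modhex the key actually sent.

```python
"""Modhex scanmap helpers: a constructed example, not Yubico's tooling."""

# Modhex alphabet in firmware order: 'c' = 0x0, 'b' = 0x1, ..., 'v' = 0xf.
MODHEX = "cbdefghijklnrtuv"

# USB HID keyboard usage IDs for the US QWERTY keys used below (assumption:
# standard HID usage table; letters a-z are contiguous from 0x04).
HID_USAGE = {chr(ord("a") + i): 0x04 + i for i in range(26)}
HID_USAGE.update({";": 0x33, "'": 0x34, ",": 0x36, ".": 0x37, "/": 0x38})
USAGE_TO_KEY = {usage: key for key, usage in HID_USAGE.items()}

# A layout is described by which character each physical QWERTY key produces.
US_QWERTY = {key: key for key in HID_USAGE}
# Simplified US Dvorak (assumption: standard Dvorak letter/punctuation positions).
US_DVORAK = dict(zip("qwertyuiopasdfghjkl;'zxcvbnm,./",
                     "',.pyfgcrlaoeuidhtns-;qjkxbmwvz"))


def scanmap_for_layout(layout):
    """Return the 16-byte scanmap (32 hex chars, the form ykpersonalize -S takes)
    that makes the key emit the modhex alphabet correctly on `layout`."""
    produced_to_key = {produced: key for key, produced in layout.items()}
    codes = []
    for ch in MODHEX:
        key = produced_to_key.get(ch)
        if key is None or key not in HID_USAGE:
            raise ValueError(f"layout has no key that produces modhex {ch!r}")
        codes.append(HID_USAGE[key])
    return bytes(codes).hex()


def host_sees(scanmap_hex, host_layout, otp):
    """Simulate what the host displays when a key programmed with `scanmap_hex`
    types the modhex string `otp` while the host uses `host_layout`."""
    scanmap = bytes.fromhex(scanmap_hex)
    shown = []
    for ch in otp:
        key = USAGE_TO_KEY[scanmap[MODHEX.index(ch)]]
        shown.append(host_layout[key])
    return "".join(shown)


def retype_otp(typed, host_layout):
    """Recover the modhex a default (US) scanmap key sent when the host was set
    to `host_layout`: map each displayed character back to the QWERTY key whose
    scan code was actually sent. Raises if the text cannot be modhex."""
    produced_to_key = {produced: key for key, produced in host_layout.items()}
    out = []
    for ch in typed:
        key = produced_to_key.get(ch)
        if key is None or key not in MODHEX:
            raise ValueError(f"cannot map {ch!r} back to a modhex character")
        out.append(key)
    return "".join(out)


def modhex_decode(text):
    """Decode a modhex string into bytes (the form an OTP validator works on)."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    return bytes(MODHEX.index(text[i]) << 4 | MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))


if __name__ == "__main__":
    # Constructed sample: every modhex character once, i.e. bytes 0x01..0xef.
    sample = MODHEX
    print("US default scanmap :", scanmap_for_layout(US_QWERTY))
    print("Dvorak scanmap     :", scanmap_for_layout(US_DVORAK))
    print("US key, Dvorak host:", host_sees(scanmap_for_layout(US_QWERTY), US_DVORAK, sample))
    print("recovered          :", retype_otp(host_sees(scanmap_for_layout(US_QWERTY), US_DVORAK, sample), US_DVORAK))
```

Note that the Dvorak scanmap has to borrow the period key for modhex ‘v’, which is exactly why a Dvorak host cannot read the default US scanmap without translation.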

Interested to know more? Head to our technical forum.

Enjoy using your YubiKey!

Stina Ehrensvard

Best Vaccine for Mobile Viruses

A security research team at Bluebox has unveiled a vulnerability in Android, claiming that malware can get full access to the mobile operating system and applications. The complete details are not yet public, so the Yubico security team does not know how such an attack would work. But we know for sure that we will see more sophisticated mobile malware attacks in the near future.

For many years Apple claimed that their computers were more secure than PCs, being immune to PC viruses. This was a correct statement until Mac OS X and iOS won enough market share to become increasingly popular targets for malware creators.

As the weakness of static passwords and software authentication installed on computers was exposed, and more and more users adopted smartphones and tablets, SMS and authentication apps were presented as the more secure way to log in. But malware creators always follow the crowd. Long before the Bluebox vulnerability discovery, software authentication applications running on mobile devices had been copied and misused.

At Yubico we had these threats in mind when we developed the YubiKey NEO, enabling true second-factor authentication across computers and NFC mobile devices. For users and devices that do not have NFC, the YubiKey NEO can also hold an authentication app on the YubiKey itself, offering higher security than an app loaded on a device exposed to the Internet.

Just as biological viruses have spread, infected and killed humans in the physical world, another type of virus is infiltrating the veins of the Internet. Cloud companies, that have been part of the YubiKey NEO development and success, have seen these viruses attacking their systems. And we know that authentication hardware is the most powerful vaccine.

Stina Ehrensvard

Yubico named Gartner Cool Vendor

Yubico has been named a “Cool Vendor in NFC 2013” by Gartner, Inc., one of the world’s leading information technology research and advisory companies. Each year, Gartner identifies new Cool Vendors in key technology areas and publishes a series of research reports highlighting these innovative vendors and their products and services. Yubico is recognized for the YubiKey NEO, a YubiKey two-factor authentication device that combines NFC, USB, one-time password and PKI authentication technology. To protect against sophisticated malware, it also includes a touch button for user presence.

According to Gartner, “YubiKey NEO’s beauty lies in instant authentication through one tap without need to re-type the OTP, and it’s small, robust and waterproof form factor without any battery.”

For secure login to mobile applications, the user simply taps the YubiKey NEO to an NFC-enabled mobile device. For computers, the user plugs the device into a USB port.

“The YubiKey has seen massive adoption rates in the market, and is currently being used at five of the top 10 Internet and social media companies in the world,” said Stina Ehrensvard, CEO & founder, Yubico. “We are honored to have been named a ‘Cool Vendor’ by Gartner, which speaks to every individual who follows the Yubico vision of making strong authentication easy and ubiquitous.”

The rugged, yet tiny YubiKey NEO fits naturally on a keychain. It can be ordered from the Yubico web store for $50, with free open source software.



Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Meet Yubico at RSA Conference

The Yubico team will be attending the RSA conference in San Francisco, February 25th – 28th.
We will have the YubiKey NEO on demonstration, featuring NFC functions like the OATH TOTP generator for Android and LastPass.

Come see us at the OATH Pavilion, Booth #829.

We look forward to seeing you!

Stina Ehrensvard

Yubico’s Vision for Secure Online Identities

Wired Magazine recently announced that Google is working on a new online authentication protocol as an alternative to legacy username/password login. Yubico and NXP are co-creators of this protocol, designed to be integrated across a wide range of devices, including SIM cards, YubiKey NEOs, or a ring you carry on your finger, and to solve some of the fundamental problems with online identity. And these are problems we need to fix soon. Very soon. Or billions of people, along with the great creation named the Internet, will be in serious trouble.

At this stage we cannot say which route we will choose to ensure mass adoption of this new security protocol. But we can say that Yubico has decided to engage in the project as we believe it could be a game changer.

And this is the vision: 

Imagine that you have one single key and one single password to securely access all your Internet life. 

The key would not be issued, controlled or hosted by a government or a service provider. Instead, you would buy this key at your retail store, such as 7-Eleven or, similar to a gift card or pre-paid phone card.

The key would remain in your own full control, guarding your privacy. And you may even choose to have multiple keys and identities, enabling you to protect your digital identity while remaining anonymous.

From your computer or mobile device, you would be able to instantly, with no required software installed, connect your key to any number of online services. Placed in the USB-port or tapped to your NFC phone/tablet/laptop you would replace all your multiple, long, painful passwords with a simple touch. Combined with a simple PIN or password, you would then securely access your email, bank, healthcare records or any online account.

With built-in support for platforms and browsers, the key would offer superior security, protecting against man-in-the-middle and phishing – but with no drivers or client software needed.

With an open source approach and a clever ecosystem, there would be no fees for service providers, and the costly Certificate Authority model associated with traditional smart cards could be eliminated. But more importantly, there would be no single token or service provider who would control your digital identity or any cryptographic secrets.

Yes, there are a few obstacles to overcome, including getting influential thought-leaders and global stakeholders on the same page. But if enough people want it, it would be possible to create a new, really simple, secure and affordable online identity solution as outlined above.

Bring it out – click – go!

PS. Please find additional comments on this topic in the Future of Authentication FAQ 

Stina Ehrensvard

Internet Identity and the Safety Belt

60 years ago the car industry and our society faced a security problem similar to the challenges facing online identity today. It was a time when the car changed our modern society by delivering on its promise of freedom and speed, but security and safety measures were overlooked; there were no seatbelts in cars. In fact, when happy car drivers hit the brand new highways and fatal accidents swelled, car manufacturers denied the problem. They feared that any acknowledgement of the risk associated with driving would negatively affect sales.

Nils Bohlin, the chief safety engineer at Volvo and a former aircraft designer, realized for a seat belt to be accepted by the everyday user it could not be clunky and complicated like the harnesses used by fighter pilots. It would need to be simple and take no more than a second for anyone to put on. With those objectives he designed the three-point seat belt in 1959, and then led the initiative making his invention into a standard feature in every car.

“It was just a matter of finding a solution that was simple, effective and could be put on conveniently with one hand,” Nils Bohlin has said. “The pilots I worked with were willing to put on almost anything to keep them safe in case of a crash, but regular people do not want to be uncomfortable even for a minute.”

So, what can we learn from Mr. Bohlin when developing security for the Internet, an even more brilliant invention, which we all love until we get our digital life and identity smashed?

The answer is: Make online identification and authentication open and as easy and intuitive as the three-point seat belt:

Bring it out. Click. Go.

Yubico Team

Securing OATH Secrets on Android

Some people are concerned about the risk of storing cryptographic secrets on Android devices – for example, the secrets used to generate One Time Passcodes (OTP) in Google Authenticator. The production YubiKey NEO is the perfect companion to Android devices with NFC support. By bringing your YubiKey NEO close to the back of the Android device (such as the Nexus 4 from Google), Android apps can use the YubiKey NEO’s challenge-response capability to generate an Open AuTHentication (OATH) time-based OTP, such as those used by Google Apps and Dropbox. We have created a sample Android app to show this. [Update] Take a look at the video here.

YubiTOTP Android Widget from Yubico on Vimeo.


When you first enable 2-step verification on Google Apps or on Dropbox, you are presented with a 2D matrix code which contains the cryptographic secret used to create the OTPs. Our YubiTOTP Android app reads this (using Google’s open source scanner app); however, instead of storing the secret on the Android file system, it programs one of the YubiKey NEO’s slots with the secret as part of an HMAC-SHA1 challenge/response configuration. The secret cannot be read back out of the YubiKey NEO. Instead, the app sends the UNIX time to the YubiKey NEO as the challenge (over NFC or via the USB connector) and truncates the HMAC result itself to produce the OTP, which is displayed on the screen or can be put on the clipboard.

If you lose your Android Phone – or it dies, you just get a new one and reload the App – the secret stays in the YubiKey NEO!
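The flow described above, as an added worked example in Python that is not the YubiTOTP app’s own code: it parses the otpauth:// URI carried by the 2-step verification QR code, “programs” a simulated NEO slot (a closure standing in for the HMAC-SHA1 challenge-response slot, so the host keeps no copy of the secret), and then computes the code by sending only the time counter as the challenge and truncating the 20-byte response on the host. The post does not spell out the challenge encoding; the example assumes the standard RFC 6238 counter (floor(time / 30) as 8 big-endian bytes), since that is what makes the output match Google Authenticator. The sample URI is constructed and its secret is the RFC 6238 reference key, so the codes it prints match the RFC’s test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Added example (not the YubiTOTP source). The NEO slot is simulated by a
# closure: the only operation the host gets back is "HMAC-SHA1 this
# challenge", which is the property the post relies on.


def parse_otpauth(uri):
    """Return (label, secret_bytes) from an otpauth://totp/... URI, the
    format encoded in the 2-step verification QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(u.query)
    secret_b32 = params["secret"][0].strip().replace(" ", "").upper()
    # Issuers often omit Base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return unquote(u.path.lstrip("/")), base64.b32decode(secret_b32)


def program_slot(secret):
    """Stand-in for writing an HMAC-SHA1 challenge-response config into a
    NEO slot. Only the challenge function is returned; nothing on the host
    side needs to retain `secret` after this call."""
    def challenge(data):
        if not 0 < len(data) <= 64:       # NEO challenge size limit
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(secret, data, hashlib.sha1).digest()
    return challenge


def totp_from_slot(challenge, unix_time, step=30, digits=6):
    """Host side: send the RFC 6238 time counter as the challenge (assumed
    encoding, see lead-in), get the 20-byte HMAC back, and apply RFC 4226
    dynamic truncation locally to produce the displayed code."""
    counter = int(unix_time) // step
    mac = challenge(struct.pack(">Q", counter))
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % 10 ** digits)


if __name__ == "__main__":
    # Constructed sample URI; the secret is the RFC 6238 reference key
    # "12345678901234567890" in Base32, so the codes match the RFC's vectors.
    uri = ("otpauth://totp/Google%3Aalice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Google")
    label, secret = parse_otpauth(uri)
    slot = program_slot(secret)
    del secret                      # the phone no longer needs the secret
    print(label, totp_from_slot(slot, 59))          # 287082 (RFC 6238, T=59)
    print(label, totp_from_slot(slot, time.time()))
```

The division of labour is the point: the only thing that crosses the NFC or USB link is the 8-byte counter going in and the 20-byte HMAC coming out, so a compromised phone can mint codes while the key is held against it but cannot clone the secret for later.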

[Update] We have enhanced the app to include a re-sizable home screen widget: tap the YubiKey icon, it prompts you to swipe your YubiKey NEO, and then it displays the 6-digit OATH code on the icon.

Download the app here.  Let us know what you think…

Want to install it directly to your Android Device? Download the .apk file here.


YubiKey NEO Composite Device

The YubiKey NEO differs from the standard YubiKey as it can become a composite USB device – presenting both a HID (Keyboard) and CCID (SmartCard) device to the host.  This allows us to support all the great features of the standard YubiKey and add new support for SmartCard functions.  Our last NEO post described the OpenPGP NEO App that ships with the production YubiKey NEO.

In this post, we want to describe how to control how the YubiKey NEO presents itself to the host computer.

We ship the YubiKey NEO with just the HID (keyboard) USB device enabled. We did this to maximise compatibility with the YubiKey Standard and the pre-production YubiKey NEO, neither of which supports SmartCard functions. To enable the OpenPGP SmartCard function, you need to configure the YubiKey NEO to switch on the CCID interface. So far, we have updated the ykpersonalize command line to support the “-m” switch, which controls the composite modes the YubiKey NEO exhibits. Be careful: -m can also remove HID support, and because ykpersonalize talks to the key only over the HID interface, you cannot use ykpersonalize again once HID is removed. We have added the tool ykneo-ccid-modeswitch, which lets you re-enable HID if it gets removed.


Here are the common modes (the -m value is in hex):

  • -m0  HID only (OTP)
  • -m1  CCID only (OpenPGP, no OTP) – warning: you cannot use ykpersonalize after this setting!
  • -m2  HID & CCID (OTP & OpenPGP), without the EJECT flag
  • -m82 HID & CCID (OTP & OpenPGP) with the EJECT flag set, which allows SmartCard and OTP use concurrently
  • -m86 HID, CCID & U2F (OTP, OpenPGP and U2F) with the EJECT flag set (Updated 9/28/2015: requires a YubiKey NEO with 3.3 firmware or higher)

The EJECT_FLAG (0x80, the leading 8 in -m82 and -m86) operates as follows:

  • In mode 1 with the EJECT_FLAG set, touching the button makes the NEO “eject” the smart card, making it unavailable to the host; touching again “inserts” it again.
  • In mode 2 with the EJECT_FLAG set, touching the button makes the NEO “eject” the smart card, send the OTP from the HID interface, and then “insert” the smart card again.

Yubico Team

YubiKey NEO and OpenPGP

In this post, we will take you through the steps to enable the YubiKey NEO’s OpenPGP applet on a production YubiKey NEO. YubiKey NEOs are currently shipped with an OpenPGP applet already installed but disabled. You will need to enable the Applet functionality of the YubiKey NEO before you can use the OpenPGP applet.

To do this, you will need to use the command line interface (CLI) version of the YubiKey Personalization Tool. If you are not familiar with using command line tools, this applet is probably not for you. To download ykpersonalize please click here.

Once you have installed the ykpersonalize software, insert your YubiKey NEO; you can check the firmware version with the ykinfo -v command, which shows version: 3.0.1 for our YubiKey NEO. To enable your YubiKey NEO’s Smartcard interface (CCID), enter the command ykpersonalize -m82:

The -m option is the mode command. To see the different modes, enter ykpersonalize --help. Mode 82 (in hex) enables the YubiKey NEO as a composite USB device (HID + CCID) and allows OTPs to be emitted while it is in use as a smart card. Once you have changed the mode, you need to re-boot the YubiKey, so remove and re-insert it.
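A pre-flight check for this mode switch, as an added example in Python rather than anything shipped with ykpersonalize: it parses the version line from ykinfo -v, decodes a -m value into the interfaces it enables (the mode codes from the composite-device post above, plus the U2F-only combinations 3, 4 and 5 from the tool’s mode table in ykdef.h), refuses a mode that drops HID unless you explicitly allow it, and refuses a U2F mode on firmware below 3.3. The ykinfo output it feeds in is a constructed sample; the function names are the example’s own.

```python
import re

# Added example; not part of yubikey-personalization. Mode codes per the
# -m table in the composite-device post (0, 1, 2, 0x82, 0x86); codes 3..5
# are the remaining U2F combinations from the tool's ykdef.h.
MODE_FLAG_EJECT = 0x80
MODES = {
    0: {"OTP"},                  # HID keyboard only (factory setting)
    1: {"CCID"},                 # smart card only: ykpersonalize stops working
    2: {"OTP", "CCID"},
    3: {"U2F"},
    4: {"OTP", "U2F"},
    5: {"U2F", "CCID"},
    6: {"OTP", "U2F", "CCID"},   # 0x86 with the EJECT flag
}
U2F_MIN_FW = (3, 3, 0)


def parse_ykinfo_version(output):
    """Pull the firmware version out of `ykinfo -v` output ('version: 3.0.1')."""
    m = re.search(r"version:\s*(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no version line in ykinfo output")
    return tuple(int(x) for x in m.groups())


def decode_mode(mode):
    """Split a -m value into (set of interfaces, eject_flag)."""
    eject = bool(mode & MODE_FLAG_EJECT)
    base = mode & ~MODE_FLAG_EJECT
    if base not in MODES:
        raise ValueError("unknown mode 0x%02x" % mode)
    return set(MODES[base]), eject


def plan_mode_switch(ykinfo_output, mode, allow_losing_hid=False):
    """Check the two caveats from the posts before touching the key and
    return the command to run, or the reasons not to run it."""
    fw = parse_ykinfo_version(ykinfo_output)
    interfaces, eject = decode_mode(mode)
    errors = []
    if "OTP" not in interfaces and not allow_losing_hid:
        errors.append("mode 0x%02x removes HID; ykpersonalize can no longer "
                      "reach the key (only ykneo-ccid-modeswitch can undo it)" % mode)
    if "U2F" in interfaces and fw < U2F_MIN_FW:
        errors.append("U2F modes need firmware 3.3+, key reports %d.%d.%d" % fw)
    return {
        "firmware": fw,
        "interfaces": sorted(interfaces),
        "eject": eject,
        "errors": errors,
        # ykpersonalize takes the mode value in hex, as in the post's -m82
        "command": None if errors else "ykpersonalize -m%x" % mode,
    }


if __name__ == "__main__":
    sample = "version: 3.0.1\n"        # constructed ykinfo -v output
    for mode in (0x82, 0x01, 0x86):
        plan = plan_mode_switch(sample, mode)
        print("0x%02x -> %s" % (mode, plan["command"] or "; ".join(plan["errors"])))
```

Run it against the real ykinfo -v output before typing the ykpersonalize line; whatever it returns, the key still has to be removed and re-inserted for the new composite mode to take effect.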

Now that the NEO OpenPGP app is visible, we can use the gpg program to set up the new smart card: run gpg --card-edit, then enter the admin command to enable admin commands. The command to create a new set of public/private key pairs is generate. You should see something like:

Note the default PINs (the OpenPGP card defaults are 123456 for the user PIN and 12345678 for the admin PIN), as you will need to enter them into the pop-ups, e.g.:

Once you enter the Admin and User PINs, gpg will ask you for various settings. Once you select Okay, the YubiKey NEO will work for between 1 and 3 minutes to generate the 3 key pairs. It took our YubiKey NEO 1 minute 40 seconds.

WARNING: The private keys are generated on the YubiKey NEO and cannot be backed up or exported. If you lose the YubiKey NEO, regenerate another key pair on it, or otherwise lose the key pair, there is no way to retrieve it! When you encrypt a file, make sure you have a plain text backup.

It is recommended to backup the Public key – we often use the Export Certificates to Server function in Kleopatra to do this. This is our screen:

The public keys and private key stubs are automatically loaded into the gpg database. We are running Kleopatra, so before generation Kleopatra showed our soft keys:

And afterwards Kleopatra shows the YubiKey NEO with the SmartCard icon:

With details:

We can now select the YubiKey NEO to sign and encrypt files, e.g.:

The source code for the YubiKey NEO OpenPGP app is available here.

Yubico Team

YubiKey NEO in Production

We know you have been waiting a long time for the production launch of our YubiKey NEO, and we are very happy to announce our plan to start shipping the production versions of the YubiKey NEO by December 10th. We are already accepting orders for the YubiKey NEO, so place your order today to get your full production sample of the NFC authentication token as soon as possible! And if you happen to be at CARTES in Paris this week, stop by the NXP booth where we will demonstrate the NEO.

The previous limitations of the beta version of the NEO have been addressed in the production version. The final version of the YubiKey NEO also includes a new secure element, enabling smart card/PKI functionality, which is certified for Common Criteria and the highest level of security. You can read more about all the new features here, as well as more about RFID and the YubiKey NEO.

We will naturally continue to expand and improve the YubiKey technology, so stay tuned for even more updates in the future!

Yubico Team

RFiD and the YubiKey NEO

When Yubico first introduced the YubiKey RFiD in 2009, it provided users with an unmatched integration of physical and network security. Many facilities with existing RFiD based security systems have integrated the RFiD YubiKey into their systems, allowing users to use one device to access their office space as well as network account. The RFiD YubiKey could be used with both standard RFiD readers as well as with any computer with a USB port, removing the need for additional hardware when integrating the RFiD YubiKey.

Since then, there has been a significant rise in the world of mobile computing. The task of authenticating users on Tablet PCs and SmartPhones is becoming just as vital as securing PCs or Laptops. With the growing addition of NFC support in mobile devices, Yubico decided to create the YubiKey NEO, capable of providing wireless authentication to NFC supporting devices while also allowing for standard USB authentication.

During the pre-production phase of the YubiKey NEO, we decided to simplify our product line to provide the best customer experience, and so to combine YubiKey support of RFiD and NFC into one device. When the production YubiKey NEO is launched in November of 2012, it will support all of the capabilities of the YubiKey RFiD tokens alongside the new NFC communication features. The YubiKey NEO will allow users to validate against RFiD systems and NFC systems as well as with the standard YubiKey authentication.

However, with the introduction of the YubiKey NEO, Yubico will withdraw the RFiD YubiKey. New users looking for an RFiD-compatible solution, as well as existing users looking to expand their solution, will be able to utilize the production YubiKey NEO in place of the RFiD YubiKey.

We will continue to offer support of the YubiKey RFiD functionality, both in the older RFiD YubiKey and the new YubiKey NEO. We thank you all for your support of the RFiD YubiKey and hope that the YubiKey NEO continues to meet your high expectations!