It’s an open secret that passwords aren’t the most effective way to protect online accounts. Alarmingly, three out of four people use duplicate passwords, and 21 percent of people use codes that are over ten years old. (In 2014, among the top five most popular passwords were “password,” “123456,” and “qwerty.”) Two-factor SMS authentication adds a layer of protection, but it isn’t foolproof — hackers can redirect text messages to another number with relative ease.
A much more secure alternative is hardware authentication keys, and there’s good news this week for folks looking to pick one up. During Microsoft’s Ignite conference in Orlando, Florida, Yubico unveiled the YubiKey 5 Series: the YubiKey 5C, the YubiKey 5 NFC, the YubiKey 5 Nano, and the YubiKey 5C Nano. The company claims they’re the first multi-protocol security keys to support the FIDO2 (Fast IDentity Online 2) standard.
All four are available for purchase at the Yubico store starting at $45.
“Innovation is core to all we do, from the launch of the original YubiKey ten years ago, to the concept of one authentication device across multiple services, and today as we are accelerating into the passwordless era,” Stina Ehrensvard, CEO and founder of Yubico, said. “The YubiKey 5 Series can deliver single-factor, two-factor, or multifactor secure login, supporting many different use cases, industries, platforms and authentication scenarios.”
Every key in the YubiKey 5 Series, including the new NFC-compatible YubiKey NFC, which supports tap-and-go authentication on compatible PCs and smartphones, supports FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response schemes. (That’s in addition to crypto algorithms RSA 4096, ECC p256, and ECC p384.) A secure hardware element protects cryptographic keys.
The new YubiKeys support three authentication options:
- Single Factor: Passwordless; requires a YubiKey only
- Two Factor: Requires a username and password in addition to a YubiKey
- Multifactor: Passwordless; requires a YubiKey and a PIN
Conspicuously absent from the refreshed lineup is a Bluetooth Low Energy (BLE) fob a la Google’s Titan Security Key. Ehrensvard said that was a conscious decision.
“While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” he wrote in a June blog post. “BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.”
Fret not if you’ve got an iOS device, though. In May, Yubico announced an iOS SDK that enables developers to add YubiKey Neo NFC authentication to their apps. (The first to support it was LogMeIn’s LastPass.) NFC might not have BLE’s range, but it’s bound to be faster than fishing around for a USB adapter — Yubico, in fact, claims that it’s four times quicker than typing a password.
FIDO2, for the uninitiated, is a standard certified by the nonprofit FIDO Alliance that supports public key cryptography and multifactor authentication — specifically the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols. When you register a FIDO2 device with an online service, it creates a key pair: an on-device, offline private key, and an online public key. During authentication, the device “proves possession” of the private key by prompting you to enter a PIN code or password, supply a fingerprint, or speak into a microphone.
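The register-then-prove-possession flow described above, reduced to its core challenge-response, as an added example (not Yubico's or the FIDO Alliance's code). It assumes Node.js and ECDSA P-256; the class names and the user `alice` are hypothetical, and the real WebAuthn/CTAP message formats and the PIN or touch prompt are left out.

```javascript
const nodeCrypto = require('node:crypto');

// Device side: the key pair is created on the authenticator at registration.
class Authenticator {
  constructor() {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey; // never leaves the device
    this.publicKey = publicKey;   // handed to the service once
  }
  // Prove possession by signing the service's challenge.
  sign(challenge) {
    return nodeCrypto.sign('sha256', challenge, this.privateKey);
  }
}

// Service side: holds public keys and one outstanding challenge per user.
class Service {
  constructor() {
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is accepted at most once
    if (!challenge || !publicKey) return false;
    return nodeCrypto.verify('sha256', challenge, publicKey, signature);
  }
}

function demo() {
  const key = new Authenticator();
  const otherKey = new Authenticator(); // a key that was never registered
  const service = new Service();
  service.register('alice', key.publicKey);
  const sig = key.sign(service.newChallenge('alice'));
  const legit = service.verify('alice', sig);
  service.newChallenge('alice');
  const replayed = service.verify('alice', sig); // old signature, fresh challenge
  const wrongKey = service.verify('alice', otherKey.sign(service.newChallenge('alice')));
  return { legit, replayed, wrongKey };
}
```

The service stores nothing that can be replayed or reused elsewhere: a captured signature fails against the next challenge, and a leaked public key does not allow signing.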
Since 2014, Yubico, Google, NXP, and others have collaborated to develop the Alliance’s standards and protocols, including the World Wide Web Consortium’s new Web Authentication API. (WebAuthn shipped in Chrome 67 and Firefox 60 earlier this year.) Among the services that support them are Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter.
YubiKey says that since 2012, it’s deployed 275,000 keys across organizations in 160 countries, including Facebook and Salesforce. It said that since deploying YubiKeys, one client — Google — has experienced “zero” account takeovers, four times faster logins, and 92 percent fewer IT support calls.