ReadWriteWeb

Yubikey: Your Key To Securing the Web

Written by Sarah Perez / September 16, 2008 9:50 AM / 10 Comments

A company that believes it has the solution to our online security woes is Yubico, maker of a small USB dongle known as the Yubikey. This ingenious authentication solution can be combined with OpenID or other third-party web sites to provide secure authentication on the web.

Authentication is an area of security that is more important than ever, especially since we're now using the web to access all sorts of private data, from personal communications to online banking sites. Yet as those services become more sophisticated and complex, so do the techniques used by criminals wanting access to our private information. Although many of these sites force you to create strong passwords, a password alone is not your best defense against identity thieves. For the best security, multi-factor authentication is needed, and that's what Yubikey provides.

Security Matters

At first glance, you may dismiss Yubikey as yet another smart card to carry around. However, the difference between smart cards and Yubikey is that smart cards require client software. Yubikey, on the other hand, identifies itself to the computer as a USB keyboard. This means there's no software to install - you just insert the key, press the button, and it will generate a one-time password for you to use.

This makes Yubikey more like PayPal's Security Key, a USB device which generates a temporary 6-digit security code every 30 seconds. However, the PayPal key requires you to enter the security code yourself each time you log in. Yubikey, on the other hand, will enter your code for you.

Yubikey + OpenID

One of the most exciting uses for Yubikey is combining it with your OpenID to secure your online identity. The company runs its own OpenID server which can be used in combination with Yubikey to generate a secure OpenID. By pressing the button on the USB key, you're provided with a URL which you can use on any site which supports OpenID. You can also set up your own web site to work with Yubikey if you want a more personal URL. (To see this in action, click here for a short screencast.)

Yubikey's Open Source Solution

Combining Yubikey with OpenID is just one way to use this device. Yubikey also supports authentication via RADIUS and PAM as well as other systems. Also, since Yubikey is open source, anyone can set up a server and use the company's web APIs and open source SDK to integrate it with their online services.
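As an added illustration (not code from this article or from Yubico), the sketch below shows the checks a validation server applies to the one-time password the key types: it decodes the keyboard-safe "modhex" text, then rejects a block whose checksum fails or whose use counters do not advance, which is what makes a captured password worthless on replay. It relies on Yubico's published OTP layout in the default configuration rather than anything stated above, assumes the AES-128 decryption of the 16-byte block has already been done with the key's secret, and all function names are hypothetical.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # stands in for hex digits 0-f; same keys on most layouts

def modhex_decode(text):
    """Decode keyboard-typed modhex into raw bytes."""
    nibbles = [MODHEX.index(ch) for ch in text]  # ValueError on a foreign character
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))

def split_otp(otp):
    """Split a 44-character OTP into (public ID, 16-byte encrypted block)."""
    if len(otp) != 44:
        raise ValueError("unexpected OTP length")
    return otp[:12], modhex_decode(otp[12:])

def crc16(data):
    """CRC-16 with reflected polynomial 0x8408 and initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def accept(plain, expected_uid, last_seen):
    """Check an already-decrypted block; return the new (counter, use) mark.

    Assumed layout: private ID (6 bytes), session counter (2, little-endian),
    timestamp (3), session use (1), random (2), checksum (2).
    """
    if len(plain) != 16 or crc16(plain) != 0xF0B8:
        raise ValueError("bad checksum: wrong key or damaged OTP")
    if plain[:6] != expected_uid:
        raise ValueError("private ID mismatch")
    counter, = struct.unpack_from("<H", plain, 6)
    state = (counter, plain[11])
    if state <= last_seen:  # counters must strictly advance
        raise ValueError("replayed OTP")
    return state

def sample_block(uid, counter, use):
    """Constructed test input: a plaintext block with a valid checksum."""
    body = uid + struct.pack("<HHBBH", counter, 0, 0, use, 0)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)
```

The server stores the value returned by `accept` per key and passes it back as `last_seen` on the next login attempt.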

Already, developers have begun to use Yubikey in combination with numerous other systems. For example, Rohos has combined their Rohos Logon Key with Yubikey to provide secure authentication for logging into your Windows PC. Online password manager, MashedLife, also supports Yubikey sign on for their registered users. Henrick Schack created a WordPress blog plugin which uses Yubikey to provide an extra layer of security for logging into WordPress. A company known as Collective Software has created an Active Directory solution for use with workstation logon, network applications, extranet web publishing, and VPNs.

Those are just some of the applications available today, but the possibilities are endless.

Will Yubikey Take Off?

The security community has high hopes for Yubikey. Well-known security analyst, Steve Gibson of the "Security Now" podcast dubbed Yubikey "the coolest new secure authentication device." He felt the device had potential because of its open source nature: "...no subscription fee, lifetime free authentication...as long as you've got a USB port, this is the answer," he says.

The device also has potential because of the way it's built: small and thin enough to be carried in a wallet. It's also cheap to manufacture so it can be produced in volume for a low cost. These design considerations were no fluke, either. Yubikey's creator and CEO, Stina Ehrensvärd, put a lot of time and effort into the aesthetics, even speaking with experts at both Verisign and eBay to help her shape the product into what it is today.

Although Yubikey may not present the ideal solution for universal authentication, it could at least offer another layer of security to those web sites that contain the most private and personal information. With the growing number of identity theft victims today, extra security may appeal to those who have been burned in the past or who are just very cautious with their personal info online. It's easy to imagine banks offering Yubikey or similar solutions to their customers as an optional additional security mechanism, similar to how PayPal offers a security token to their users.

The Yubikey is available for purchase from the company's web site at prices which start at $30.00 and decrease with the number of keys ordered.

Comments


  1. Key to the net

    Posted by: Akshat | September 16, 2008 10:15 AM



  2. Hardware dependency = FAIL! the same old bad idea that keeps making the rounds every few years.

    Posted by: Todd | September 16, 2008 10:24 AM



  3. the problem with this, it's a hardware...

    Posted by: California Super Lotto Plus Results | September 16, 2008 10:47 AM



  4. Right, Todd. Because house keys have obviously failed.

    Multi-factor authentication is used in every enterprise and with all wealthy bank clients in Europe. Multi-factor auth requires one of 3 things:

    Something you know (password)
    Something you have (a physical item)
    Something you are (biometrics: fingerprint/iris)

    For best security, one should use all 3, but just using 1 factor is the easiest to break (I can hack your yahoo account, just tell me your email). Using 2 factors is the best compromise. The yubikey and paypal token (RSA) may not be the best for everyone. I use my fingerprint reader integrated into my pc. If one has a business paypal account (free), the paypal token is only $5.

    We'll see which wins, but using just a password is not EVER going to be secure.

    Posted by: Frank | September 16, 2008 10:55 AM



  5. Using just a password may not be the most secure protection in the world, but most sites don't offer anything more. Yubikey could be a step up from that if it offers another layer or two of security. Any ideas or suggestions on other forms of security they could integrate?

    Posted by: Corvida | September 16, 2008 11:10 AM



  6. @Frank

    "..Right, Todd. Because house keys have obviously failed."

    Hence Locksmithing being a multi-billion dollar industry? Look in your phone book. Are there 12 pages of LockSmiths with ads saying "Will Call 24 hours a day!" "Lost your keys? Call us now!"

    Will Yubikey be providing the nationwide ( global ) infrastructure, trucks and manpower to have a "YubiSmith" in every town or city in America who will come to my house at midnight with a new Yubi key? Sounds expensive.

    Didn't Sun already try this bad idea with their Java ring?


    How about those self destructing CDs where after you open the package, the physical media starts to self destruct?

    Anyone still using software that requires a 1989 style dongle that must be present on their computer's comm port in order to use the software?

    Posted by: Todd | September 16, 2008 11:21 AM



  7. I have one of these and while it isn't something that I use that much right now, it is the best physical token I've seen for this sort of thing. Easily fits on my keys and is a cool experience in terms of its physical interaction. Also really nice to see more ways to bring strong authentication to OpenID!

    Posted by: David Recordon (posted on FriendFeed) | September 16, 2008 12:00 PM



  8. will it work with Linux?

    Posted by: Thejesh GN | September 16, 2008 2:33 PM



  9. "will it work with Linux?"

    the key IS the same as a USB keyboard. you press the button and the chip spits out text as if you typed it on your keyboard.

    It is supposed to work on every system which can use USB keyboards.

    Posted by: sam | September 16, 2008 7:17 PM



  10. I have one almost like that I keep on my keychain. Can't live without it!

    Posted by: toshiba copiers | September 17, 2008 2:44 AM


