A company that believes it has the solution to our online security woes is Yubico, makers of a small USB dongle known as the Yubikey. This ingenious authentication solution can be combined with OpenID or other third-party web sites to provide secure authentication on the web.
Authentication is an area of security that is more important than ever, especially since we’re now using the web to access all sorts of private data, from personal communications to online banking sites. Yet as those services become more sophisticated and complex, so do the techniques used by criminals wanting access to our private information. Although many of these sites force you to create strong passwords, a password alone is not your best defense against identity thieves. For the best security, multi-factor authentication is needed, and that’s what Yubikey provides.
Security Matters
At first glance, you may dismiss Yubikey as yet another smart card to carry around. However, the difference between smart cards and Yubikey is that smart cards require client software. Yubikey, on the other hand, identifies itself to the computer as a USB keyboard. This means there’s no software to install – you just insert the key, press the button, and it will generate a one-time password for you to use.
This makes Yubikey more like PayPal’s Security Key, a USB device which generates a temporary 6-digit security code every 30 seconds. However, the PayPal key requires you to enter the security code yourself each time you log in. Yubikey, on the other hand, will enter your code for you.
Yubikey + OpenID
One of the most exciting uses for Yubikey is combining it with your OpenID to secure your online identity. The company runs its own OpenID server, which can be used in combination with Yubikey to generate a secure OpenID. By pressing the button on the USB key, you’re provided with a URL which you can use on any site which supports OpenID. You can also set up your own web site to work with Yubikey if you want a more personal URL.
Yubikey’s Open Source Solution
Combining Yubikey with OpenID is just one way to use this device. Yubikey also supports authentication via RADIUS and PAM as well as other systems. Also, since Yubikey is open source, anyone can set up a server and use the company’s web APIs and open source SDK to integrate it with their online services.
Already, developers have begun to use Yubikey in combination with numerous other systems. For example, Rohos has combined their Rohos Logon Key with Yubikey to provide secure authentication for logging into your Windows PC. Online password manager MashedLife also supports Yubikey sign-on for their registered users. Henrik Schack created a WordPress blog plugin which uses Yubikey to provide an extra layer of security for logging into WordPress. A company known as Collective Software has created an Active Directory solution for use with workstation logon, network applications, extranet web publishing, and VPNs.
Those are just some of the applications available today, but the possibilities are endless.
Will Yubikey Take Off?
The security community has high hopes for Yubikey. Well-known security analyst Steve Gibson of the “Security Now” podcast dubbed Yubikey “the coolest new secure authentication device.” He felt the device had potential because of its open source nature: “…no subscription fee, lifetime free authentication…as long as you’ve got a USB port, this is the answer,” he says.
The device also has potential because of the way it’s built: small and thin enough to be carried in a wallet. It’s also cheap to manufacture, so it can be produced in volume for a low cost. These design considerations were no fluke, either. Yubikey’s creator and CEO, Stina Ehrensvärd, put a lot of time and effort into the aesthetics, even speaking with experts at both Verisign and eBay to help her shape the product into what it is today.
Although Yubikey may not present the ideal solution for universal authentication, it could at least offer another layer of security to those web sites that contain the most private and personal information. With the growing number of identity theft victims today, extra security may appeal to those who have been burned in the past or who are just very cautious with their personal info online. It’s easy to imagine banks offering Yubikey or similar solutions to their customers as an optional additional security mechanism, similar to how PayPal offers a security token to their users.
The Yubikey is available for purchase from the company’s web site at prices which start at $30.00 and decrease with the number of keys ordered.