YubiKey Review: Next Generation Authentication

yubikey_feat

In the 1960’s, when the early generation of mainframe computers began popping up at places like MIT, it quickly became obvious that users needed a way to identify themselves on the machine they were logging into. The solution was simple, and as old as the Romans: you would have to provide the system with your unique name and a secret word only you and the computer knew. The computer password was born.

Now, over 50 years later, that simple scheme is still the way the vast majority of users log into their personal computers or web services. With all of the advancements modern technology has made, we are still left struggling to create and maintain strong passwords day in and day out. Far too many users take the easy way out, and either choose a poor password or write it down in some easily spotted place. The effect is the same, poor password practices lower security and negate the whole point of the password in the first place.

Luckily, there is a better way. Two-factor authentication (TFA) is an improvement over the basic username and password concept that adds in the concept of a “token”, a physical object that is used to prove the identity of the person attempting to authenticate. There a many different kind of tokens, from applications running on smartphones to pocket-sized devices with their own LCD displays. One of the newest types of tokens is the YubiKey, developed by Yubico. The YubiKey aims to be a cheap and simple TFA token that anyone can use.

YubiKey

Traditional TFA tokens generate a code, known as a One Time Password (OTP), which the user must then manually enter into their terminal or software application. This is a tedious process, and leaves the possibility to the user mistyping the code, causing failed login attempts that could be flagged as security threats. The YubiKey is fundamentally different than older devices, as it mimics a USB Human Interface Device (HID), or in other words, makes the host computer think it’s a USB keyboard. It’s then able to directly “type” the authentication code into whatever field the user places the cursor in. This is much faster than manually transcribing the code from another device, and eliminates the issue of mistyped codes.

The standard Yubikey looks very much like a USB flash drive, though it’s smaller and considerably thinner. The thin profile, along with the hole built into the rear of it, allow the Yubikey to be put on a standard keyring. With the YubiKey on your keyring along with your house and car keys, you’re much less likely to forget it or at least not have it when you need it.

Standard YubiKey

A standard USB flash drive wouldn’t last very long attached to your keyring, so Yubico has pioneered a new manufacturing process for their YubiKey devices. Rather than the standard construction for USB devices, where a two piece plastic case is glued together around the central circuit board, the YubiKey is made entirely of one piece of plastic. To achieve this, Yubico places the bare YubiKey circuit board into a machine which injects molten plastic around it, creating one solid object. With one piece construction and gold outer contacts, Yubico claims the YubiKey will last 10 years on the average keyring.

YubiKey Nano

Yubico also offers a much smaller version of the YubiKey, which they call the YubiKey Nano. The Nano is small enough that when inserted into the USB port, it’s essentially flush with the outside of the device. Both versions of the YubiKey are functionality identical, the difference is how you use the device day to day. While the standard YubiKey is meant to travel with the user on his or her keyring, the Nano is meant to be inserted into a computer and left there indefinitely.

YubiKey Nano and standard YubiKey

This slight change in usage has a big impact on the YubiKey concept. The standard YubiKey is something you would likely use on public access computers, or on your work computer. On the other hand, the Nano would only be appropriate to use on your own personal computer or tablet. With the Nano left in the host device’s USB port, the device itself essentially becomes the TFA token. While it is possible to remove the Nano once it’s installed into the USB port, it isn’t easy, and clearly isn’t something you are meant to do often. If your laptop or tablet which had the YubiKey Nano installed was ever stolen, it could be a serious blow to your online security and identity, so keep this in mind when deciding which device you want to go with.

YubiKey Nano installed in the CR-48 Chromebook

Hardware Image Gallery


Tom Nardi

Tom is a Network Engineer with focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at: www.digifail.com .

Related posts

Top