YubiKey Review: Next Generation Authentication


Using the YubiKey

Each YubiKey has two user-programmable “identities” (configuration slots), and each slot can be loaded with one of four modes, which lets the YubiKey work in a variety of authentication scenarios:

  1. YubiKey OTP
  2. Open Authentication OTP (OATH OTP)
  3. Static passcode
  4. Challenge-Response

Once programmed, the YubiKey can be switched between the two slots at any time using the gold contact pad. A quick tap on the pad triggers the first programmed function, and a long hold triggers the second. So for example, a quick press on the pad could trigger the YubiKey to work in its standard OTP mode, while a long press could be programmed to have the YubiKey “type” a long and complex password the user might not otherwise be able to enter or remember themselves.

Being able to switch between two functions is important, as it allows the YubiKey to be used with services and systems that don’t yet have native YubiKey support built in. Even if the system only supports basic username and password authentication, you could still use the YubiKey’s static passcode mode. The static passcode mode is also excellent for use with things like BIOS passwords and TrueCrypt volumes.

Programming the YubiKey

One of Yubico’s biggest goals is to develop a TFA token which can be used in as many places and by as many different people as possible, so to that end, they have developed their YubiKey programming software as a cross-platform tool powered by the Qt framework. This application, known as the “YubiKey Personalization Tool”, enables Linux, Windows, and Mac OS users to easily configure their YubiKey devices to their liking.

Main screen of YubiKey Personalization Tool

The main screen of the YubiKey Personalization Tool gives you a handy display of the vital statistics of any connected YubiKey, such as the firmware version and supported features. This is very useful for administrators who need to look after multiple YubiKeys that may be of different hardware revisions.

The options along the top allow you to configure the various modes of operation the YubiKey supports, and assign them to one of the two configurable identities on the device. Yubico has a very thorough guide (PDF) on their site that explains all the various options and menus, but for the most part, the tool is fairly self-explanatory. Yubico has done a good job of keeping the look and options fairly consistent between the different modes, so it’s fairly easy to understand the tool and get to work.

Configuring a static password with the YubiKey Personalization Tool

The fact that you can so easily reprogram a YubiKey, without any special hardware or complicated software, is a big advantage to both the individual and the administrator alike. For the individual, this means you can update your YubiKey with your latest static passwords or other authentication methods on any computer with a USB port. For the administrator it’s even better, as the addition of a standard USB hub to the equation means you can program large numbers of YubiKeys at once. This considerably lowers the total cost of ownership (TCO) for a YubiKey based authentication system.

Implementing the YubiKey

Developing and manufacturing the authentication token is only half the battle; for it to be useful, you also need a server-side validation component and an API to pull it all together. This is where the YubiKey really shines, as Yubico has created free software (BSD-licensed) libraries to interface with the YubiKey in multiple languages. This means that anyone can implement high-security two-factor authentication in their applications or services with the only upfront cost being a single YubiKey.
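To make the YubiKey OTP mode listed earlier and the server-side validation described here concrete, the following Python example, added for this review and not code from the review itself or from Yubico's libraries, walks through what a validation server checks on an OTP. It assumes the openly documented Yubico OTP layout: 44 modhex characters, a 12-character public ID followed by a 32-character AES-128 block, which decrypts to a 16-byte token carrying a private UID, a session counter, a timestamp, a use counter, random bytes and a CRC-16. AES itself is left out; the `decrypt` stand-in and the public ID, UID and counters in `demo()` are constructed values so the example runs offline.

```python
# Added example (not from the review or Yubico's libraries): the checks a
# validation server applies to a YubiKey OTP after decrypting the AES block.
# Assumptions: the documented Yubico OTP layout (12 modhex chars of public ID
# + 32 modhex chars of AES-128 block, decrypting to a 16-byte token). AES is
# omitted; tokens are constructed directly as if already decrypted.
import struct

MODHEX = "cbdefghijklnrtuv"  # modhex alphabet, chosen to type correctly on most keyboard layouts
CRC_OK_RESIDUE = 0xF0B8      # crc16() over an intact 16-byte token (CRC field included) yields this

def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))

def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)

def split_otp(otp: str):
    """Split a 44-char OTP into (public ID bytes, encrypted 16-byte block)."""
    if len(otp) != 44:
        raise ValueError("OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])

def crc16(data: bytes) -> int:
    """CRC-16 used by the YubiKey: reflected poly 0x8408, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def build_token(uid: bytes, session: int, use: int, tstamp: int = 0x123456, rnd: int = 0x4242) -> bytes:
    """Construct the 16-byte plaintext a key would encrypt (stand-in for AES decryption output)."""
    body = (uid + struct.pack("<H", session) + tstamp.to_bytes(3, "little")
            + bytes([use]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)  # CRC stored as its complement

def parse_token(tok: bytes) -> dict:
    """Integrity-check and unpack a decrypted token; a wrong AES key shows up as a CRC failure."""
    if len(tok) != 16 or crc16(tok) != CRC_OK_RESIDUE:
        raise ValueError("CRC check failed (wrong key or corrupted OTP)")
    uid, session, ts_lo, ts_hi, use, rnd, _crc = struct.unpack("<6sHHBBHH", tok)
    # the top bit of the session counter is a caps-lock flag, not part of the count
    return {"uid": uid, "session": session & 0x7FFF, "use": use,
            "tstamp": ts_lo | (ts_hi << 16), "rnd": rnd}

class Validator:
    """Per-key state a validation server keeps: the private UID and the highest counters seen."""

    def __init__(self, keys: dict):
        self.keys = keys  # public ID -> private UID (a real server also stores the AES key)
        self.last = {}    # public ID -> (session, use) counters of the last accepted OTP

    def validate_otp(self, otp: str, decrypt) -> str:
        try:
            public_id, block = split_otp(otp)
        except ValueError:
            return "bad otp"
        if public_id not in self.keys:
            return "unknown key"
        try:
            tok = parse_token(decrypt(block))
        except ValueError:
            return "bad otp"
        if tok["uid"] != self.keys[public_id]:
            return "bad otp"  # decrypts cleanly but the UID does not belong to this key
        seen = self.last.get(public_id, (-1, -1))
        if (tok["session"], tok["use"]) <= seen:
            return "replayed otp"  # counters must strictly increase; older OTPs are rejected
        self.last[public_id] = (tok["session"], tok["use"])
        return "ok"

def demo() -> list:
    """Run a constructed sequence of OTPs through the validator and return the verdicts."""
    public_id = modhex_decode("ccccccbcgujh")  # constructed public ID
    uid = bytes.fromhex("8792ebfe26cc")        # constructed private UID
    v = Validator({public_id: uid})
    decrypt = lambda block: block              # stand-in for AES-128 decryption with the key's secret

    def otp(session, use):
        return modhex_encode(public_id) + modhex_encode(build_token(uid, session, use))

    first = otp(5, 0)
    damaged, i = otp(6, 0), 20                 # flip one modhex character inside the block
    damaged = damaged[:i] + ("b" if damaged[i] == "c" else "c") + damaged[i + 1:]
    return [
        v.validate_otp(first, decrypt),        # fresh OTP
        v.validate_otp(first, decrypt),        # same OTP again: replay
        v.validate_otp(otp(5, 1), decrypt),    # same session, next use
        v.validate_otp(otp(4, 9), decrypt),    # an OTP from an earlier session
        v.validate_otp(damaged, decrypt),      # altered in transit: CRC catches it
    ]

if __name__ == "__main__":
    print(demo())
```

The replay check is the part worth noting for anyone building their own validator: the OTP is only as strong as the server's memory of the last accepted (session, use) pair per key, so that state must be persisted and shared across every validation node, not kept in a single process.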

More information on implementing the YubiKey into your software can be found on their Developers Introduction page:


The Verdict

Whether you’re an individual looking to improve your personal security online, a developer looking to implement two-factor authentication into your software, or an administrator who wants to provide secure authentication for his or her users, the YubiKey has something to offer you. With a base cost of $25 for the standard YubiKey (with volume pricing available in quantities of 50 or more), it’s budget friendly for everyone from the student to the corporation.

While YubiKey didn’t invent the idea of a security token, they have brought some very unique (and welcome) features to the table. By doing away with the LCD display and battery of traditional tokens, they have greatly improved the device’s reliability. Because it acts as a USB input device, the YubiKey is foolproof to use for even the most non-technical of users. Perhaps best of all, developing free and open APIs combined with delivering their configuration tools via the cross-platform Qt framework means Yubico has gone a long way towards their goal of developing an affordable universal TFA token.

Be sure to check back with “The Powerbase” for coverage of Yubico’s future products, such as the YubiKey NEO: a standard YubiKey enhanced with NFC technology intended for use with mobile devices. We’ll also be taking a look at using the YubiKey with your favorite services and programs.

About Tom Nardi

Tom is a Network Engineer with a focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at www.digifail.com.