Yubico’s Ubiquitous to be Yubikey
May 14th, 2008 | by rey
It’s incredibly secure, uber-convenient, open source, and you won’t have to pay a recurring subscription fee to use it. The Yubico Yubikey is a breakthrough in personal authentication technology that leaves other existing technologies like VeriSign’s Identity Protection seasick in its wake.
To start off with a little comparo, here’s how VeriSign’s VIP works according to their site:
VeriSign Identity Protection (VIP) protects your accounts and your identity by requiring a unique security code, in addition to your username and password, to access your online accounts. To generate a security code, you use a VIP credential (such as a USB flash drive or VIP Security Token that you carry with you) that generates a series of numbers unique to that VIP credential. While usernames and passwords can be guessed or otherwise discovered, only you have access to the physical device that generates the security codes you need to identify yourself.
Notice that the VeriSign “football” described above generates a 6-character code that the user has to type by hand into a field on a web form, which is then submitted for authentication.
The Yubikey uses the same concept of generating a one-time security passcode, with one major difference: the passcode is 32 characters (128 bits) long. The Yubikey is also much more convenient to use: all a user has to do is press a single button on the device, and it generates the passcode and types it out for you. It can “type” the code because the device appears to the computer as a standard USB HID device, kinda like a standard keyboard, so it can be plugged into practically any computer that has a USB port, whatever operating system it runs (MacOS, Windows, Linux, it doesn’t matter); it’s OS independent/cross platform. Every time you press the button, it encrypts some data using a built-in secret 128-bit AES key and blurts it out as a passcode. When you submit the web form with the passcode, this information is sent to your security provider’s authentication server, which looks up the symmetric key in its database to decrypt the data and effectively authenticate you.
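To make the flow above concrete, here is a simplified model of the token and the authentication server, added as an example and not taken from Yubico's SDK or wire format. The plaintext layout (a hidden 14-byte identifier plus a 2-byte press counter), the hex encoding, the constructed key and all names are assumptions for illustration; the counter check is what makes each passcode usable only once.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Account is the server's record for one token (assumed layout, not Yubico's).
type Account struct {
	Key, Secret []byte // 16-byte AES key; 14-byte identifier hidden in the block
	LastCounter uint16 // highest press counter accepted so far
}

// TokenPress models a button press: AES(secret || counter) as 32 hex characters.
func TokenPress(key, secret []byte, counter uint16) string {
	block := make([]byte, aes.BlockSize)
	copy(block, secret)
	binary.BigEndian.PutUint16(block[14:], counter)
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the token's key must be exactly 16 bytes
	}
	c.Encrypt(block, block)
	return hex.EncodeToString(block)
}

// Verify decrypts with the key stored for the account named in the login form
// and accepts the passcode only if the identifier matches and the counter is new.
func Verify(a *Account, passcode string) bool {
	raw, err := hex.DecodeString(passcode)
	c, cerr := aes.NewCipher(a.Key)
	if err != nil || cerr != nil || len(raw) != aes.BlockSize {
		return false
	}
	c.Decrypt(raw, raw)
	n := binary.BigEndian.Uint16(raw[14:])
	if subtle.ConstantTimeCompare(raw[:14], a.Secret) != 1 || n <= a.LastCounter {
		return false // wrong key or garbage, or a replayed (non-increasing) counter
	}
	a.LastCounter = n
	return true
}

func main() {
	a := &Account{Key: []byte("constructed-key!"), Secret: []byte("hidden-id-0001")}
	otp := TokenPress(a.Key, a.Secret, 1)
	fmt.Println(otp, Verify(a, otp), Verify(a, otp)) // accepted once, then rejected
}
```

Because the server has to hold the same AES key as the token, the key database is the asset to protect in any deployment built this way.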
Yubico’s part in all this is providing interested parties the tools to build their own secure authentication solution, by selling the Yubikey device itself and providing an SDK (Software Development Kit) which anyone can download from their site. That is miles away from the business model of VeriSign and many other “authentication providers”, which has you sign up for their service and rely on their authentication servers and infrastructure, and that can get pretty expensive.
Practical applications for the Yubikey include authenticating customers for access to their online banking service, logging on to an eCommerce site, posting comments on a blog using an OpenID, or any other online service that elects to use the technology.
For example, let’s say a pharmaceutical company is interested in rolling this out to their medical representatives in the field, who need to be able to remotely and securely access the corporate intranet to submit reports and whatnot. They can buy the keys in bulk from Yubico and download the SDK from their site (which is open source and free, by the way), then develop and install custom software on a dedicated company server whose main job is to authenticate the folks using a Yubikey to log into the intranet.
Yubico comes from the word ubiquitous ‘coz they didn’t want to come up with a name based on some crappy, unoriginal, security-related term like verify, secure or encryption. They envision the Yubikey as something you will one day find being used everywhere, well known for its ubiquity.
Read up on this awesome product at their website, Yubico.com.

10 Responses to “Yubico’s Ubiquitous to be Yubikey”
By Host on Jun 3, 2008 | Reply
I searched for 'Ecommerce Website Host Provider' in Google and found this your post ('s Ubiquitous to be Yubikey | Once and Still a Techie Weblog') in search results. Not very relevant result, but still interesting to read.
By Snow White on Jun 4, 2008 | Reply
Bought 5 Yubikeys and use it on Mashed Life for my wife, kids, and my Mom. This is a great convenience device + service that enhanced our experience on the net.
Especially my kids and my mom can never keep track of their growing # of passwords online in gaming, photo sharing, and family blogs. They can’t even remember the URLs and this solves a lot of my daily role as IT support at home.
Thanks for the great story!
By rey on Jun 4, 2008 | Reply
I’m seriously considering ordering my own.
By Smart Card Guy on Jun 11, 2008 | Reply
I’m a smart card guy at martsoft.com but fed up with the support overhead of readers, CCID/PCSC/drivers, CSP/PKCS#11, … every time an upgrade of PC, a patch to OS, made ~ 50% of my customers’ smart cards stop working and we need to upgrade the drivers, diagnose the problem, and most people give up on smart card projects finally as we all know.
Weeks ago I ordered YubiKeys and integrated with 3 strong auth projects painlessly, and reduced these customers’ support overhead to almost zero, I’m converted by YubiKey now. It is the best compromise for the mass market.
By Max on Aug 7, 2008 | Reply
After reading your blog, I completely agree. I’ve been using the Yubikey for a few weeks now and I’m in love. It just makes logging into certain sites so easy. I know that not every site supports it yet, but I sure hope they will soon!
Also, using the Yubikey with other password sites is great. This one site I use, Mashedlife, is a password management site. It stores all my passwords online and lets me log in with one click. Using my Yubikey to log in there is really secure. Since my Yubikey logs me in, and Mashedlife remembers my other passwords, this is a relationship that makes life great. I’d say you should go check it out. Just go to http://www.mashedlife.com
Thanks for the great blog post!
Regards
By Bobbysan on Aug 21, 2008 | Reply
I bought one to test it out. I’ve been using it on mashedlife also and will be buying another as a backup. If I would have known better, I could have saved on shipping by ordering both at the same time. They sent it priority mail and I had it in about 3 business days from the time I placed the order.
By Nico on Sep 4, 2008 | Reply
Judging from the available documentation, Yubikey is based on standard mass storage, which cannot be considered as a secure element like smartcards. As far as security is concerned, you can consider your Yubikey compromised as soon as somebody else can have it long enough to study it.
Second main issue: by construction, AES keys for all users need to be stored in clear on the server side. Consider the system compromised as soon as you had an intrusion on the server (read-only access would be sufficient).
Two weaknesses that tend to place Yubikey in the range of low-order security. This might be an issue, depending on what you are trying to protect.
By Jeff on Apr 4, 2009 | Reply
The Yubikey is not a mass storage device, it only acts as a USB keyboard when plugged into a computer. This is why it can work as a one-time password device on just about any computer with a USB port.
By museekero on Dec 12, 2009 | Reply
Hi, nice blog you have here. Care for an exchange link? My site: http://museekero.com
Please visit and post your comments. Thanks. God bless.