It’s an open secret that passwords aren’t the most effective way to protect online accounts. Alarmingly, three out of four people use duplicate passwords, and 21 percent of people use codes that are over 10 years old. (In 2014, among the five most popular passwords were “password,” “123456,” and “qwerty.”) Two-factor SMS authentication adds a layer of protection, but it isn’t foolproof — hackers can fairly easily redirect text messages to another number.
A much more secure alternative is hardware authentication keys, and there’s good news this week for folks looking to pick one up. During Microsoft’s Ignite conference in Orlando, Florida, Yubico unveiled the YubiKey 5 Series: The YubiKey 5C, YubiKey 5 NFC, YubiKey 5 Nano, and YubiKey 5C Nano. The company claims they’re the first multi-protocol security keys to support the FIDO2 (Fast IDentity Online 2) standard.
All four are available for purchase at the Yubico store starting at $45.
“Innovation is core to all we do, from the launch of the original YubiKey 10 years ago to the concept of one authentication device across multiple services — and today, as we are accelerating into the passwordless era,” said Yubico CEO and founder Stina Ehrensvard. “The YubiKey 5 Series can deliver single-factor, two-factor, or multifactor secure login, supporting many different use cases, industries, platforms, and authentication scenarios.”
Every key in the YubiKey 5 Series, including the new YubiKey 5 NFC, which supports tap-and-go authentication on compatible PCs and smartphones, supports FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response schemes. (That’s in addition to the crypto algorithms RSA 4096, ECC p256, and ECC p384.) A secure hardware element protects the cryptographic keys.
The new YubiKeys support three authentication options:
- Single Factor: Passwordless, requires a YubiKey only
- Two Factor: Requires a username and password in addition to a YubiKey
- Multifactor: Passwordless, requires a YubiKey and a PIN
Conspicuously absent from the refreshed lineup is a Bluetooth Low Energy (BLE) fob along the lines of Google’s Titan Security Key. Ehrensvard said that was a conscious decision.
“While Yubico previously initiated development of a BLE security key and contributed to the BLE U2F standards work, we decided not to launch the product, as it does not meet our standards for security, usability, and durability,” Ehrensvard wrote in a June blog post. “BLE does not provide the security assurance levels of NFC and USB and requires batteries and pairing that offer a poor user experience.”
Fret not if you’ve got an iOS device, though. In May, Yubico announced an iOS SDK that enables developers to add YubiKey Neo NFC authentication to their apps. (The first to support it was LogMeIn’s LastPass.) NFC might not have BLE’s range, but it’s bound to be faster than fishing around for a USB adapter. In fact, Yubico claims it’s 4 times faster than typing a password.
FIDO2, for the uninitiated, is a standard certified by the nonprofit FIDO Alliance that supports public key cryptography and multifactor authentication — specifically, the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols. When you register a FIDO2 device with an online service, it creates a key pair: an on-device, offline private key and an online public key. During authentication, the device “proves possession” of the private key by prompting you to enter a PIN code or password, supply a fingerprint, or speak into a microphone.
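The registration and proof-of-possession flow described above, as an added example that is not Yubico’s or the FIDO Alliance’s code: a simplified WebAuthn-style exchange in Go using a P-256 key pair, where the relying-party id “example.com”, the credential id, the 32-byte challenge and the “evil.example” origin are constructed assumptions. The authenticator signs the hash of the relying-party id together with the challenge, so the same signature is useless for a different challenge or at a different origin.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the security key: the private key is generated on it and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty models the online service: it keeps only public keys, indexed by credential id.
type RelyingParty struct {
	rpID string
	pubs map[string]*ecdsa.PublicKey
}
// Register creates a fresh P-256 key pair on the authenticator; only the public half goes to the service.
func (a *Authenticator) Register(rp *RelyingParty, credID string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // key generation from crypto/rand does not fail in practice; this toy model stops here
	}
	a.priv, rp.pubs[credID] = priv, &priv.PublicKey
}
// signedDigest hashes what WebAuthn signs, SHA-256(rpID) || SHA-256(client data), with the client data
// reduced here to the raw challenge. Binding the rpID makes a signature for one origin useless at another.
func signedDigest(rpID string, challenge []byte) []byte {
	rpHash, clientHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	digest := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return digest[:]
}
// Assert proves possession of the private key by signing the challenge; a real key first demands the user's touch or PIN.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(rpID, challenge))
}
// Verify checks the assertion with the stored public key: only the key that registered can pass.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[credID]
	return ok && ecdsa.VerifyASN1(pub, signedDigest(rp.rpID, challenge), sig)
}
// Demo runs one login and returns (genuine assertion accepted, same challenge signed for another origin accepted).
func Demo() (bool, bool) {
	rp, key := &RelyingParty{rpID: "example.com", pubs: map[string]*ecdsa.PublicKey{}}, &Authenticator{} // assumed rpID
	key.Register(rp, "cred-1")
	challenge := make([]byte, 32) // fresh per-login nonce issued by the service
	rand.Read(challenge)
	genuine, _ := key.Assert("example.com", challenge)
	phished, _ := key.Assert("evil.example", challenge) // constructed attacker origin, same challenge
	return rp.Verify("cred-1", challenge, genuine), rp.Verify("cred-1", challenge, phished)
}
func main() { fmt.Println(Demo()) } // prints: true false
```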
Since 2014, Yubico, Google, NXP, and others have collaborated to develop the Alliance’s standards and protocols, including the World Wide Web Consortium’s new Web Authentication API (WebAuthn). (WebAuthn shipped in Chrome 67 and Firefox 60 earlier this year.) Among the services that support them are Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter.
Yubico says that since 2012 it has deployed 275,000 keys across organizations in 160 countries, including Facebook and Salesforce. It said that since deploying YubiKeys, client Google has experienced “zero” account takeovers, 4 times faster logins, and 92 percent fewer IT support calls.