I have a number of things I find interesting when it comes to computers and gadgets, and a recurring theme for me is decent security combined with good user experiences. (That does sound grandiose doesn’t it?)
Lately I’ve been researching this more than usual partly due to building some services in Windows Azure where I want to provide secure and authenticated access. (And I don’t consider myself competent to build a fully hardened solution from scratch just because I know what hashing and salting of passwords means.) While looking into this I came across a nifty product series called YubiKey from http://www.yubico.com, and wanted to share some thoughts on these. If you’ve visited my blog before you might have noticed I’ve already covered client certificates a few times, which of course also meets the definition of two-factor, but this time around we’re looking at hardware for providing the additional factor.
I’d like to point out from the start that although it might seem like I’m advertising for this company I am not in any way affiliated with them, and have purchased my YubiKeys like any customer would do.
Yubico is a company that provides key fobs/code generators that you can either integrate with your own systems, or use out-of-the-box for existing online services like LastPass, Google Apps, etc. To authenticate when using a YubiKey you have to provide both a password, (or pin code), and a uniquely generated password in addition to the user name. This concept in itself is nothing new, and the most well-known company in this space is probably RSA whom I gather a lot if IT Pros have come across a few times before already. There’s also a number of banks who provide key fobs for consumers to use for accessing their online banking services (often a non-branded type of key) – so pretty much everyone knows what it is more or less even though they aren’t necessarily exposed to all the technical details.
These solutions do provide enhanced levels of security, but have a certain level of complexity to implement and often comes with an enterprise price tag on the flip side. The thing I like about Yubico is that they don’t charge an arm and a leg to get you started; as a geek you can get your own two-factor authentication for as low as 25$. You buy the hardware, and then you can decide if you want to use the hosted service Yubico provides for verification of the One Time Passwords (OTP) generated, or if you want to create your own service with the software provided. If you want to up the ante to another level you can buy a hardware security module, (HSM), as well. This will set you back 500 dollars, and while that is dirt cheap as far as HSMs go I haven’t played around enough with the basic scenario to invest in this yet.
(If you’re not familiar with what HSM means check out Wikipedia: http://en.wikipedia.org/wiki/Hardware_security_module )
The YubiKeys do not have a display, but instead emulates keyboard input. So, with the standard YubiKey model you plug it into a computer, place the cursor in an input field (for instance a password dialog), and press the YubiKey. This will generate a unique OTP, type it into the box for you and press enter/OK for you as well (default config – can be reconfigured). No need to type it manually which allows you to use much longer OTPs than the "standard" 6 digits.
Now, the reason I bring this into my blog, which usually doesn’t deal with these kinds of products, is that they have some models which are suitable for mobile devices as well.
There’s the YubiKey Nano – basically the same functionality as the regular YubiKey but much smaller. This fits perfectly into the USB stick included in the "iPad Camera Connection Kit", and while it’s still something that needs to be plugged into the iPad it’s a little sleeker than inserting the larger YubiKey in the stick. This means you’re covered with two-factor authentication for the iPad. It does not work on the iPhone, but that’s seems to be the way Apple designed the kit to work out. (It doesn’t work with an Apple USB keyboard either so it’s not the YubiKey at fault. Maybe they call it "iPad kit" for a reason…)
See the official video here:
If you’ve got an Android device that offers USB host functionality, and the keyboard profile, you should also be able to use the Nano or a standard YubiKey. (The Nano is just a "size thing" – the interface is the same.)
Now, for upping the fancy level, there’s the YubiKey Neo – which I really like. This also works as a USB keyboard when you plug it into your computer (or iPad), but in addition it has an NFC chip inside it. This means that with devices supporting NFC you can just have it touch the back of the device to trigger the OTP generation (I tested this on a Galaxy Nexus). By default the NFC tag contains a link to a test site so it will open the browser and append the OTP to the query string – smooth. (There is a configuration utility you can download to reprogram the YubiKeys.) If you have an app running on the device you don’t have to concern yourself with the url part and can just read out the OTP.
Official video here:
Unfortunately there aren’t that many devices out there supporting NFC yet, and while it has been a buzzword for some time there’s no guarantee it will ever pick up traction. I suppose if Apple includes it in the next iPhone everyone will support it a few weeks later 🙂
Reconfiguring the sticks you can also have it emit a static password instead of generating one. The regular YubiKey and the Nano will let you have two different password profiles stored, but the Neo is limited to one slot for now.
There’s plenty of scenarios for using these keys. As I mentioned you can use them for consumer services like LastPass and Google Apps, and with these you can get started right away. I’ll be exploring a way to integrate them with your infrastructure with Active Directory Federation Services in my next post to illustrate something more suited for an enterprise scenario.