Lately I’ve been researching this more than usual partly due to building some services in Windows Azure where I want to provide secure and authenticated access. (And I don’t consider myself competent to build a fully hardened solution from scratch just because I know what hashing and salting of passwords means.) While looking into this I came across a nifty product series called YubiKey from http://www.yubico.com, and wanted to share some thoughts on these. If you’ve visited my blog before you might have noticed I’ve already covered client certificates a few times, which of course also meets the definition of two-factor, but this time around we’re looking at hardware for providing the additional factor.
(…)
Yubico is a company that provides key fobs/code generators that you can either integrate with your own systems, or use out-of-the-box for existing online services like LastPass, Google Apps, etc. To authenticate when using a YubiKey you have to provide both a password, (or pin code), and a uniquely generated password in addition to the user name. This concept in itself is nothing new, and the most well-known company in this space is probably RSA whom I gather a lot if IT Pros have come across a few times before already. There’s also a number of banks who provide key fobs for consumers to use for accessing their online banking services (often a non-branded type of key) – so pretty much everyone knows what it is more or less even though they aren’t necessarily exposed to all the technical details.