Tag: Yubico

YubiKey Verification

Occasionally someone on Hacker News or Reddit wonders whether or not a YubiKey (or other FIDO/U2F security key) could be duplicated in transit.

Never say never, but FIDO/U2F has specific mitigations designed to make it easy to quickly detect duplicate keys.

A U2F token must increase a counter each time it performs an authentication operation. This counter may be ‘global’ (i.e., the same counter is incremented regardless of the application parameter in Authentication Request message), or per-application (i.e., one counter for each value of application parameter in the Authentication Request message).

U2F token counters should start at 0.

The counter allows relying parties to detect token cloning in certain situations. Relying parties should implement their own remediation strategies if they suspect token cloning due to non-increasing counter values.

Similarly, while it would be possible to create a fake YubiKey, actual YubiKeys are signed with an attestation certificate. The certificate chain of a given key can be checked to ensure it is genuine.

Yubico has an online YubiKey Verification site that will tell you whether a given YubiKey is genuine.

Yubico Releases YubiKey 5 Series Featuring FIDO2/WebAuthn Support

Of course after I buy a half-dozen YubiKey 4 keys, the company goes and releases the YubiKey 5 series with FIDO2/WebAuthn support. 🙂

Single-Factor Authentication (Passwordless) with the YubiKey 5 Series – The YubiKey 5 security keys can be used alone for strong single-factor authentication, requiring no username or password to login — just tap or touch to authenticate.

Second-Factor Authentication with the YubiKey 5 Series – Used alongside a username and password, the YubiKey 5 series offers a strong second factor of authentication. This is the YubiKey integration that exists today with services like Google, Twitter, and Facebook, and it is most familiar to our users.

Multi-Factor Authentication (Passwordless + PIN + Touch) with the YubiKey 5 Series – The YubiKey 5 series can be used in conjunction with a PIN for user verification. In this case, the PIN unlocks the device locally and touch is still required for the YubiKey to perform the authentication.

Really looking forward to seeing what the uptake is on the passwordless single-factor authentication turns out to be, especially as Google’s recently released hardware authentication key also supports it.

I had some concerns about physical security with the passwordless authorization, but it appears that users can add a pin to the authentication keys in that setup if desired.

Usability Study of Yubikeys

In the YouTube video below, Joshua Reynolds presents at the IEEE Symposium on Security and Privacy about a couple of usability studies he and others conducted testing the usability of configuring and using Yubico’s Yubikey two-factor authentication security keys.

The full usability study can be found on the IEEE website. From the study’s abstract,

Two-factor authentication (2FA) significantly improves the security of password-based authentication. Recently, there has been increased interest in Universal 2nd Factor (U2F) security keys-small hardware devices that require users to press a button on the security key to authenticate. To examine the usability of security keys in non-enterprise usage, we conducted two user studies of the YubiKey, a popular line of U2F security keys. The first study tasked 31 participants with configuring a Windows, Google, and Facebook account to authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking themselves out of their operating system or thinking they had successfully enabled 2FA when they had not. In contrast, the second study had 25 participants use a YubiKey in their daily lives over a period of four weeks, revealing that participants generally enjoyed the experience. Conducting both a laboratory and longitudinal study yielded insights into the usability of security keys that would not have been evident from either study in isolation. Based on our analysis, we recommend standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts.

Yubikey 4C Nano

I have Yubico’s FIDO key enabled on all the accounts I have that utilize it. I have two primary laptops I use most days, and I bought Yubikey 4 Nano keys for both of those.

But I ran into a bit of a problem when I decided to add a Chromebook as a secure, ultraportable device. I ended up buying an ASUS Chromebook that only had USB-C ports.

Fortunately, Yubikcorecently released a USB-C version of the Yubikey 4 Nano. It’s a bit expensive at $60, but it has a very low profile on the Chromebook and works without any issues.

Yubikey 4C Nano

Yubikey 4C Nano

Yubikey 4C Nano
Yubikey 4C Nano