Password theft is a common problem on the Internet these days. Attackers use numerous ways to steal login credentials from users including phishing attacks via email, brute force attacks that try to guess the password, trojans and computer viruses or keyloggers that record every keystroke of the user.
The best protection against those kind of attacks are strong passwords, an up to date computer system with security software installed and an open educated mind that uses caution and common sense whenever passwords or other personal information are entered on the Internet.
Some security software programs can aid the user in protecting the data. Software programs like Last Pass or KeePass, a password manager that can generate secure passwords and remember them for the user, are examples of this.
But those applications do not change the system itself. All that is needed to log into a service are the username and password of a user. Yubico changes this.
Yubikey is an USB key that offers strong authentication by adding an extra layer of authentication to the login process of several popular applications and Internet services. Supported are for instance password managers like Last Pass or KeePass, content management systems like WordPress or Drupal, the popular encryption software True Crypt and other services like Google Apps or OpenID.
Features:
- Requires no driver or software installation
- Compatible with Windows, Linux, Mac OSX and Solaris
- Robust, waterproof, crush-safe, no batteries required.
- Open-source client-side SDK available.
- Yubico offers a free validation service, or you can run it on your own server.
- Customization options like labeling the keys
- RFID and OATH Yubikeys available as well
How does it work?
Yubico basically adds another layer of security to the login process in most cases. A login to the Last Pass master server for instance will still require the user’s Last Pass email address and password but will display a Yubico prompt afterwards. The user then needs to enter the Yubikey into an USB port. The Yubikey comes with a button on the device that will send a password to the computer whenever it is pressed. This password is used in the authorization process.
The Yubikey password consists of a static and dynamic part which makes this solution excellent of battling keyloggers and other eavesdropping techniques as the password is only valid for one time and void afterwards. This password can be changed to a very long static password for offline usage (for example required to make it work with True Crypt during system boot).
This means that an attacker would need access to the user’s email address and password but also access to the USB key to gain access to the service.
Take a look at this video for additional details
Yubikey adds another security layer to the authentication process. It is Open Source, does not require installation, is compatible will most popular operating systems, works with lots of popular services and can be easily carried around in a wallet or on a key chain.
This is the perfect device for web users who work with WordPress, Google Apps, password managers, OpenID or other services and applications listed at the Yubikey Wiki.
Giveaway and Discount
The Yubico guys were nice enough to give us ten of their Yubikeys that we can give away to you. If you want to win a Yubikey post a comment and let us know what you think of the device.
We were also able to get a 40% discount for a pair of Yubikeys that are usually sold for $50 at the store. If you do not trust your luck you might want to buy them with the discount code instead. Simply enter ghacks in the coupon code field during checkout to get the 40% discount.
Update: The Yubikey coupon code is no longer valid.
Related Articles:
Gmail Security Checklist, Improve Login SecurityFacebook Improves Security, One-Time Login, Remote Logout
Windows Integrity Levels for extra security in Windows Vista
Automatically login during Vista startup
Reset Windows Passwords if you cannot login anymore
Enjoyed the article?: Then sign-up for our free newsletter or RSS feed to kick off your day with the latest technology news and tips, or share the article with your friends and contacts on Facebook, Twitter or Google+ using the icons below.
Currently a roboform user, but would like to try my luck at getting this. It sounds very promising usb key.
I think that the idea is great. Yubico should be an improvement in everyday computer user security.
Yes. Cool. I want to join the lottery….
These things look pretty sweet and since I’m studying IT security and don’t have a usb key…this giveaway is perfect! Sign me up!
This sounds like an excellent security measure. I’ve been looking for a way to better protect my personal information, and this seems like it would fit.
Sounds like a great idea. Would love one.
I have heard a great deal about the yubikey on the security now podcast. I wouldn’t mind having one.
Great idea. would like to check it out.
the perfect securoty device, the feature of the press-button is excelent.
A while back there was a thorough discussion of the Yubikey on the Security Now podcast ( http://media.grc.com/sn/sn-143.mp3 ). It sounds like a good solution to several security problems. I sure would like to try one for myself.
This is cool. this is what i was looking for. press-button feature is awesome!! would love have one of this
This seems like a wonderful product and i would use it many times everyday, id love to test it out!
This looks like to be a extra layer of security what a great idea. I am very inpressed that the password is offering a static and dynamic part and i am very pleased with the fact that the attacker now needs access main email address, password and the USB key to gain access.
I’ve converted all my important logins to use strong, unique passwords using keePass. Now I’m giving LastPass a whirl, and would LOVE to include Yubikey for ultimate protection.
I am a LastPass user and think that this would add an amazing level of security for me.
Please consider me for the giveaway.
Thanks.
Consider me for the giveaway.
I’ve been using LastPass for quite a while now and this device would really be nice to have as an added measure of security.
Many thanks for doing the research and writeup on this.
Hardware based token authentifacation compatible with volume encryption on *nix and win based systems ?
I’ d like a look at that !
Please count me in.
It looks like a simple way to add more security.
Would love to try one out.
Thanks
I’m a LastPass user, but have been looking for a way to better protect my privacy, because I dont like when someone is messing with my files and information (my roommate had reads it several times, and thats really annoying me).I’ve read this review and think the feature of the press-button is fantastic solution and really would like to try it.
I read about this late last year — it looks like a neat solution — and I’d love to try it out now.
Excellent looking product and a thorough implementation. I was recently researching the feasibility of using a thumbdrive with fingerprint-scanner to add an additional layer of security to my logins, this seems like a much more elegant solution. Please consider me for the giveaway while I wait for next week’s paycheck to pick one up.
Thanks gHacks!
I’ve heard lots about Yubikey from Steve Gibson and Leo Laporte on the “Security Now” netcast. I’d love to get a chance to try one out since I’m considering offering them as a security measure on one of the sites I run. Thanks for the great reminder!
Would love this new security gadget that reuires no installation and is easy to use
Nice giveaway. Count me in.
Thanks.
I like two-factor authentication portability of the YubiKey.
This tool sounds something i might use in the future.
I’ve always wanted something like this. Two factor authentication for the win.
I would really like to win one of these. My husband needs it. Thanks!
Hey Martin. I’d love to win one of these. I use several of the supported apps everyday and the extra layer of security would be invaluable to me. Thanks for the chance!