ghacks Technology News

Yubico USB Key Provides Extra Login Protection [Security]

Password theft is a common problem on the Internet these days. Attackers use numerous ways to steal login credentials from users including phishing attacks via email, brute force attacks that try to guess the password, trojans and computer viruses or keyloggers that record every keystroke of the user.

The best protection against these kinds of attacks is a combination of strong passwords, an up-to-date computer system with security software installed, and an open, educated mind that uses caution and common sense whenever passwords or other personal information are entered on the Internet.

Some security software can help the user protect this data. Password managers like LastPass or KeePass, which can generate secure passwords and remember them for the user, are examples of this.

But those applications do not change the system itself. All that is needed to log into a service are the username and password of a user. Yubico changes this.

Yubikey is a USB key that offers strong authentication by adding an extra layer of authentication to the login process of several popular applications and Internet services. Supported are, for instance, password managers like LastPass or KeePass, content management systems like WordPress or Drupal, the popular encryption software TrueCrypt and other services like Google Apps or OpenID.

Features:

  • Requires no driver or software installation
  • Compatible with Windows, Linux, Mac OSX and Solaris
  • Robust, waterproof, crush-safe, no batteries required.
  • Open-source client-side SDK available.
  • Yubico offers a free validation service, or you can run it on your own server.
  • Customization options like labeling the keys
  • RFID and OATH Yubikeys available as well

How does it work?

Yubico basically adds another layer of security to the login process in most cases. A login to the LastPass master server, for instance, will still require the user’s LastPass email address and password but will display a Yubico prompt afterwards. The user then needs to insert the Yubikey into a USB port. The Yubikey has a button that sends a password to the computer whenever it is pressed. This password is used in the authentication process.

The Yubikey password consists of a static and a dynamic part, which makes this solution excellent at defeating keyloggers and other eavesdropping techniques, as each password is valid only once and void afterwards. The key can instead be configured to send a very long static password for offline use (required, for example, to make it work with TrueCrypt during system boot).

This means that an attacker would need not only the user’s email address and password but also access to the USB key to gain access to the service.
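The login flow described above, as an added example that is not Yubico's or LastPass's code: a service checks the account password, splits the key's output into its static and dynamic parts, and refuses a dynamic part it has already accepted, which is why a keylogged password is useless later. The 44-character "modhex" layout follows Yubico's published OTP format; the `OtpGate` class, the account name and the sample OTP are constructed for illustration, and the AES decryption and counter checks performed by the real validation service are left out.

```python
MODHEX = "cbdefghijklnrtuv"   # YubiKey "modhex" alphabet, stands for hex 0..f
DYNAMIC_LEN = 32              # trailing 32 chars: encrypted block, new on every press

def modhex_to_bytes(s):
    """Decode modhex; ValueError on characters a YubiKey never emits."""
    if len(s) % 2:
        raise ValueError("odd-length modhex")
    try:
        nib = [MODHEX.index(ch) for ch in s.lower()]
    except ValueError:
        raise ValueError("not modhex") from None
    return bytes(hi << 4 | lo for hi, lo in zip(nib[::2], nib[1::2]))

def split_otp(otp):
    """Return (static key id, dynamic part) of one key press."""
    otp = otp.strip()
    if not DYNAMIC_LEN < len(otp) <= DYNAMIC_LEN + 16:
        raise ValueError("unexpected OTP length")
    static, dynamic = otp[:-DYNAMIC_LEN], otp[-DYNAMIC_LEN:]
    modhex_to_bytes(static)
    modhex_to_bytes(dynamic)
    return static, dynamic

class OtpGate:
    """Hypothetical second-factor gate: models only the one-time-use rule.
    A real validator also decrypts the dynamic part with the key's secret."""
    def __init__(self, enrolled):
        self.enrolled = dict(enrolled)   # static key id -> account
        self.used = set()                # dynamic parts already accepted

    def login(self, account, password_ok, otp):
        if not password_ok:
            return "denied: password"
        try:
            static, dynamic = split_otp(otp)
        except ValueError:
            return "denied: malformed otp"
        if self.enrolled.get(static) != account:
            return "denied: key not enrolled for account"
        if dynamic in self.used:
            return "denied: otp already used"   # e.g. replay from a keylogger
        self.used.add(dynamic)
        return "ok"

if __name__ == "__main__":
    gate = OtpGate({"cccccccbdefg": "alice@example.com"})
    otp = "cccccccbdefg" + "hijklnrtuvcbdefg" * 2    # constructed sample
    print(gate.login("alice@example.com", True, otp))  # first use
    print(gate.login("alice@example.com", True, otp))  # replayed capture
```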

Yubikey adds another security layer to the authentication process. It is Open Source, does not require installation, is compatible with most popular operating systems, works with lots of popular services and can be easily carried around in a wallet or on a key chain.

This is the perfect device for web users who work with WordPress, Google Apps, password managers, OpenID or other services and applications listed at the Yubikey Wiki.

Giveaway and Discount

The Yubico guys were nice enough to give us ten of their Yubikeys that we can give away to you. If you want to win a Yubikey, post a comment and let us know what you think of the device.

We were also able to get a 40% discount for a pair of Yubikeys that are usually sold for $50 at the store. If you do not trust your luck you might want to buy them with the discount code instead. Simply enter ghacks in the coupon code field during checkout to get the 40% discount.

Update: The Yubikey coupon code is no longer valid.




About the Author: Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.

Tuesday January 12, 2010


Responses so far:

  1. pctech says:

    I used roboform and this sounds great. Add me to the lottery. Thanks.

  2. Adam says:

    Sounds like a great way to add cheap and easy multi-factor authentication. I’ve used a securID for work for some time, and use the verisign iPhone app for a similar feature with paypal. I’d like to have one of these to pair with lastpass for two-factor authentication for all logins.

  3. Lee says:

    I am a LastPass and Roboform user and think that this would add the additional level of security I have been looking for. This would really be of use to me and give me peace of mind. Please consider me for the giveaway.

  4. Manfred says:

    Very nice. That could be useful for our team. I would evaluate it for my team members. Please consider me for the giveaway.

  5. Daniel says:

    That´s a great idea.
    Please add me to the lottery.

  6. Toader Silviu says:

    Software security methods added with a hardware extension have always been the best method to create a secured connection.
    That’s why the banks use a hardware password generator along with an already created password.

    This is an interesting device for really secured connections.

    Count me in :)

  7. Oss says:

    Please count me in.

  8. Matias says:

    I would very much like to get one license! I am a fan of security software (I have used Scram Disk, Drive Crypt, True Crypt and many many others) and would love to give this one a try! Thank you in advance!

  9. Gerrit says:

    please count me in too…

  10. willdo says:

    Dear Martin,
    I use a lot of my pen-drives as part of my work. Yubico USB key could provide protection which I didn’t even consider important enough!
    The best feature has to be any OS compatibility and support for password managers. I would love to have one YUBICO USB.

    with regards,
    willdo

  11. vivek says:

    Yubico usb key looks like fantastic must-have usb protection. I wanna try this, I personally feel this should be tried by everyone. One Yubico in my pocket from you would be great! Thanks 4 information and offer.

  12. DaExpt says:

    Already thought about buying one. Found a comment in a magazine, which sounds good enough for an eval. Would appreciate to get one free.

  13. Dasfx says:

    Keep thinking about trying this out for keepass, truecrypt and other. Free is always nice :)

  14. Kbn says:

    When will the drawing be? (and publish the giveaway winners?)

  15. Matthias says:

    This sounds very effective and I would like to try it out.

  16. mr S says:

    I want to try it!!
    thanks

  17. Ace says:

    PLease ONe YUbico USb KEy 4 Me Too!!!!

  18. ofutur says:

    The yubikey is a great idea since it introduces that necessary extra layer of protection needed when using lastpass on public computers :).

    I was about to order one online, but I may just wait to see if I can win one :)

  19. okidoki says:

    Sounds Great…I hope I’m not too late to win one :)

    I love this idea….looks great. this is a must gadget for everyone!!!

    cheers

  20. Other says:

    So how do we know if these were ever given away, or if this was fake since nothing is ever announced? Seems fishy to me…

  21. limon says:

    i will agri to giver password in your usb drive.

  22. Sonja says:

    Do you accept only comments full of praises to YubiKey? How about some truth? Security Evangelist Dr. Fredrik Björck in his blog shares security review of YubiKey OTP token – http://security.dj/?p=4 .

  23. Versatile says:

    I have been following Security Now and that is how I discovered Yubikey. I would love to have one!

    It would be the perfect security tool for my netbook.

  24. Dave says:

    When does the giveaway end? If it already took place, I haven’t seen any post announcing who got it.

    How long is the coupon code good at Yubico? I just went to order the pair and it seems to have expired already.

    @Sonja –

    Why are you implying that Dr. Björck still does not trust the Yubikey?

    The weaknesses were revealed over a year ago. Some were addressed quickly and Björck updated his article TWICE within one day (2009-02-23). He also posted this, over six months later:

    “NOTE! (Added 2009-08-30): Please note that most of these security issues described in this article are now fixed, or the risk reduced. Please read http://security.dj/?p=154 for more information.”

    There is also a wealth of newer information here:
    http://yubico.com/news/news/

    • Wally says:

      I believe this giveaway was for the month of December 2009.

      I was notified by email in January that I was one of the lucky winners, and I can vouch for Martin’s integrity. I received my YubiKey in the mail just today!

      Thanks Martin!

  25. To the last commenter – I received mine in the mail yesterday and took it for a test drive today.

    It works really nice, can’t wait to put it to use “across the board.”

  26. mrmule says:

    Very sorry to report, but your coupon is no longer valid. :(

    “The coupon code you have entered is not valid.”


© 2005-2012 Ghacks.net. All Rights Reserved. Privacy Policy - About Us