The best protection against those kind of attacks are strong passwords, an up to date computer system with security software installed and an open educated mind that uses caution and common sense whenever passwords or other personal information are entered on the Internet.

Some security software programs can aid the user in protecting the data. Software programs like Last Pass or KeePass, a password manager that can generate secure passwords and remember them for the user, are examples of this.

But those applications do not change the system itself. All that is needed to log into a service are the username and password of a user. Yubico changes this.

Yubikey is an USB key that offers strong authentication by adding an extra layer of authentication to the login process of several popular applications and Internet services. Supported are for instance password managers like Last Pass or KeePass, content management systems like WordPress or Drupal, the popular encryption software True Crypt and other services like Google Apps or OpenID.

Features:

• Requires no driver or software installation
• Compatible with Windows, Linux, Mac OSX and Solaris
• Robust, waterproof, crush-safe, no batteries required.
• Open-source client-side SDK available.
• Yubico offers a free validation service, or you can run it on your own server.
• Customization options like labeling the keys
• RFID and OATH Yubikeys available as well

How does it work?

Yubico basically adds another layer of security to the login process in most cases. A login to the Last Pass master server for instance will still require the user’s Last Pass email address and password but will display a Yubico prompt afterwards. The user then needs to enter the Yubikey into an USB port. The Yubikey comes with a button on the device that will send a password to the computer whenever it is pressed. This password is used in the authorization process.

The Yubikey password consists of a static and dynamic part which makes this solution excellent of battling keyloggers and other eavesdropping techniques as the password is only valid for one time and void afterwards. This password can be changed to a very long static password for offline usage (for example required to make it work with True Crypt during system boot).

This means that an attacker would need access to the user’s email address and password but also access to the USB key to gain access to the service.

Take a look at this video for additional details

Yubikey adds another security layer to the authentication process. It is Open Source, does not require installation, is compatible will most popular operating systems, works with lots of popular services and can be easily carried around in a wallet or on a key chain.

This is the perfect device for web users who work with WordPress, Google Apps, password managers, OpenID or other services and applications listed at the Yubikey Wiki.

Giveaway and Discount

The Yubico guys were nice enough to give us ten of their Yubikeys that we can give away to you. If you want to win a Yubikey post a comment and let us know what you think of the device.

We were also able to get a 40% discount for a pair of Yubikeys that are usually sold for $50 at the store. If you do not trust your luck you might want to buy them with the discount code instead. Simply enter ghacks in the coupon code field during checkout to get the 40% discount.

Update: The Yubikey coupon code is no longer valid.

An OpenID is an URL. However, using an URL like http://computerjoe.myopenid.com/ to log-in and post comments with just doesn’t look sophisticated. I much prefer to use my own blog’s URL to post comments and log-in; it pumps traffic to my blog and frankly just looks better.

Whilst you could run your own OpenID identity server to do this, this takes quite a bit of expertise to set-up and whilst it is probably more secure, it isn’t needed in my opinion.

It is possible to use a any identity server with your website’s URL. I personally use MyOpenID, but I log in to sites with joeanderson.co.uk/blog; not with computerjoe.myopenid.com.

This can be done by simply adding a few lines of HTML to your website’s <head>.

For example, I put

<link rel=”openid.server” href=”http://www.myopenid.com/server” />
<link rel=”openid.delegate” href=”http://computerjoe.myopenid.com” />

Naturally, these have to be modified depending on your username and server, but the provider should provider the information.

There are several benefits using this type of OpenID identificatin. The main one is that it just looks better but the most practical one is probably that it allows you to change provider whilst keeping the same log on. So, if I suddenly decide not to use MyOpenID, I can change to any other provider but my URL remains the same.

Short time ago I found a nice online RSS aggregator called Rootly. Important thing is that you can customize your account very well. You can use their feed presets or even better insert your own feed addresses and create unique tabs. Rootly then collects all the news for you and displays them in a very clean and well styled interface.

You can choose in which tab your news will appear and the order of tabs too. I appreciate that this service mixes all news together and displays them on one page instead of dividing the feeds according to their source. I hope that in the future they’ll add at least one more option – the possibility to choose how many news you want to display on a single page.

And the best thing at the end – Rootly supports OpenID (read previous article for more info on that). Actually, when I found the service few weeks ago, I had some serious problems with logging in using OpenID among other minor troubles but at this time it looks like everything works fine already.

Rootly is not really an alternative if you are already using Netvibes for instance as your news aggregator. I’m basically using it at work because Netvibes has been banned there while Rootly has not. The interface of Rootly is not that intuitive and it takes a step longer to perform actions. Adding feeds for instance has to be done on a separate page while you can add them on the fly so to speak in Netvibes.

Moreover, if you don’t use a very unique username, most likely you’ll sooner or later find out that your username has already been taken by someone else on a particular website. That forces you to choose another one and remember it or write it down. A good solution for storing such username password combinations for various services is KeePass but it doesn’t resolve the problem of multiple logins. The solution to this might be OpenID.

You simply create your openID account at one of openID providers (e.g. myOpenID ) and after that you can sign in to all OpenID enabled sites without having to re-enter login details on all of them.

You just provide your unique ID (username.openidprovider.tld) and that’s it. It could be especially useful if you don’t have the possibility to use features such as Opera’s Wand. One disadvantage is that the website must support it. However, the number of OpenID enabled sites is growing quite fast. Some of them are:

• ImageShack
• Technorati
• Ma.gnolia
• Crunchy
• Rootly

Another disadvantage is that if someone steals your identity, he could gain access to all of your accounts on these websites. Does not make a difference for users who do use the same username and password on all sites though.