Yubico USB Key Provides Extra Login Protection - gHacks Tech News

Yubico USB Key Provides Extra Login Protection

Yubikey is a hardware device that you plug in to the USB port of a computer to improve the security of authentication processes.

Password theft is a common problem on the Internet in these days. Attackers use numerous ways to steal login credentials from users: this includes phishing attacks via email, brute force attacks that try to guess the password, trojans and computer viruses, or keyloggers that record every keystroke of the user.

The best forms of protection against those kinds of attacks are the use of strong passwords, an up to date computer system with security software installed, and an open educated mind that uses caution and common sense whenever passwords or other personal information is entered on the Internet.

Some security software programs can aid the user in protecting the data. Software programs like Last Pass or KeePass, password managers that can generate secure passwords and remember them for the user, are examples of this.

But those applications do not change the system itself. All that is needed to log into a service are the username and password of a user. Yubico changes this.

Yubico

Yubikey is offered as a USB compatible device that offers strong authentication by adding an extra layer of authentication to the login process of several popular applications and Internet services.

Supported are among others password managers like Last Pass or KeePass, content management systems like WordPress or Drupal, the popular encryption software True Crypt and other services like Google Apps or OpenID.

Features:

  • Requires no driver or software installation
  • Compatible with Windows, Linux, Mac OSX and Solaris
  • Robust, waterproof, crush-safe, no batteries required.
  • Open-source client-side SDK available.
  • Yubico offers a free validation service, or you can run it on your own server.
  • Customization options like labeling the keys
  • RFID and OATH Yubikeys available as well

How does it work?

Yubico, basically, adds another layer of security to the login process in most cases. A login to the Last Pass master server for instance requires the user's Last Pass email address and password just like before but a second step is added to the process by Yubico. You need to enter the Yubikey into an USB port of the device to complete the authentication process and sign in to the account.

The Yubikey comes with a button on the device that will authorize the request on the screen whenever it is pressed. This is used in the authorization process. In other words; no sign in to the service without access to the Yubikey. An attacker who manages to steal a user's username and password can't use the information to sign in to the account.

The Yubikey password consists of a static and dynamic part which makes this solution excellent for battling keyloggers and other eavesdropping techniques as the password is only valid for one time and void afterwards. This password can be changed to a very long static password for offline usage (for example required to make it work with True Crypt during system boot).

This means that an attacker would need access to the user's email address and password but also access to the Yubikey device to gain access to the service similar to how other two-factor authentication systems work.

Take a look at this video for additional details

Yubikey adds another security layer to the authentication process. It is Open Source, does not require installation, is compatible will most popular operating systems, works with lots of popular services and can be easily carried around in a wallet or on a key chain.

This is the perfect device for web users who work with WordPress, Google Apps, Dropbox, GitHub, password managers, OpenID or other services and applications listed on the Yubikey Wiki website. Interesting enough, Yubikeys work also as a second layer for logging in to Windows, Linux or Mac OS X devices.

Update: Yubico, the company behind the Yubikey devices released new versions of the Yubikey since our first review. The following devices are available:

  • Yubikey 4 and Yubikey 4 Nano -- USB-A connection
  • Yubijey 4C and Yubikey 4C Nanon -- USB-C connection

The two device families support the same set of features, and the only difference between them is that one connects to a USB-A port and the other to a USB-C port.

  • Yubikey NEO -- USB-A connection and NFC support. Supports fewer cryptographic features (no RSA 4096 or ECC p384) which means that you may not use it for some services.
  • FIDO U2F SECURITY KEY -- works specifically with services that use FIDO U2F.

If you want the broadest range of support, select a Yubikey 4 or 4c device. Nano versions are smaller in size and ideal for traveling or keeping in the device at all times.

Summary
Yubico USB Key Provides Extra Login Protection
Article Name
Yubico USB Key Provides Extra Login Protection
Description
Yubikey is a hardware device that you plug in to the USB port of a computer to improve the security of authentication processes.
Author
Publisher
Ghacks Technology News
Logo




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Raymond said on January 12, 2010 at 1:56 pm
      Reply

      Currently a roboform user, but would like to try my luck at getting this. It sounds very promising usb key.

    2. Pawel said on January 12, 2010 at 1:57 pm
      Reply

      I think that the idea is great. Yubico should be an improvement in everyday computer user security.

    3. Gerrit said on January 12, 2010 at 1:57 pm
      Reply

      Yes. Cool. I want to join the lottery….

    4. Chadwick said on January 12, 2010 at 2:31 pm
      Reply

      These things look pretty sweet and since I’m studying IT security and don’t have a usb key…this giveaway is perfect! Sign me up!

    5. gcg said on January 12, 2010 at 2:42 pm
      Reply

      This sounds like an excellent security measure. I’ve been looking for a way to better protect my personal information, and this seems like it would fit.

    6. Cindy Johnson said on January 12, 2010 at 2:49 pm
      Reply

      Sounds like a great idea. Would love one.

    7. Andy Buford said on January 12, 2010 at 2:50 pm
      Reply

      I have heard a great deal about the yubikey on the security now podcast. I wouldn’t mind having one.

    8. Deborah W said on January 12, 2010 at 3:03 pm
      Reply

      Great idea. would like to check it out.

    9. Kbn said on January 12, 2010 at 3:29 pm
      Reply

      the perfect securoty device, the feature of the press-button is excelent.

    10. Wally said on January 12, 2010 at 3:35 pm
      Reply

      A while back there was a thorough discussion of the Yubikey on the Security Now podcast ( http://media.grc.com/sn/sn-143.mp3 ). It sounds like a good solution to several security problems. I sure would like to try one for myself.

    11. Senura said on January 12, 2010 at 3:41 pm
      Reply

      This is cool. this is what i was looking for. press-button feature is awesome!! would love have one of this

    12. Harry said on January 12, 2010 at 3:45 pm
      Reply

      This seems like a wonderful product and i would use it many times everyday, id love to test it out!

    13. paul(us) said on January 12, 2010 at 3:53 pm
      Reply

      This looks like to be a extra layer of security what a great idea. I am very inpressed that the password is offering a static and dynamic part and i am very pleased with the fact that the attacker now needs access main email address, password and the USB key to gain access.

    14. Brian S said on January 12, 2010 at 4:06 pm
      Reply

      I’ve converted all my important logins to use strong, unique passwords using keePass. Now I’m giving LastPass a whirl, and would LOVE to include Yubikey for ultimate protection.

    15. Paul said on January 12, 2010 at 4:24 pm
      Reply

      I am a LastPass user and think that this would add an amazing level of security for me.

      Please consider me for the giveaway.

      Thanks.

    16. Nirojan said on January 12, 2010 at 4:45 pm
      Reply

      Consider me for the giveaway.

    17. Scot Newbury said on January 12, 2010 at 5:27 pm
      Reply

      I’ve been using LastPass for quite a while now and this device would really be nice to have as an added measure of security.

      Many thanks for doing the research and writeup on this.

    18. Ubiq said on January 12, 2010 at 5:43 pm
      Reply

      Hardware based token authentifacation compatible with volume encryption on *nix and win based systems ?

      I’ d like a look at that !

      Please count me in.

    19. Keith said on January 12, 2010 at 6:01 pm
      Reply

      It looks like a simple way to add more security.
      Would love to try one out.
      Thanks

    20. Philip said on January 12, 2010 at 6:20 pm
      Reply

      I’m a LastPass user, but have been looking for a way to better protect my privacy, because I dont like when someone is messing with my files and information (my roommate had reads it several times, and thats really annoying me).I’ve read this review and think the feature of the press-button is fantastic solution and really would like to try it.

    21. Marty said on January 12, 2010 at 7:57 pm
      Reply

      I read about this late last year — it looks like a neat solution — and I’d love to try it out now.

    22. dc said on January 12, 2010 at 8:47 pm
      Reply

      Excellent looking product and a thorough implementation. I was recently researching the feasibility of using a thumbdrive with fingerprint-scanner to add an additional layer of security to my logins, this seems like a much more elegant solution. Please consider me for the giveaway while I wait for next week’s paycheck to pick one up.

      Thanks gHacks!

    23. Don said on January 12, 2010 at 8:52 pm
      Reply

      I’ve heard lots about Yubikey from Steve Gibson and Leo Laporte on the “Security Now” netcast. I’d love to get a chance to try one out since I’m considering offering them as a security measure on one of the sites I run. Thanks for the great reminder!

    24. Upen said on January 12, 2010 at 9:31 pm
      Reply

      Would love this new security gadget that reuires no installation and is easy to use

    25. Abhishek said on January 12, 2010 at 9:53 pm
      Reply

      Nice giveaway. Count me in.

      Thanks.

    26. J. Moore said on January 12, 2010 at 10:03 pm
      Reply

      I like two-factor authentication portability of the YubiKey.

    27. riuzin said on January 13, 2010 at 12:08 am
      Reply

      This tool sounds something i might use in the future.

    28. Mike said on January 13, 2010 at 12:25 am
      Reply

      I’ve always wanted something like this. Two factor authentication for the win.

    29. Kelly said on January 13, 2010 at 1:58 am
      Reply

      I would really like to win one of these. My husband needs it. Thanks!

    30. Rush said on January 13, 2010 at 1:58 am
      Reply

      Hey Martin. I’d love to win one of these. I use several of the supported apps everyday and the extra layer of security would be invaluable to me. Thanks for the chance!

    31. pctech said on January 13, 2010 at 2:53 am
      Reply

      I used roboform and this sound great. Add me to the lottery. thanks.

    32. Adam said on January 13, 2010 at 3:12 am
      Reply

      Sounds like a great way to add cheap and easy multi-factor authentication. I’ve used a securID for work for some time, and use the verisign iPhone app for a similar feature with paypal. I’d like to have one of these to pair with lastpass for two-factor authentication for all logins.

    33. Lee said on January 13, 2010 at 6:51 am
      Reply

      I am a LastPass and Roboform user and think that this would add an the additional level of security I have been looking for. This would really be of use to me and give me peace of mind. Please consider me for the giveaway

    34. Manfred said on January 13, 2010 at 9:27 am
      Reply

      Very nice. That could be usefull for our team. I would evaluate it for my team members. Please consider me for the giveaway.

    35. Daniel said on January 13, 2010 at 9:51 am
      Reply

      That´s a great idea.
      Please add me to the lottery.

    36. Toader Silviu said on January 13, 2010 at 10:06 am
      Reply

      Software security methods added with a hardware extension have always been the best method to create a secured connection.
      That’s why the banks use a hardware password generator along with an already created password.

      This is an interesting device for really secured connections.

      Count me in :)

    37. Oss said on January 13, 2010 at 1:00 pm
      Reply

      Please count me in.

    38. Matias said on January 13, 2010 at 1:12 pm
      Reply

      I would very much like to get one license! I am a fan of security software (I have used Scram Disk, Drive Crypt, True Crypt and many many others) and would love to give this one a try! Thank you in advance!

    39. Gerrit said on January 13, 2010 at 3:36 pm
      Reply

      please count me in too…

    40. willdo said on January 13, 2010 at 5:03 pm
      Reply

      Dear Martin,
      I use lot of my pen-drives as part of my work,Yubico USB key could provide with protection which I didn’t even consider important enough!
      The best feature has to be any OS compatibility and support to password managers.I would love have one YUBICO USB.

      with regards,
      willdo

    41. vivek said on January 13, 2010 at 5:16 pm
      Reply

      Yubico usb key looks fantastic must-have usb protection.I wnna try this,I personally feel this should be tried by everyone.One Yubico in my pocket from from you would be great!Thanks 4 information and offer.

    42. DaExpt said on January 13, 2010 at 5:45 pm
      Reply

      Allready thought about bying one. Found a comment in a magazine, which sounds good enough for an eval. Would appriciate to get one free.

    43. Dasfx said on January 13, 2010 at 9:25 pm
      Reply

      Keep thinking about trying this out for keepass, truecrypt and other. Free is always nice :)

    44. Kbn said on January 14, 2010 at 8:37 pm
      Reply

      when will be the drawing? (and publish the giveaway winners?)

    45. Matthias said on January 14, 2010 at 9:10 pm
      Reply

      This sounds very effective and I would like to try it out.

    46. mr S said on January 15, 2010 at 11:25 pm
      Reply

      I want to try it!!
      thanks

    47. Ace said on January 16, 2010 at 4:21 pm
      Reply

      PLease ONe YUbico USb KEy 4 Me Too!!!!

    48. ofutur said on January 17, 2010 at 3:59 am
      Reply

      The yubikey is a great idea since it introduces that necessary extra layer of protection needed when using lastpass on public computers :).

      I was about to order one online, but I may just wait to see if I can win one :)

    49. okidoki said on January 20, 2010 at 7:13 am
      Reply

      Sounds Great…I hope im not too late to win one :)

      I love this idea….looks great. this is a must gadget for everyone!!!

      cheers

    50. Other said on January 22, 2010 at 2:46 pm
      Reply

      So how do we know if these were ever given away, or if this was fake since nothing is ever announced? Seems fishy to me…

    51. limon said on January 25, 2010 at 10:35 am
      Reply

      i will agri to giver password in your usb drive.

    52. Sonja said on January 29, 2010 at 12:02 pm
      Reply

      Do you accept only comments full of praises to YubiKey? How about some truth? Security Evangelist Dr. Fredrik Björck in his blog shares security review of YubiKey OTP token – http://security.dj/?p=4 .

    53. Versatile said on February 3, 2010 at 3:20 am
      Reply

      I have been following Security Now and that is how I discovered Yubikey. I would love to have one!

      It would be the perfect security tool for my netbook.

    54. Dave said on March 9, 2010 at 2:23 am
      Reply

      When does the giveaway end? If it already took place, I haven’t seen any post announcing who got it.

      How long is the coupon code good at Yubico? I just went to order the pair and it seems to have expired already.

      @Sonja –

      Why are you implying that Dr. Björck still does not trust the Yubikey?

      The weaknesses were revealed over a year ago. Some were addressed quickly and Björck updated his article TWICE within one day (2009-02-23). He also posted this, over six months later:

      “NOTE! (Added 2009-08-30): Please note that most of these security issues described in this article are now fixed, or the risk reduced. Please read http://security.dj/?p=154 for more information.”

      There is also a wealth of newer information here:
      http://yubico.com/news/news/

      1. Wally said on March 18, 2010 at 5:52 pm
        Reply

        I believe this giveaway was for the month of December 2009.

        I was notified by email in January that I was one of the lucky winners, and I can vouch for Martin’s integrity. I received my YubiKey in the mail just today!

        Thanks Martin!

    55. Scot Newbury said on March 20, 2010 at 4:53 am
      Reply

      To the last commenter – I received mine in the mail yesterday and took it for a test drive today.

      It works really nice, can’t wait to put it to use “across the board.”

    56. mrmule said on January 27, 2012 at 11:34 pm
      Reply

      Very sorry to report, but your coupon is no longer valid. :(

      “The coupon code you have entered is not valid.”

      1. Martin Brinkmann said on January 28, 2012 at 12:04 am
        Reply

        Sorry to hear that, I edit the article accordingly. Thanks for letting us know about it.

    Leave a Reply