Yubico USB Key Provides Extra Login Protection
Yubikey is a hardware device that you plug into the USB port of a computer to improve the security of authentication processes.
Password theft is a common problem on the Internet these days. Attackers use numerous ways to steal login credentials from users: phishing attacks via email, brute force attacks that try to guess the password, trojans and computer viruses, or keyloggers that record every keystroke of the user.
The best forms of protection against those kinds of attacks are the use of strong passwords, an up-to-date computer system with security software installed, and an open, educated mind that uses caution and common sense whenever passwords or other personal information are entered on the Internet.
Some security software programs can aid the user in protecting the data. Software programs like Last Pass or KeePass, password managers that can generate secure passwords and remember them for the user, are examples of this.
But those applications do not change the system itself. All that is needed to log into a service are the username and password of a user. Yubico changes this.
Yubikey is offered as a USB compatible device that offers strong authentication by adding an extra layer of authentication to the login process of several popular applications and Internet services.
Supported services include, among others, password managers like Last Pass or KeePass, content management systems like WordPress or Drupal, the popular encryption software True Crypt, and other services like Google Apps or OpenID.
- Requires no driver or software installation
- Compatible with Windows, Linux, Mac OSX and Solaris
- Robust, waterproof, crush-safe, no batteries required.
- Open-source client-side SDK available.
- Yubico offers a free validation service, or you can run it on your own server.
- Customization options like labeling the keys
- RFID and OATH Yubikeys available as well
How does it work?
Yubico, basically, adds another layer of security to the login process in most cases. A login to the Last Pass master server, for instance, requires the user's Last Pass email address and password just like before, but Yubico adds a second step to the process. You need to insert the Yubikey into a USB port of the device to complete the authentication process and sign in to the account.
The Yubikey comes with a button on the device that will authorize the request on the screen whenever it is pressed. This is used in the authorization process. In other words: no sign-in to the service without access to the Yubikey. An attacker who manages to steal a user's username and password can't use the information to sign in to the account.
The Yubikey password consists of a static and a dynamic part, which makes this solution excellent for battling keyloggers and other eavesdropping techniques, as each password is valid only once and void afterwards. This password can be changed to a very long static password for offline usage (for example, required to make it work with True Crypt during system boot).
This means that an attacker would need access to the user's email address and password but also access to the Yubikey device to gain access to the service similar to how other two-factor authentication systems work.
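The static and dynamic parts of a Yubikey one-time password, shown as an added example that is not from the original article or from Yubico's code. It assumes the Yubico OTP text format (modhex characters, the last 32 being the dynamic part and anything before them the static key ID); the sample OTPs are constructed, and the replay check simply remembers used values rather than decrypting the dynamic part and comparing counters as a validation server does.

```python
MODHEX = "cbdefghijklnrtuv"        # modhex character i stands for hex digit i
_TO_HEX = dict(zip(MODHEX, "0123456789abcdef"))
DYNAMIC_LEN = 32                   # 16 encrypted bytes as 32 modhex characters
MAX_STATIC_LEN = 32                # static key ID is 0 to 16 bytes

def modhex_decode(text):
    """Convert a modhex string to bytes; raise ValueError on bad input."""
    if len(text) % 2 or any(ch not in _TO_HEX for ch in text):
        raise ValueError("not a modhex string")
    return bytes.fromhex("".join(_TO_HEX[ch] for ch in text))

def split_otp(otp):
    """Return (static key ID, dynamic part) of an OTP string."""
    otp = otp.strip().lower()
    if not DYNAMIC_LEN <= len(otp) <= DYNAMIC_LEN + MAX_STATIC_LEN:
        raise ValueError("unexpected OTP length")
    static, dynamic = otp[:-DYNAMIC_LEN], otp[-DYNAMIC_LEN:]
    modhex_decode(static)          # both halves must be valid modhex
    modhex_decode(dynamic)
    return static, dynamic

class OneTimeGate:
    """Hypothetical helper: accepts each dynamic part once per known key."""

    def __init__(self, registered_ids):
        self.registered = set(registered_ids)
        self.used = set()

    def check(self, otp):
        try:
            static, dynamic = split_otp(otp)
        except ValueError:
            return "malformed"
        if static not in self.registered:
            return "unknown key"
        if (static, dynamic) in self.used:
            return "replayed"      # e.g. a value captured by a keylogger
        self.used.add((static, dynamic))
        return "accepted"

# Constructed sample values, not output captured from a real device.
SAMPLE_ID = "cccccccbdefg"
FIRST = SAMPLE_ID + "hijklnrtuvcbdefghijklnrtuvcbdefg"
SECOND = SAMPLE_ID + "vutrnlkjihgfedbcvutrnlkjihgfedbc"

if __name__ == "__main__":
    gate = OneTimeGate({SAMPLE_ID})
    for otp in (FIRST, FIRST, SECOND, "not-an-otp"):
        print(gate.check(otp))
```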
Yubikey adds another security layer to the authentication process. It is Open Source, does not require installation, is compatible with most popular operating systems, works with lots of popular services and can be easily carried around in a wallet or on a key chain.
This is the perfect device for web users who work with WordPress, Google Apps, Dropbox, GitHub, password managers, OpenID or other services and applications listed on the Yubikey Wiki website. Interestingly enough, Yubikeys also work as a second layer for logging in to Windows, Linux or Mac OS X devices.
Update: Yubico, the company behind the Yubikey devices, has released new versions of the Yubikey since our first review. The following devices are available:
- Yubikey 4 and Yubikey 4 Nano -- USB-A connection
- Yubikey 4C and Yubikey 4C Nano -- USB-C connection
The two device families support the same set of features, and the only difference between them is that one connects to a USB-A port and the other to a USB-C port.
- Yubikey NEO -- USB-A connection and NFC support. Supports fewer cryptographic features (no RSA 4096 or ECC p384) which means that you may not use it for some services.
- FIDO U2F SECURITY KEY -- works specifically with services that use FIDO U2F.
If you want the broadest range of support, select a Yubikey 4 or 4C device. Nano versions are smaller in size and ideal for traveling or keeping in the device at all times.