In a Nutshell: The functionality housed within the small, unassuming YubiKey is powerful enough to protect access to account information for anyone — from your neighbor to the world’s largest enterprises. Yubico, the company that invented the YubiKey in 2007, now operates in 160 countries to prevent data breaches and identity theft at the point of access. It does this with a hardware solution that reduces the intricacies of two-factor authentication down to a touch or tap. And because Yubico worked with Google to turn the technology behind the YubiKey into an open standard, stakeholders across the information industry can collaborate in scaling it and increasing its usefulness. For building a simple, cost-effective approach to computing security, Yubico has earned our Editor’s Choice Award™ for Multi-Factor Authentication Products.
When industrial designer Stina Ehrensvärd decided to move her finances online, the bank informed her about the security protocol it used: A digital certificate for encrypting online transactions.
For most customers, that would have been the end of it. But Stina was different. She happened to be married to Jakob Ehrensvärd, a computer hardware and software engineer and security expert who had built his first computer at age 15 and designed the security system for a nuclear plant at 25. He told her that within about a day, he could write software to hack into the account.
Surprised and a little alarmed, Stina told the bank about their conversation. The reply? “Please tell him not to do that.”
The problem, Jakob recognized, was that the bank’s solution was vulnerable to attack. Hackers could obtain access to data by interposing themselves between users and the bank’s website.
Stina and Jakob founded Yubico to make the conversation they had about their bank obsolete. In 2008 the company introduced the YubiKey to make internet security easy, cost-effective, and scalable, so that everyone from individual users to the largest organizations in the world could use the same technology and control their own identity on the internet.
That’s where the YubiKey got its name. Yubico’s goal is to create a single, ubiquitous hardware-based key to secure all computers, networks, and web services. To that end, in 2011, it began working with Google to extend its technology and develop an open security standard called U2F. Today, the FIDO Alliance specifies and certifies the standard with almost 300 member organizations that, together, make open internet security available to 1.5 billion people worldwide.
Individuals and organizations all over the world depend on having secure access to computers, networks, and online services to get work done. For making the complexities of internet security transparent to end users and then turning its solution into an open standard for the global online community, Yubico has earned our Editor’s Choice Award™ for Multi-Factor Authentication Products.
A Physical Key for Business & Personal Authentication
A YubiKey is a durable physical key that supports several methods of two-factor authentication (2FA). In the usual form of single-factor authentication, a user receives access to a web service after presenting a password. Two-factor authentication generally requires a password and the sharing of a secret known to the user and the website, such as a one-time passcode.
The most common method for two-factor authentication uses SMS (a text message sent to a phone). The user enters a password on the site, which then texts a code to the user’s phone.
“Any form of two-factor is better than just a user name and password,” said Ronnie Manning, Senior Director of Public Relations at Yubico. “But there have been issues with SMS — it can be vulnerable to hijack sessions. Or a hacker can call your mobile provider and convince them to switch your phone number to their device.”
The first YubiKeys solved the SMS problem by supporting a one-time-password (OTP) protocol — an authentication system that is more secure than SMS-based 2FA. The Series 4 platform, released in 2016, supports several OTP protocols; smart card functionality to enable logins on Windows, Mac, and Linux computers; and email encryption.
“What differentiates the YubiKey from other authentication solutions is that it works almost everywhere,” Ronnie said. “You’re not dependent on a mobile network, like SMS, or on a battery because the YubiKey gets its power from the USB port it’s plugged into. You’re able to log in, press the key, and authenticate yourself.”
Businesses and other large organizations use the keys to lock down their accounts with employees, associates, partners, and customers. “YubiKeys are used by some of the biggest organizations in the world all the way down to small businesses and individuals who want to protect their own accounts,” Ronnie said. “Any business that wants to protect its employees’ (and end users’) credentials by adding a second factor of physical security would find a use for YubiKeys.”
An added benefit is that an employee can use the same YubiKey for both business and personal authentication. “It’s a benefit for our large customers to be able to protect their employees at work and then let them use the same device to stay safe at home as well,” Ronnie said.
Hardware Form Factor Enables a Frictionless Solution
The original YubiKey 4 was designed to fit on a keychain. “Like you have your car key to protect access to your car, and your house key to protect access to your house,” Ronnie said, “you have your YubiKey to protect access to your identity at work and home.”
That form factor is available in a version that fits into the USB-A port on a computer. For users of newer computers, such as Apple’s 2016 MacBooks, a USB-C version is also available.
For users who spend most of their computing time on one device, Yubico also produces a Nano version of the Series 4 for both USB-A and USB-C. It is designed to remain semi-permanently in the port.
“With the introduction of the YubiKey 4C Nano,” Ronnie said, “it is actually quite an engineering feat that we were able to condense all this power and authentication technology into a device that’s smaller than a penny. If you are in a position where you need to authenticate often to a network or application, that little Nano can remain in your USB port and you just touch it to securely log in.”
For authentication on mobile devices, Yubico offers the YubiKey NEO. It combines the multi-protocol functionality of the YubiKey 4 with support for the near-field communications (NFC) protocol, allowing communication by tapping the key on an Android phone.
Working with FIDO Alliance to Set the Industry Standard
“Most importantly,” Ronnie said, “all Series 4 and NEO YubiKeys support the FIDO U2F standard.”
The U2F protocol was originally written for internal use at Google. Yubico and Google then moved it into the FIDO Alliance, an industry organization made up of hundreds of companies that certify FIDO U2F as an open standard.
Google built support for U2F into the Chrome browser in October 2014. That was a crucial component in ensuring that a browser could recognize authentication requests from spurious services. Since then, U2F support has also been added to the Opera browser, with Firefox support coming in late 2017.
“U2F allows organizations and individuals across the globe to use the same authentication device with multiple services,” Ronnie said. “Furthermore, use of public-key encryption technology in U2F makes the standard more secure than any other solution.” When a YubiKey is synced with a U2F-enabled service, such as Google, Dropbox, or Facebook, a unique key pair is created for that individual user, ensuring that only they can access their accounts.
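The per-service key pair and the browser's origin check described above, sketched as an added example; this is not Yubico's or the FIDO Alliance's code and does not follow the real U2F message format. The ToyKey class, the function names, and the two origins are hypothetical and constructed for illustration, and the code assumes Node.js with its built-in crypto module.

```javascript
// Simplified model of a U2F-style login; not the FIDO wire format or Yubico code.
const nodeCrypto = require('node:crypto');
// Toy hardware key: one P-256 key pair per service origin (hypothetical class).
class ToyKey {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey); // private key never leaves the device
    return publicKey;                  // the service stores only this
  }
  sign(origin, clientData) {
    const priv = this.keys.get(origin);
    return priv ? nodeCrypto.sign('sha256', Buffer.from(clientData), priv) : null;
  }
}

// Browser role: records the origin it is really talking to next to the challenge.
function browserAuthenticate(key, visibleOrigin, challenge) {
  const clientData = JSON.stringify({ origin: visibleOrigin, challenge });
  const signature = key.sign(visibleOrigin, clientData);
  return signature ? { clientData, signature } : null;
}

// Service role: check origin and challenge freshness, then the signature.
function verifyAssertion(publicKey, origin, challenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== origin || data.challenge !== challenge) return false;
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
    publicKey, assertion.signature);
}

function demo() {
  const key = new ToyKey();
  const site = 'https://accounts.example';           // constructed origin
  const lookalike = 'https://accounts-example.test'; // constructed origin
  const pub = key.register(site);
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  const genuine = browserAuthenticate(key, site, challenge);
  const unknownSite = browserAuthenticate(key, lookalike, challenge);
  key.register(lookalike); // a separate, unrelated key pair
  const otherKey = browserAuthenticate(key, lookalike, challenge);
  return {
    genuine: verifyAssertion(pub, site, challenge, genuine),
    unknownSite: verifyAssertion(pub, site, challenge, unknownSite),
    otherKey: verifyAssertion(pub, site, challenge, otherKey),
    staleChallenge: verifyAssertion(pub, site, 'f'.repeat(64), genuine),
  };
}
```

Calling demo() returns true only for the genuine login; a response produced for any other origin, with any other key pair, or for an old challenge is rejected by the service.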
“One of the great aspects of U2F for end users is the way it works with social login functionality,” Ronnie said. Social login uses existing information from services including Facebook and Google (both U2F supporters) to let users sign into third-party websites instead of creating new login accounts.
Locked down by U2F, social login enables end users to minimize password clutter without increasing security vulnerability.
YubiKeys: Secure Access to Computers, Networks, & Services
Stina and Jakob’s experience with online banking security protocols typifies the ongoing contest between software and service providers who want to extend the benefits of the web and bad actors who seek to exploit it.
“That’s why it makes more sense than ever for businesses to implement a YubiKey authentication solution,” Ronnie said. “Our strong, cost-effective, and easy-to-use keys allow users and organizations to control their own identities online and remove the burden on service providers to deploy their own non-interoperable protections.”
Businesses can even use a Yubico solution — YubiHSM — to protect the user authentication data they store on their own servers. Initially developed by Yubico to safeguard its own hardware, YubiHSM now protects data — from both outside and inside attacks — for more than 100 large organizations, including leading internet companies and US Department of Defense contractors.
“To realize the internet’s potential — to create a single digital marketplace of information and transactions — we have to be able to trust the internet to keep our identities secure,” Ronnie said.
Because of the critical role YubiKeys — backed by the U2F standard — play in securing the internet, Yubico has earned our Editor’s Choice Award™ for Multi-Factor Authentication Products.