In a Nutshell: Anybody using a computer or mobile device has created a username or password at some point. For years, this has been the standard for online security and authentication, but experts say this approach is no longer sufficient. YubiKey, from Yubico, is a multifactor authentication product that boosts authentication security while maintaining convenience for its users. The YubiKey simply plugs into a USB port or uses near-field-communication technology for supported smartphones, and users can touch the key with their finger and gain access to hundreds of applications and sites. Google and Microsoft support YubiKey, and Google employees are even required to use it on the job.
If you’re reading this, you’re most likely using a computer or a mobile electronic device. And if you’re using one of those things, then you’ve likely had to create a password or two in your day. Or 27, which is how many discrete login passwords the average person has, according to a 2016 Intel Security poll.
But, with the numerous high-profile security breaches in recent years and more sophisticated technology available to hackers, some are saying it’s time to log off from using passwords to protect our accounts.
“Now, growing numbers of security experts feel that the password in its common form is too old and unsophisticated for the job,” according to a Washington Post article titled “The Secret Password Is…Obsolete” — from 1994.
That’s right, experts have considered simple password systems inadequate for at least 25 years.
Multifactor authentication — in which a user must present two forms of identification, such as a password and a one-time, computer-generated code — has become more commonly used in recent years. But even that’s not a match for today’s bad actors.
“Most of us in the industry have known for a long time that just a username and password is not secure enough,” said Hormazd Romer, Vice President of Product Marketing at the internet security company Yubico. “As attackers have gotten more sophisticated and more real-time in their attacks, they’re even able to circumvent a lot of traditional multifactor authentication methods.”
So, if the 27 passwords you have written down on that tiny little piece of paper in your desk drawer are no longer adequate, and even the increased security of the more labor-intensive multifactor authentication is not enough, how can our online accounts stay secure?
With the YubiKey, according to Romer. The flagship product of Yubico, the YubiKey is a piece of hardware that can be plugged into computers and other devices to log in to email, online services, apps, computers, and even physical spaces.
We recently spoke with Romer to learn more about the YubiKey, the technology behind it, and what makes it a superior authentication method.
YubiKeys are Compatible with USB Ports and Require No Additional Hardware or Software
Yubico was founded in Sweden in 2007 with the mission to make secure login easy and accessible to everyone, with one single authentication key that would work across multiple services.
YubiKey is the realization of this vision.
YubiKey is a physical device that plugs into the USB port of your computer or electronic device. There are different models of YubiKeys available for devices that use USB-A, USB-C, Lightning, and near-field-communication (NFC) technology.
The key’s name conjures the notion of ubiquity on purpose, and the Japanese word yubi means finger, which is how users confirm their presence to the YubiKey.
“At a high level, one of the key benefits of YubiKey is that it fits into a regular USB port of a computer and doesn’t require any additional software or hardware,” Romer said. “Past solutions have required external card readers or other things you had to hook up to your computer, or required installing software.”
Romer said all major browsers and platforms support YubiKey.
“So that means as soon as you put your YubiKey into the USB port, the platform itself detects it and the browser says, ‘Oh, this is a security key, now I can use it,’” he said.
Romer said the company offers two different form factors users can choose from, based on their preference.
“One is what we call a keychain model, which is the size of, or smaller than, a typical house key,” he said. “And it has a little key chip holder in it, and you carry it with you on your keychain. It’s portable and goes from computer to computer, and you always have it on your person as long as you have your keys with you.”
The other version is the nano form factor, which is geared toward convenience, Romer said.
“It’s for when you’re typically working from a single computer all day long, and you need to log in multiple times a day,” he said. “This is a tiny, tiny thing that’s kind of just a little nub sticking out, once you put into the USB port out of your computer. And to log in, all you have to do is tap it.”
Romer said most users prefer to have one of each type of YubiKey.
The devices can also be used with mobile phones that support NFC technology.
How the Technology Works
To use the YubiKey, users first must go to the security settings of their account and select two-factor authentication. Then, for computers, they insert the YubiKey into the USB port and touch the key to verify they are human and not a remote hacker.
For NFC-enabled phones, users just tap the YubiKey against the phone to complete authentication.
The YubiKey offers a variety of functions when it comes to security and authentication.
For example, it works with the FIDO U2F open authentication standard, which enables strong two-factor authentication to hundreds of web-based applications, including Gmail, Salesforce, and Twitter. And the FIDO2 standard offers expanded authentication options like multifactor and passwordless authentication.
“With YubiKey support for FIDO2, organizations can accelerate to the passwordless future without the need for any client software or drivers,” according to the company website.
The YubiKey can also generate a one-time encrypted password for a single use.
YubiKey’s technology also enables it to generate six- and eight-character passwords for logging into various services and provides support for offline validations as well. The YubiKey 5 Series also supports the same features found in smart cards that broker data exchanges.
The keys can also generate 38-character static passwords that are compatible with any application login. This is handy for legacy systems that are not able to use two-factor authentication.
The company details the features supported on each YubiKey model on its YubiKey comparison chart, available on the company website.
All of these functions, which exist within the tiny YubiKeys, directly support Yubico’s mission of providing convenient ways to authenticate credentials and prevent sensitive information from being stolen.
YubiKey is the Security Solution Used by Google and is Compatible with Hundreds of Applications
“The YubiKey works with hundreds of enterprise, developer and consumer applications, out of the box and with no client software,” according to the company. “Combined with leading password managers, social login and enterprise single sign-on systems the YubiKey enables secure access to millions of online services.”
Romer said Yubico feels very good about all the support it has in the industry.
The crush- and water-resistant YubiKey has been successfully deployed by some of the largest tech, finance, and retail companies in the world, according to Yubico, and has millions of users in 160 countries.
Not only is YubiKey supported across Microsoft and Google applications, but the use of YubiKey is also mandatory for all Google employees.
Google began working with Yubico in 2009 when Google was increasingly the target of sophisticated cyberattacks that could circumvent traditional security measures.
“We believe that by using this token we’ve raised the standard of security for our employees beyond what was commercially available,” wrote Google’s Director of Security Engineering Mayank Upadhyay on the Yubico website. “The device works with Google’s Web browser Chrome, and works very seamlessly for people in their day-to-day workflow here at Google.”
Romer said these kinds of enterprise uses of YubiKey are very valuable to companies because there is so much at stake if a data breach occurs. Companies not only risk losing millions of dollars if infiltrated, but sensitive customer data can be accessed, and a company’s reputation can be severely damaged.
Although YubiKey does not work with every single website or service, Romer said Yubico is continually working to increase its level of support. In the meantime, the company encourages potential users to search its online catalog to see if the service they want to use is currently supported.
Romer added that Yubico does not currently have any banks listed in its catalog, and the company encourages users to express their desire to use a YubiKey with their financial institutions.
“Yubico is regularly engaged with service providers to broaden the YubiKey ecosystem, but we often hear that it’s the customer preference that is most influential,” he said. “Most product features and road maps are prioritized based on popular customer demands.”
Looking Toward an Online World Without Passwords
Romer said there is a lot of exciting work going into making convenient and secure passwordless authentication a reality.
“There’s going to be even more innovation in that area,” he said. “I think that is the future. Everybody hates usernames and passwords. IT people hate passwords. Hackers love passwords, but everybody else hates them.”
Romer said he believes the whole tech industry will be moving toward a world where users won’t have to create a new password every time they create an account or sign up for a new service online.