
Yubico's Yubikey

edited November 2008 in Technology
I just discovered them this morning. This is truly a genius idea.

You may be familiar with RSA SecurID. Basically, it's a little electronic tag that has a little LCD display on it that changes every 60 seconds. In order to log in to your network, you have to type in the current number. It's secure, but it has its problems.

Yubikey seems to solve those problems and more. Yubikey is a USB keyboard with one button. You push the button and it types in the one-time key. This avoids hardware keyloggers, and it avoids anyone getting the number just by looking at the key. All the software for dealing with these keys is open source, and they even have an OpenID server. So you can set up your own systems to use Yubikey without paying for any fancy servers. You can also use your Yubikey for many different sites, instead of just one site. You can also have a passkey or passphrase for your key, which gives you the very strong "something you have, something you know" security for your everyday computing.

I'm totally ordering at least two of these. Anyone else want one? If we order 10 or more, we get $5 off.

Comments

  • This avoids hardware keyloggers, and it avoids anyone getting the number just by looking at the key.
    Just to be clear, though, knowing the number from an RSA key is meaningless: you also need to know the user's PIN, which is not in any way stored in the key.
  • edited November 2008
    Just to be clear, though, knowing the number from an RSA key is meaningless: you also need to know the user's PIN, which is not in any way stored in the key.
    This is true, but it's still a tiny bit less secure. The RSA key is something you know, for 60 seconds, and something you know. The Yubikey is something you have and something you know, as it puts out a different key every time you push the button. It's also cheaper and lasts longer because it doesn't have a battery or a screen.
    Post edited by Apreche on
  • edited November 2008
    Actually, Security Now had a whole episode about this a while back. They interviewed the founder of Yubico, Stina Ehrensvärd.
    LINK
    Post edited by Victor Frost on
  • Actually, Security Now had a whole episode about this a while back. They interviewed the founder of Yubico, Stina Ehrensvärd. LINK
    The downloading, it will happen.
  • After I saw Scott tweet about the Yubikey, I listened to Security Now!'s episode on it (as well as the episodes on OpenID), and I am seriously considering buying one.

    The only problem I can see with it right now is that it is still very early in deployment and thus there is very little support for it out there. Short of coding something myself (which would definitely nullify all notions of security) there is only one program that I could find for local authorization: Rohos. Conversely, on the remote authorization side, I found only one OpenID provider who supports the Yubikey: Clavid.

    What I would want from local authorization is a bit more flexibility, i.e., I want to be able to also use it on other local password dialogues (Keychains, encrypted drives, etc.) as well. Also, there should be a "backdoor" static password (that I can write down and store in my bank vault) so Yubikey loss / breakage doesn't royally screw me.

    OpenID has some technical problems which are debatable (listen to the Security Now! episode (mp3)), but the thing which makes me leery is the fact that an OpenID provider can aggregate information on your browsing habits. Google, whom I would trust with this only because they already know me, currently only supports OpenID via Blogger.
  • They have provided a Yubikey authentication server and library that are both open source. Also, with pam yubikey you can easily use your Yubikey for authentication on any *nix machines that support PAM (almost all of them). After I get one I'm going to try to set up the PAM in a VMware. If that works, I'll set up the same thing on my laptop and maybe on some servers and such.

    As for OpenID, I'm using Verisign right now as my primary OpenID provider, even though I could use Flickr or some of the others I have access to. I think maybe I'll just set up my own OpenID server in the future. Maybe integrate OpenID with the forum. We'll see where it goes.

    New web site is priority 1.
  • This looks really cool! Have you ordered yet? If not, count me in on this discount action.
  • Does anyone have any experience with the Yubikey and OSX?
  • Does anyone have any experience with the Yubikey and OSX?
    Yeah, what problem are you having? The Yubikey is just a USB keyboard; it just works.
  • Does anyone have any experience with the Yubikey and OSX?
    Yeah, what problem are you having? The Yubikey is just a USB keyboard; it just works.
    I'm having trouble finding a tool to configure my Yubikey / change my AES.
  • edited September 2010
    I'm having trouble finding a tool to configure my Yubikey / change my AES.
    http://www.yubico.com/developers/personalization/

    Mac tools, right there.
    Post edited by Apreche on
  • http://www.yubico.com/developers/personalization/

    Mac tools, right there.
    The "Mac Personalisation tool" doesn't seem to work for a lot of people, including me, and I can't seem to get the "GNU/Linux and Mac OS X Personalization Library" to work.
  • The "Mac Personalisation tool" doesn't seem to work for a lot of people, including me, and I can't seem to get the "GNU/Linux and Mac OS X Personalization Library" to work.
    I suggest getting VirtualBox and a pirated copy of Windows and using that.
  • Scott, good call.

    Google wants to use Yubico.
    I'm always right, but it takes people years to figure it out. At least I got credit this one time.
  • With the exceptions of the times you're wrong, I'd say that's about true.