I just discovered them this morning. This is truly a genius idea.
You may be familiar with RSA SecurID. Basically, it's a little electronic tag with a small LCD display whose number changes every 60 seconds. In order to log in to your network, you have to type in the current number. It's secure, but it has its problems.
Yubikey seems to solve those problems and more. A Yubikey is a USB keyboard with one button: you push the button and it types in a one-time key. This defeats hardware keyloggers, since each key is only good once, and it stops anyone from getting the number just by looking at the key. All the software for dealing with these keys is open source, and they even have an OpenID server, so you can set up your own systems to use Yubikey without paying for any fancy servers. You can also use your Yubikey for many different sites instead of just one, and you can pair the key with a passkey or passphrase, which gives you the very strong "something you have, something you know" security for your everyday computing.
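As an added illustration (not code from this post or from Yubico's own software) of what that one-time key actually is and what the open-source server side has to check: a Yubico OTP is 44 "modhex" letters, a 12-letter public identity followed by one AES-128-encrypted block whose plaintext carries a secret private identity, a power-up counter, a session counter and a CRC. The Go program below mints such an OTP the way the key would and then validates it the way a server would: decode, decrypt with the key's AES secret, check the CRC residue and private identity, and refuse any counter pair that is not strictly newer than the last one accepted, which is what makes the key one-time. The AES key, identities and counter values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex: sixteen letters that sit on the same physical keys in every common layout; two letters per byte.
const modhexAlphabet = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhexAlphabet, s[i])
		if v < 0 || len(s)%2 != 0 { // odd length is caught before out[i/2] could run past the end
			return nil, errors.New("modhex: odd length or invalid character")
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// crc16 (polynomial 0x8408, initial 0xFFFF): over all 16 bytes of an intact token it leaves the residue 0xF0B8.
func crc16(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // xor in the polynomial when the shifted-out bit was set
		}
	}
	return crc
}

// token is the 16-byte plaintext the key encrypts with its AES-128 key.
type token struct {
	privateUID [6]byte // secret identity, only ever seen encrypted
	useCounter uint16  // non-volatile, incremented at every power-up
	timestamp  uint32  // 24-bit 8 Hz tick count since power-up
	sessionUse uint8   // button presses since power-up
	random     uint16  // filler so equal fields still give distinct OTPs
}

// mintOTP plays the key: serialise, CRC-protect and encrypt the token, then prefix the 12-letter public identity.
func mintOTP(publicID string, block cipher.Block, t token) string {
	var p, c [16]byte
	copy(p[0:6], t.privateUID[:])
	binary.LittleEndian.PutUint16(p[6:8], t.useCounter)
	p[8], p[9], p[10] = byte(t.timestamp), byte(t.timestamp>>8), byte(t.timestamp>>16)
	p[11] = t.sessionUse
	binary.LittleEndian.PutUint16(p[12:14], t.random)
	binary.LittleEndian.PutUint16(p[14:16], ^crc16(p[:14]))
	block.Encrypt(c[:], p[:]) // exactly one block, so no cipher mode is involved
	otp := []byte(publicID)
	for _, x := range c {
		otp = append(otp, modhexAlphabet[x>>4], modhexAlphabet[x&0x0f])
	}
	return string(otp)
}

// validator is the server record for one enrolled key; the two counters are the whole replay defence.
type validator struct {
	publicID       string
	block          cipher.Block // AES-128 secret shared with the key at enrolment
	privateUID     [6]byte
	lastUseCounter uint16
	lastSessionUse uint8
}

// verify returns nil only for a well-formed, authentic, never-seen OTP, and then advances the counters.
func (v *validator) verify(otp string) error {
	raw, err := modhexDecode(otp)
	if err != nil || len(otp) != 44 || otp[:12] != v.publicID {
		return errors.New("malformed OTP or unknown public identity")
	}
	var p [16]byte
	v.block.Decrypt(p[:], raw[6:])
	if crc16(p[:]) != 0xF0B8 || subtle.ConstantTimeCompare(p[0:6], v.privateUID[:]) != 1 {
		return errors.New("OTP does not decrypt to this key's identity")
	}
	ctr, sess := binary.LittleEndian.Uint16(p[6:8])&0x7fff, p[11] // counter high bit only flags a caps-lock trigger
	if ctr < v.lastUseCounter || (ctr == v.lastUseCounter && sess <= v.lastSessionUse) {
		return errors.New("replayed or stale OTP")
	}
	v.lastUseCounter, v.lastSessionUse = ctr, sess
	return nil
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key; 16 bytes, so NewCipher cannot fail
	v := &validator{publicID: "cccccccbdefg", block: block, privateUID: [6]byte{1, 2, 3, 4, 5, 6}}
	otp := mintOTP(v.publicID, block, token{privateUID: v.privateUID, useCounter: 1, random: 0xbeef})
	fmt.Println(otp, v.verify(otp), v.verify(otp)) // accepted once, then refused as a replay
}
```

The counter comparison is the entire one-time property: a server that forgets the last accepted counter pair for a key, or checks it without updating it atomically, will happily take the same OTP twice. The public identity is the only part of the record that may appear in a lookup table; the AES secret and private identity must never leave the server.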
I'm totally ordering at least two of these. Anyone else want one? If we order 10 or more, we get $5 off.
Comments
The only problem I can see with it right now is that it is still very early in deployment and thus there is very little support for it out there. Short of coding something myself (which would definitely nullify all notions of security), there is only one program that I could find for local authorization: Rohos. Conversely, on the remote authorization side, I found only one OpenID provider who supports the Yubikey: Clavid.
What I would want from local authorization is a bit more flexibility, i.e., I want to be able to use it for other local password dialogs (keychains, encrypted drives, etc.) as well. Also, there should be a "backdoor" static password (that I can write down and store in my bank vault) so that Yubikey loss or breakage doesn't royally screw me.
OpenID has some technical problems which are debatable (listen to the Security Now! episode (mp3)), but the thing that makes me leery is the fact that an OpenID provider can aggregate information on your browsing habits. Google, whom I would trust with this only because they already know me, currently only supports OpenID via Blogger.
As for OpenID, I'm using Verisign right now as my primary OpenID provider, even though I could use Flickr or some of the others I have access to. I think maybe I'll just set up my own OpenID server in the future. Maybe integrate OpenID with the forum. We'll see where it goes.
New web site is priority 1.
Mac tools, right there.
Google wants to use Yubico.