The Internet is a dangerous place for those without proper identification and authentication mechanisms. The same is true for laptop users with weak encryption passwords. So security professionals have been evangelizing the value of multi-factor authentication (MFA). But there is a problem.
Most users don't have the time, skills, or cash necessary to engage a token vendor like VeriSign or to configure their own in-house identity verification environment. This is the void I see filled by Yubico's Yubikey.
What is a Yubikey?
A Yubikey (see Figure 1) is a small USB device that looks to a computer like a USB keyboard. When plugged into a PC, a green circle around a button glows green, indicating the key is ready to transmit.
When the button is pushed, the key by default transmits a 44-character string containing both a one-time password (OTP) and the key's unique ID, as shown in Figure 2 (Yubikey Personalization Tool User Guide, p. 11). Characters are restricted to alpha (see Figure 3), somewhat limiting entropy. However, the one-time nature of the password makes this approach strong enough.
The OTP generated when a user pushes the button is validated either by the Yubico online validation server (a free service) or by a locally hosted copy. Validation is based on the 12-character key ID and Yubico's time-variant code.
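The validation-side checks behind the 12-character key ID and the one-time code, as an added Python example that is not from the article or from Yubico. It follows the OTP format Yubico documents publicly (12 modhex characters of public ID, then 32 modhex characters of AES-128 ciphertext whose 16-byte plaintext carries a private ID, two counters, a timestamp and a CRC-16) and assumes the AES decryption itself is done by a crypto library; a constructed plaintext stands in for the decrypted token.

```python
# Added example (not from the article or Yubico): the checks a Yubico OTP
# validator applies after AES-128 decryption. Assumption: decryption with the
# key's secret is done by a crypto library; a CONSTRUCTED plaintext stands in.
from typing import Optional

MODHEX = "cbdefghijklnrtuv"            # Yubico's keyboard-layout-safe hex alphabet
CRC_OK_RESIDUE = 0xF0B8                # register value left by a token with a good CRC

def modhex_decode(s: str) -> bytes:
    """Decode modhex text to bytes; rejects odd length or stray characters."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(c) for c in s]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def split_otp(otp: str) -> tuple:
    """44-char OTP -> (6-byte public key ID, 16-byte AES ciphertext)."""
    if len(otp) != 44:
        raise ValueError("OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])

def crc16(data: bytes) -> int:
    """Reflected CRC-16 (poly 0x8408, init 0xFFFF) used inside the token."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_plaintext(pt: bytes) -> Optional[dict]:
    """Fields of a decrypted 16-byte token, or None when its CRC fails."""
    if len(pt) != 16 or crc16(pt) != CRC_OK_RESIDUE:
        return None                    # wrong AES key, corruption or tampering
    return {"uid": pt[:6],                                  # private ID
            "ctr": int.from_bytes(pt[6:8], "little"),       # power-up counter
            "tstp": int.from_bytes(pt[8:11], "little"),     # 8 Hz timestamp
            "use": pt[11]}                                  # use counter in session

def accept(pt: bytes, uid: bytes, last: tuple) -> bool:
    """Replay check: private ID must match and (ctr, use) must exceed last seen."""
    tok = parse_plaintext(pt)
    return tok is not None and tok["uid"] == uid and (tok["ctr"], tok["use"]) > last

def constructed_plaintext(uid: bytes, ctr: int, tstp: int, use: int) -> bytes:
    """CONSTRUCTED stand-in for a decrypted token (14-byte body + ~CRC, LE)."""
    body = uid + ctr.to_bytes(2, "little") + tstp.to_bytes(3, "little") + bytes([use, 0, 0])
    return body + ((~crc16(body)) & 0xFFFF).to_bytes(2, "little")
```

Modhex is plain hexadecimal written in a keyboard-layout-independent alphabet of 16 letters, so the letters-only restriction costs no information: the 32-character body still carries the full 16-byte ciphertext. Replay protection comes from the validator remembering the last accepted counter pair per key, not from the timestamp alone.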
Prior to writing this article, I purchased two Yubikeys ($25 each), one for OTP use and another to use as a static password. (How to configure and use a static password is demonstrated in the next section.) To test the effectiveness of the OTP key, I signed up for an OpenID account with Clavid. Clavid is one of the Yubikey-supported vendors listed in the Yubico wiki.
Clavid allows me to select the Yubikey OTP or the OTP and a password to log in, as shown in Figure 4. Coupling a password (something I know) with the Yubikey OTP (something I have) provides true MFA. Clavid also supports the Yubikey via SAML.
Although I think OpenID is a good idea, it isn't used most places I visit on the Net. So I looked for another, more comprehensive use for my key. I found it at MashedLife.com.
MashedLife.com allows me to create an account for every online login I use. I can use an auto-login feature to access those sites if they support it, or simply use MashedLife.com as a password repository. Each site still has a unique password, but I can use my Yubikey and a PIN to gain access to my MashedLife.com account. Figure 5 depicts the login screen. I can use either my Yubikey (Secure Key) or a traditional password to log in.
After supplying my Secure Key code, I was prompted for the optional PIN I created when I set up the account. Again, this provides true MFA.
This is all great, but the Yubikey is relatively new with limited vendor OTP support, even though there is promise of great things to come like Steve Gibson's CryptoLink. So how can I use a key for traditional login pages?
Configuring a static password
Yubico provides a tool to convert a Yubikey from an OTP generator to a static password repository. Once converted, a Yubikey provides the same character string every time its button is pushed. This allows use of a key for entering a long, random password without actually typing it.
The first step in the conversion process is downloading the Personalization Tool. Be warned, however, that use of this tool may prevent the target key from future use as an OTP generator.
The tool is simple to use, as shown in Figure 6. The arrow points to the check box which causes the key plugged into the USB port to convert to static mode. Once the conversion is complete, the static password on the key can be used as you could any other password—only it's much longer than normal.
The final word
I really like my Yubikeys. However, I wish the OTP functionality was supported across a wider selection of sites. Until that happens—I certainly hope it does—I'll carry two keys, one static and one which supports OTP. They're small enough to be unnoticeable in my shirt pocket or when stuffed into the pocket of my leather iPod Touch "portfolio."
The only thing bothering me about these keys is the occasional assertion that they, by themselves, fulfill the need for MFA. This is apparently the result of over-exuberance about what is certainly a cool security innovation. However, to truly support MFA, a PIN or password must be used in addition to either the OTP or the static password the keys generate. Like anything I "have", Yubikeys are subject to loss or theft. I wouldn't want to rely only on the key and the backend servers for protection. And entering a four- or five-digit PIN, something easy to remember, alongside the Yubikey output isn't difficult, nor is that PIN of much value to the recipients of keylogger data.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.