yubikey – sometimes simple is better
I’ve been listening to Steve Gibson on some older Security Now podcasts, and found one on the Yubikey, from yubico.
First up, what is it?
It’s a small USB dongle, which looks like a USB flash drive – well, a VERY VERY small USB flash drive. It has a single button. If you plug the key into your USB port, and press the button. The yubikey, which is actually a standard USB keyboard, generates what is basically a one time password with a user id, like the big-boys do. This key is regenerated every second, so press it again, and you dont get the same value. So you get something like:
4567abc123456789abcdef
So if the serial for this device is 4567abc, the rest is the cryptographic hash, which changes every time.
The main difference between Yubico and RSA, for example, is that the software – how to decode and validate the output – is totally open source. It’s written in Java and/or C, and hosted on google code. There are various web service clients which will authenticate a code (over SSL I’d assume) which people can use, and they even have an OpenID server, so you can use it against the growing number of web (mostly 2.0) sites accepting OpenID. There is even a company which provides an active directory plug in and various VPN plugins.
The cost involved is just for the hardware – it starts at $30 US for up to 10, coming down to $15 for 1K-5K of them.
Given the cost – and compared to the likes of RSA, these are really cheap – it would make sense for an internet banking site to support these. Imagine something like “please enter your username, password, and press the button on your yubikey to login”. My bank – Barclays – do this already – I have a device about the size of a pocket calculator, into which I put my chip-and-pin EFTPOS card, enter my pin, and I get a one time code back. I log into the bank with my account number, card number, and that code. Easy, and VERY secure – to get into my account, you need my card AND my pin, and it can’t be sniffed.
[update thanks to Bwooce: yes, it CAN be sniffed, but as it's a one-time, time-dependant password, unless it's used immediatly, it's not a lot of use to a hacker - and you can run it over SSL to prevent sniffing the first place.]
So anyway – if you are looking for some kind of login security, this might be a good one. It’s cheap enough, and without lock in, to just give it a try! It’s both smart, and very very simple to use.
Nice device, I hadn’t seem them before.
Easy, and VERY secure – to get into my account, you need my card AND my pin, and it can’t be sniffed.
I take issue with this. It can be sniffed but is not replayable, this is 2-factor authentication but this is vulnerable to Man-in-the-Middle attacks. A spoofed webpage can ask for these items and pass them to the real page to gain full access…
Yes, you are right. It CAN be sniffed, but as it’s rolling, the sniff is fairly useless, unless you use the code immediately. It’s the same as the RSA keys, but it’s immediate. Even a one time pad is sniffable – if you don’t want it sniffed, encrypt the conversation.
It is, however, much simpler and cheaper to implement than the equivalent hardware in the same space. And thats a good thing.