Yubico Advances Strong Authentication Security With YubiKey Series 5

New security key hardware from Yubico provides support for different authentication protocols and can be used to enable a "password-less" security model.

Yubico announced its 5 Series security keys on Sept. 24, providing organizations with enhanced hardware to improve authentication security.

Yubico develops a hardware-based authentication device known as the YubiKey, which provides support for different authentication protocols. Organizations can use YubiKeys to enable different types of multifactor authentication and password-less authentication approaches.

"Our new YubiKey 5 Series is comprised of four different form factors and are multiprotocol security keys," Jerrod Chong, senior vice president of product at Yubico, told eWEEK.

The YubiKey Series 5 includes the YubiKey 5 NFC, YubiKey 5C, YubiKey 5 Nano and YubiKey 5C Nano. Each device includes the protocols included in the YubiKey 4 series: FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP and challenge-response, he said. 

"What is added are two new features: FIDO2/WebAuthn on all of the devices and NFC [near-field communication] on the USB-A keychain design," Chong said. "For users familiar with our products, our YubiKey 5 NFC is the best combination of our YubiKey 4, YubiKey NEO and security key."

The FIDO (Fast Identity Online) Alliance is a group that develops strong authentication protocols for MFA. The 1.0 version of the FIDO specifications was published in 2014, and FIDO has since updated to FIDO2, which is also being adopted as part of the W3C's WebAuthn authentication standard that is currently in the process of being finalized. Chong said that browsers supporting WebAuthn include Chrome and Firefox by default, and it is also supported in Microsoft Edge in build 17723 on Windows Insider.

"We anticipate several key announcements in the near future about services supporting FIDO2," Chong said.

NFC

NFC enables a tap-and-go type of authentication, so that a user doesn't always need to enter a username and password to get access to a service.

"With YubiKey 5 NFC, we now can enable all use cases for the various authentication protocols over NFC including FIDO2," Chong said. "YubiKey 5 NFC supports U2F [Universal 2nd Factor] over NFC on Android devices using Google services. We will soon also support WebAuthn over NFC on Windows 10 devices for the FIDO2 tap-and-go experience."

Chong added that iOS devices that cannot support FIDO U2F or FIDO2 over NFC at this time can still use YubiKey 5 NFC in OTP (One Time Password) mode over NFC for authentication, such as with LastPass for iOS.

Password-less

While YubiKeys have typically been considered for use as part of an MFA approach, they can also be used for single-factor authentication, requiring no username or password to log in to a supported service (password-less). 

"FIDO2 is the first open authentication protocol that can take tap-and-go authentication to the masses. Many existing tap-and-go solutions are proprietary and based on weak static credentials," Chong said. "Strong single-factor authentication using public key cryptography sets a new bar for quick and easy authentication with significantly higher security, deployability and productivity."

Additionally, Chong said YubiKey Series 5 can be used in conjunction with a PIN for user verification, which users would be able to set themselves for that YubiKey (touch + PIN). In that scenario, the PIN unlocks the YubiKey locally and touch is still required for the YubiKey to perform the authentication. The PIN provides high assurance by requiring that second step to unlock the YubiKey when logging in.

Security Key Usage

Yubico has found success with its YubiKey in many different types of deployments around the world. In 2014, CERN, the European Organization for Nuclear Research, announced that it was using YubiKey technology to help secure access to its applications. Facebook, GitHub and Google have also been users of Yubico security key technology.

In 2016, Google published a study based on two years of security key usage and found that the technology helped to improve security. In 2018, Google announced that it was building and selling its own security key called Titan, which is now a rival to Yubico's YubiKey.

Chong said that Google's Titan security key currently supports FIDO's U2F protocol, which can help users securely access Gmail, Dropbox and Twitter, among other services. In contrast, he noted that the YubiKey 5 Series supports a wider range of strong authentication protocols, including FIDO2, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP and challenge-response, in a single device over both USB-A and NFC (keychain design), as well as in USB-C form factors.  

Alongside the Series 5 update, Yubico has updated its software tools that help organizations manage the keys. Looking forward, Chong said Yubico is always looking for ways to innovate and introduce its technology to new markets and use cases.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.