
Inexpensive multi-factor authentication system from Sweden

  • 30-04-2008 5:09pm
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    Simple, inexpensive (about €4 each in volume), a USB key that does multi-factor authentication. No battery in the device, giving it limitless shelf life. No complicated codes to enter, avoiding human error.

    Logging into a bank or other secure website, the user enters their user ID and password and plugs the Yubikey into a USB slot and presses the green button. This causes the Yubikey to squirt a one-time 128-bit number (i.e. 39 digits long) to the authentication server at the other end. It appears to the browser or other PC software as a keyboard. This 128-bit number is different for every login – defeating keyboard loggers. The combination of the user ID, password, and Yubikey code makes access very hacker-proof. If someone steals one's Yubikey, it is useless to them unless they also manage to steal one's user ID and password.

    It is made by a Swedish company who apparently paid for a stand at RSA Security 2008 but weren’t allowed to exhibit when they turned up at the event. (Nothing to do with the fact that RSA has a competing product)!

    Steve Gibson met Stina Ehrensvärd, the founder and CEO of Yubico, on the stairs outside the exhibition hall, and gave her a lot of publicity in his podcast last week*. Her pic is on the home page of the company’s website. It works with Windows, Mac and Linux machines, and the product doesn’t require you to be a big corporate user to apply the technology to control access to your systems (unlike the competitors’ products). The USB key weighs just 4g. The authentication software can be run by the user’s system – i.e. login information does not have to go to Yubico’s system.

    With simple, inexpensive products like this, no company has any excuse for weak password only based security systems.

    http://www.yubico.com/faq/index/

    .probe

    www.yubico.com

    *http://www.twit.tv/sn141 - skip to the 1h15m point of the podcast for the relevant segment


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    looks good, but i'd bet it can be broken just like anything else.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    looks good, but i'd bet it can be broken just like anything else.

    Nobody has broken far simpler devices – such as Paypal’s https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside or RSA’s http://www.rsa.com/node.aspx?id=1156 – which only use 5 or 6 digit codes – compared with the 39 digit code generated by the Yubikey.

    The Yubikey code changes for each access attempt. So anyone trying to crack an access code is battling against a moving target, that is changing all the time. With conventional static password-only access, the cracking software just tries every combination until it gets the right one. When the correct password changes after every attempt by the hacker, the odds of a successful cracking operation are reduced by a factor of several zillion.

    The multi-factor token is a reinforcement of the traditional user ID and password for online access security. Keeping corporate data in a secure central data warehouse, controlled by multi-factor authentication, is a zillion times more secure than allowing it to be put on employees’ notebook computers – even with the best encryption on the notebook. Online systems record multiple attempts at trying different passwords for a given user and can be set to lock out the account and IP number of someone entering incorrect code combinations on multiple occasions.

    It is so easy for keyboard logging software to be installed via spam email, an un-patched security weakness in a browser that visits a malicious website or some criminal who gets access to a computer for a few seconds, that every online application that deals with money or identity should be required to have some form of multi-factor authentication. Use a computer infected with a keyboard logger just once, and whatever details you have entered (e.g. your Visa card number, corporate email password, etc) get transmitted across the internet to the fraudster who planted them in seconds.

    Tell us how you plan to break the Yubikey or stop trying to spread FUD! :-)

    .probe


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    that's a very cool bit of kit.. will have to look into it, especially the linux side.

    The only down side and not necessarily security is that it needs to be plugged into the computer so you have the issue of compatibility, whereas an RSA token is a self contained unit, large corporates don't want to have to support mum and dad's Windows 98 PC.

    There is also some vagueness on their website whether you can run it as a self contained standalone server like RSA, I wouldn't trust Yubikey's servers as the final endpoint. http://www.yubico.com/technology/comparison/


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    probe wrote:
    compared with the 39 digit code generated by the Yubikey.

    is it 128-bits? (16 digits or 32 ascii digits)
    probe wrote:
    Tell us how you plan to break the Yubikey or stop trying to spread FUD! :-)

    i'm not trying to sell multi-factor authentication devices, who is spreading FUD? :-)

    if Yubico published details of the algorithm, the values being generated by the key/server might be predictable.

    what if someone steals the Yubikey? - you will say it's useless, because an attacker doesn't have the password, but you make the assumption he doesn't.

    "my workmate just went home for the weekend, leaving his RSA token behind on the desk - i'm evil person with access to his PIN and password from a keylogger previously installed and now i'm going to clean his bank account"

    Yubikey sounds the exact same as an RSA token, except the number is larger, and it behaves as a keyboard on the usb port, "injecting" the key when required.


  • Closed Accounts Posts: 852 ✭✭✭blackgold>>


    Average Joe
    looks good, but i'd bet it can be broken just like anything else.
    You tell em Joe......


  • Registered Users, Registered Users 2 Posts: 112 ✭✭quinta


    How does this defeat attacks on two-factor auth using a MITM site? There's no 'cracking' required.

    This is simply a competing product to SecurID etc, nothing to see here, move along.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    The Yubikey gets ***** for security on Steve Gibson’s netcast this week. Steve and Leo do an interview with Yubico’s CEO Stina Ehrensvärd [over the phone, rather than Skype :-( ] and after the interview they discuss the authentication technology used.

    Open source. Inexpensive. Operating system independent. Anyone can incorporate it in their systems, from large corporates to one man software developers.

    No excuse for password cracking/disclosure breaches anymore. Innovative European technology developed in Sweden, using Belgian encryption technology.

    Netcast: http://www.podtrac.com/pts/redirect.mp3/aolradio.podcast.aol.com/sn/SN-143.mp3

    www.yubico.com

    .probe


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    I wouldn't trust Yubikey's servers as the final endpoint. http://www.yubico.com/technology/comparison/

    You don't have to trust Yubikey's servers - you can run your own. With RSA you have no choice. Yubico only wants to sell the USB key - everything else is free, open source.

    .probe
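
What a self-hosted validation server does with each one-time code, and why a code captured by a keyboard logger fails on second use, as an added example that is not part of the thread and not Yubico's code. It assumes the 16-byte (128-bit) block has already been AES-128 decrypted with that key's secret and uses Yubico's published OTP token layout, which the thread itself does not give; `build_token` and `check_token` are hypothetical names and all sample values are constructed.

```python
import struct

CRC_OK_RESIDUE = 0xF0B8   # CRC register value over an intact 16-byte token


def crc16(data: bytes) -> int:
    """CRC-16, reflected polynomial 0x8408, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def build_token(uid: bytes, session_ctr: int, use_ctr: int,
                ts: int = 0, rnd: int = 0) -> bytes:
    """Constructed test input: the 16-byte plaintext a key would encrypt."""
    body = struct.pack("<6sHHBBH", uid, session_ctr,
                       ts & 0xFFFF, ts >> 16, use_ctr, rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)


def check_token(plain: bytes, expected_uid: bytes, last_seen: tuple) -> tuple:
    """Return (verdict, new_last_seen) for one decrypted one-time block.

    last_seen is the (session_ctr, use_ctr) pair the server stored for this key.
    """
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        return "bad-crc", last_seen        # wrong AES key or altered block
    uid, session_ctr, _ts_lo, _ts_hi, use_ctr, _rnd, _crc = struct.unpack(
        "<6sHHBBHH", plain)
    if uid != expected_uid:
        return "wrong-uid", last_seen      # block is not from the enrolled key
    if (session_ctr, use_ctr) <= last_seen:
        return "replayed", last_seen       # e.g. a code captured by a keylogger
    return "ok", (session_ctr, use_ctr)    # caller persists the new counters
```

The counters only move forward, so the server needs no clock and no shared time window; it only has to persist the last accepted pair per key.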

