Yubico, maker of the popular YubiKey hardware tokens used for two-factor authentication, today launched its YubiKey 5 series, which includes the YubiKey 5 NFC, YubiKey 5C, YubiKey 5 Nano and YubiKey 5C Nano.
YubiKey 5 Passwordless Authentication
The main feature of this new series of products is the support for the FIDO 2 specification and the W3C Web Authentication (WebAuthn) API, which allow users to log into a website simply by tapping their YubiKey 5 token once. This is similar to the Universal 2nd Factor (U2F) specification as it uses the same type of public key cryptography. However, unlike U2F, a password is no longer needed to authenticate to a website (hence the passwordless name).
The solution is a major upgrade over passwords because malicious hackers should no longer be able to steal your login credentials unless they find a way to infect your YubiKey with malware. Users also will no longer have to worry about re-used passwords being leaked from one website’s data breach or another, or even having to use password managers, at least once most websites support this type of authentication.
All that said, WebAuthn is still a one-factor authentication solution, so it won't be as secure as the combination of a password and a U2F token. There is still a small risk that the hardware tokens or the server-side counterpart could be compromised in some way in the future, which would allow the attackers to bypass the authentication scheme and compromise users’ accounts.
However, for now, passwordless tokens should still be a much more secure solution than passwords, especially for most people who tend to use and re-use weaker passwords for their accounts.
Additionally, users can also enable a PIN for the YubiKey 5 tokens, which should make it more difficult for attackers to take over the token or for thieves to use someone else’s token.
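What the tap and the PIN look like to the website can be seen in the authenticator data a WebAuthn token signs at login. The following is an added example, not code from Yubico or from this article: it checks the header fields defined in the WebAuthn specification (RP ID hash, user-presence and user-verification flags, signature counter), going slightly beyond what the article describes. It assumes the signature over this data has already been verified; `login.example` and the sample bytes are constructed.

```python
import hashlib
import struct

FLAG_UP = 0x01  # user present: the token was tapped
FLAG_UV = 0x04  # user verified: the PIN was checked on the token


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32],
            "sign_count": sign_count}


def check_assertion(auth_data: bytes, expected_rp_id: str,
                    stored_count: int, require_pin: bool = True) -> list:
    """Return the reasons to reject a login; an empty list means it passes."""
    data = parse_authenticator_data(auth_data)
    problems = []
    # The hash covers the site identity the browser saw, so an assertion
    # produced on a look-alike domain does not match the real site's RP ID.
    if data["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        problems.append("rp_id_mismatch")
    if not data["flags"] & FLAG_UP:
        problems.append("no_user_presence")
    if require_pin and not data["flags"] & FLAG_UV:
        problems.append("no_user_verification")
    # A counter that fails to increase can indicate a cloned token.
    if (data["sign_count"] or stored_count) and data["sign_count"] <= stored_count:
        problems.append("counter_not_increased")
    return problems


def build_sample(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed authenticator data for the demonstration below."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)


if __name__ == "__main__":
    tapped_with_pin = build_sample("login.example", FLAG_UP | FLAG_UV, 42)
    tapped_only = build_sample("login.example", FLAG_UP, 42)
    lookalike = build_sample("login.example.evil.test", FLAG_UP | FLAG_UV, 42)
    for name, sample in [("pin", tapped_with_pin), ("tap", tapped_only), ("phish", lookalike)]:
        print(name, check_assertion(sample, "login.example", stored_count=41))
```

A site that accepts a tap without a PIN would call `check_assertion` with `require_pin=False`; the RP ID and counter checks apply either way.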
Other Protocols Supported by YubiKey 5 Tokens
The support for the FIDO 2 specification that enables the passwordless login is the newest feature to come to YubiKeys. However, YubiKey 5 tokens also support a range of other authentication protocols, such as FIDO U2F, Yubico OTP, OATH-TOTP and OATH-HOTP, which means the tokens can still be used for both modern and traditional two-factor authentication. Other protocols include: smart card (PIV), OpenPGP and Challenge-Response.
All tokens come with a secure element to protect cryptographic keys and process encryption operations. The tokens are manufactured in both the U.S. and Sweden and work on Windows, macOS, Linux, Chrome OS, Android and iOS operating systems, as well as on major web browsers. However, websites would still need to offer support for WebAuthn, just as is the case for the U2F protocol for two-factor authentication.
Extreme Phishing Protection
Hardware tokens have shown extreme effectiveness in stopping phishing attempts in the past. Google, which used U2F-enabled YubiKeys internally, said that during use it saw zero account takeovers, 4x faster logins and 92 percent fewer IT calls.
Yubico also says YubiKeys have dramatically reduced Microsoft’s IT support costs for password resets, which cost the company over $12 million a month. The key-maker claims this dramatic decrease in IT costs is due to hardware tokens being significantly more secure than your average password and easier to use, although the latter is certainly debatable.
Yubico’s Newest Competition
Google, which until only recently was a major Yubico customer and partner in creating the U2F standard, announced its own Titan Key in late August. It's a U2F-only security key and a more direct competitor to Yubico’s previously announced Security Key. Google’s Titan Key doesn’t support the latest FIDO 2 passwordless specification.
One potential concern with Google’s Titan Key is that it’s manufactured in China and is very similar to a Feitian token. Feitian is one of Yubico’s primary Chinese competitors. Google uses its own custom firmware for the Titan Key, but it’s not clear how well-protected the device is against hardware backdoors.
Another potential issue is that the Titan Key uses Bluetooth instead of NFC, the latter of which is considered more secure. Yubico has only ever used NFC for wireless connectivity and has made statements arguing against Bluetooth's security.
The YubiKey 5 Series tokens can be purchased from Yubico’s store starting at $45.