YUBICO – Simple Two Factor Authentication (TH4B)

From IIW

Session Topic: Yubico

Convener: Stina Ehrensvärd

Notes-taker(s): Judi

Tags for the session - technology discussed/ideas considered: two factor authentication


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Notes source: http://digitalidcoach.com/2011/10/iiw-xiii-yubico/

Brief introductions. Yubico offers YubiKeys that help with authentication: low cost and simple! The key acts as a keyboard and enters the user password and a 32-character passcode. Easier than smart cards (insert into USB port, push a button).

Lots of users: 1M users + 16k customers in 95 countries. Use cases: Google for internal staff, PayPal, Fedora, LastPass. Yubico is self-service: hardware sales on the web store, free and open source server components, and a virtual appliance for remote access (enterprise-class VPN).

Versions of YubiKey: regular (one-time password), OATH standard (works with OTP, one-time passcode; not the same as OAuth), static password, and challenge-response key. Secure life cycle: “trust no one.” Secure your servers.

Key is robust: sealed, simple. Accidentally went through a washing machine for several weeks and worked fine.

Future vision: one key for all Internet: YubiCloud validation service, 3rd party single sign-on and SAML. High security, easy to use, low cost. Plans to work with mobile phones via near-field communication (NFC).

Demo (with keys) and questions. Here’s a video on how Yubico is working with Google Apps in Sweden: https://yubico.com/schoolvideo. They’re working on supporting Google Apps here soon. Here’s a page where you can test your key: https://yubico.com/start