Updated and republished with link to a review of Yubikey security issues, 9/3/2009, with further updates and fixes to broken links on 23/1/2013.
[Added 9/3/2009. Here, with thanks to Positive Internet, is a friendly but quite critical assessment of Yubikey and some of its security flaws by Dr. Fredrik Björck, a security consultant, along with (added 23/1/2013) an update showing the fixes that Yubico was already making back in 2009.]
Yubico is a Swedish start-up that has come up with a clever and economical way of providing three-factor* authentication. The two usual factors are your user name and password, but what if someone, or some piece of software, has acquired these? Three-factor authentication requires a device that you own to take part in the process, making it harder for someone else to access your web-based services. The problem with three-factor systems is their expense; the YubiKey is cheap enough, even in small quantities, for mass deployment to be realistic, provided access to the necessary validation service is also cheap enough. It is also designed to work with OpenID, and would reduce the phishing risks associated with using OpenID for higher-value services.
What if you lose your key? The effect depends on how the service is configured. You could, for example, be allowed "n" two-factor accesses without your key; or, once you have used your credit card to order a new key, or phoned your service provider to be issued one, be allowed two-factor access until, with your replacement key, you can switch three-factor authentication back on.
Yubico appears to be pitching for adoption by Google as an add-on for users of Gmail and Google Apps, and you would imagine that banks must be interested in this kind of service as well (I believe some already provide it).
* Yubico describes its system as a two-factor service, in the sense of something you know (your user name and password), and something you have (e.g. the YubiKey).
With thanks to Ufi's Dick Moore for highlighting this. (23/1/2013 - that was then, this is now.)