The YubiKey NEO
The YubiKey line of hardware one-time-password (OTP) generators has been on the market for a few years now; in 2010, we looked at the earlier generation of devices when support for them came to Fedora. Since that time, several updates to both the hardware and the software side of YubiKey products have been rolled out, offering users some additional choices for affordable security tokens.
For those unfamiliar with the product line in question, the YubiKey is a diminutive USB-A key fob that houses a secure cryptographic module on the inside and a simple touch button on the outside. The basic model is flat enough that it does resemble a key more than a traditional USB thumb drive, and the company even makes a compact version (the "Nano") that barely sticks out beyond the USB port. Storage space on the key is read-protected and physically tamper-proof; the user loads a secret key into one of the available storage slots, and although the slot can be overwritten, the stored secret cannot be extracted. When the key is plugged into a USB port and the button pressed, the key computes a hash (or other relevant function) based on the secret and emits the result for use as an OTP.
What makes the YubiKey popular is its flexibility. Despite the special circuitry under the hood, when it is plugged in, the key presents itself to the host computer as a standard USB keyboard; the passwords it emits are sent as character strings, so they can be fed just as easily to an application, a system login screen, or a web site, regardless of the operating system. In addition, the storage slots can be configured in several different ways.
One of the most popular options (based on blog entries and reviews) is RFC 4226, better known as the HMAC-based One-time Password (HOTP) algorithm from the OATH open authentication standard. HOTP is a popular choice for multi-factor authentication schemes for web services, although the more popular services seem to support the Time-based One-time Password (TOTP) variant, which adds another smidge of security by computing the HMAC hash of the current timestamp rather than of a simple counter. The YubiKey itself does not do TOTP (it has no onboard clock), but many users will be familiar with TOTP as the algorithm used by Google Authenticator, FreeOTP, and the like.
The YubiKey's limitation to HOTP is not a trivial matter; users wishing to secure their accounts on public web services usually have no choice as to whether the service supports HOTP or TOTP. Since most of the big-name services seem to prefer TOTP, users of those services may feel frustrated that their key is less useful than they had hoped. But, fortunately, there are configuration options available other than HOTP. Some of them, in combination with other utilities, promise to extend the YubiKey's functionality in interesting ways.
Updates
In addition to the aforementioned YubiKey Nano, the company has introduced another model with different characteristics than the original YubiKey: the YubiKey NEO, which adds a Near-field communication (NFC) interface and a Common Criteria-certified Javacard secure element. The NFC mode can serve as a generic MIFARE Classic RFID token, and the Javacard element can be loaded with any of several security applets and used like a smartcard. These additions greatly expand the number and type of services with which the key can be used.
The older YubiKey models supported two configuration slots that could be loaded with separate credentials, one slot being triggered by a quick tap on the device's button, the second by a long tap. But two sets of credentials are not that many in the SaaS era; with several accounts to protect, does one choose favorite services, or buy multiple YubiKeys? On the company's discussion forum, buyers have periodically asked whether it would be possible to support more than two on the key, and the company's response suggests that there is sufficient storage space on the keys, but that the UI challenge is considerable. A short press and a long press can be reasonably distinguished, but ten or more different button-press lengths would no doubt be difficult. The NEO, perhaps, is an answer to this longstanding customer wish, making use of more of the device's storage capacity.
The other changes rolled out since our previous look at the YubiKey occurred on the software front. The company hosts an array of free-software tools, from a pair of key-configuration utilities (one command-line tool and one Qt-powered graphical offering) to an assortment of libraries for adding YubiKey authentication to popular web frameworks. The graphical configuration tool lets the user load either of the programmable storage slots on a key, erase the existing configuration(s), and set a few important options (such as the character rate at which the device emits password key codes, and protecting the key's configuration by setting a passcode).
Currently there are four configuration options for the data slots: the HOTP mode mentioned earlier, a static password, a challenge-response mode, and a special OTP option that works only with Yubico's own cloud-based web service. Static password mode emits the same string every time, of course. Challenge-response mode is designed to interface with an application running on the computer into which the key is plugged; it computes the hash of a challenge string passed to the key by the application. Currently two different challenge-response schemes are supported: HMAC-SHA1, and a custom algorithm supported only by Yubico software.
The HMAC-SHA1 option is the more interesting of the challenge-response schemes, because it provides a stepping stone toward using the key as a TOTP token, which would make it usable with far more public web services than HOTP, including Google, Dropbox, GitHub, and many more. This approach requires downloading and installing a helper application (which is free software) called YubiTOTP. With the key inserted, YubiTOTP sends a timestamp to the key as the "challenge," so the hash value subsequently emitted as the response is a fully compliant TOTP password.
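To make concrete how HOTP differs from TOTP, and how a clockless HMAC-SHA1 challenge-response token can still produce TOTP codes, here is an added example (not code from the article, from Yubico, or from YubiTOTP). It models the key's HMAC-SHA1 response in software, assumes the host does the RFC 4226 dynamic truncation on the returned MAC, and uses the RFC 4226/6238 test-vector secret as a constructed demo key.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"


def key_hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    """What the key does in HMAC-SHA1 challenge-response mode, modelled in software:
    the secret never leaves the token; only the 20-byte MAC of the challenge is emitted."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def dynamic_truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 section 5.3: take a 4-byte window at the offset given by the low nibble
    of the last MAC byte, clear the sign bit, and reduce modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: the challenge is the 8-byte big-endian event counter."""
    challenge = struct.pack(">Q", counter)
    return dynamic_truncate(key_hmac_sha1_response(secret, challenge), digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: the host (YubiTOTP's role) turns the clock into a counter and sends that
    as the challenge; the token itself never needs a clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, drift_steps: int = 1) -> bool:
    """Service-side check: accept the current step plus a small drift window, comparing
    in constant time so response timing does not reveal how many digits matched."""
    counter = int(unix_time) // step
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False
```

The only difference between the two schemes is what the host feeds in as the challenge: an event counter for HOTP, a time-step counter for TOTP.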
As for the NFC support, the NEO's basic functionality uses the NFC Data Exchange Format (NDEF) message format, sending a pre-determined string (such as a base URL) with the generated OTP password appended to it whenever the device is touched to an NFC reader. Officially only a few NFC-capable host devices are supported, mainly name-brand Android phones, but users on the forums seem to have found success with more than just the approved list. The NDEF message string can be customized with the configuration tool, and the NFC function must be linked to one of the existing YubiKey configuration slots. Thus it allows contactless operation (which is handy for authenticating through a device like a phone, which has no USB port), but it does not add support for a third configuration.
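The "base URL plus OTP" NDEF payload described above, as an added example (not the NEO's firmware or Yubico's code): it builds a single short NDEF URI record the way a token would, then parses it back on the reader side and only accepts the OTP if the fixed prefix is the base URL the reader expects. The base URL and OTP string are constructed placeholders.

```python
# NFC Forum URI record prefix codes (subset); code 0x00 means "no prefix".
URI_PREFIX_CODES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                    0x03: "http://", 0x04: "https://"}


def encode_ndef_uri(uri: str) -> bytes:
    """Build one short NDEF record of well-known type "U" carrying `uri`."""
    code, rest = 0x00, uri
    for c, prefix in sorted(URI_PREFIX_CODES.items(), key=lambda kv: -len(kv[1])):
        if prefix and uri.startswith(prefix):
            code, rest = c, uri[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("URI too long for a short record")
    # Header 0xD1: MB=1, ME=1, CF=0, SR=1, IL=0, TNF=0x01 (NFC Forum well-known type).
    return bytes([0xD1, 0x01, len(payload), 0x55]) + payload


def decode_ndef_uri(record: bytes) -> str:
    """Reader side: parse a short "U" record, rejecting malformed or truncated input."""
    if len(record) < 5:
        raise ValueError("record too short")
    header, type_len, payload_len = record[0], record[1], record[2]
    if header & 0x07 != 0x01 or not header & 0x10:
        raise ValueError("not a short well-known-type record")
    if type_len != 1 or record[3] != 0x55:
        raise ValueError("not a URI record")
    payload = record[4:4 + payload_len]
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIX_CODES:
        raise ValueError("unsupported URI prefix code")
    return URI_PREFIX_CODES[payload[0]] + payload[1:].decode("utf-8")


def otp_from_ndef(record: bytes, expected_base: str) -> str:
    """Recover the appended OTP only when the fixed part matches the expected base URL."""
    uri = decode_ndef_uri(record)
    if not uri.startswith(expected_base):
        raise ValueError("unexpected base URL")
    return uri[len(expected_base):]
```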
Yubico also makes an NFC-capable version of YubiTOTP for Android, which allows the NEO to serve as a TOTP token through an NFC-capable phone. The company also makes a pair of applications (one for Android, one for the desktop) that implement the same two-piece TOTP dance as YubiTOTP, but with the significant added bonus of storing multiple TOTP secret credentials. This feature was designed for the NEO, but it requires loading the corresponding Javacard applet into the NEO's smartcard secure element, a process that, currently, is a real headache-inducer that many users on the discussion forum seem unable to get working.
In my own tests, I have not even been able to get the first step working correctly: switching on the smartcard option via the command-line configuration tool. The documentation says that setting this option by running ykpersonalize -m82 will make a smartcard reader and the normal YubiKey faux-keyboard both appear as connected USB devices when the key is plugged in. I have not gotten the smartcard-enabling command to work on any of my machines, there appears to be no troubleshooting process, and I have not received replies from Yubico to my support emails on the subject. The smartcard functionality is new and the company has only recently started working on a smartcard-specific configuration tool, so perhaps things will improve. But the current situation is a disappointment nonetheless.
Compounding said disappointment is that the Javacard secure element feature is reported to support several different applets of interest that would extend the key's functionality, such as OpenPGP or OpenSSH authentication. It does not help matters that Yubico's documentation, discussion forum, and Android apps often don't agree on the terminology of the various pieces involved or the steps needed to set up smartcard functionality, nor that they have a habit of pointing to dead links on the wiki. Hopefully, with a bit more time invested, such problems will all prove to be solvable, in which case a look at the NEO's smartcard functions will be forthcoming.
State of the art
With the basic configuration tool, then, the user can load two separate configurations into the two available slots on the NEO. If one is confident that the desktop helper application is secure (and one should, obviously, do due diligence in such matters), then the YubiKey can be used to authenticate to one or two TOTP-speaking services as a multi-factor authentication aid. In TOTP mode, the YubiKey's primary competitors are applications like Google Authenticator or FreeOTP. The trouble is that these applications can store an unlimited number of HOTP/TOTP secret credentials, and until Yubico gets the kinks worked out of the smartcard functionality, even the YubiKey NEO can only store two. On the plus side, there are people who either do not possess or cannot use an Android device as the second factor in their multi-factor authentication setup, and when one gets right down to it, a mobile app isn't really a "thing you have" in the truest sense of the word. An app can be compromised or corrupted; the YubiKey is, at least, a piece of hardware that's more difficult to break into than a smartphone, and never runs out of battery power at just the wrong moment.
The value of the non-HOTP/TOTP configuration options is more a question of personal opinion than anything else. Yubico's cloud service offering might look interesting to some system administrators, but it's probably less interesting to the average consumer, who simply wants to add two-factor authentication to an existing online account. The static password option's real security value is that it allows the user to save a password that's too long and complicated to be memorized, but, with the abundance of encrypted password-storage applications out there today, the value of saving such a password on a hardware token is mostly that it can travel with the user in the field. That scenario has its limits; on an untrusted system, the YubiKey could be subject to keystroke logging or other attacks that would completely undermine a static password, but which OTP was designed to foil.
Without the smartcard features, the NEO is a bit more interesting than the standard YubiKey because it can be used both via USB and via NFC, although it comes at twice the price ($ versus $). But the clincher remains that HOTP is far less widely deployed than TOTP, and adoption among service providers appears likely to continue in the same vein. That puts far more pressure on Yubico's software offerings to provide a painless experience for configuration and use. The configuration tools are not quite as simple to use as the photograph-a-QR-code method available for Google Authenticator, but they have made the device's array of options easy to understand and (importantly) easy to test. With any luck, the smartcard functionality will catch up in fairly short order.