Recently a story about Google hit the news: according to an article in Wired, Google “declares war on the password”. Google wants to integrate this into the browser. Their approach is based on the idea of using a USB key or an NFC (Near Field Communication) device to log into applications. Currently, Google uses a YubiKey, developed by Yubico.
This brought my attention back to Yubico. Some months ago, I had a conversation with their CEO Stina Ehrensvärd. She unveiled some of the new devices Yubico is working on, including their YubiKey NEO, which supports both NFC and USB, and their YubiKey Nano, which is so small that it is designed to be put into a USB port and to remain there. There are other YubiKeys out there as well, but these two are the most interesting ones.
In contrast to other vendors, Yubico focuses on a “lightweight” approach with fairly cheap devices and little overhead. They also deliver free and open source software for the backend side, but mainly rely on partners. Customers can simply buy a YubiKey online, download the free software, or turn to an enterprise software partner supporting YubiKey, including Quest Software, Duo Security, and Digital Persona. A growing number of consumers are also using YubiKey with password managers, including Password Safe, Passpack and LastPass. Adding Google to the list of partners would obviously be a very big deal for Yubico.
A more interesting question however is a simple one: is this approach good enough to really replace passwords? When we look at the authentication space, there are three factors: Knowledge, Ownership, and Biometrics. Quite some time ago, I wrote a report providing a market overview on conceptual approaches for strong authentication together with my two colleagues Prof. Dr. Sachar Paulus and Sebastian Rohr. This provides an in-depth analysis of strengths and weaknesses of different approaches.
First, having only a token will not be sufficient: that would be one-factor authentication. When working with a username and password, there are at least two factors, both based on knowledge. You might argue, however, that an e-mail address as a means doesn’t count, given that this typically is public information.
Two-factor authentication also is not secure by design – there has for instance been a recent incident in online banking where both factors were attacked successfully.
Therefore, I don’t see the future in having just a device like the YubiKey. If no additional factor is used, everyone who has access to that device could log on with it. However, the combination of such a device with a password delivers real two-factor authentication. When we asked Ehrensvärd about this approach, she clarified that, though it was not highlighted by Google in the IEEE white paper that Wired reviewed, the Yubico approach and vision is to always combine a YubiKey with at least a simple PIN or password.
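To make the token-plus-password point concrete, here is an added example (my own illustration, not Yubico's or Google's code) of how a server would verify such a login. It uses an HMAC-based one-time password (HOTP, RFC 4226) as the possession factor, which is one of the OTP schemes a YubiKey can produce, and a salted PBKDF2 hash as the knowledge factor. The user record, the salt, the demo password and the token secret (the RFC 4226 test-vector key) are all constructed for the example. It shows that the token alone or the password alone is rejected, that both together succeed, and that a replayed one-time code is refused because the accepted counter only advances on a fully successful login.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo secret: the RFC 4226 test-vector key. A real deployment
# provisions a distinct random secret into each hardware token.
RFC4226_TEST_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, dynamic truncation, then `digits` decimals."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class UserRecord:
    """Server-side state for one account: knowledge factor + possession factor."""
    salt: bytes
    password_hash: bytes   # PBKDF2-SHA256 of the password (what the user knows)
    token_secret: bytes    # shared secret inside the hardware token (what the user has)
    last_counter: int      # highest HOTP counter already accepted; guards against replay


def make_user(password: str, token_secret: bytes, salt: bytes) -> UserRecord:
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return UserRecord(salt, pw_hash, token_secret, last_counter=-1)


def check_password(user: UserRecord, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user.password_hash)


def check_otp(user: UserRecord, otp: str, window: int = 5):
    """Return the counter that produced `otp` if it is a fresh code within the
    look-ahead window (the token may have been pressed without logging in),
    otherwise None. Codes at or below last_counter are never accepted again."""
    for counter in range(user.last_counter + 1, user.last_counter + 1 + window):
        if hmac.compare_digest(hotp(user.token_secret, counter).encode(), otp.encode()):
            return counter
    return None


def login(user: UserRecord, password: str, otp: str) -> bool:
    """Two-factor login: both factors are always evaluated and both must pass.
    The counter advances only on full success, so a captured code cannot be
    replayed after the legitimate login that consumed it."""
    password_ok = check_password(user, password)
    matched_counter = check_otp(user, otp)
    if not (password_ok and matched_counter is not None):
        return False
    user.last_counter = matched_counter
    return True


def demo() -> dict:
    """Walk through the four cases the text discusses; returns each outcome."""
    user = make_user("correct horse", RFC4226_TEST_SECRET, salt=b"constructed-salt")
    code0 = hotp(RFC4226_TEST_SECRET, 0)   # "755224" in the RFC 4226 test vectors
    code1 = hotp(RFC4226_TEST_SECRET, 1)   # "287082"
    return {
        "token_only": login(user, "", code0),                      # possession alone: rejected
        "password_only": login(user, "correct horse", "000000"),   # knowledge alone: rejected
        "both": login(user, "correct horse", code0),               # real two-factor: accepted
        "replay": login(user, "correct horse", code0),             # same code again: rejected
        "next": login(user, "correct horse", code1),               # next fresh code: accepted
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14s} -> {'accepted' if accepted else 'rejected'}")
```

Note that `login` evaluates the password and the OTP independently and only then combines the results, rather than short-circuiting, so a wrong password and a wrong code take the same path; and that the replay guard lives on the server, which is why "someone who picks up the device" still needs the PIN or password to get anywhere.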
One problem will remain in any case: your password is in your brain, available everywhere and anytime (unless you forget it). A token has to be carried around. These days, when most of us use multiple devices, this can become rather inconvenient. If we leave the token in the device, we opt for a rather insecure approach – everyone who has access to the device has access to the token as well. But carrying it around is not what users prefer, even with very small form factors like the ones provided by Yubico. NFC solves some of the problems, because such a device can be used for multiple systems, but you still have to remember to carry it.
I personally would prefer a credit-card-sized NFC device plus the choice between a password and an OTP (one-time password), sent out-of-band to my cell phone, as the second factor. My wallet and the cell phone are the two assets I typically carry around. When discussing this with Ehrensvärd, she answered that many YubiKey NEO customers place the NFC-enabled YubiKey NEO in their wallet, and then tap the whole wallet to a smartphone or NFC laptop to log in.
Despite the fact that the card form factor is still missing from Yubico’s lineup, their approach is quite interesting – and they might get a big push from Google in the future. If you are looking for affordable approaches to stronger authentication, you should have a look at Yubico today. Even though it is not the perfect solution to the stronger authentication challenge, Yubico provides an interesting alternative.