Executive View

YubiKey by Yubico

YubiKey is a hardware authentication device that provides two-factor authentication using either one-time passwords or public key infrastructures. Combining strong cryptography with ease of use and supporting a wide range of authentication methods and protocols, YubiKeys are widely deployed by both enterprises and consumer-oriented online services.

Alexei Balaganski


1 Introduction

Yubico is a privately held company headquartered in Palo Alto, CA, USA. Originally founded in 2007 in Sweden with a specific focus on developing a secure, yet simple and affordable alternative to password authentication, the company now has a global presence with offices in the USA, UK and Sweden and over 100,000 customers in 150 countries including such companies as Google, Salesforce and Facebook.

Security experts have been predicting “death to passwords” for over a decade. Unfortunately, despite all their efforts and despite a number of stronger alternatives available on the market, passwords are still a reality we have to deal with. In fact, with the continuing proliferation of online services and a wide variety of devices to access them, the number of credentials users have to deal with is only increasing. Although passwords are universally known to be subject to a wide variety of risks, most stronger alternatives fail to get significant traction for a number of reasons: equipment costs, lack of interoperability and vendor lock-in, inability to scale to a large number of identities, and last but not least, complicated deployment involving hardware adapters, drivers, client software and so on.

Although Yubico’s first product, the original YubiKey, was merely a one-time password token with a USB connector, it managed to address most of these concerns quite successfully. First of all, it provided completely plug and play one-touch operation without any client software. Second, although the device was created for a specific customer project, the infrastructure around it was designed to be open and extensible, with all components published as Open Source projects. Finally, a single YubiKey was enough to secure multiple independent online services.

Since then, the company has developed several generations of its flagship product, and Yubico’s current portfolio includes several YubiKey models with different interfaces (USB and NFC, with Bluetooth in development) and a wide variety of supported authentication methods and protocols, including Yubico and OATH One-time Password (OTP), Personal Identity Verification (PIV), OpenPGP and the latest FIDO U2F standard. Thus, a single YubiKey can replace multiple OTP tokens and smartcards, not to mention securing existing password-based authentication with a strong hardware-based second factor.

Although the company’s primary focus is manufacturing and distribution of their hardware devices, Yubico is very active in promoting strong authentication to the public and maintaining a large developer and partner community. The company provides cloud services for validating OTP transactions, as well as a number of open source projects for strong authentication, encryption and digital signatures. Yubico is a member of several open identity standard bodies including W3C, OpenID Foundation, and the FIDO Alliance, where the company actively participates in development of the Universal 2nd Factor (U2F) standard.

With a number of large-scale end-user online services (for example, Google, Dropbox and, most recently, GitHub) supporting the open standards that the YubiKey works with, YubiKey has arguably become one of the most popular hardware authentication devices for consumers.
