YubiKey
Company type | Private |
---|---|
Industry | Hardware |
Founded | 2007 |
Headquarters | Palo Alto, California, United States |
Key people | Stina Ehrensvärd (CEO and founder) Jakob Ehrensvärd (CTO) |
Website | www |
The YubiKey is a hardware
The YubiKey implements the
Founded in 2007 by CEO
YubiKey released the YubiKey 5 series in 2018, which adds support for
History
Yubico was founded in 2007 and began offering a Pilot Box for developers in November of that year.[18] The original YubiKey product was shown at the annual RSA Conference in April 2008,[19][20] and a more robust YubiKey II model was launched in 2009.[21] Yubico's explanation of the name "YubiKey" is that it derives from the phrase "your ubiquitous key", and that "yubi" is the Japanese word for finger.[22]
YubiKey II and later models have two "slots" available, for storing two distinct configurations with separate AES secrets and other settings. When authenticating, the first slot is used by only briefly pressing the button on the device, while the second slot is used when holding the button for 2 to 5 seconds.
In 2010, Yubico began offering the YubiKey OATH and YubiKey RFID models. The YubiKey OATH added the ability to generate 6- and 8-character one-time passwords using protocols from the Initiative for Open Authentication (OATH), in addition to the 32-character passwords used by Yubico's own OTP authentication scheme. The YubiKey RFID model included the OATH capability and also a MIFARE Classic 1k radio-frequency identification chip,[23] though that was a separate device within the package that could not be configured with the normal Yubico software over a USB connection.[24]
Yubico announced the YubiKey Nano in February 2012, a miniaturized version of the standard YubiKey which was designed so it would fit almost entirely inside a USB port and only expose a small touch pad for the button.[25] Most later models of the YubiKey have also been available in both standard and "nano" sizes.
2012 also saw the introduction of the YubiKey Neo, which improved upon the previous YubiKey RFID product by implementing
In 2014, the YubiKey Neo was updated with FIDO Universal 2nd Factor (U2F) support.[28] Later that year, Yubico released the FIDO U2F Security Key, which specifically included U2F support but none of the other one-time password, static password, smart card, or NFC features of previous YubiKeys.[8] At launch, it was correspondingly sold at a lower price point of just $18, compared to $25 for the YubiKey Standard ($40 for the Nano version), and $50 for the YubiKey Neo ($60 for Neo-n).[29] Some of the pre-release devices issued by Google during FIDO/U2F development reported themselves as "Yubico WinUSB Gnubby (gnubby1)".[30]
In April 2015, the company launched the YubiKey Edge in both standard and nano form factors. This slotted in between the Neo and FIDO U2F products feature-wise, as it was designed to handle OTP and U2F authentication, but did not include smart card or NFC support.[31]
The YubiKey 4 family of devices was first launched in November 2015, with USB-A models in both standard and nano sizes. The YubiKey 4 includes most features of the YubiKey Neo and increased the allowed OpenPGP key size to 4096 bits (vs. the previous 2048), but dropped the NFC capability of the Neo.
At CES 2017, Yubico announced an expansion of the YubiKey 4 series to support a new USB-C design. The YubiKey 4C was released on February 13, 2017.[32] On Android OS over the USB-C connection, only the one-time password feature is supported by the Android OS and YubiKey; other features, including Universal 2nd Factor (U2F), are not currently supported.[33] A 4C Nano version became available in September 2017.[34]
In April 2018, the company brought out the Security Key by Yubico, their first device to implement the new
Product features
A list of the primary features and capabilities of the YubiKey products.[36]
Features compared for each model: OATH OTP; Secure static passwords; Yubico OTP; OATH: HOTP (event); OATH: TOTP (time); Smart card (PIV-compatible); OpenPGP; FIDO U2F; FIDO2; General-purpose HSM; FIPS 140-2; NFC; USB-A; USB-C; Lightning.
Model | Years sold |
---|---|
YubiKey VIP | 2011–2017 |
YubiKey Plus | 2014–2015 |
YubiKey Nano | 2012–2016 |
YubiKey NEO-n | 2014–2016 |
YubiKey 4 Nano | 2016–2017 |
YubiKey Edge-n | 2015–2016 |
YubiKey Standard | 2014–2016 |
YubiHSM 1 | 2015–2017 |
FIDO U2F Security Key | 2013–2018 |
Security Key by Yubico | 2018–2020 |
YubiKey NEO | 2012–2018 |
YubiKey 4C Nano | 2017–2018 |
YubiKey 4C | 2017–2018 |
YubiKey 4 Nano | 2015–2018 |
YubiKey 4 | 2015–2018 |
YubiKey C Nano FIPS | 2018–present |
YubiKey C FIPS | 2018–present |
YubiKey Nano FIPS | 2018–present |
YubiKey FIPS | 2018–present |
YubiHSM 2 | 2017–present |
Security Key NFC by Yubico | 2019–present |
YubiKey 5C Nano | 2018–present |
YubiKey 5C | 2018–present |
YubiKey 5 Nano | 2018–present |
YubiKey 5 NFC | 2018–present |
YubiKey 5Ci | 2019–present |
YubiKey 5C NFC | 2020–present |
ModHex
When being used for one-time passwords and stored static passwords, the YubiKey emits characters using a modified hexadecimal alphabet which is intended to be as independent of system keyboard settings as possible. This alphabet is referred to as ModHex and consists of the characters "cbdefghijklnrtuv", corresponding to the hexadecimal digits "0123456789abcdef".[37]
Since YubiKeys use raw keyboard scan codes in USB HID mode, there can be problems when using the devices on computers that are set up with different keyboard layouts, such as
This problem only applies to YubiKey products in HID mode, where they must emulate keyboard input. U2F authentication in YubiKey products bypasses this problem by using the alternate U2FHID protocol, which sends and receives raw binary messages instead of keyboard scan codes.[40] CCID mode acts as a smart card reader, which does not use HID protocols at all.
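The ModHex mapping described in this section, written out as a small codec with input validation (an added example, not Yubico's code). The function names, the lower-casing of input, and the sample string are assumptions made for this example.

```python
# Added example: ModHex codec built from the two alphabets quoted above.
MODHEX = "cbdefghijklnrtuv"   # ModHex character at index i ...
HEX = "0123456789abcdef"      # ... stands for the hex digit at index i

_TO_HEX = str.maketrans(MODHEX, HEX)
_TO_MODHEX = str.maketrans(HEX, MODHEX)


class ModHexError(ValueError):
    """Input is not well-formed ModHex."""


def modhex_encode(data: bytes) -> str:
    """Encode raw bytes as ModHex (two characters per byte)."""
    return data.hex().translate(_TO_MODHEX)


def modhex_decode(text: str) -> bytes:
    """Decode ModHex to bytes, rejecting off-alphabet input instead of guessing."""
    # Assumption of this example: tolerate Caps Lock and a trailing newline.
    s = text.strip().lower()
    for offset, ch in enumerate(s):
        if ch not in MODHEX:
            # Typical cause: keystrokes were remapped by the host keyboard
            # layout, or the field holds something that is not token output.
            raise ModHexError(f"invalid ModHex character {ch!r} at offset {offset}")
    if len(s) % 2:
        raise ModHexError("odd length: ModHex encodes each byte as two characters")
    return bytes.fromhex(s.translate(_TO_HEX))


if __name__ == "__main__":
    sample = "ccbbddeeffgghhiijjkkllnnrrttuuvv"   # constructed 32-character value
    raw = modhex_decode(sample)
    print(raw.hex())
    assert modhex_encode(raw) == sample
    try:
        modhex_decode("ccbbddaa")                 # 'a' is not in the alphabet
    except ModHexError as exc:
        print("rejected:", exc)
```

A server that receives keyboard-emulated token output can run this kind of strict check first, so that layout-mangled input fails with a clear error rather than as a generic authentication failure.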
Security issues
YubiKey 4 closed-sourcing concerns
Most of the code that runs on a YubiKey is closed source. While Yubico has released some code for industry standard functionality like
Code for other functionality such as
On May 16, 2016, Yubico CTO Jakob Ehrensvärd responded to the open-source community's concerns with a blog post saying that "we, as a product company, have taken a clear stand against implementations based on off-the-shelf components and further believe that something like a commercial-grade
ROCA vulnerability in certain YubiKey 4, 4C, and 4 Nano devices
In October 2017, security researchers found a vulnerability (known as
OTP password protection on YubiKey NEO
In January 2018, Yubico disclosed a moderate vulnerability where password protection for the OTP functionality on the YubiKey NEO could be bypassed under certain conditions. The issue was corrected as of firmware version 3.5.0, and Yubico offered free replacement keys to any user claiming to be affected until April 1, 2019.[49]
Reduced initial randomness on certain FIPS series devices
In June 2019, Yubico released a security advisory reporting reduced randomness in
Social activism
In 2018, Yubico gave away free YubiKeys with laser-engraved logos to new WIRED and Ars Technica subscribers.[51]
Yubico provided 500 YubiKeys to protesters during the
References
1. "Specifications Overview". FIDO Alliance. Retrieved 4 December 2015.
2. "What Is A Yubikey". Yubico. Retrieved 7 November 2014.
3. McMillan (3 October 2013). "Facebook Pushes Passwords One Step Closer to Death". Wired. Retrieved 7 November 2014.
4. Diallo, Amadou (30 November 2013). "Google Wants To Make Your Passwords Obsolete". Forbes. Retrieved 15 November 2014.
5. Blackman, Andrew (15 September 2013). "Say Goodbye to the Password". The Wall Street Journal. Archived from the original on 3 January 2014. Retrieved 15 November 2014.
6. "YubiKey Authentication". LastPass. Retrieved 15 November 2014.
7. "KeePass & YubiKey". KeePass. Retrieved 15 November 2014.
8. "Yubico Releases FIDO U2F Security Key". Yubico (Press release). 2014-10-21. Retrieved 2018-05-05.
9. "Yubico Launches New Developer Program and Security Key for FIDO2 and WebAuthn W3C Specifications" (Press release). 2018-04-10. Retrieved 2018-05-06.
10. https://support.yubico.com/hc/en-us/articles/360016649139-YubiKey-5-2-Enhancements-to-OpenPGP-3-4-Support#h.17w9cagj5zl8
11. "Launching The 4th Generation YubiKey". Yubico. Retrieved 20 November 2015.
12. "With a Touch, Yubico, Docker Revolutionize Code Signing". Yubico. Retrieved 20 November 2015.
13. "Setting up Windows Server for YubiKey PIV Authentication". Yubico. Retrieved 2021-06-06.
14. "SSH user certificates". developers.yubico.com. Retrieved 2021-06-06.
15. "The Team". Yubico. Retrieved 12 September 2015.
16. "History of FIDO". FIDO Alliance. Retrieved 16 March 2017.
17. "Yubico launches new YubiKey 5 Series 2FA keys, supports passwordless FIDO2 and NFC". Android Police. 2018-09-24. Retrieved 2019-10-07.
18. "Yubico launches YubiKey Pilot Box". Yubico. 2007-11-26. Archived from the original on 2008-02-21. Retrieved 2018-05-06.
19. Steve Gibson (April 2008). "Security Now! Notes for Episode #141". Security Now!. Gibson Research Corporation. Retrieved 2018-05-05.
20. Leo Laporte and Steve Gibson (2008-04-24). "Episode #141 - RSA Conference 2008". Security Now!. Gibson Research Corporation. Retrieved 2018-05-05.
21. Mike (2009-08-27). "Yubikey II – got it". Read My Damn Blog. Retrieved 2018-05-05.
22. "Company Information". Yubico. Retrieved 2020-11-30.
23. "RFID YubiKey". Yubico Store. Archived from the original on 2011-08-29. Retrieved 2018-05-05.
24. "RFID YubiKey". IDivine Technology. Retrieved 2018-05-05.
25. "Yubico Launches YubiKey Nano, The World's Smallest One-Time Password Token" (Press release). Yubico. 2012-02-28. Retrieved 2018-05-05.
26. Clark, Sarah (2012-02-22). "Yubico introduces one-time password token that secures access to the contents of NFC phones". NFC World. Retrieved 2018-05-05.
27. Maples, David (2012-12-26). "YubiKey NEO Composite Device". Yubico. Retrieved 2018-05-05.
28. "Yubico Introduces Industry's First FIDO Ready™ Universal 2nd Factor Device". Yubico (Press release). 2014-01-06. Retrieved 2018-05-05.
29. "YubiKey Hardware". Yubico. Archived from the original on 2014-11-07.
30. "pamu2fcfg doesn't support test devices". GitHub.
31. "Yubico Launches YubiKey Edge at RSA 2015; OTP and U2F Two-Factor Authentication in One Key". Yubico (Press release). Retrieved 2018-05-05.
32. "NEW YubiKey 4C featuring USB-C revealed at CES 2017 | Yubico". Yubico. 2017-01-05. Retrieved 2017-09-14.
33. "Can the YubiKey 4C be plugged directly into Android phones or tablets with USB-C ports? | Yubico". Yubico. Archived from the original on 2017-09-14. Retrieved 2017-09-14.
34. "Our Family is Growing! YubiKey 4C Nano Unveiled at Microsoft Ignite". Yubico. 2017-09-25. Retrieved 2018-05-05.
35. Jones, Michael (2018-03-20). "Candidate Recommendation (CR) for Web Authentication Specification". W3C Web Authentication Working Group. Retrieved 2018-05-06.
36. "What YubiKey Do You Have". Retrieved 2021-02-11.
37. E, Jakob (12 June 2008). "Modhex - why and what is it?". Yubico. Archived from the original on 16 November 2017. Retrieved 6 November 2016.
38. "Modified hexadecimal encoding (ModHex)". docs.yubico.com. Retrieved 2023-09-01.
39. Toh, Alvin (2013-07-24). "Expanding YubiKey Keyboard Support". Yubico. Retrieved 2018-05-05.
40. "FIDO U2F HID Protocol Specification". FIDO Alliance. 2017-04-11. Retrieved 2018-05-06.
41. "A comparison of cryptographic keycards". LWN.net. Retrieved 21 September 2020.
42. "Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version". techdirt. Retrieved 21 September 2020.
43. "Secure Hardware vs. Open Source". Yubico.com. Retrieved 18 September 2022.
44. Masnick, Mike (16 May 2016). "Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version". Techdirt. Retrieved 27 March 2020.
45. "ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]". crocs.fi.muni.cz. Retrieved 2017-10-19.
46. "NVD - CVE-2017-15361". nvd.nist.gov. Retrieved 2017-10-19.
47. "Infineon RSA Key Generation Issue - Customer Portal". Yubico.com. Retrieved 11 June 2019.
48. "Yubico Mitigation Recommendations". Yubico.com. Retrieved 11 June 2019.
49. "Security advisory YSA-2018-01". Yubico. Retrieved 2021-01-04.
50. "Security Advisory YSA-2019-02 Reduced initial randomness on FIPS keys". Retrieved 2019-06-14.
51. Manning, Ronnie (2018-02-01). "WIRED and Ars Technica Experts Choose YubiKey 4 for New Subscribers". Yubico. Retrieved 2023-09-01.
52. "Swedish tech firm Yubico hands Hong Kong protesters free security keys amid fears over police tactics online". South China Morning Post. 2019-10-10. Retrieved 2019-10-18.
53. "Yubico 贊助香港抗爭者世上最強網上保安鎖匙 Yubikey | 立場新聞". 立場新聞 Stand News (in Chinese). Retrieved 2019-10-18.