Google Takes On Yubico And Builds Its Own Hardware Security Keys


Olegario Benford

Jun 11, 2024, 4:26:36 PM6/11/24
to ciouriatucyl

A recent Forrester report cited 10 security and risk technologies to pay attention to as a result of the pandemic, with one major disruptor being the shift away from weak password requirements. Many authentication solutions that were good enough a few years ago do not protect against modern malware, phishing or man-in-the-middle attacks. By moving beyond passwords to hardware-based security keys, organizations are enabling the strongest form of authentication, which is proven to mitigate account takeovers, with unsurpassed ease of use.




It has been our long-standing mission to make the internet safer for everyone. By pioneering security keys with our YubiKey and co-creating open security standards such as FIDO2 and WebAuthn, we, together with major platform companies like Microsoft, are helping to drive the global business world towards the elimination of passwords.

Microsoft has been incorporating FIDO2 flows that support YubiKey strong authentication features and work natively with Azure Active Directory, Windows 10 and Microsoft 365 applications. Incorporating these types of identity verification in conjunction with hardware-based authentication hardens security and mitigates remote phishing attacks.

Together with Microsoft, we are announcing a Go Passwordless Pilot Program where qualified Service Providers (e.g. systems integrators, consulting services) in Canada, the EU, the UK and the US can nominate their customers to pilot the Azure Active Directory Passwordless flow. For a limited time, Yubico and Microsoft are offering 25 free YubiKeys to up to 100 qualified customers to pilot the Microsoft Azure AD Passwordless flow and the YubiEnterprise Delivery (YED) service.

Stina Ehrensvard, CEO and founder of Yubico and Sue Bohn, Partner Director of Program Management in the Identity Division at Microsoft, discuss the Go Passwordless Pilot Program and how both companies are helping to drive open standards and passwordless momentum.

Hello everyone,
I have HID-supported Arduino board ( ) which has 32KB of internal storage as well as built-in LED (3rd pin) and DIP switch (6th pin). Is it feasible to implement a minimal FIDO universal two-factor authentication protocol on it for usage with services such as Google, GitHub or Docker? Also, is there any library made for that yet?
Best regards,
moliata.
PS: implementation can be insecure, I just care about the concept.

Hello,
I have checked the first link and it seems I did everything I had to? I mean I posted in the right category, as its description says "Feasibility", and well, I did some research on Google and couldn't really find anything regarding that.
Looking at my experience, I would say intermediate.
If you did not understand what I mean by FIDO U2F implementation, take a look at the FIDO specifications (Index of /specs/), the Yubico hardware authentication key (YubiKeys at Yubico.com) and the Wikipedia article on Universal 2nd Factor, thanks! By saying minimal I mean the smallest, possibly insecure implementation on Arduino which works with actual services like your Google account.
Best regards,
Ben.
P.S: I would love to know if it is feasible though.

Hi,
The board you are using, the Malduino, is a product I have not come across before; being open sourced, the Arduino IDE and concept have been adopted by many manufacturers.
In this case you would be better off asking the Malduino people and quizzing them on what you want to achieve.

Hello,
MalDuino is actually open-sourced and you can find more info on their wiki in their Technical Stuff papers. MalDuino is a minimalized version of Arduino made for USB attacks (like USB Rubber Ducky), but as they say themselves, it's an Arduino, so you can do way more with it. My goal is to try to implement an Arduino-based USB authentication key, so you could access your Google account with a hardware USB device like a YubiKey. These universal 2-factor authentication keys use the FIDO U2F protocol. The browser and the USB device communicate through numerous requests, including REGISTER for registering a new account (which could be stored in EEPROM) and KEYHANDLE for handling cryptographic keys to access your account.

Googling, I found the site SignMyCode, which is a certificate reseller but has a lot of resources and tutorials. SignMyCode lets you buy a certificate without a USB key if you have your own hardware to store the keys.

Since I always use a laptop to work, I liked the idea a lot of using a tiny YubiKey Nano and keeping it plugged into the USB port, instead of having to find a regular-sized USB token every time I need to sign code.

To be fair, the certificates sold through Lindersoft are EV (Extended Validation). The one I bought is only OV (Organization Validated). Upgrading to EV in SignMyCode costs $70 more per year. I think the validation process for EV may be more complicated than OV so I preferred the OV option.

When you receive your YubiKey, you should change the default PIN and Management Key, then follow this tutorial to create a CSR (certificate request) and to export the key attestation and intermediate files. The video talks about merging the files, but the order page on SignMyCode now lets you paste each file in a different field.

After the documentation is validated, you receive another link to start the order validation phone call. The link shows the phone number they are going to call. They must validate this number somewhere else; fortunately I used my personal cell phone when registering with the Apple Developer Program, so that part was easy. The process is automated: you press a "Call me now" button, your phone rings and a recording tells you to dial 1 to confirm the order (it took me a few tries until the 1 registered) and then reads you a number. You enter that number on the page where you pressed the "Call me now" button and the order is validated.

The next day you receive a notice that your certificate was issued (I confirmed my order on a Friday and did not receive the certificate until the next Monday). You can then log into the SignMyCode site and download a zip file that includes your certificate .crt file and an additional CA bundle .crt file.

SignMyCode gives you support through a chat window on their site; they are very responsive. Support from the certificate issuer is through support tickets. Maybe they are in a different time zone, because all interactions took 24 to 48 hours to complete.

NEW: I had visited the Lindersoft order page a few months ago and only found options to order the certificate with a physical token. Now they also have an option to order by pasting a key attestation file from a YubiKey. If you want an EV certificate, this may be a better deal.

Carlos, how long is the PIN good for? IOW, if I generate and pass it into a build system that takes 30 minutes, would the PIN still be valid for signing the program and Installer at the end of the build?

Yubikeys are tied to the physical key that you must have with you on your person to be authenticated. Yubikeys are less convenient than passkeys but they can be more secure only if you need the security of a single air-gapped physical key. Typically, you register multiple yubikeys for each account in case you lose one.

Great question! Today, security keys like YubiKeys are used for two-factor authentication where you need to enter your password and then provide the security key as a second factor before you can authenticate to a service. The utility of security keys is that they can help prevent two big problems with passwords: phishing and password theft.

Passkeys are different from passwords in that they address those problems directly without the need for a security key. Unlike passwords, passkeys are always strong and unique. Passkeys use public-key cryptography to achieve their high level of security, which makes them highly resistant to phishing and theft. Based on the same underlying technology as USB security keys, passkeys are entirely software-based, stored on your devices, and accessed using biometrics.

It will be some time before every website on the internet builds support for passkeys. If your threat model is such that a security key is needed to protect yourself then I suggest that you continue using the Yubikeys that you ordered.

@Mork That isn't a change that 1Password itself can make. The websites you have accounts with will have to add support for Passkeys and offer a method for changing from password-based authentication to Passkey-based authentication. Passkeys and passwords will likely continue to co-exist for a long time to come. And there may be sites/services/systems that never adopt Passkeys. It isn't as though on January 1 everybody is going to drop passwords and start using Passkeys, as nice as that might be.

The question is also: does it make more sense to store all 2FA tokens in the password manager and then use passkeys as 2FA instead of security keys, using the security key exclusively for authentication to 1Password, or should you rather have 2FA on the YubiKey, because if someone has access to 1Password via the PC, he still cannot log in without YubiKey 2FA?

Just registered two YubiKeys. However, when logging back in to the account, the SMS method is used. How does one select the hardware token instead? If that is not possible, how do I remove my mobile number from my account?
