Yubico’s tiny YubiKey has the future of security all locked up

Say “YubiKey” aloud, and you might get a sense of the intention of Yubico, the company behind this USB hardware-based authentication key that’s stormed the internet by being very clever and working with open standards. Until recently, I’d only silently read the product name and didn’t get the pun until I spoke it—ubiquity.

The YubiKey comes in several models, all of which conform to a relatively new approach to validating identity online that relies on unique encryption keys tied to a specific site or app. Yubico has pushed for standardization, enlisting big partners and multiple alliances along the way. Most recently the World Wide Web Consortium (W3C) adopted a standard that Yubico helped develop that directly embeds this encryption approach into web browsers, making it vastly simpler for sites to implement it.

As Yubico’s technology spreads across the net, ordinary mortals tired of credential theft, phishing, and other fraud may finally latch onto a YubiKey for simplicity and security. Security geeks are already well aware of it. Some I know have recommended one to their less savvy relatives, even when they have to provide setup and hand-holding.

Google long ago implemented an early version of what’s called Web Authentication (or WebAuthn for short), and Microsoft activated support in November 2018. Firefox incorporated WebAuthn in May 2018. Apple is often a holdout in certain kinds of standards and interoperability in favor of its own, which it considers more secure and more privacy-focused solutions. And yet the company put WebAuthn support into the publicly available technology-preview version of Safari for Mac in December 2018, and it will likely remain in place for the macOS update in the third quarter of 2019. (Apple declined to provide more information about its plans to incorporate the technology into iOS or macOS.)

Yubico has paired this standards success with the release of an iPhone- and iPad-compatible USB token that has Apple’s Lightning adapter on one end and a USB-C plug on the other. Released as a technology preview, it works with the Brave browser for iOS and the Safari preview and other browsers in macOS. Hundreds of services currently work with WebAuthn and previous standards on which it was built; tens of thousands should follow.

Yubico’s security keys aren’t cheap, starting at $45 for its flagship key model. They compete with hardware from other companies that sells for as little as $20. But a recent Verge roundup examined eight hardware authentication devices and gave the nod to four YubiKeys—including ranking it in the #1, #2, and tied-for-#3 positions. A Google-made device came in fourth. The company doesn’t face that much competition from other makers of authentication keys, perhaps because it’s tough to build something with enough added value to command a cushy profit margin.

Even Yubico isn’t in business purely to sell security hardware. “We never started the company to build the YubiKey,” says Jerrod Chong, Yubico’s chief solutions officer. Rather, he says, the goal was to provide a broad-based way to keep everyone safe on the internet. It’s a lofty, idealistic goal—and it’s succeeding.

It’s all in the timing

With a YubiKey plugged into your computer, tablet, or phone, proving your identity to an app or site is a matter of first enrolling your device using unique, encrypted information buried in the key, and then on future logins, tapping a button. (Some sites may require a regular login plus the button tap each time; others can opt for the token to reauthenticate.) All the cryptographic jiggery-pokery happens invisibly, protecting you from fake sites and your account from password thieves and even sophisticated attacks such as two-factor authentication (2FA) hijacking.

While pursuing that mission, YubiKey has grown from 30 to 200 staffers over the last several years and has raised $30 million from investors. Crunchbase estimates that the privately-held company so far earns a modest $10 million in sales in a space that could be worth billions.

At the core of the standards Yubico has helped develop and gives away is a simple idea: Users should control and own the encryption keys that let them validate their identity with apps, sites, and services. No middleman has access to keys nor the contents of communications using them, and no central infrastructure is required.

Tech giants, of course, might be happy to serve as intermediaries between consumers and the apps and services they use. But Yubico’s decentralized approach hasn’t scared off big companies. Instead, more have rushed in, with the W3C’s approval cementing its future.

Yubico’s approach to security has enjoyed such success in part because of a quirk in timing. The company developed its login standards and specialized hardware just before makers of smartphones and other devices began to build in features focused on local, device-based authentication, such as fingerprint and face scanning and related technology. As Yubico has grown and spread the approach it helped pioneer, those manufacturers have signed on to broad standards rather than producing proprietary alternatives, perhaps due to the growing public mood in favor of digital privacy and against consolidating power in specific companies’ hands.

At various times in recent years, Apple, Google, and Microsoft have decided to protect mobile and desktop platforms by adding secure chips that act as one-way conduits and private safes for data like encryption keys and credit cards. Apple embeds these chips in its own gear, as does Google for its Pixel phones; both Google and Microsoft support them in their operating systems and encourage hardware manufacturers to embrace them. These enclaves are the heart of modern biometrics, mobile payment systems, and much more.

The secure chips built into devices encode the shape of your face, the whorls on your fingertips, the fry in your voice, and the code on your credit card. Even the makers of that hardware can’t extract the data. That became an issue when the FBI asked Apple to build a custom version of iOS that would give the agency greater odds of cracking codes secured by silicon. (Apple demurred and resisted in court; the FBI alleged that it found another way.)

However, while these security chips may be involved in authenticating you in native apps, for online purchases, and via device-based logins (such as Apple’s Touch ID and Face ID), they don’t bridge the gap to the web, where—despite app makers’ best efforts—people still spend much of their time. A web-based email service, for example, can’t get direct access to a chip such as Apple’s Secure Enclave to safely log you in.

That’s where Yubico fits in—literally.

A security chip in a portable package

YubiKeys and similar devices rely on standards that put a security chip in an external package and make it a company-, platform-, and device-agnostic validation method. The keys can work with any device and software that are USB-savvy.

This is possible because of the FIDO (Fast ID Online) Alliance. Founded in 2012 to provide a device-locked, cryptographic alternative to passwords, it increased its portfolio in 2013 when Yubico, Google, and their semiconductor partner NXN joined, bringing a hardware-based technology that could provide a second authentication factor.

This notion, released as Universal 2nd Factor (U2F), relies on public-key cryptography, where the encryption secret is split into a pair of public and private keys. At sites and services that support U2F, users enroll by logging in and verifying themselves, and then using the U2F device to generate a unique key pair. The remote site retains the public key portion.

On subsequent logins, users may still have to enter a username and password, or whatever similar credentials are required. Then the site handshakes with the security key by sending a challenge that’s encoded with the public key. The U2F hardware provides a response that only a party that possesses the private key could. The unique key pair is associated with a specific domain name, preventing phishing sites from fooling a user into logging in at a nefarious site; only the enrolled site has the public key.

This turns conventional two-factor authentication on its head. If a site uses a one-time code or a shared secret to authenticate users—as huge numbers of them do—the information could be intercepted by a third party and is subject to other vulnerabilities. By vesting ownership with the user and using a cryptographic exchange, Yubico’s approach dramatically improves the integrity of a second factor in protecting a user’s account.

Until recent years, U2F had relatively limited adoption, outside of specific apps and websites that required use of the Google Chrome browser. While that list of sites increasingly included big consumer and enterprise players—like Dropbox, Eve Online, and Salesforce—each site or app had to write what was effectively a custom integration.

The big tech companies seemed to be more interested in pushing “Sign In With” single-sign-on options that let users rely on their accounts to log in elsewhere. That included the operating-system makers like Microsoft and Google (plus Apple this fall), and a host of others, including Amazon, Facebook, and Twitter.

Those unified sign-ins are not only ecosystem-dependent, leading to lock-in; they don’t offer a whit more security. In fact, they establish even worse single points of failure.

The standard behind the key

Big firms typically want to consolidate and capture users. This time appears to be different, at least for operating-system and browser makers. Yubico’s long-held desire to bring secure authentication to websites has come to fruition.

In 2016, FIDO brought the web portion of its second-generation standards to the W3C, which released a final version in March 2019. WebAuthn puts the necessary pieces into web browsers for authentication of logins over the web outside of the browser. This allows for plug-in hardware such as the YubiKey. It also permits the use of built-in security chips tied to a specific computer or mobile device.

For web developers at sites large and small, this shifts the heavy lifting of using a YubiKey or similar authenticator to the browser and makes implementation the same across all browsers that support the standard. It puts authentication on the same footing as animating objects on a page or storing data locally in a browser.

Yubico’s tipping point may already be underway with the adoption of WebAuthn. But it’s most likely to reach its full potential if Apple adds the standard to the iOS version of Safari. That’s why Yubico created its Lightning/USB-C preview. Yubico’s Chong says that the company wanted to get something into the market, even as a limited early release, rather than just demoing a prototype. “If you don’t show a way to create the experience, then it never gets done,” he says. That philosophy seems to have guided Yubico from its founding until now.

The company’s biggest threat could come from its success. Because WebAuthn allows the use of existing secure enclaves, phone makers may eventually build Yubikey-like functionality into phones and other devices, allowing likely YubiKey buyers to avoid a separate purchase. And yet the same forces that would lead people to want authentication outside of a big company’s intermediation might also lead some of them to prefer a portable, personal, third-party device from a neutral company—a security company that’s thrived by opening its doors wide.