
RSAC: Yubico and the FIDO Alliance Promise an End to Passwords

Passwords are a terrible authentication solution, and biometric solutions require complicated hardware. The coming Yubikey Neo, powered by FIDO universal two factor authentication, just might spell the end of passwords.

By Neil J. Rubenking
February 28, 2014

Yubico introduced the Yubikey hardware authentication device in 2008, but at the time there wasn't much the average consumer could use it for except logging in to LastPass. The company has grown mightily since that time, and will soon offer a unique "universal second factor" authentication technique. At the RSA Conference in San Francisco, Yubico CEO and Founder Stina Ehrensvärd enthusiastically shared what's coming from Yubico.

"We wanted to bring smart card authentication technology to the mass consumer market, but removing drivers, middleware…something that has as good security as a smartcard without the complexity," she said. "We initiated this project with Google, and it's now being used inside Google."

FIDO Connection
The FIDO (Fast IDentity Online) Alliance includes some huge players, among them Microsoft, Mastercard, PayPal, Bank of America, and many more. "We've merged our efforts with FIDO," said Ehrensvärd. "The result is FIDO Universal Second Factor, or U2F, implemented in our Yubikey Neo device. The problem with existing Yubikeys and other hardware security devices is that you have one device for each service. You could use a phone and have multiple security apps for different services, but phones can be hacked."

"With a U2F device, you can have one device for unlimited services," she said. "I've always wanted that. In fact, the company name Yubico comes from the word 'ubiquitous'."

Simple Authentication
When you register a Yubikey Neo with a supporting website, it generates a unique public/private key pair. For Android smartphones, it connects via NFC; for PCs and Macs, via USB. (Support for iOS is in the works, but Ehrensvärd wasn't free to discuss details.) Enter your PIN if required, touch the device, and it authenticates you.

"The important thing," said Ehrensvärd, "is that the device interacts with each site directly. There's no third-party storage that could be hacked. There's also no special reader needed as with a chip and PIN credit card."
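The per-site key pair model described above, sketched as an added example (not Yubico or FIDO code, and not the U2F wire protocol). The `Token` and `Site` classes, the `demo` function and the `.example` site names are hypothetical; the PIN, the touch and the USB/NFC transport are left out.

```javascript
// Added illustration, not Yubico or FIDO code. Token, Site and demo are hypothetical names.
const crypto = require('node:crypto');

// Models the hardware device: one private key per registered site, never exported.
class Token {
  constructor() { this.keys = new Map(); }
  // Registration: generate a fresh P-256 key pair and hand back only the public key.
  register(site) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(site, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Authentication: sign the site's challenge with the key made for that site.
  sign(site, challenge) {
    const key = this.keys.get(site);
    if (!key) throw new Error(`token is not registered with ${site}`);
    return crypto.sign('sha256', challenge, key);
  }
}

// Models a website: it stores the public key itself, with no third party involved.
class Site {
  constructor(name) { this.name = name; this.publicKey = null; this.pending = null; }
  enroll(token) { this.publicKey = token.register(this.name); }
  newChallenge() { this.pending = crypto.randomBytes(32); return this.pending; }
  verify(signature) {
    if (!this.publicKey || !this.pending) return false;
    const challenge = this.pending;
    this.pending = null; // each challenge is accepted once
    return crypto.verify('sha256', challenge, this.publicKey, signature);
  }
}

function demo() {
  const token = new Token();
  const bank = new Site('bank.example'); // constructed site names
  const mail = new Site('mail.example');
  bank.enroll(token);
  mail.enroll(token);
  const sig = token.sign(bank.name, bank.newChallenge());
  const loginOk = bank.verify(sig);
  bank.newChallenge();
  const replayOk = bank.verify(sig); // old signature against a new challenge
  const crossSiteOk = mail.verify(token.sign(bank.name, mail.newChallenge()));
  return { distinctKeys: bank.publicKey !== mail.publicKey, loginOk, replayOk, crossSiteOk };
}
```

Each site ends up holding a different public key, so a database stolen from one site contains nothing that authenticates the user at another.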

"Yubikey Neo won't be available to the public until later this year," she said, "but several large partners are already using it internally, for their staff. It works really well. It's like a driverless smart card."

Privacy, Too
"People are more and more aware of privacy issues, in part due to the NSA revelations," said Ehrensvärd. "With U2F, users get control of their identity. They can buy their secure device many places; we are the first, but there will be others. Then use it to authenticate without giving away details about your identity. It's secure, yet anonymous. It's not owned or controlled by the government, or the bank, or the cloud. It's user-owned identity."

"This is disruptive!" she continued. "Banks and enterprises don't need to push it. Users will want to buy it. They won't have to worry about passwords. Oh, it's complementary to password managers, but eventually you may not even need a password manager."

Free, Easy Implementation
"Service providers can easily support U2F using free, open source components," explained Ehrensvärd. "Or they can pay to have it set up for them. My vision was to get here, to realize what's now the FIDO U2F. Many device vendors can compete and coexist."

"If standards are locked in to one vendor, it can get costly," she said. "We say the technology is free. The only one who must pay is the user, and it's a one-time cost. We'll roll it out later this year. It's helpful that so many big names are already in the FIDO Alliance, because in order for the device to be useful, you need many sites supporting it for the big deployment."

Just about everyone agrees that passwords are a pain. Biometric solutions, from fingerprint to heartbeat to eyeball analysis, are all way more complex than Yubico's proposed solution. And the darn things are durable; I've carried one on my keychain for five years. This just might be the invention that spells the end of stupid passwords.
