In the wake of Equifax’s recent data breach, and Yahoo’s revelation that an earlier hack was far worse than it had originally reported, users may appreciate a new primer on the security of Yubico’s FIDO U2F security keys. Writing on the company’s blog, Yubico founder and CEO Stina Ehrensvard explains how her company and Google worked to make the YubiKey solution “unphishable”.
For those unfamiliar with the devices, they are, for the most part, designed to plug into a computer’s USB port, with the user physically touching the key when authenticating, confirming to the remote server that, yes, the login is coming from a device equipped with a physical key in the user’s possession. And it doesn’t just confirm that the user is legitimate: as Ehrensvard notes, it also ensures that the “user login is bound to the origin,” meaning that a YubiKey will only complete a login for the legitimate website it was registered with, and won’t do so for a fake site used in a “man-in-the-middle” attack.
Also important is YubiKey devices’ use of a separate cryptographic key for each online service; since no key is shared between sites, a key is of little value elsewhere in the event that it is somehow intercepted. The solution also uses a process called “token binding”, which relies on server-issued authentication tokens and helps prevent would-be attackers from sending their own authentication tokens from a victim’s device.
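To make the origin binding and the per-site keys concrete, here is an added Go model of one U2F authentication round; it is not Yubico’s code or the FIDO U2F library, the key-handle mechanism is replaced by a per-origin map, and the origins and challenge used in the test are constructed. The token signs the hash of the appID together with the browser-supplied clientData (which carries the origin the user is actually on), and the relying party checks its own origin and challenge before it verifies the ECDSA signature.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)
// ClientData is built by the browser, not the site; the site never gets to choose Origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // taken from the address bar, so a look-alike site cannot spoof it
}
// Token models a U2F authenticator: one P-256 key pair per origin (appID) plus a signature counter.
// A real key derives the pair from a key handle; the map is an illustrative stand-in (assumption).
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }
func (t *Token) Register(appID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.keys[appID] = priv // a fresh pair per site; the site stores only the public key
	return &priv.PublicKey
}
// signedBytes is what U2F signs: SHA-256(appID) || flags || big-endian counter || SHA-256(clientData).
func signedBytes(appID string, c uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(app[:], 0x01, byte(c>>24), byte(c>>16), byte(c>>8), byte(c)) // 0x01: user presence (the tap)
	return append(msg, cd[:]...)
}
// Authenticate signs for appID, or refuses when no key was ever registered for that origin.
func (t *Token) Authenticate(appID string, cd ClientData) (uint32, []byte, []byte, bool) {
	priv, ok := t.keys[appID]
	if !ok {
		return 0, nil, nil, false
	}
	t.counter++
	raw, _ := json.Marshal(cd)
	h := sha256.Sum256(signedBytes(appID, t.counter, raw))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return t.counter, raw, sig, true
}
// Verify is the relying party's check: its OWN origin and issued challenge first, then the signature.
func Verify(pub *ecdsa.PublicKey, origin, challenge string, counter uint32, raw, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(raw, &cd) != nil || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	h := sha256.Sum256(signedBytes(origin, counter, raw))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Because the origin is hashed into the signed message by the browser, a response obtained on a look-alike domain can never satisfy the real site's Verify, and a key registered with one site is useless at any other.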
These and other features have helped to generate considerable excitement over Yubico’s authentication solutions, with the company having announced $30 million in new investments earlier this year, and major brands like Facebook having enabled support for two-factor authentication.