The coolest security hardware device ever
"The coolest authentication hardware device ever." -- Steve Gibson, Security Now!
Here are some excerpts from the Security Now! postcast discussing the Yubikey authentication hardware device Steve Gibson is referring to in his quote above.
Yubikey is an OpenID tool (one option is to use Yubico as your OpenID provider). Yubikey is also much, much more, as you will find out if you listen to the podcast.
Using Yubikey as an OpenID authenication tool, any time you needed to authenticate to an OpenID site you would just reach down and put your finger on the little touch surface of the YubiKey, and it would emit a one-time token.
YubiKey has a number of other features. One is an anti-phishing feature. The authenticator is able to determine when the YubiKey's output was generated.
Yubikey shows up as a standard USB keyboard, as an HID device, so any computer, any operating system will recognize it without any special software or drivers.
The YubiKey is a keyboard in terms of functionality. (In terms of size, it is a very small piece of plastic that fits on your keychain or anywhere else you want to put it.) Since you plug it into a USB port, the computer recognizes it as a keyboard, then at the proper time, when you want it to emit its cryptographic string, you just touch a little touch surface on it. It has a really nice sort of green glow. It is literally, it's the thickness of a PC board, a printed circuit board.
STEVE: It is absolutely secure. You cannot get the YubiKey to tell you its secret 128-bit AES key. All you can get it to do is to spit out unique tokens which only have meaning if the authentication end already has the key. And what I was so pleased about is [the business model].
LEO: They picked the right model, I think; don't you?
STEVE: Oh, I mean, it's why I'm so excited about this.
STEVE: And it's completely open spec, also. What I'm so pleased with, and the reason I wanted to give this a whole Security Now! episode, is that what Stina and her colleagues have decided to do is to make the backend authentication services free. No subscription, no license, nothing. They want to just sell the YubiKeys. (And they are cheap.)
SERIES: Security Now!
DATE: May 8, 2008
SPEAKERS: Steve Gibson & Leo Laporte
GUEST: Stina Ehrensvrd, CEO of Yubico
SOURCE FILE: http://media.GRC.com/sn/SN-143.mp3
FILE ARCHIVE: http://www.GRC.com/securitynow.htm
Audio podcast: http://www.twit.tv/sn143
Text transcript: http://www.grc.com/sn/sn-143.txt
Yubico website: http://www.yubico.com