Thursday, April 05, 2012

YubiKey USB security token


I recently obtained YubiKeys from Yubico. The YubiKey is a USB hardware token with a small button; it can present itself as a keyboard (a HID device) and type characters into the host. It supports different modes:
  • Yubico OTP Mode: Yubico implementation + server
  • OATH-HOTP Mode: standard HOTP as per RFC 4226
  • Static Password Mode: output the same static string
  • Challenge Response Mode: no HID, software challenges the token and gets a response

Two-factor authentication

The typical use of this token is two-factor authentication. For instance, the YubiKey is configured in OTP mode, and when your authentication service asks you for an OTP, you plug the device into a USB port and press the button; the token then types the OTP for you (it is a HID, acting as a keyboard).
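For the OATH-HOTP mode listed above, the service has to check the typed code against a counter it stores for the token. The following is an added example, not code from this post or from Yubico: RFC 4226 verification in Python with a look-ahead window, because button presses that never reach the service advance the token's counter past the stored one. The function names, the window of 5 and the use of the RFC 4226 test secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample: the shared secret from the RFC 4226 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, stored_counter: int,
                look_ahead: int = 5, digits: int = 6):
    """Return the counter to store next on success, or None on failure.

    Only counters >= stored_counter are tried, so a code that was already
    accepted cannot be replayed. The window is kept small because every
    extra counter is one more guess an attacker gets per attempt.
    """
    candidate = submitted.strip().encode()  # the HID may append a newline
    for counter in range(stored_counter, stored_counter + look_ahead + 1):
        expected = hotp(secret, counter, digits).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, candidate):
            return counter + 1
    return None


def demo():
    """Walk one token through accept, replay and out-of-window cases."""
    stored = 0
    # The user pressed the button twice elsewhere, then submits code #2.
    first = verify_hotp(SECRET, hotp(SECRET, 2), stored)
    replay = verify_hotp(SECRET, hotp(SECRET, 2), first)
    too_far = verify_hotp(SECRET, hotp(SECRET, 9), first)
    return first, replay, too_far


if __name__ == "__main__":
    print(demo())
```

The caller must persist the returned counter before granting access; otherwise the same code is accepted twice.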

Configuration

Yubico offers a cross-platform (Windows, Mac and Linux) personalization tool (user guide). It is a quick way to start playing with the device.

Hacking

This is the best part: Yubico products are well documented, and there is a variety of open source software and libraries in various languages (either by Yubico or by third parties).

Example applications

With the server library, you can add two-factor authentication to your website. With the PAM module, you can add two-factor authentication to your SSH server. With static password mode, you can use it like a sheet of paper to remember a strong password. But you can do much more, limited only by your imagination, for instance:
  • YubiUnlock: use your YubiKey to unlock your workstation.
  • YubiText: use your YubiKey to input text, without static password mode.
The latter is quite interesting and I'll explain it in another post.
