by Amadou Diallo
The YubiKey Neo is a small, batteryless USB device that offers a very secure alternative to user-generated passwords.
If there’s one thing that decades of computer use have taught security experts, it’s that most of us are really bad at creating good passwords. After the recent data breach involving Adobe’s customer accounts, security researcher Jeremi Gosney took a look at the stolen data and found that the most popular user password was “123456”, with “password” not far behind. It’s a given in the security industry that when consumers have a choice between safety and convenience, the latter usually wins.
If Google has its way, however, the very notion of typing in a password may soon be obsolete. In 2014, the Internet giant plans to release an ultra-secure and easy-to-use identity verification platform that eliminates the need for long, user-generated passwords. Dubbed U2F (Universal 2nd Factor), the consumer-facing side of this initiative will be a USB dongle called the YubiKey Neo. Built to Google’s specifications by security specialist Yubico, the YubiKey Neo is a small, durable and driverless device that requires no battery. Plugged into your computer’s USB port, it will add a second, highly secure layer of verification when you point Google’s Chrome browser to your Gmail or Google Docs account. You’ll initiate the login by typing your username and a simple PIN. The browser will then communicate directly with the YubiKey Neo, using encrypted data, to authorize account access. With U2F verification, if someone wanted to log in surreptitiously to your account, he or she would need to know your username and PIN while simultaneously having physical possession of that specific YubiKey Neo.
Based on security technology found in the smart card devices favored by the military, the YubiKey Neo can be thought of as a digital key. Your Google account is the lock, one that is configured on the fly to accept only the YubiKey Neo in your possession. Because the YubiKey Neo and Google’s Chrome browser will engage in secure public-key cryptography, the user-generated password you’d normally enter along with your username can be reduced to a simple four-digit PIN. The username and PIN simply state your identity. The YubiKey Neo is what actually verifies it.
Although U2F logins are not yet available to the public, Google has already deployed several hundred thousand YubiKey Neo devices to its employees since the beginning of 2013, according to Yubico CEO Stina Ehrensvärd. Google’s Product Management Director for Information Security, Sam Srinivas, confirmed the scope of the internal pilot program and says that the response to the device has been overwhelmingly positive, with employees remarking on the ease of use.
This is more than just a deal between Google and Yubico to provide more secure access to your Gmail account, though. Last February, Google joined the FIDO (Fast IDentity Online) Alliance, an industry standards group committed to effective, easy-to-use, open source solutions to Internet security. And when it joined the FIDO Alliance, Google published its U2F specification as an open standard, available to all interested parties. The Alliance, while still growing, includes heavyweights like PayPal, MasterCard, Lenovo and LG Electronics, along with security specialists like NXP Semiconductor and Yubico.
It’s clear to Google and everyone else involved in the FIDO Alliance that for U2F to be viable, it must be implemented across a broad range of consumer products and services. The goal is ambitious: to create a viable ecosystem of web browsers, apps and hardware authentication devices supporting the protocol so that users can have easy, secure access to shopping, financial and social sites from both their desktop and mobile devices.
Because the login information that you manually provide (username and PIN) is only the first step of authentication, representatives from Google, NXP and Yubico that I spoke with all emphasized that you can reuse your PIN across multiple sites without compromising security. A single four-digit PIN, used on every site you visit, would be a game-changer for consumers, and make hard-to-remember passwords a thing of the past.
While the YubiKey Neo is the first U2F-certified hardware device, FIDO Alliance members expect competition to soon follow, in the form of chips embedded into new computers and biometric-scanning devices that use fingerprints or other unique physical traits to verify identity. For now, the YubiKey Neo offers an interesting look at the possibilities of the U2F standard. One of the great usability benefits of the YubiKey Neo is that this single hardware device can work with any number of U2F-enabled sites. You could register the same YubiKey Neo to work with all of your email, banking and social media accounts.
User privacy gets a prominent role in the U2F specification. No personal information is stored on the device. Nor is it possible for a thief to determine the individual sites that your YubiKey has been configured to work with. Furthermore, because it’s a physical product, rather than a virtual one that can be surreptitiously copied, you’ll know when your YubiKey Neo goes missing.
Not to be overlooked is the fact that you will buy the YubiKey Neo, thus owning your digital “key” outright. While Ehrensvärd offered no firm details on pricing, she envisions scaling to the point where YubiKey Neos “can be bought at your local 7-Eleven in packs of five.” You could keep the extras as backups. In the case of loss or theft, you will be able to disable the connection between the sites you log into and the missing YubiKey Neo, and simply register one of your backups instead. And keep in mind that even if a YubiKey Neo is lost or stolen, anyone trying to use it to access your accounts would need to know which site or sites it was registered with as well as your username and PIN.
For mobile devices, the YubiKey Neo is currently limited to compatibility with NFC-enabled smartphones, a shortcoming that Ehrensvärd readily acknowledges. She tells me, however, that they are working on a solution for non-NFC devices (iPhone, anyone?) and will be ready to announce a solution in early 2014.
The big news about Google’s participation in the FIDO Alliance is, of course, that its millions of users will be exposed to the U2F standard. And ultimately it’s consumers who will decide if a U2F ecosystem will develop and flourish. If U2F becomes synonymous with customer security, much the way SSL certificates did years ago, adoption rates will grow.
The promise of a digital life unencumbered by the need to create passwords is a tantalizing one. Beyond simple convenience, however, the U2F standard offers robust protection against malware that records your keystrokes, since there’s no password to type. Phishing attacks, in which you unknowingly submit information to fake sites, are greatly reduced as well, because the browser tells the device which site is actually asking, and the device only answers for the site it was registered with. For an in-depth look at the U2F protocol, Google has posted several documents with details about the specification.
We shouldn’t get ahead of ourselves, particularly since we don’t have a publicly available product yet, but we may be on the verge of a much more secure Internet, with an implementation easy enough for consumers to actually use.
full story: http://www.forbes.com/sites/amadoudiallo/2013/11/30/google-wants-to-make-your-passwords-obsolete/