Why AD360
 
Solutions
 
Resources
 
 

What are YubIkeys and how do they work?

Shreya Iyer

Nov 015 min read

Book Demo
 

Table of Content

Read more
  • 5 pain points you can overcome in AD user account management  
    Manual vs. automated identity life cycle management  
    Active Directory clean-up: Should you automate it?  
  • Maintain confidentiality of critical information by implementing the POLP  
    6 essential capabilities of a modern UBA solution  
    How can SSO help in reinforcing password security?  
  • Authentication vs. authorization  
    5 simple steps to HIPAA compliance  
    Smart strategies to provision and de-provision Active Directory  

Why physical security keys?

That's a trivial and well-deserved question by your wallet and your resources (accounts, data, etc). Physical security keys require your physical presence to have you authenticated, and with that, it keeps tabs on phishing attacks and any form of unauthorized access or threats. For instance, with a YubiKey, all you need to do is insert it into your device to login to your account. We'll get into the details in a while, and before we do so, let's address the elephant in the room- The YubiKey that we mentioned a couple of times.

What is a YubiKey?

Manufactured by Yubico, a YubiKey is a small USB or NFC-enabled device serving as a physical security key to access computers, networks, and online services. It's designed to take security up a notch by adding a second factor of authentication beyond just a password. Speaking of authentication, these keys support the following protocols:

  • WebAuthn/FIDO2: Enables password-less authentication
  • FIDO U2F: Provides two-factor authentication.
  • One-time passwords (OTP): Generates single-use codes
  • Smart card/PIV functionality: Supports PIV, OpenPGP, and OATH protocols

Why do you need YubiKeys?

We now know that Yubikeys enhance security beyond passwords. They use advanced cryptographic protocols to provide phishing-resistant authentication. Unlike SMS codes or authenticator apps, they cannot be guessed or compromised remotely due to the physical presence of the key being a mandate. With this, you get a higher level of security against account takeovers and unauthorized access attempts. Apart from enhanced security, you need them for the following reasons:

Compliance

We know that YubiKeys provide phishing-resistant MFA, offering a strong authentication measure, which is a mandate to comply with standards such as GDPR, PSD2, and HIPAA.

For instance, Article 32 of GDPR specifies that controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The phishing resistant MFA mentioned ticks the "appropriate technical and organizational measures" box under the article.

We also know that maintaining compliance is a huge green flag for you and your organization. Not only are you securing your resources, you're also avoiding legal penalties as a result of non-compliance. Apart from that, organizations prioritizing compliance maintain good reputation with customers and stakeholders.

Durability

YubiKeys are waterproof, crush-resistant, and do not need batteries to function. That's quite an advantage, given that you can use them in various conditions. The durability also makes them reliable in the long run, and as a result, you won't need to replace the keys frequently. That's a win-win, and with all the time saved here, you can go to a fancy barista and have a fancy coffee in peace.

Versatility

A single key can secure multiple accounts and services, including your email, cloud storage, password managers, etc. As discussed before, YubiKeys support multiple protocols and this support lets you consolidate your security needs into one device. With this, you're simplifying managing your key and minimize the risk of lost credentials.

Offline use

YubiKeys offer several features that support offline usage, giving you enhanced security and accessibility when you're short on internet connectivity. The challenge-response mechanisms allow local devices to log in without access to a network, thus enabling offline authentication.

The keys also support cached logon for Windows workstations, permitting authentication when you're disconnected from networks. They generate OTPs using OATH-HOTP without an internet connection.

Apart from that, their PIV smart card functionality can work offline for authentication and encryption. Unlike SMS or app-based authenticators, these keys don't require network connectivity to function, operating via USB connection and physical touch. In case you forget to pay your internet bills, you can hold on to your keys.(Don't follow this advice; pay your bills)

Password-less capability

YubiKeys enable password-less login flows through their support for the FIDO2/WebAuthn standard. The protocol uses public key cryptography, and while logging in, the user inserts their key and authenticates locally, by pressing the button on it or through an OTP. The key then generates a cryptographic response to the service's challenge, verifying your identity without transmitting a password.

They also store multiple credentials, allowing password-less access to multiple accounts across different platforms and services. With this approach, you're not only avoiding threats and attacks such as phishing and man-in-the-middle attacks, you're also simplifying user experience.

How do you set them up?

Good question. Before you use the keys, you need to first set them up. Here's how you can do so:

  • Firstly, plug the YubiKey into your device's USB port or use NFC.
  • Navigate to the security settings of the service or account you have decided to secure.
  • Now, choose the option to add a security key or 2FA.
  • Follow the prompts to register your key. And you're done.

How do YubiKeys work?

We know that YubiKeys need to be inserted into a device from which you log in to your account or service after the first authentication is done. However, that's not the only crux of it. There's more. (Again, however, all you need to do is insert the key and press the button on it.) Here's what actually goes on when a YubiKey does its job as a second factor of authentication:

Wait. Here are a few things you need to know before getting to the authentication:

Firstly, these keys work on the principle of public key cryptography, which involves generating and storing a unique public or private key pair for each account or service they are used with. Here, the private key never leaves the device, while the public key is shared with your account or service for verification.

YubiKeys also make use of the principle of possesion-based 2 factor authentication where 'something you have' is paired with 'something you know' and/or 'something you are', in case you will be needing a 3rd factor of authentication.

The 'something you have' is your YubiKey and the 'something you know' could be a pin or a one time password(OTP). Your alternative or addition to the latter- 'something you are' is a biometric scan(Fingerprint, face recognition).

Let's now understand how the authentication works.

  • It starts with you attempting to access your protected account or service, so you insert the YubiKey into your device and tap it.
  • Now the key generates an OTP or uses public key cryptography to prove your identity. For instance, identity theft is not a joke. And other risks or attacks concerning your identity.
  • Speaking of using public key cryptography, here's how your identity is verified:

    • The service you've signed up for sends a challenge to your YubiKey.
    • The key generates a cryptographic response using its private key. The response or signature is generated using hashing algorithms or AES encryption. This is to encrypt the challenge into a non-readable format. Why the cryptographic response? The main reason is to verify your identity without letting any detail out.
    • Now, the response is sent back to verify your identity.
  • Now the server verifies your identity based on the OTP or the cryptographic response, given that the OTP you entered or the response is right. And you're good to go logging in.

FAQ

Can YubiKeys be used with mobile banking apps?

Yes, many mobile banking apps support YubiKeys and for ones with NFC capability, you can just tap your NFC-enabled key to the back of your phone to authenticate. For devices without NFC, you can use a YubiKey with a USB-C connector or a USB-A to USB-C adapter. However, compatibility may vary depending on the specific banking app and your device, so you will have to check with your bank for supported authentication methods.

Are YubiKeys compatible with password managers like LastPass or 1Password?

Yes, the keys are compatible with many popular password managers, including LastPass and 1Password. These password managers often support YubiKeys as an additional layer of security to access your password vault. By using the key with your password manager, you add a physical authentication factor, making it much more difficult for unauthorized users to access your stored passwords and sensitive information.

Can YubiKeys be used for securing cryptocurrency wallets or exchanges?

Yes, they can be used to secure many cryptocurrency wallets and exchanges. Many major cryptocurrency platforms support YubiKeys as a form of two-factor authentication. This adds an extra layer of security to your crypto assets, securing them from unauthorized access even if your password gets compromised.

 
Chat now
   

Hello!
How can we help you?

I have a sales question  

I need a personalized demo  

I need to talk to someone now  

E-mail our sales team  

Book a meeting  

Chat with sales now  

Back

Book your personalized demo

Thanks for registering, we will get back at you shortly!

Preferred date for demo
  •  
    • Please choose an option.
    • Please choose an option.
  •  
  •  
    This field is required.

    Done

     
  • Contact Information
    •  
    •  
    •  
    •  
  • By clicking ‘Schedule a demo’, you agree to processing of personal data according to the Privacy Policy.
Back

Book a meeting

Thanks for registering, we will get back at you shortly!

Topic

What would you like to discuss?

  •  
  • Details
  •  
    • Please choose an option.
    • Please choose an option.
    Contact Information
    •  
    •  
    •  
    •  
  • By clicking ‘Book Meeting’, you agree to processing of personal data according to the Privacy Policy.