The YubiKey appears to be a decent product in the market, providing two-factor authentication with a durable piece of hardware and an affordable price tag. This brief review covers the most common type of YubiKey, the Standard model.

The YubiKey uses symmetric encryption: the validation server and the device itself both hold the same secret, and that shared secret is what establishes a secure authentication. This makes protecting the validation service critical, since it holds the keys for all users. The easiest path is to trust the Yubico validation servers to adhere to strict security standards, of course; otherwise an enterprise-level setup will most certainly be mandatory.

Positives:

  • The YubiKey provides 128-bit AES encryption that is performed entirely inside the key; the operating system recognizes the key as a Human Interface Device (a keyboard).
  • It allows two independent configuration slots: slot #1 is activated with a short press (holding the YubiKey button for 0.3 – 1.5 seconds), slot #2 with a long press (holding the button for 2.5 – 5 seconds).
  • It provides multi-factor authentication, which is technically better than a password alone, and arguably better than biometrics as well, since biometrics generally require an additional device per machine, which drives up costs and tends to raise privacy issues.

Negatives:

  • Being recognized by the operating system as a keyboard also means that the key has the same level of access to the machine as the user does.

Best Practices:

A major security consideration is that essentially any scan code can be programmed into the YubiKey. The following command programs slot 1 with the Caps Lock scan code (0x39) followed by the scan codes for "Hello", so each press toggles Caps Lock and the output of slot 1 alternates from one press to the next.

ykpersonalize -1 -v -o -static-ticket -oshort-ticket -o fixed=h:39 -o uid=8b080f0f1200 -a 00000000000000000000000000000000

For this reason it is very important to set a write-protection password on both slots of your YubiKey. Another good practice is to customize/personalize the look of your key; otherwise, if anybody swaps their own key for yours, you would have only the serial number of the key to help you verify its authenticity.
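As an added illustration of how the command above is interpreted (example code written for this review, not Yubico's or ykpersonalize's own code), the following Python decodes the scan-code payload and models the host's Caps Lock state across repeated presses. It assumes that scan-code mode emits USB HID keyboard usage IDs with bit 0x80 as a Shift flag, that a 0x00 byte types nothing, that the fixed, uid and key fields are concatenated in that order, and a simplified host model in which Shift inverts Caps Lock for letters only; the payload values are taken from the command in the review.

```python
"""Decode a YubiKey scan-code payload and model what a host keyboard
driver types when the slot is pressed repeatedly.

Added example for this review, not YubiKey or ykpersonalize code.
Assumptions: scan-code mode emits USB HID keyboard usage IDs (Usage
Page 0x07) with bit 0x80 meaning "with Shift", a 0x00 byte produces no
keystroke, and the host upper-cases a letter when exactly one of Shift
and Caps Lock is active.
"""

# Assumed subset of the USB HID keyboard usage table (Usage Page 0x07).
HID_USAGE = {0x04 + i: ch for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz")}
HID_USAGE.update({0x1E + i: ch for i, ch in enumerate("1234567890")})
HID_USAGE.update({0x28: "<Enter>", 0x2B: "<Tab>", 0x2C: " ", 0x39: "<CapsLock>"})
SHIFT_FLAG = 0x80  # assumed: high bit marks "press with Shift held"


def decode_payload(hex_payload):
    """Turn a ykpersonalize 'h:' hex string into a list of (shift, key) events."""
    events = []
    for byte in bytes.fromhex(hex_payload):
        if byte == 0x00:              # assumed: 0x00 pads the field, types nothing
            continue
        usage = byte & 0x7F           # strip the Shift flag to get the usage ID
        key = HID_USAGE.get(usage, f"<0x{usage:02x}>")
        events.append((bool(byte & SHIFT_FLAG), key))
    return events


class HostKeyboard:
    """Minimal host model: Caps Lock is persistent state, Shift is per key,
    and a letter is upper-cased when exactly one of the two is active."""

    def __init__(self):
        self.caps_lock = False
        self.typed = ""

    def press(self, shift, key):
        if key == "<CapsLock>":
            self.caps_lock = not self.caps_lock   # state survives across presses
            return
        if len(key) == 1 and key.isalpha():
            key = key.upper() if shift != self.caps_lock else key.lower()
        self.typed += key   # digits and named keys are appended as-is (simplification)


def slot_payload(fixed_hex, uid_hex, key_hex):
    """Scan-code mode is assumed to type the fixed, uid and key fields in that order."""
    return decode_payload(fixed_hex + uid_hex + key_hex)


def simulate_presses(fixed_hex, uid_hex, key_hex, presses):
    """Return the text the host receives from each of `presses` button presses."""
    host = HostKeyboard()
    outputs = []
    for _ in range(presses):
        before = len(host.typed)
        for shift, key in slot_payload(fixed_hex, uid_hex, key_hex):
            host.press(shift, key)
        outputs.append(host.typed[before:])
    return outputs


# Constructed from the command in the review: -o fixed=h:39, -o uid=8b080f0f1200
# and a key (-a) of 32 hex zeros.
REVIEW_FIXED = "39"
REVIEW_UID = "8b080f0f1200"
REVIEW_KEY = "00" * 16

if __name__ == "__main__":
    print("payload:", slot_payload(REVIEW_FIXED, REVIEW_UID, REVIEW_KEY))
    for n, text in enumerate(simulate_presses(REVIEW_FIXED, REVIEW_UID, REVIEW_KEY, 4), 1):
        print(f"press {n}: {text!r}")
```

Running the simulation makes the author's "alternate" remark concrete: the payload itself never changes, but because Caps Lock is host-side state that the key toggles on every press, the same slot types "hELLO" on one press and "Hello" on the next. It also shows why the write-protection password matters: whatever is programmed into a slot is delivered as ordinary keystrokes with the logged-in user's privileges, exactly as the Negatives section notes.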

reviewed on: 2015/06/01 12:02 EST