Blog article

YubiKey 5 Features - What is YubiKey? (Part 2)

This article covers the basic features of the YubiKey 5 series and how it differs from Security Key by Yubico.


Table of Contents for this Series

 ・YubiKey 5 Features (this article)


Features of YubiKey 5

The previous article introduced the two main YubiKey product lines: Security Key by Yubico and the YubiKey 5 series.


Also, we have received numerous inquiries regarding whether to purchase a Security Key or a YubiKey 5.


The answer depends on which features are needed. If FIDO authentication (U2F/FIDO2/WebAuthn) is all that is required, the Security Key is recommended; for the other protocols described below (Yubico OTP, OATH-TOTP/HOTP, PIV smart card, OpenPGP, static passwords), the YubiKey 5 series is needed.


Services available with Security Key

Services that can be authenticated with the FIDO protocol include:


FIDO U2F

 ・Google 2-factor Authentication

 ・Facebook 2-factor Authentication

 ・Dropbox

 ・Twitter 2-factor Authentication

 ・AWS IAM 2-factor Authentication


FIDO2 or WebAuthn

 ・Dropbox

FIDO U2F and WebAuthn are browser-mediated: the site talks to the key through the web browser, so a service supports them only if it has implemented that flow. Before choosing a key, confirm with the service whether its second factor is FIDO authentication (U2F/FIDO2) or one of the other mechanisms explained below.


Note also that even when only the FIDO protocol is used, if the key must work over NFC (for example, tapped against a phone), a YubiKey 5 NFC, described below, is required.


(Currently, Android devices and some Windows 10 devices support NFC.)


YubiKey 5 Series Features

While Security Key by Yubico supports FIDO2/WebAuthn and FIDO U2F only, the YubiKey 5 series offers everything Security Key does plus several Yubico proprietary and standards-based authentication protocols.


Multiple protocols on one key. Completely configurable.




Yubico OTP


The YubiKey 5 supports multiple protocols, but the most widely used is still Yubico OTP; FIDO2 and WebAuthn are newer protocols that are not yet supported on every platform.


Yubico OTP ties the one-time password to the YubiKey's "just touch" action: the key enumerates as a USB keyboard, and a touch types a 44-character one-time password (a 12-character public ID that identifies the key, followed by a 32-character encrypted, single-use token) into whichever field has focus. Because the OTP arrives as ordinary keyboard text, any application with a text field can accept it without special drivers, and the same credential can be delivered in other ways, for example read from the key by a phone over NFC or typed by the key plugged directly into a PC. Each OTP carries counters that increase every time one is generated, so a captured OTP is rejected as a replay once it has been validated.
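To make the format concrete, here is an added Python example (not code from this article or from Yubico) of what a validation server does with one of these 44-character strings: split off the 12-character public ID (Yubico's default length, assumed here), ModHex-decode the remaining 32 characters, check the CRC-16 residue of the decrypted 16-byte token, confirm the private UID matches the registered key, and reject any token whose (session counter, use counter) pair is not strictly greater than the last one accepted. The AES-128 decryption of the token is passed in as a function: the sample uses a pass-through on constructed plaintext tokens so it runs offline, whereas a real validator would decrypt with the key's programmed AES secret. The public ID, UID and AES key below are constructed for the example.

```python
import struct

# Yubico's ModHex alphabet: 16 letters that sit on the same keys in most keyboard
# layouts, so the key can "type" the OTP without knowing the host's layout.
MODHEX = "cbdefghijklnrtuv"
CRC_OK_RESIDUE = 0xF0B8   # CRC-16 over all 16 bytes of a valid token (complemented CRC appended)
PUBLIC_ID_LEN = 12        # Yubico's default public ID length (assumed for this example)


def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not ModHex")
    return bytes((MODHEX.index(s[i]) << 4) | MODHEX.index(s[i + 1])
                 for i in range(0, len(s), 2))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def crc16(data: bytes) -> int:
    """Reflected CRC-16/CCITT (poly 0x8408, init 0xFFFF) as used by YubiKey tokens."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_token(plain: bytes) -> dict:
    """Unpack the 16 decrypted token bytes (all fields little-endian):
    uid[6] | session ctr (2) | timestamp lo (2) | timestamp hi (1) | use ctr (1) | rnd (2) | crc (2)"""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("bad CRC: wrong AES key, corrupted or tampered OTP")
    uid, session, ts_lo, ts_hi, use, _rnd, _crc = struct.unpack("<6sHHBBHH", plain)
    # Only the low 15 bits are the counter; the reference library masks off bit 15.
    return {"uid": uid, "session": session & 0x7FFF, "use": use,
            "timestamp": ts_lo | (ts_hi << 16)}


def build_token(uid: bytes, session: int, use: int, timestamp: int = 0, rnd: int = 0) -> bytes:
    """What the key assembles before AES-encrypting it (used here to construct sample OTPs)."""
    body = struct.pack("<6sHHBBH", uid, session, timestamp & 0xFFFF, timestamp >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)   # complemented CRC, LSB first


class Validator:
    """Minimal validation-server logic: lookup by public ID, decrypt, CRC, UID, replay check."""

    def __init__(self, keys: dict, decrypt):
        self.keys = keys          # public_id -> (aes_key, private uid)
        self.decrypt = decrypt    # callable(aes_key, 16 ciphertext bytes) -> 16 plaintext bytes
        self.last_seen = {}       # public_id -> (session, use) of the last accepted OTP

    def validate(self, otp: str) -> str:
        otp = otp.strip()
        if len(otp) != PUBLIC_ID_LEN + 32:
            return "BAD_OTP"
        public_id, body = otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]
        if public_id not in self.keys:
            return "UNKNOWN_KEY"
        aes_key, uid = self.keys[public_id]
        try:
            tok = parse_token(self.decrypt(aes_key, modhex_decode(body)))
        except ValueError:
            return "BAD_OTP"
        if tok["uid"] != uid:                      # decrypts, but belongs to another key
            return "BAD_OTP"
        if (tok["session"], tok["use"]) <= self.last_seen.get(public_id, (-1, -1)):
            return "REPLAYED_OTP"                  # counters must strictly increase
        self.last_seen[public_id] = (tok["session"], tok["use"])
        return "OK"


# --- constructed sample data (not a real key) ---------------------------------
PUBLIC_ID = "ccccccbcgjde"
UID = bytes.fromhex("a1b2c3d4e5f6")
AES_KEY = bytes(16)   # placeholder; a real validator holds the key's programmed AES-128 secret


def no_decrypt(aes_key: bytes, ciphertext: bytes) -> bytes:
    """Stand-in for AES-128-ECB decryption so the example runs offline; the sample
    tokens below are built in plaintext. Use a real AES call from a crypto library in practice."""
    return ciphertext


def demo() -> list:
    v = Validator({PUBLIC_ID: (AES_KEY, UID)}, decrypt=no_decrypt)
    first = PUBLIC_ID + modhex_encode(build_token(UID, session=5, use=0))
    second = PUBLIC_ID + modhex_encode(build_token(UID, session=5, use=1))
    tampered = first[:-1] + ("c" if first[-1] != "c" else "b")   # flip one character
    return [v.validate(first), v.validate(first), v.validate(second),
            v.validate(tampered), v.validate("d" * 44)]


if __name__ == "__main__":
    print(demo())   # ['OK', 'REPLAYED_OTP', 'OK', 'BAD_OTP', 'UNKNOWN_KEY']
```

The replay state is what makes the scheme safe to type into any text field: the OTP itself is not secret once used, because the server will never accept the same (session, use) pair for that key again, and a tampered string fails the CRC check before the counters are even consulted.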


Lastpass, for example, takes advantage of YubiKey's multi-device capability and can work on Windows, Mac, Android, and iOS.


It is still an active authentication method, especially for use on iOS and when WebAuthn is unavailable.



Softgiken’s Windows Logon Service also uses it for web screen logon and online authentication.


TOTP

The YubiKey 5 series can also store OATH-TOTP credentials, the time-based six-digit codes that Google Authenticator and similar apps generate. The seed is written to the key and the code is computed on the key; a companion app on the PC or phone only displays the result.

An authenticator app makes two-step verification cheap to deploy, but it leaves open the question of where the OTP seed, the shared secret from which every code is derived, is stored.
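As an added example (not code from this article), the following Python computes RFC 6238 TOTP codes from a seed using only the standard library, with a verifier that tolerates one time step of clock drift. It shows the point the paragraph makes: the seed is the entire secret, and any device or script that holds it, including this one, can produce every future code; keeping the seed on the YubiKey means the HOTP computation runs inside the key and only the six-digit result leaves it. The seed used here is the RFC 6238 test-vector secret, and the Base32 form is what an otpauth:// enrolment URI carries.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation.
    Whoever holds `seed` can run this for any counter; on a YubiKey it runs on the key."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(seed, unix_time // step, digits)


def seed_from_base32(s: str) -> bytes:
    """Decode the Base32 seed from an otpauth:// URI; enrolment pages often
    show it lower-case, grouped with spaces and without '=' padding."""
    s = s.replace(" ", "").strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and `window` steps either side (clock drift);
    compare in constant time so timing does not leak which digits matched."""
    for k in range(-window, window + 1):
        candidate = totp(seed, unix_time + k * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# RFC 6238 Appendix B test secret (SHA-1 column), as ASCII and as Base32.
RFC6238_SEED = b"12345678901234567890"
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_SEED, now))
    print("accepted:", verify_totp(RFC6238_SEED, totp(RFC6238_SEED, now - 30), now))
```

Note that nothing in the code path depends on the phone: a copy of the seed in a backup, a screenshot of the enrolment QR code, or a script like this one is as good as the authenticator app, which is why where the seed lives is the real question.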


If the seed lives only on a smartphone, a broken or lost phone takes the seed with it. Employees may also object to keeping confidential company information on a personal phone, and a TOTP seed for an account shared by several people is exactly such information.


In such cases, storing the authentication information on a hardware device such as a YubiKey solves the problem. With the seed on the key, the account cannot be used without the key in hand, and the code can be read on a Windows PC or Mac without any secret ever being stored on the personal phone.


Also, since the OTP seed is stored on an external device, it is possible to create a workflow in which the key is shared by multiple people or lent out only when used.


This solution can satisfy the requirements of employees who "do not want to keep confidential information" and managers who "want to manage confidential information.”


Certificates


The YubiKey has a smart card function that complies with the PIV (Personal Identity Verification) standard, so client certificates and their private keys can be stored inside the YubiKey.


Specifically, it can hold a certificate issued by a Microsoft Active Directory certificate authority for smart card logon, or a client certificate for VPN authentication.

In either case the private key never leaves the YubiKey and can only be used after the PIV PIN is entered, so authentication requires both possession of the key and knowledge of the PIN: strong, certificate-based two-factor authentication.


In the same way, private keys used for OpenPGP can also be stored.


Softgiken has also prepared and published a manual for deploying YubiKey in a Windows Active Directory environment.



Other Authentication


Other authentication methods are available too: OATH-HOTP (counter-based OTP) and static passwords, which let a long, complex password be stored in hardware and typed by the key.


The key has two OTP slots, selected by how long it is touched (a short touch for slot 1, a long touch of roughly three seconds for slot 2), so two of these functions can be used at once, for example Yubico OTP in slot 1 and a static password in slot 2.


Conclusion

As described above, the YubiKey 5 supports multiple protocols and can serve a wide range of uses, from adding two-step or two-factor authentication to existing and older systems today to passwordless authentication with the newest protocols in the future.



For more information about YubiKey and authentication, please contact us through the Contact Us page.


