September 25, 2018 // 11:21 a.m.
Second-factor authentication specialist Yubico has announced the launch of its fifth-generation hardware security keys, unimaginatively dubbed the YubiKey 5 series, which bring the platform's first support for the FIDO2 and WebAuthn protocols.
It's no secret that a password is a poor means of security: Between malicious software logging your keystrokes, insecure websites leaking their password databases, good-old shoulder-surfing, and the fact that highly secure passwords are typically impossible for humans to remember - even the famous correct horse battery staple becomes a challenge when faced with the need for a unique password for each one of the dozens of sites with which a typical internet user interacts in any given week - keeping safe online is a challenge. Second-factor authentication, also known as two-factor authentication (2FA), is one solution to the problem: As well as something you know, being your password, it requires something you have, typically in the form of a physical security key containing a protected private key and triggered only when physically inserted into a computer to verify a login. Using a second factor, anybody with only your username and password remains locked out of the account unless they can also present the physical key.
Yubico's latest YubiKey 5 series goes a step further, though: As well as acting as the second factor for traditional password authentication, the new USB devices are designed to replace passwords entirely through the new Fast Identity Online 2 (FIDO2) and WebAuthn standards. 'Innovation is core to all we do, from the launch of the original YubiKey ten years ago, to the concept of one authentication device across multiple services, and today as we are accelerating into the passwordless era,' claims Stina Ehrensvard, chief executive and founder of Yubico. 'The YubiKey 5 Series can deliver single-factor, two-factor, or multi-factor secure login, supporting many different uses cases on different platforms for different verticals with a variety of authentication scenarios.'
As with previous releases, the keys themselves support multiple authentication protocols: In addition to FIDO2, the keys can be configured for the original FIDO Universal Second Factor (U2F), PIV smart-card, one-time password (OTP), OpenPGP, OATH time-based and HMAC-based one-time password (OATH-TOTP and OATH-HOTP), and challenge-response systems. In all cases, cryptographic keys and operations take place in a secure hardware element - meaning that even if a Yubikey is connected to a compromised PC, the device remains secure. A variant with near-field communication (NFC) support is also available for mobile devices.
Yubico has launched its fifth-generation keys in the US now, priced at $45 for the YubiKey 5 NFC with USB Type A connector, $50 for the YubiKey 5 Nano USB Type A permanently-inserted variant, $50 for the YubiKey 5C with USB Type-C connector, and $60 for the YubiKey 5C Nano permanently-inserted variant. A cheaper Security Key model, which has only FIDO U2F and FIDO2 support and a USB Type-A connector, is also available for $20. UK pricing has yet to be confirmed, with more information available on the company's official store.