One Yubikey to rule them all

The Yubikey

I first came across the Yubikey listening to Episode 141 of Security Now and thought that it was a pretty interesting thing. After listening to Episode 143 - which is all about Yubico and the Yubikey - I was convinced and ordered one to try it out: I received it last week and played with it over the weekend - this thing is so cool that I directly integrated support for it into masquerade.

What is it all about?

The Yubikey is a new authentication device - a USB-keyboard with only one button.

The user inserts the YubiKey in any computer with a USB port on any platform or browser – no client software install needed – then press the YubiKey button to generate a one time passcode.

You can add it to your keychain, insert it into every computer you work on and use it to authenticate yourself without remembering a password… it requires no battery and is so easy, that even your mother could use it, since there is only one button to push ;)

But wait: This is the point where I have to mention that the website that asks for authentication (let's call it the relying party) has to support Yubikeys… this is a disadvantage of course, because at this point there are just a handful of public sites on the internet that authenticate via Yubikey. Even though it will take some time until this hits the mainstream, the Yubikey is the perfect solution for today's intranets or other websites that require multifactor authentication. And it is so easy to integrate that adoption could spread rapidly…

I won’t go into further details about what the Yubikey is and what it can be used for, because there are other good resources on that out there and I want to talk about how to integrate authentication with Yubikeys. Just consult the Yubico website or listen to Episode 143 of Security Now if you want to get further technical details.

How does it work?

There are different ways to authenticate on websites that support Yubikeys and you can try them with this demo. How you have to authenticate depends on the integration at the relying party: There is the possibility of using only the one time password generated by the Yubikey or combining it with a legacy login (for instance username and password). The latter can be used to achieve multifactor-authentication since the user has to have his Yubikey and also provide his password. So what is this one time password about?

A Yubico one time password

[The Yubikey is] designed to do two things: To generate the user’s unique identity and a one time pass code that only works the very second it’s used. Every time the user presses the button it generates a new pass code.

The one time password is exactly 44 characters long and consists of the user’s identity (the first twelve characters, which are always the same) and a secure token (the remaining 32 characters). This combination is used to verify the Yubikey and is inserted into the password field like any normal password. But who verifies the one time password? This leads to how to integrate…

How to integrate?

The relying party has to use the Yubico web service to verify the entered passwords. Up to now this is the only way of verifying, which means that the whole system depends on the Yubico web service being available - but the software is open source and there are server-side libraries written in Java and C that can be used to decrypt the one time password, so one could set up an independent verification service.

To ease the use of the Yubico web service, there are already client-side libraries available for the most common languages, which relying parties can use to add Yubikey support. I used the Ruby library to integrate it into my OpenID server project, which was rather easy. Those of you familiar with Ruby on Rails might want to take a look at the Yubikey support commit to masquerade to get an impression of the details I'm going to talk about in the next paragraphs.

How to add support for Yubikeys into existing applications?

First of all you will have to let users associate their account with their Yubikey. I did this by adding an attribute “yubico_identity” to the account, which is used to map the Yubikey to the account (remember: the identity is the first twelve characters, which always stay the same). Users can associate their account with their Yubikey by entering a one time password, which gets validated by the web service. If the web service confirms it, the first twelve characters get extracted from the OTP and serve as the Yubikey identifier. I also added the possibility to remove the association (for instance in case your Yubikey gets lost).

The last step is to distinguish between a Yubikey and normal passwords that get entered into your login form. This is easy too, because Yubikey one time passwords are always 44 characters long and normal passwords most likely are not ;)

So if a password with a length other than 44 characters gets entered, you authenticate the user like you always did, and if it is a Yubikey one time password, you verify it against the Yubico web service (using the client-side library for your programming language). In case the web service confirms the OTP, you just have to extract the identity and find the account it belongs to.
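
The association and login steps described above, sketched in plain Ruby as an added example (this is not the code from masquerade or from the Yubico library). The names LoginService, Account, verify_otp and legacy_auth are assumptions; verify_otp stands in for the call to the Yubico web service, and the check against the 16-character alphabet a Yubikey types goes beyond the length test in the text, so that a 44-character normal password is not sent to the web service.

```ruby
# Added example: `verify_otp` and `legacy_auth` are hypothetical callables that
# stand in for the Yubico client library and your existing password check.
MODHEX_OTP = /\A[cbdefghijklnrtuv]{44}\z/ # the 16 characters a Yubikey types
IDENTITY_LENGTH = 12
# Constructed sample OTP: 12-character identity + 32-character token
SAMPLE_OTP = "ccccccbcgujh" + "cbdefghijklnrtuv" * 2

Account = Struct.new(:login, :yubico_identity)

class LoginService
  def initialize(accounts, verify_otp, legacy_auth)
    @accounts = accounts
    @verify_otp = verify_otp   # otp -> true/false, as reported by the web service
    @legacy_auth = legacy_auth # (login, password) -> Account or nil
  end

  # Length alone would also send a 44-character password to the web service,
  # so require the Yubikey alphabet as well.
  def otp?(secret)
    MODHEX_OTP.match?(secret.to_s)
  end

  def identity_of(otp)
    otp[0, IDENTITY_LENGTH]
  end

  # Store the identity only after the web service has confirmed the OTP.
  def associate(account, otp)
    return false unless otp?(otp) && @verify_otp.call(otp)
    account.yubico_identity = identity_of(otp)
    true
  end

  def dissociate(account)
    account.yubico_identity = nil
  end

  # Login form handler: returns the matching Account or nil.
  def authenticate(login, secret)
    return @legacy_auth.call(login, secret) unless otp?(secret)
    return nil unless @verify_otp.call(secret)
    @accounts.find { |a| a.yubico_identity == identity_of(secret) }
  end
end
```

For multifactor authentication, call legacy_auth first and then require that the verified OTP's identity matches the yubico_identity of the account it returned.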