The New YubiKey Will Help Kill the Password

The latest batch of hardware-based tokens from Yubico will eventually let you skip the password altogether.
This image may contain Electrical Device Adapter Electronics Phone Mobile Phone and Cell Phone
Yubico

By now it's hopefully been drilled into you to enable two-factor authentication on your online accounts, giving you more protection than a password alone. And while the most ubiquitous second factor is a numeric code sent to your smartphone via an app, physical tokens that you plug into your computer have become increasingly popular. And now they're angling to make passwords obsolete.

On Monday, the hardware authentication company Yubico is announcing a new generation of its physical YubiKey tokens that support password-less login. The Series 5 YubiKeys get this streamlined mojo from FIDO2, a new version of an open source standard that facilitates secure authentication. As companies like Microsoft adopt the standard over the next few months, all you'll need for a secure log-in is to plug in and tap your new YubiKey. That's it.

"We rely on so many static credentials like passwords or your mother’s maiden name—it's everywhere," says Jerrod Chong, senior vice president of product at Yubico. "So it's very important that we think about the plumbing that needs to change, and FIDO2 brings a whole new range of capabilities."

The idea behind all FIDO tokens is that instead of relying on a static piece of data you know, like a password, you can authenticate yourself with something you have, like a YubiKey, and that device can perform all sorts of robust cryptographic checks without any extra work on your part. Yubico came to market early and its products have become synonymous with the larger movement in many ways, but other options built on the FIDO standard are out there, including Google's Titan security keys. Titan doesn't support FIDO2 yet, though. (By way of disclosure, WIRED gives new subscribers a YubiKey 4 as an incentive to sign up.)

Passwords have, ahem, a lot of pretty serious shortcomings. Using single-factor login with a physical token instead instantly improves security in many ways. But physical tokens can also be stolen, or abused by people who are in close proximity to each other. So Series 5 YubiKeys offer the option of requiring a local PIN as part of password-free login. If you want to get technical about it, that does immediately bring back passwords in a sense. But you never transmit that PIN across the internet, where it might be at risk of being stolen. It simply allows a YubiKey's cryptographic authentication to proceed.

"When we say passwordless, it actually means that step one is possession of an authentication device, step two is you need to present the device, and then you can have other layers of protections from there," Chong says. "We think of it as all part of a multi-factor evolution."

There are four models of Series 5 YubiKeys that incorporate different combinations of USB-A, USB-C, and near-field communication. The least expensive model, the YubiKey 5 NFC, costs $45; the priciest, the 5C Nano, costs $60. At launch no consumer services are ready to support password-less login. But Yubico says it wants to start getting all-in-one authentication keys in the hands of users, so that as FIDO2 upgrades start rolling out, the transition can be seamless. And Microsoft has been working closely with Yubico to launch support soon for Windows 10 and Azure.

“Passwordless login brings a monumental change to how business users and consumers will securely log in to applications and services,” Alex Simons, corporate vice president of Microsoft's identity division said in a statement. “With FIDO2, Microsoft is working to remove the dependency on password-based logins, with support from devices like the YubiKey 5.”

Passwords are cumbersome and problematic, so the prospect of a passwordless future may radically spur the adoption of physical authentication tokens like YubiKeys. But researchers caution that you should still use them as one part of a multi-factor authentication process, rather than relying solely on a single piece of hardware. "The crypto in these tokens is strong enough that they’re trustworthy as a first factor," says Matt Green, a cryptographer at Johns Hopkins University. "But the reason for two-factor authentication is that both factors have value. We could have ATMs that have only one factor—a card, no PIN. But then if someone steals your card, there’s nothing protecting you. The same thing applies here."

So while it's tempting to envision a truly password-free future, the closest you'll be able to get for now is a more accessible and easy-to-use approach to authentication. And compared to the trash fire that is the current login situation, that probably sounds pretty good.

More Great WIRED Stories