An authentication procedure is a security procedure used to verify the identity of individuals who wish to communicate securely. A password authentication protocol (PAP) is a verification procedure that uses a password to verify the identity of the user before allowing them access to the resources of the server. Though PAP is the most common method of verifying the identity of the user, it is also the least effective form of verification. In today’s computer world, bypassing this form of defense is very easy. Although many companies are trying to make passwords stronger, hackers are able to outsmart them easily. To overcome this problem, Google is planning to introduce a Universal Serial Bus (USB) key, the YubiKey, with which a user can automatically log into Google without a password.
The YubiKey is a small security token created by Yubico. A security token is a tool used to electronically verify the identity of the user and is used either with or without a password. Sophisticated security tokens include smart cards/PC cards, GSM mobile phones, USB tokens and Bluetooth tokens, and they carry fingerprints, biometric data, cryptographic keys or digital signatures. Since the security token is a small device, it is easy to carry.
The YubiKey emulates a USB keyboard and provides safe verification using a one-time password (OTP). It has two verification procedures – the Passcode, sent as an OTP to the server, which verifies the identity of the user and thus creates a suitable login; and a static physical key. The OTP has 44 characters, with a 128-bit encoded Password and a Public ID, and cannot be duplicated. The OTP is made of two parts – the initial 12 characters are constant and correspond to the Public ID of the YubiKey, and the last 32 characters represent a unique Passcode for every OTP created. Both parts are encoded with ModHex, a substitution code created by Yubico to ensure that suitable OTPs are generated by the YubiKey.
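The OTP layout described above can be checked structurally before a server spends any effort on verification. The following is an added example, not Yubico's code or part of the original article: it splits a 44-character OTP into its Public ID and Passcode and decodes both from ModHex. The alphabet `cbdefghijklnrtuv` is Yubico's published ModHex alphabet; the function names and the sample OTP are constructed for illustration.

```python
# Added example: structural check of a YubiKey OTP string (constructed sample below).
MODHEX = "cbdefghijklnrtuv"      # Yubico's ModHex alphabet: position i encodes hex digit i
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")

OTP_LEN = 44          # total length stated in the text
PUBLIC_ID_LEN = 12    # constant prefix identifying the key


class OTPFormatError(ValueError):
    """Raised when a string cannot be a well-formed OTP."""


def modhex_decode(text: str) -> bytes:
    """Decode a ModHex string to raw bytes, rejecting any foreign character."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise OTPFormatError("input is not valid ModHex")
    return bytes.fromhex(text.translate(_TO_HEX))


def parse_otp(otp: str) -> dict:
    """Split an OTP into Public ID and Passcode and decode both parts."""
    otp = otp.strip().lower()   # tolerate a trailing newline and Caps Lock
    if len(otp) != OTP_LEN:
        raise OTPFormatError(f"expected {OTP_LEN} characters, got {len(otp)}")
    public_id, passcode = otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]
    return {
        "public_id": public_id,                       # used to look up the key's record
        "public_id_bytes": modhex_decode(public_id),  # 6 bytes
        "passcode_bytes": modhex_decode(passcode),    # 16 bytes = 128 bits
    }


# Constructed sample, not a real key's output.
SAMPLE_OTP = "cccccccccccb" + "bdefghijklnrtuvc" * 2

if __name__ == "__main__":
    parsed = parse_otp(SAMPLE_OTP)
    print(parsed["public_id"], parsed["passcode_bytes"].hex())
```

A string that passes this check is only well-formed; the server still has to verify the Passcode before accepting the login.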
The second verification process is based on a unique physical key that can neither be recorded nor duplicated, as it permits access only when the authorized user’s device is used. The information contained in the YubiKey AES Key can never be removed, and only the YubiKey security-related codes are read directly when the YubiKey is being used. Since insecure data is not transferred, the YubiKey will never be a carrier for viruses.
The main strength of this key is that, like a USB keyboard, it sends the OTP as text and hence does not need any drivers. Also, no software is needed to set up or use the tool. All one needs to do is plug it into the system and touch the sensitive area on the USB key to start it. When the user places a finger on the sensitive area, the password is entered. After this, the security token can be used in any system that one is using, whether it is at home, at the workplace or anywhere else. This small cryptographic card can be embedded in a USB key, jewelry or a keychain.
The YubiKey hardware is made of injection-molded plastic. It is 2 mm thin and weighs only 2 grams. Since it gets its power from the USB port and has no batteries or other power supplies, it will never stop running due to power shortage or internal damage. The YubiKey can be programmed to log into a pre-determined web site automatically. The most appealing fact about this method is that it bypasses phishing – the most common attack that even Google’s current cell phone verification system cannot avert.
In summary, it seems that the YubiKey is an excellent lightweight and safe substitute for generating OTPs and communicating safely via the internet.